Ubuntu server essentials

Essential steps if you're configuring your server manually. If you are looking for something a little more automated, check out my Ansible playbook tailored for Ruby on Rails hosts. This tip is basically the same as the common role there.

Do this after installing Ubuntu 12.04 LTS. I am assuming you installed Ubuntu via a console session, created a user account for yourself during that process, and chose to enable unattended security upgrades there.

as root

vi /etc/ssh/sshd_config

PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no

Keep your SSH connection open. Do not restart sshd yet.

on your local machine

cat ~/.ssh/id_rsa.pub

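Place the contents of that file (it's your public key) into ~/.ssh/authorized_keys of your own user account on the remote host. It must be your account and not root's, because root will no longer be able to log in over SSH once sshd is restarted.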

Now SSH into the host with a new terminal window. It should not ask for a password.

did it work?

as root

service ssh restart

From now on, log into the host as yourself and use sudo if you need to be root.
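
A pre-restart check for the sshd steps above, as an added example that is not part of the original tip: it reads an sshd_config the way sshd resolves it (the first value for a keyword wins, lines after a Match line are conditional) and confirms the three values plus a non-empty authorized_keys. The function names and sample files are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: pre-restart check for the sshd steps in this tip.
# Function names and sample files are assumptions, not part of the tip.

# Print the effective global value of an sshd_config keyword. sshd keeps the
# FIRST value it reads for a keyword, keywords are case-insensitive, and lines
# after a "Match" line are conditional, so parsing stops there.
sshd_effective() {  # usage: sshd_effective KEYWORD FILE
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { sub(/[ \t]*=[ \t]*/, " ") }   # accept "Keyword=value" as well
        tolower($1) == "match" { exit }
        tolower($1) == want    { print $2; exit }
    ' "$2"
}

# Succeed only if the file carries the tip's three values and the login user
# already has a public key installed. An unset keyword counts as a failure.
ready_to_restart() {  # usage: ready_to_restart SSHD_CONFIG AUTHORIZED_KEYS
    rc=0
    for pair in PermitRootLogin:no PubkeyAuthentication:yes PasswordAuthentication:no; do
        actual=$(sshd_effective "${pair%%:*}" "$1")
        if [ "$actual" != "${pair#*:}" ]; then
            echo "FAIL ${pair%%:*}: want '${pair#*:}', effective '${actual:-unset}'" >&2
            rc=1
        fi
    done
    # A key line is any line that is neither blank nor a comment.
    if ! grep -Eqv '^[[:space:]]*(#|$)' "$2" 2>/dev/null; then
        echo "FAIL no public key in $2: key-only login would lock you out" >&2
        rc=1
    fi
    return $rc
}

# Constructed sample: the new value was appended below an older "yes" line.
d=$(mktemp -d)
printf '%s\n' 'PermitRootLogin yes' 'PubkeyAuthentication yes' \
    'PasswordAuthentication no' 'PermitRootLogin no' > "$d/sshd_config"
printf '%s\n' 'ssh-rsa AAAAconstructed you@laptop' > "$d/authorized_keys"
if ready_to_restart "$d/sshd_config" "$d/authorized_keys"; then
    echo "safe to restart ssh"
else
    echo "do not restart ssh yet"
fi
rm -rf "$d"
```

On a real host, `sudo sshd -t` checks the file for syntax errors and `sudo sshd -T` prints the configuration as sshd itself resolves it; this script only reads the file it is given.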

essential updates

$ sudo apt-get update
$ sudo apt-get upgrade

get the firewall going

https://wiki.ubuntu.com/UncomplicatedFirewall

$ sudo ufw default deny
$ sudo ufw limit ssh
$ sudo ufw allow http
$ sudo ufw allow https

add any other service you want exposed

$ sudo ufw enable

Comments

  • euantor

    Missed the key first step:

    sudo apt-get update && sudo apt-get upgrade
    

    It's all well and good installing stuff but the first step should always be to update your sources and packages when starting on a new machine of any kind.

  • lucasmr

    A little correction - the file you need to edit to block password connections to the ssh daemon is /etc/ssh/sshd_config

  • tilsammans

    @euantor good call. I will add it.

  • askalot

    Excellent tip! Very handy.

  • franklin

    1. Try sudo before restarting ssh! When you're not in a /etc/sudoers group you lock yourself out.

    2. In the sshd_config add AllowUsers user1 user2 to limit access to those who really need it. ;)

  • tilsammans

    sudo before a service restart is implied.

    When configuring sshd to only allow key-based login, in my opinion the logins are secure enough. I don't care for the extra layer in sshd_config, and in practice it does not add a whole lot when public keys are added to arbitrary users' authorized_keys.
