Last Updated: September 09, 2019
· tilsammans

Ubuntu server essentials

Essential steps if you're configuring your server manually. If you are looking for something a little more automated, check out my Ansible playbook tailored for Ruby on Rails hosts. This tip is basically the same as the common role there.

Do this after installing Ubuntu 12.04 LTS. I am assuming you've installed Ubuntu via a console session, created a user account for yourself during that process, and chosen to enable unattended security upgrades there.

as root

vi /etc/ssh/sshd_config

PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no

Keep your SSH connection open. Do not restart sshd yet.

on your local machine

cat ~/.ssh/id_rsa.pub

Place the contents of that file (it's your public key) into ~/.ssh/authorized_keys on the remote host.

Now SSH into the host with a new terminal window. It should not ask for a password.

did it work?

as root

service ssh restart

From now on, log into the host as yourself and use sudo if you need to be root.
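
A pre-restart sanity check for the SSH steps above, as an added example that is not part of the original tip: it reads sshd_config the way sshd does (first occurrence of a keyword wins, comment lines are ignored) and confirms a public key is installed, to catch the mistakes that lock you out once password login is off. The script name check_sshd.sh and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not the author's code): pre-restart check for the settings above.
# Assumptions: whitespace-separated "Keyword value" lines, no Include files,
# and only the global section (everything before the first Match block).

# effective_value FILE KEYWORD: print the value sshd would use.
# sshd keeps the FIRST occurrence of a keyword; keywords are case-insensitive.
effective_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                     # comment line
        tolower($1) == "match" { exit }         # end of global section
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# check_sshd_config FILE AUTHORIZED_KEYS: return 0 only if it is safe to restart.
# An unset keyword counts as a failure, since this tip sets all three explicitly.
check_sshd_config() {
    conf=$1 keys=$2 rc=0
    for pair in permitrootlogin=no pubkeyauthentication=yes passwordauthentication=no; do
        key=${pair%%=*} want=${pair#*=}
        got=$(effective_value "$conf" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL: $key is '${got:-unset}', expected '$want'" >&2
            rc=1
        fi
    done
    # Password login is about to be disabled, so a public key must be installed.
    if ! grep -Eq '^[^#]*(ssh-(rsa|dss|ed25519)|ecdsa-sha2-)' "$keys" 2>/dev/null; then
        echo "FAIL: no public key found in $keys" >&2
        rc=1
    fi
    return $rc
}

# Constructed sample config (not from a real host). The last line is ignored
# by sshd because an earlier line already set the keyword.
write_sample() {
    printf '%s\n' '# constructed sample' 'PermitRootLogin no' \
        'PubkeyAuthentication yes' 'passwordauthentication no' \
        'PasswordAuthentication yes' > "$1"
}

# Usage: sh check_sshd.sh /etc/ssh/sshd_config ~/.ssh/authorized_keys
if [ "$#" -eq 2 ]; then
    check_sshd_config "$1" "$2"
fi
```

On the host itself, `sshd -t` additionally checks the file for syntax errors before the restart.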

essential updates

$ sudo apt-get update
$ sudo apt-get upgrade

get the firewall going


$ sudo ufw default deny
$ sudo ufw limit ssh
$ sudo ufw allow http
$ sudo ufw allow https

add any other service you want exposed

$ sudo ufw enable

6 Responses


Missed the key first step:

sudo apt-get update && sudo apt-get upgrade

It's all well and good installing stuff but the first step should always be to update your sources and packages when starting on a new machine of any kind.

over 1 year ago ·

A little correction - the file you need to edit to block password connections to the ssh daemon is /etc/ssh/sshd_config

over 1 year ago ·

@euantor good call. I will add it.

over 1 year ago ·

Excellent tip! Very handy.

over 1 year ago ·
  1. Try sudo before restarting ssh! When you're not in a /etc/sudoers group you lock yourself out.

  2. In the sshd_config add AllowUsers user1 user2 to limit access to those who really need it. ;)

over 1 year ago ·

sudo before a service restart is implied.

When configuring sshd to only allow key-based login, in my opinion the logins are secure enough. I don't care for the extra layer in sshd_config, and in practice it does not add a whole lot when public keys are added to arbitrary users' authorized_keys.

over 1 year ago ·