When you first create a new Ubuntu 16.04 / 18.04 server, there are a few configuration steps that you should take early on as part of the basic setup. This will increase the security and usability of your server and will give you a solid foundation for subsequent actions.
Step 1 — Logging in as Root
To log into your server, you will need to know your server's public IP address. You will also need the password or, if you installed an SSH key for authentication, the private key for the root user's account.
If you are not already connected to your server, go ahead and log in as the root user using the following command (substitute the highlighted portion of the command with your server's public IP address):
Accept the warning about host authenticity if it appears. If you are using password authentication, provide your root password to log in. If you are using an SSH key that is passphrase protected, you may be prompted to enter the passphrase the first time you use the key each session. If this is your first time logging into the server with a password, you may also be prompted to change the root password.
Step 2 — Creating a New User
Once you are logged in as root, we're prepared to add the new user account that we will use to log in from now on.
This example creates a new user called sammy, but you should replace it with a username that you like:
You will be asked a few questions, starting with the account password.
Enter a strong password and, optionally, fill in any of the additional information if you would like. This is not required and you can just hit ENTER in any field you wish to skip.
Step 3 — Root Privileges
Now, we have a new user account with regular account privileges. However, we may sometimes need to do administrative tasks.
To avoid having to log out of our normal user and log back in as the root account, we can set up what is known as "superuser" or root privileges for our normal account. This will allow our normal user to run commands with administrative privileges by putting the word sudo before each command.
To add these privileges to our new user, we need to add the new user to the "sudo" group. By default, on Ubuntu 16.04 / 18.04, users who belong to the "sudo" group are allowed to use the sudo command.
As root, run this command to add your new user to the sudo group (substitute the highlighted word with your new user):
usermod -aG sudo sammy
Now your user can run commands with superuser privileges!
Step 4 — Disable PermitRootLogin (Recommended)
Now that your new user can use SSH keys to log in, you can increase your server's security by disabling PermitRootLogin. Doing so will restrict SSH access to your server to public key authentication only. That is, the only way to log in to your server (aside from the console) is to possess the private key that pairs with the public key that was installed.
Note: Only disable PermitRootLogin if you installed a public key to your user as recommended in the previous section, step four. Otherwise, you will lock yourself out of your server!
To disable PermitRootLogin on your server, follow these steps.
As root or your new sudo user, open the SSH daemon configuration:
sudo nano /etc/ssh/sshd_config
Find the line that specifies PermitRootLogin, uncomment it by deleting the preceding #, then change its value to "no". It should look like this after you have made the change:
sshd_config — Disable PermitRootLogin
When you are finished making your changes, save and close the file using the method we went over earlier (
Type this to reload the SSH daemon:
sudo systemctl reload sshd
PermitRootLogin is now disabled. Your server is now only accessible with SSH key authentication.
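One way to check the result of this step, as an added example that is not part of the original tutorial: the shell functions below read the effective global values of PermitRootLogin and PasswordAuthentication from an sshd_config file. The two are separate directives (the first governs root logins, the second whether passwords are accepted); the function names, the sample file and the fallback defaults (OpenSSH's documented prohibit-password and yes) are assumptions of this example.

```shell
#!/bin/sh
# Added example: report the effective global value of an sshd_config keyword.
# sshd uses the FIRST occurrence of each keyword, keywords are case-insensitive,
# and lines starting with '#' are comments. Scanning stops at the first "Match"
# line because settings below it apply only to matching connections.
sshd_effective() {  # usage: sshd_effective KEYWORD FILE DEFAULT
    awk -v key="$1" -v def="$3" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$2"
}

# Returns 0 when root login is off and passwords are refused;
# adds 1 if root can still log in, 2 if passwords are still accepted.
check_ssh_login_policy() {  # usage: check_ssh_login_policy FILE
    root=$(sshd_effective PermitRootLogin "$1" prohibit-password)
    pass=$(sshd_effective PasswordAuthentication "$1" yes)
    echo "PermitRootLogin=$root PasswordAuthentication=$pass"
    rc=0
    [ "$root" = "no" ] || { echo "root can still log in over SSH"; rc=$((rc + 1)); }
    [ "$pass" = "no" ] || { echo "password logins are still accepted"; rc=$((rc + 2)); }
    return "$rc"
}

# Constructed sample: the commented default is ignored, the first live
# PermitRootLogin wins over the later one, and the Match block is skipped,
# so PasswordAuthentication falls back to its default.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
#PermitRootLogin prohibit-password
permitrootlogin no
PermitRootLogin yes
Match User backup
    PasswordAuthentication no
EOF
check_ssh_login_policy "$SAMPLE" || echo "exit status: $?"
```

On a live server, point the check at /etc/ssh/sshd_config; `sudo sshd -T` prints the configuration the daemon itself resolves and is the authoritative source.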
Step 5 — Set Up a Basic Firewall
Ubuntu 16.04 / 18.04 servers can use the UFW firewall to make sure only connections to certain services are allowed. We can set up a basic firewall very easily using this application.
Different applications can register their profiles with UFW upon installation. These profiles allow UFW to manage these applications by name. OpenSSH, the service allowing us to connect to our server now, has a profile registered with UFW.
You can see this by typing:
sudo ufw app list
Available applications:
  OpenSSH
We need to make sure that the firewall allows SSH connections so that we can log back in next time. We can allow these connections by typing:
sudo ufw allow OpenSSH
Afterwards, we can enable the firewall by typing:
sudo ufw enable
Type "y" and press ENTER to proceed. You can see that SSH connections are still allowed by typing:
sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
If you install and configure additional services, you will need to adjust the firewall settings to allow acceptable traffic in.