When deploying a new Linux server, I always perform the same steps to introduce a basic level of security. In this article, I present those steps I take (and you probably should take them too) on a new server installation. Even though those steps probably apply to most Linux distributions, I mainly use Ubuntu for my servers nowadays. So before listing the specific steps, I quickly explain why I mostly use a minimal Ubuntu image.

Why Ubuntu?

Ubuntu has rapidly become one of the most popular choices for server environments. This preference stems from Ubuntu's stability, ease of use, and robust support.

1. Long-Term Support (LTS) Releases: Ubuntu's Long-Term Support versions, released every two years, are a cornerstone of its reliability. These LTS releases are supported with updates for five years, ensuring stability and security without the need for frequent major upgrades. This long-term support is crucial for servers, where uptime and stability are paramount.

2. Widespread Community: With its growing popularity, Ubuntu has amassed a large and active community. This community provides extensive resources, forums, and documentation, aiding in troubleshooting and knowledge sharing.

3. User-Friendly Yet Powerful: Ubuntu strikes a balance between user-friendliness and advanced capabilities. Its package management system (APT) and extensive repositories make software installation and management a breeze. Ubuntu also maintains compatibility with a wide range of hardware, ensuring flexibility in server deployment.

4. Robust Security Features: Ubuntu is known for its strong security measures. Features like AppArmor, a mandatory access control framework, and regular security updates provide robust protection against vulnerabilities. The inclusion of fail2ban and unattended upgrades in server setups further fortifies its security posture.

Initial Software Installation

Upon logging into your fresh Ubuntu server, the first step is to elevate to superuser status with sudo -i, providing full administrative rights. This is necessary for installing and configuring various essential packages.

apt update && apt upgrade -y
apt install -y fail2ban htop git curl wget gnupg lsb-release unattended-upgrades apt-transport-https ca-certificates locales nano vim

Why These Packages?

• fail2ban: Protects against brute-force attacks.

• htop: Offers an interactive process viewer (better than top).

• git, curl, wget, gnupg: Essential tools for downloading and verifying files.

• lsb-release, apt-transport-https, ca-certificates: Tools required for secure software installation.

• locales: Supports system language preferences.

• nano, vim: Provides text editors for configuration.

Most other basic software like cat is preinstalled on Ubuntu (sometimes curl & wget are as well, but that depends on the image you used).

Initial Configuration

Configuring the locale is vital for consistency in language and character encoding across the system. It ensures that your server interacts correctly with software and services.

locale-gen --purge en_US.UTF-8
echo -e 'LANG="en_US.UTF-8"\nLANGUAGE="en_US:en"\n' > /etc/default/locale

Hostname and Hosts File

Setting a descriptive hostname improves the manageability of your server, especially in a network of multiple machines.

sh -c 'echo "
127.0.1.1          <domain> <alias>
<YOUR IP>          <domain> <alias>
" >> /etc/hosts'
sudo hostnamectl set-hostname <domain>
sudo hostnamectl set-hostname "<alias>" --pretty

For <domain> I would use something like node1.example.com and for <alias> node1.

Secure Log In

Creating a non-root user with sudo privileges enhances security by limiting root access.

useradd <username>
usermod -aG sudo <username>

Set up SSH keys for secure, password-less login. Setup the .ssh/ folder and upload your public key.

mkdir -p /home/<username>/.ssh
chmod 700 /home/<username>/.ssh
chmod 400 /home/<username>/.ssh/authorized_keys
chown <username>:<username> /home/<username> -R
# then put your public ssh key into /home/<username>/.ssh/id_rsa.pub

Modifying the SSH configuration to disable root login and password authentication significantly reduces the server's vulnerability to unauthorized access.

PermitRootLogin no
PasswordAuthentication no
service ssh restart

Automatic Security Updates

Configuring unattended upgrades ensures that your server stays up to date with the latest security patches, reducing the risk of vulnerabilities.

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";

Limiting automatic upgrades to security updates prevents unexpected changes in system behavior due to non-critical updates.

Unattended-Upgrade::Allowed-Origins {
        "Ubuntu lucid-security";
};

A Solid Start

The steps outlined provide a basic foundation for any Ubuntu server. There is a LOT more you can and should do to make your server more secure. But those are the absolute basics I always do before anything else!