# The first 5 minutes on a Linux Server

When deploying a new Linux server, I always perform the same steps to introduce a basic level of security. In this article, I present those steps I take (and you probably should take them too) on a new server installation. Even though those steps probably apply to most Linux distributions, I mainly use Ubuntu for my servers nowadays. So before listing the specific steps, I quickly explain why I mostly use a minimal Ubuntu image.

## Why Ubuntu?

Ubuntu has rapidly become one of the most popular choices for server environments. This preference stems from Ubuntu's stability, ease of use, and robust support.

1. **Long-Term Support (LTS) Releases:** Ubuntu's Long-Term Support versions, released every two years, are a cornerstone of its reliability. These LTS releases are supported with updates for five years, ensuring stability and security without the need for frequent major upgrades. This long-term support is crucial for servers, where uptime and stability are paramount.
    
2. **Widespread Community:** With its growing popularity, Ubuntu has amassed a large and active community. This community provides extensive resources, forums, and documentation, aiding in troubleshooting and knowledge sharing.
    
3. **User-Friendly Yet Powerful:** Ubuntu strikes a balance between user-friendliness and advanced capabilities. Its package management system (APT) and extensive repositories make software installation and management a breeze. Ubuntu also maintains compatibility with a wide range of hardware, ensuring flexibility in server deployment.
    
4. **Robust Security Features:** Ubuntu is known for its strong security measures. Features like AppArmor, a mandatory access control framework, and regular security updates provide robust protection against vulnerabilities. The inclusion of fail2ban and unattended upgrades in server setups further fortifies its security posture.
    

## Initial Software Installation

Upon logging into your fresh Ubuntu server, the first step is to elevate to superuser status with `sudo -i`, providing full administrative rights. This is necessary for installing and configuring various essential packages.

```bash
apt update && apt upgrade -y
apt install -y fail2ban htop git curl wget gnupg lsb-release unattended-upgrades apt-transport-https ca-certificates locales nano vim
```

### Why These Packages?

* `fail2ban`: Protects against brute-force attacks.
    
* `htop`: Offers an interactive process viewer (better than `top`).
    
* `git`**,** `curl`**,** `wget`**,** `gnupg`: Essential tools for downloading and verifying files.
    
* `lsb-release`**,** `apt-transport-https`**,** `ca-certificates`: Tools required for secure software installation.
    
* `locales`: Supports system language preferences.
    
* `nano`**,** `vim`: Provides text editors for configuration.
    

Most other basic software like `cat` is preinstalled on Ubuntu (sometimes `curl` & `wget` are as well, but that depends on the image you used).

## Initial Configuration

Configuring the locale is vital for consistency in language and character encoding across the system. It ensures that your server interacts correctly with software and services. Edit `sudo nano /etc/locale.gen` and uncomment the language you need.

```bash
locale-gen
echo -e 'LANG="en_US.UTF-8"\nLANGUAGE="en_US:en"\n' > /etc/default/locale
```

### Hostname and Hosts File

Setting a descriptive hostname improves the manageability of your server, especially in a network of multiple machines.

```bash
sh -c 'echo "
127.0.1.1          <domain> <alias>
<YOUR IP>          <domain> <alias>
" >> /etc/hosts'
sudo hostnamectl set-hostname <domain>
sudo hostnamectl set-hostname "<alias>" --pretty
```

For `<domain>` I would use something like *node1.example.com* and for `<alias>` *node1*.

### Secure Log In

Creating a non-root user with sudo privileges enhances security by limiting root access.

```bash
useradd <username>
usermod -aG sudo <username>
```

Set up SSH keys for secure, password-less login. Setup the `.ssh/` folder and upload your public key.

```bash
mkdir -p /home/<username>/.ssh
chmod 700 /home/<username>/.ssh
chmod 400 /home/<username>/.ssh/authorized_keys
chown <username>:<username> /home/<username> -R
# then put your public ssh key into /home/<username>/.ssh/id_rsa.pub
```

Modifying the SSH configuration (`/etc/ssh/sshd_config`) to disable root login and password authentication significantly reduces the server's vulnerability to unauthorized access.

```bash
PermitRootLogin no
PasswordAuthentication no
```

Then run `service ssh restart`.

### Automatic Security Updates

Configuring unattended-upgrades ensures that your server stays up to date with the latest security patches, reducing the risk of vulnerabilities.

`/etc/apt/apt.conf.d/20auto-upgrades`:

```bash
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
```

Limiting automatic upgrades to security updates prevents unexpected changes in system behaviour due to non-critical updates.

`/etc/apt/apt.conf.d/50unattended-upgrades`:

```bash
Unattended-Upgrade::Allowed-Origins {
        "Ubuntu lucid-security";
};
```

## A Solid Start

The steps outlined provide a basic foundation for any Ubuntu server. There is a LOT more you can and should do to make your server more secure. But those are the absolute basics I always do before anything else!
