Context:
In this article I share the steps I think are needed, and the reasons behind them, when setting up a new Ubuntu server, based on my personal experience and on mistakes that kept recurring in my team. There are many articles of this kind, including ones from well-known clouds and websites; you can refer to those for other points that suit your working environment and setup standards. I am used to working with Ubuntu Server, but most of these tasks apply to other Linux environments as well.
Main content:
- Create user & configure for new user.
- Configure ssh
- Swap file configuration
- Firewall configuration
- DNS configuration
- Make sure the system is up to date
I. Create user & configure for new user.
Why:
A freshly initialized server usually comes with a default user, which may be root (e.g. DigitalOcean) or a distro-specific default user (e.g. ubuntu for Ubuntu on AWS, or ec2-user for Amazon Linux); only a few clouds let you enter the desired user when initializing/provisioning the server. So what is the risk of keeping the default user?
- If it is root: this is strongly discouraged, because root is the ultimate user with the highest privileges on the system. Doing everyday tasks as root is both hard to manage and creates many security risks, so keeping root usage to a minimum is mandatory.
- If it is a non-root default user: its name is well known, so brute-force bot scripts target it and probe for default configurations, zero-days and other exploits; a user of your own choosing avoids that.
What:
- Create a new user & group: to address the risks above.
- New group (optional): similar to the user. If the cloud created the server with the root account, only the root group exists by default, and when a user is created a group with the same name is created with it; in my opinion, it is better to create another default group (e.g. your product name).
- Give the new user sudo access (optional, to be considered): this lets the user perform tasks that need root privileges (I like the term rooting), but it should be weighed; whether or not depends on your needs, because more rights bring more risks and responsibilities, and the right person in the right job is the right thing.
- Allow using sudo without entering a password (optional, to be considered): this increases convenience but reduces security, if you need to
How:
Create new user & group
```bash
# Create new user & group
sudo adduser newuser
sudo addgroup newgroup
sudo usermod -g newgroup newuser
```
Add user to sudo group
```bash
sudo usermod -aG sudo newuser
```
Use sudo without password
```bash
sudo cp /etc/sudoers /root/sudoers.bak
sudo visudo
### Add this line to the end of the file
newuser ALL=(ALL) NOPASSWD: ALL
```
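The sudo step above, as an added example that is not part of the original post: instead of editing /etc/sudoers directly, it writes a drop-in under /etc/sudoers.d and has visudo check the syntax first, since a broken sudoers file can lock everyone out of sudo. The function names (sudoers_line, install_sudoers_dropin) are mine, and the destination directory is a parameter so the script can be tried without root.

```shell
#!/bin/sh
# Added example, not from the original post: build a sudoers drop-in for the
# new user and let visudo validate it before it is installed.
# Assumption: the destination directory is a parameter (default
# /etc/sudoers.d) so the function can be exercised without root.

# Print the sudoers line for USER; NOPASSWD only when MODE is "nopasswd".
sudoers_line() {
    user="$1"; mode="${2:-passwd}"
    if [ "$mode" = "nopasswd" ]; then
        printf '%s ALL=(ALL) NOPASSWD: ALL\n' "$user"
    else
        printf '%s ALL=(ALL) ALL\n' "$user"
    fi
}

# Write DIR/USER with mode 0440 (sudo refuses drop-ins with looser modes).
# Returns 1 for a name sudo would ignore, 2 if visudo rejects the syntax.
install_sudoers_dropin() {
    user="$1"; mode="${2:-passwd}"; dir="${3:-/etc/sudoers.d}"
    # sudo silently skips files in sudoers.d whose names contain '.' or '~'
    case "$user" in
        *.*|*~*|'') echo "refusing drop-in name '$user'" >&2; return 1 ;;
    esac
    tmp=$(mktemp) || return 1
    sudoers_line "$user" "$mode" > "$tmp"
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$tmp" >/dev/null 2>&1 || { rm -f "$tmp"; return 2; }
    fi
    install -m 0440 "$tmp" "$dir/$user"; rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage (as root): install_sudoers_dropin newuser nopasswd
```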
II. Configure ssh
Why:
SSH is the gateway to most Linux servers, so making sure the parameters are configured correctly and sufficiently is essential to strike a balance between usability and security of the server.
What:
Configure SSH access using an SSH key: in my opinion, using an SSH key gives better security (unless you leak your private key) and is also much more convenient. With 1 server it doesn't matter that you type the password on every SSH login, but with 100 servers it is extremely tiring, and it also makes automation tasks very difficult.
Explore more:
- https://www.sharetru.com/blog/why-use-ssh-key-authentication-for-sftp-instead-of-password-authentication
- https://www.hostwinds.com/tutorials/ssh-password-vs-key-based-authentication
Configure some parameters of the ssh service to increase security:
- Change ssh port
- Disable root login
- Disable ssh login with password
- Whitelist the IP addresses that can access the server via SSH
How:
**1. Configure ssh access using ssh-key.** From your local or bastion host:
**Gen new ssh key**
```bash
ssh-keygen
```
**Copy the ssh key to the server**
```bash
# -i takes the key file; if the name does not end in .pub, .pub is appended
ssh-copy-id -i <path/to/private/key> username@serverip
```
**2. Setting ssh parameters.** Edit the file /etc/ssh/sshd_config
```bash
sudo vi /etc/ssh/sshd_config
```
with the following contents
```
# Change the values as in the content below
#Port 22
Port 2349
#PermitRootLogin yes
PermitRootLogin no
# PasswordAuthentication yes
PasswordAuthentication no
ListenAddress 0.0.0.0
```
Note: ListenAddress 0.0.0.0 makes sshd accept connections on every address of the server; if you want it to listen on one or more specific IP addresses instead, you can add multiple lines
```
ListenAddress <IP1>
ListenAddress <IP2>
ListenAddress <IP...>
```
ListenAddress only chooses which of the server's own addresses sshd binds to; to whitelist the client IPs that may connect, use the firewall rules in section IV.
**Restart the ssh service to apply the configs**
```bash
sudo service ssh restart
```
**3. (Optional) Configure ssh information on the local machine for easy access** (in ~/.ssh/config)
```
Host server_group.server1
    HostName server_1
    Port 2349
    User newuser
    IdentityFile </path/to/private key>
```
III. Swap file configuration
Why:
I see that the swap partition / swap file is rarely mentioned in new Ubuntu / Linux server setup tutorials; maybe on physical servers it is already set up during partitioning and OS installation, so it is often skipped. But with VPSs, which the cloud typically provisions with less than 4G of RAM and no swap partition, setting up a small swapfile is necessary in my personal experience.
- When the applications on the server need a lot of RAM for a short time (e.g. file upload, Excel export, ...), RAM can be used up completely, freezing the entire server; you often have to wait a long time for the OS to kill a few programs to free memory so the server can serve requests again, or worse, the server hangs and has to be hard rebooted manually (possibly corrupting the entire hard drive as a result).
- On servers with plenty of RAM I see this less often, because the free RAM seems to be enough to avoid these worst cases.
What:
So how much swapfile is enough?
- In my opinion, only 25% to 50% of RAM should be configured. Swap should only act as temporary memory; if you need more memory than that, you should consider a machine with more RAM.
- If swap is set too high, it can lead to a situation where the swap is barely used, yet the CPU is blocked waiting for the IO that moves data between RAM and disk. A classic case, encountered on AWS EC2 with EBS GP2, is heavy swap use while the EBS disk IO is limited by the GP2 configuration: a very annoying situation where the CPU appears free (low load, but extremely high IO wait) because it is waiting for the disk to swap pages in/out of RAM, the disk has limited IOPS because of the drive type, and client requests to the app cannot be served.
How:
```bash
# 4G here; size it at 25% to 50% of RAM as discussed above
sudo fallocate -l 4G /swapfile && \
sudo chmod 600 /swapfile && \
sudo mkswap /swapfile && \
sudo swapon /swapfile && \
sudo swapon -s && \
sudo cp /etc/fstab /etc/fstab.bak && \
echo '/swapfile none swap sw 0 0' | sudo tee -a /etc/fstab
```
More reference: https://gist.github.com/ngtrieuvi92/033de7ea8c880a9a500bf8df234ca6d2
IV. Configure the firewall to open only common ports
Why:
The firewall is a classic topic and I don't need to explain much; the principle is to open as few ports as possible.
What:
Usually I only open the ssh, http and https ports, and open other ports only when I really need them.
- On Ubuntu you can use ufw; on other Linux servers, or for more complex configs, you can install and use iptables.
- On the cloud you can skip these steps and use the inbound/outbound rules and security group concepts the cloud provides, for example on AWS: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html
How:
**With ubuntu server:**
```bash
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 22    # or your custom ssh port (e.g. 2349 from section II); allow it before 'ufw enable'
sudo ufw allow 80
sudo ufw allow 443
sudo ufw enable
```
More reference: https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-20-04
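An added example (not from the original post) tying sections II and IV together: it reads the effective values from an sshd_config file, audits the hardening settings, and prints the ufw commands with the configured SSH port placed ahead of ufw enable. The function names (sshd_value, audit_sshd, ufw_plan) and the config-path parameter are my assumptions; Include and Match blocks are not followed, so on a live host confirm with sudo sshd -T.

```shell
#!/bin/sh
# Added example, not from the original post: read the effective sshd settings
# from a config file, audit the section II hardening, and emit the section IV
# ufw commands with the real SSH port, so the port is allowed before
# 'ufw enable' turns on default-deny. Assumptions: the config path is a
# parameter (default /etc/ssh/sshd_config); Include and Match blocks are not
# followed, so for the authoritative view on a live host use 'sudo sshd -T'.

# sshd keeps the FIRST value it reads for a keyword and ignores later
# duplicates; this mirrors that rule, skipping comments and blank lines.
sshd_value() {
    awk -v key="$1" -v def="$2" '
        NF == 0 || $1 ~ /^#/ { next }
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print def }' "$3"
}

# Exit 0 only when root login and password login are both disabled.
audit_sshd() {
    cfg="${1:-/etc/ssh/sshd_config}"; rc=0
    for key in PermitRootLogin PasswordAuthentication; do
        val=$(sshd_value "$key" unset "$cfg")
        [ "$val" = "no" ] || { echo "$key is '$val', expected 'no'"; rc=1; }
    done
    return $rc
}

# Print the ufw commands; the SSH rule uses the configured port and comes
# before 'ufw enable', which is what prevents locking yourself out.
ufw_plan() {
    cfg="${1:-/etc/ssh/sshd_config}"
    port=$(sshd_value Port 22 "$cfg")
    printf 'sudo ufw default deny incoming\n'
    printf 'sudo ufw default allow outgoing\n'
    printf 'sudo ufw allow %s/tcp   # ssh\n' "$port"
    printf 'sudo ufw allow 80/tcp\n'
    printf 'sudo ufw allow 443/tcp\n'
    printf 'sudo ufw enable\n'
}

# Usage: audit_sshd /etc/ssh/sshd_config && ufw_plan /etc/ssh/sshd_config
```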
V. DNS Configuration
Why:
This may not be necessary on the well-known clouds (AWS, GCP, Azure, ...), but on some other VPS provider platforms, if you keep the default DNS resolver set up by the OS, domain resolution is quite bad and intermittent (my actual experience with Time4vps and Servarica).
What:
It is recommended to use some popular DNS servers such as:
- Google: 8.8.8.8
- Cloudflare: 1.1.1.1
- ….
How:
Simple way: edit /etc/resolv.conf
```bash
sudo vi /etc/resolv.conf
```
Add new lines
```
nameserver 8.8.8.8
nameserver 8.8.4.4
```
Restart the service
```bash
sudo service systemd-resolved restart
```
Note that on Ubuntu releases using systemd-resolved, /etc/resolv.conf is a generated file, so manual edits can be overwritten; the netplan method below persists across reboots.
Using netplan
Netplan is a newer utility introduced by Ubuntu from Ubuntu 17; it provides more configuration options and can be applied to each network interface separately. Depending on your needs, you can refer to how to use it here:
- https://www.serverlab.ca/tutorials/linux/administration-linux/how-to-configure-networking-in-ubuntu-20-04-with-netplan/
- https://www.linode.com/docs/guides/systemd-networkd/
VI. Update packages
Why:
Simple: to make sure the packages on the system are fully updated.
What:
Just use the package manager provided by the OS.
How:
```bash
# apt update only refreshes the package index; apt upgrade installs the updates
sudo apt update
sudo apt upgrade
```