Initial Server Setup Guide

Whenever you have a remote server, there are a few configuration steps you should take early on as part of the basic setup. They increase the security and usability of your server and give you a solid foundation for everything that follows. You should do at least the things listed here before installing any application.

Update your server

This should be done on a daily basis. Keeping the system updated is very important because it pulls in security fixes and newer versions of the software on your server. apt operations must be run as root or with sudo.

apt update && apt upgrade -y && apt dist-upgrade -y

This may take some time. Have a cup of coffee and let the update run.

Creating a new user

Create your new user by issuing the command below:

adduser userN4me --force-badname

You can use a username of the form 'l337sp34k' (which adduser would otherwise reject) by passing the option --force-badname.

Sudo Privileges

Give your new user sudo privileges!

usermod -a -G sudo userN4me

-a : append the user to the supplementary group given with -G, keeping existing group memberships
-G group : the group to add the user to, here sudo

Change to the new user:

su userN4me

Public key authentication

Make an .ssh directory in the new user's account.

mkdir ~/.ssh
chmod 700 ~/.ssh

Generate an SSH key pair on your local computer with ssh-keygen if you don't already have one.

ssh-keygen

Assume your local PC username is localuser.

ssh-keygen output
Generating public/private rsa key pair.
Enter file in which to save the key (/home/localuser/.ssh/id_rsa):

Press Enter to accept the default path (or enter a new path).

Next you'll be prompted for a key passphrase; leave it empty. If you do set a passphrase, you'll be prompted for it every time you connect over ssh.

Note: If you leave the passphrase blank, you will be able to use the private key for authentication without entering a passphrase. If you enter a passphrase, you will need both the private key and the passphrase to log in. Securing your keys with a passphrase is more secure, but both methods have their uses, and both are more secure than basic password authentication.

This will generate id_rsa and id_rsa.pub in the ~/.ssh directory. You will need to copy the contents of id_rsa.pub into ~/.ssh/authorized_keys on the remote server.

Display the public key so you can copy it:

cat ~/.ssh/id_rsa.pub

On your remote server, make sure you're logged in as the new user. Paste the key into ~/.ssh/authorized_keys.

nano ~/.ssh/authorized_keys

Restart the ssh service

sudo service sshd restart

This is the first time you've run a 'sudo' command as the new user, so it will show the usual reminder to use 'sudo' wisely.

Disable SSH password authentication

This disables password authentication when ssh-ing to your remote server; logins will use the public key we generated above instead. This method is more secure.

sudo nano /etc/ssh/sshd_config

Uncomment the line below and set it to 'no':

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

Further down, find the following lines and set them as shown:

PermitRootLogin no

RSAAuthentication yes
PubkeyAuthentication yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no

Set PermitRootLogin to no so that the root user cannot log in over ssh. Set PubkeyAuthentication to yes so that you can log in to ssh without a password, using the key we set up earlier.
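An added example, not part of the original guide: a small POSIX shell check that reads an sshd_config and reports which of the directives above are missing or still set to the weak value, so you can run it before restarting sshd. The function names and both sample config files are constructed here.

```shell
# Added example, not part of the original guide: check that an sshd_config has the
# settings this guide asks for before restarting sshd (main file only; no Include/Match).

# sshd_effective <file> <Directive>: print the effective value of a directive.
# OpenSSH uses the first non-commented occurrence, so the first match wins;
# a commented-out line such as "#PasswordAuthentication yes" counts as unset.
sshd_effective() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# check_sshd_config <file>: print a FAIL line per directive that differs
# from the hardened value; return 0 if all match, 1 otherwise.
check_sshd_config() {
    rc=0
    for pair in PermitRootLogin=no PasswordAuthentication=no \
                PubkeyAuthentication=yes PermitEmptyPasswords=no \
                ChallengeResponseAuthentication=no; do
        key=${pair%=*}
        want=${pair#*=}
        got=$(sshd_effective "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL: $key is '${got:-unset}', expected '$want'"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: Debian-style defaults before hardening. PasswordAuthentication
# is still commented out, so OpenSSH's built-in default of "yes" applies.
WEAK=$(mktemp)
cat > "$WEAK" <<'EOF'
#PermitRootLogin prohibit-password
#PasswordAuthentication yes
PubkeyAuthentication yes
ChallengeResponseAuthentication no
EOF

# Constructed sample: the same file after applying this guide's changes.
HARDENED=$(mktemp)
cat > "$HARDENED" <<'EOF'
PermitRootLogin no
PubkeyAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PasswordAuthentication no
EOF

check_sshd_config "$WEAK" || echo "weak config rejected: do not restart sshd yet"
check_sshd_config "$HARDENED" && echo "hardened config OK: safe to restart sshd"
```

To check the live file, run `check_sshd_config /etc/ssh/sshd_config` as a user that can read it; a non-zero exit means at least one directive still needs fixing.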

Set up firewall

I suggest using 'ufw' as the firewall. It is easier than iptables. You can still use iptables commands without conflicting with ufw, but again, I suggest you use ufw. Whatever you can do with iptables commands, ufw can do too; ufw is a simpler front end to iptables.

Install the ufw firewall.

sudo apt install ufw

Enable the ufw firewall; it will also be enabled on system startup.

sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup

Allow ssh through ufw. First view the available application profiles:

sudo ufw app list
Available applications:
    OpenSSH

sudo ufw allow OpenSSH

Reload the firewall.

sudo ufw reload

Set the date and timezone

Select your timezone. This will automatically update your server's date and time based on the chosen timezone.

# view your current date
date
Wed April 2 19:20:19 +08 2018
sudo dpkg-reconfigure tzdata
date
Thu May  3 06:00:19 +08 2018