This tutorial will help you to set up a secure Ubuntu server from scratch.
Keep in mind that this is not a typical tutorial; it is the culmination of the knowledge I have gathered from managing my own servers for more than three years.
Before we start
While this tutorial is focused on Ubuntu 20.04, it can be used for many other versions, like 18.04 and 16.04, as they are very similar.
- An Ubuntu server
- Access to your server
It doesn't matter if your server is hosted on DigitalOcean, Google Cloud Engine or Amazon Web Services; Ubuntu should behave the same.
If you don't have a server you might want to look at the Useful resources step.
The first and probably most important step is to always keep the system up-to-date. To do so, open a terminal and update and upgrade the packages via apt.
```sh
sudo apt update          # Update package information
sudo apt full-upgrade -y # Upgrade packages
sudo apt autoremove -y   # Remove unnecessary packages

# One liner
sudo apt update && sudo apt dist-upgrade -y && sudo apt autoremove -y
```
Now that the packages are updated, we should install an automated solution to keep the system always up-to-date.
This tutorial on Linuxize will help you install and configure the unattended-upgrades package, which is exactly what is needed.
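As an added example (my own, not part of the Linuxize tutorial or the unattended-upgrades package), the script below generates the two apt configuration files that turn unattended security upgrades on, and checks that the generated files actually enable them. The target directory is a parameter so you can write the files to a scratch directory, review them, and only then copy them to /etc/apt/apt.conf.d; the origin list assumes a stock Ubuntu release.

```sh
#!/bin/sh
# Added example (not from the original post): generate the apt configuration
# that enables unattended security upgrades, then verify it. CONF_DIR is a
# parameter so the files can be written to a scratch directory first and
# inspected before being installed into /etc/apt/apt.conf.d.

# Write 20auto-upgrades (the periodic schedule) and 50unattended-upgrades
# (which package origins may be upgraded automatically) into $1.
write_unattended_upgrades_config() {
    conf_dir="$1"
    mkdir -p "$conf_dir"

    cat > "$conf_dir/20auto-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
EOF

    cat > "$conf_dir/50unattended-upgrades" <<'EOF'
// Only the security pocket is upgraded automatically; other pockets stay
// under manual control so a routine upgrade cannot surprise you.
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
    "${distro_id}ESMApps:${distro_codename}-apps-security";
    "${distro_id}ESM:${distro_codename}-infra-security";
};
Unattended-Upgrade::Remove-Unused-Dependencies "true";
// Reboots are left to you; set to "true" if unattended reboots are acceptable.
Unattended-Upgrade::Automatic-Reboot "false";
EOF
}

# Return 0 when the periodic file in $1 actually turns unattended upgrades
# on. The package can be installed with this switch still set to "0".
check_auto_upgrades_enabled() {
    grep -q '^APT::Periodic::Unattended-Upgrade "1";' "$1/20auto-upgrades"
}

# Return 0 when a security origin is allowed in $1/50unattended-upgrades.
check_security_origin_allowed() {
    grep -q -- '-security";' "$1/50unattended-upgrades"
}
```

Typical use: `write_unattended_upgrades_config /tmp/apt-review`, read the two files, then `sudo install -m 644 /tmp/apt-review/* /etc/apt/apt.conf.d/`. Afterwards `sudo unattended-upgrade --dry-run --debug` shows what the next run would install, and `apt-config dump | grep Periodic` confirms the schedule apt sees.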
Using the default super user root is always bad practice: it does everything with the maximum level of permissions, allowing you to break anything and, more critically, giving access to anything on the system.
Instead, we should use a normal user with super user privileges. This tutorial on DigitalOcean will guide you to do that.
Now that you have a new user with super user privileges, you might want to SSH into your server with it, but you might find that you can't.
This is because the credentials were stored under the user you were using before, most likely root. Just SSH again with the previous user and copy the credentials to the new user with the rsync utility.
Follow the 5th step of this tutorial on DigitalOcean to do so.
SSHD manages the SSH connections to the server. Its default configuration is good, but some changes must be made, like disabling root user login and changing the default
Follow the first step of this tutorial on DigitalOcean to learn how to configure SSHD.
It is recommended that you change the default
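As an added example (my own, not from the DigitalOcean tutorial or the OpenSSH project), the script below writes an sshd hardening drop-in with the root-login change from this section and audits an sshd_config for it. Assumptions: the port number and the output directory are parameters (22 unless you changed it); on Ubuntu 20.04 the stock /etc/ssh/sshd_config includes /etc/ssh/sshd_config.d/*.conf, while on 18.04 and 16.04 the same lines go directly into /etc/ssh/sshd_config.

```sh
#!/bin/sh
# Added example (not from the original post): generate an sshd hardening
# drop-in and audit a config file for the settings the post calls for.
# $1 is the output directory, $2 the SSH port (assumed values).

write_sshd_hardening() {
    out_dir="$1"
    port="${2:-22}"
    mkdir -p "$out_dir"
    cat > "$out_dir/99-hardening.conf" <<EOF
# Generated hardening drop-in (added example)
Port $port
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
LoginGraceTime 30
X11Forwarding no
EOF
}

# Effective value of keyword $2 in file $1. sshd uses the FIRST value it
# reads for a keyword, so take the first non-comment match, ignoring case.
sshd_setting() {
    awk -v key="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Audit file $1: print each failing keyword, return 1 if any fails.
# An unset keyword fails too; relying on compiled-in defaults is not explicit.
audit_sshd_config() {
    file="$1"
    status=0
    for want in "PermitRootLogin no" "PasswordAuthentication no"; do
        key="${want% *}"
        expected="${want#* }"
        actual=$(sshd_setting "$file" "$key")
        if [ "$actual" != "$expected" ]; then
            echo "FAIL: $key is '${actual:-unset}', expected '$expected'"
            status=1
        fi
    done
    return "$status"
}
```

Before restarting, keep your current session open, run `sudo sshd -t` to syntax-check the combined configuration, and `sudo sshd -T | grep -i -e permitrootlogin -e passwordauthentication` to see the values sshd will really use; only then `sudo systemctl restart ssh` and test a fresh login from a second terminal.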
UFW is Ubuntu's default firewall and is extremely useful. By default it allows ssh connections; depending on your use case you might not need some of those rules.
Check out this tutorial on DigitalOcean to learn how to configure UFW.
If you changed the SSH port in an earlier step, you might want to create a new UFW rule for that port.
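As an added example (my own, not from the DigitalOcean tutorial or the ufw project), the script below builds the minimal UFW rule set in the order that will not lock you out, and checks a saved `ufw status` listing for the SSH rule before the firewall is enabled. The port number is a parameter (22 unless you changed it); the HTTP/HTTPS rules are an assumption for a web server and can be dropped.

```sh
#!/bin/sh
# Added example (not from the original post): plan and apply a UFW rule set
# that allows SSH before enabling the firewall, and verify the SSH rule.

# Print the commands in the order they must run. SSH is allowed (rate limited)
# BEFORE `ufw enable`: with "default deny incoming" active first, the session
# you are working from would be cut off.
ufw_plan() {
    port="${1:-22}"
    cat <<EOF
ufw default deny incoming
ufw default allow outgoing
ufw limit $port/tcp comment 'SSH, rate limited against brute force'
ufw allow 80/tcp comment 'HTTP (only if you host a web server)'
ufw allow 443/tcp comment 'HTTPS (only if you host a web server)'
ufw --force enable
EOF
}

# Apply the plan for port $1 (needs root). Not run automatically.
apply_ufw_plan() {
    ufw_plan "$1" | while IFS= read -r cmd; do
        echo "+ $cmd"
        sh -c "$cmd"
    done
}

# Given the output of `ufw status` saved in file $1, return 0 when $2/tcp is
# allowed or rate limited, i.e. the SSH rule exists and enabling is safe.
ssh_port_allowed() {
    awk -v p="$2/tcp" '
        $1 == p && ($2 == "ALLOW" || $2 == "LIMIT") { ok = 1 }
        END { exit !ok }
    ' "$1"
}
```

Usage: `ufw_plan 2222` shows the commands; `sudo sh -c '. ./ufw.sh; apply_ufw_plan 2222'` runs them; afterwards `sudo ufw status > /tmp/ufw.txt && ssh_port_allowed /tmp/ufw.txt 2222 && echo ok` confirms the SSH rule is in place. `limit` instead of `allow` makes UFW drop connections from an address that opens more than 6 in 30 seconds, which complements Fail2Ban for SSH.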
Fail2Ban protects you from brute-force attacks. It bans bad actors from accessing the server for a specified amount of time.
Learn how to install and configure Fail2Ban with this tutorial on Linuxize.
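As an added example (my own, not from the Linuxize tutorial or the Fail2Ban project), the script below writes a jail.local that enables the sshd jail on your SSH port, and reproduces on a few constructed auth.log lines the per-IP counting Fail2Ban does before it bans. The port, thresholds and log lines are assumed values; the IP addresses are documentation ranges, not real hosts.

```sh
#!/bin/sh
# Added example (not from the original post): Fail2Ban jail.local generator
# plus a small reproduction of its failure counting on sample log lines.

# Write jail.local into directory $1 with the sshd jail on port $2.
# Drop it into /etc/fail2ban/ once reviewed; jail.local overrides jail.conf.
write_fail2ban_jail() {
    out_dir="$1"
    port="${2:-ssh}"
    mkdir -p "$out_dir"
    cat > "$out_dir/jail.local" <<EOF
[DEFAULT]
# Never ban loopback; add your own management addresses here.
ignoreip = 127.0.0.1/8 ::1
bantime  = 1h
findtime = 10m
maxretry = 5

[sshd]
enabled = true
port    = $port
EOF
}

# Constructed sample of /var/log/auth.log lines (not real traffic):
# five failures from 203.0.113.5, two from 198.51.100.7, one success.
sample_auth_log() {
    cat <<'EOF'
Mar  1 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 50001 ssh2
Mar  1 10:00:03 host sshd[1202]: Failed password for root from 203.0.113.5 port 50002 ssh2
Mar  1 10:00:04 host sshd[1203]: Failed password for deploy from 198.51.100.7 port 41000 ssh2
Mar  1 10:00:05 host sshd[1204]: Failed password for invalid user test from 203.0.113.5 port 50003 ssh2
Mar  1 10:00:07 host sshd[1205]: Failed password for invalid user oracle from 203.0.113.5 port 50004 ssh2
Mar  1 10:00:08 host sshd[1206]: Accepted publickey for deploy from 198.51.100.7 port 41001 ssh2
Mar  1 10:00:09 host sshd[1207]: Failed password for deploy from 198.51.100.7 port 41002 ssh2
Mar  1 10:00:10 host sshd[1208]: Failed password for root from 203.0.113.5 port 50005 ssh2
EOF
}

# Count "Failed password" lines per source IP in log file $1 and print the
# addresses that reached $2 failures, the decision the sshd filter plus
# maxretry makes (the findtime window is omitted, it needs live timestamps).
offending_ips() {
    awk -v max="$2" '
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
        }
        END { for (ip in n) if (n[ip] >= max) print ip }
    ' "$1" | sort
}

# Demonstration on the constructed lines; prints 203.0.113.5 only.
tmp=$(mktemp)
sample_auth_log > "$tmp"
offending_ips "$tmp" 5
rm -f "$tmp"
```

After installing the real jail.local, `sudo fail2ban-client status sshd` lists the currently banned addresses and the total failures seen, which is the quickest way to confirm the jail is reading the right log and port.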
These are some quick, specific guides that you should keep in mind if you use any of the following software.
Nginx has various configuration files. Its defaults are pretty good, but you might want to take a look at them.
Use this tutorial on Acunetix as a starting point.
There is also this pretty nifty tool by DigitalOcean that allows you to configure Nginx in a visual manner. It includes popular presets, for example for NodeJS and PHP applications.
Apache might require more work, as its defaults leak some information about your system.
Start your configuration journey with this tutorial by Tecmint.
I have used MySQL and MariaDB in the past; by default their ports are opened externally, which shouldn't be allowed, as it is a security risk.
The database should only accept local connections, or, if it must be reached externally, connections from whitelisted IPs only.
- Learn how to configure MySQL with this tutorial on DigitalOcean.
- Learn how to configure MariaDB with this tutorial on DigitalOcean.
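As an added example (my own, not from either DigitalOcean tutorial or the MySQL/MariaDB projects), the script below writes a server drop-in that binds the database to localhost and checks a saved `ss -ltn` listing for a 3306 listener exposed on all interfaces. Assumptions: the output directory is a parameter (on Ubuntu, MySQL reads /etc/mysql/mysql.conf.d/ and MariaDB /etc/mysql/mariadb.conf.d/, and both read /etc/mysql/conf.d/); the listing is a constructed sample.

```sh
#!/bin/sh
# Added example (not from the original post): restrict MySQL/MariaDB to
# local connections and detect an externally exposed listener.

# Write a [mysqld] drop-in into directory $1 that listens on loopback only.
# Use "skip-networking" instead if only Unix-socket clients are needed.
write_db_bind_local() {
    out_dir="$1"
    mkdir -p "$out_dir"
    cat > "$out_dir/99-bind-local.cnf" <<'EOF'
[mysqld]
# Added example: accept TCP connections from this host only.
bind-address = 127.0.0.1
EOF
}

# Constructed sample of `ss -ltn` output showing an exposed 3306 listener.
sample_listeners_exposed() {
    cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     127.0.0.1:6379      0.0.0.0:*
LISTEN  0       80      0.0.0.0:3306        0.0.0.0:*
LISTEN  0       128     [::]:22             [::]:*
EOF
}

# Given an `ss -ltn` listing in file $1, return 0 when port $2 is bound to a
# wildcard address (0.0.0.0, * or [::]), i.e. reachable from outside.
db_port_exposed() {
    awk -v want="$2" '
        $1 == "LISTEN" {
            n = split($4, a, ":")
            port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (port == want && (addr == "0.0.0.0" || addr == "*" || addr == "[::]"))
                exposed = 1
        }
        END { exit !exposed }
    ' "$1"
}
```

On the real server: `write_db_bind_local /tmp/db-review`, copy the file into the server's conf.d directory, restart the service, then `ss -ltn > /tmp/ss.txt; db_port_exposed /tmp/ss.txt 3306 && echo EXPOSED`. If an external client is unavoidable, bind to the server's private address instead of 127.0.0.1 and add a UFW rule for that client only, for example `ufw allow from 203.0.113.10 to any port 3306 proto tcp` (203.0.113.10 being a placeholder address).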
Now that you have your own secure infrastructure, you might want to create applications and services.
Dokku is perfect for that. It allows you to containerize, build and run your applications with a simple
Check out my own tutorial to learn how to set up and use Dokku.
There are some parts that you might want to skip, as they are similar to this tutorial.
- How to get a free Google server forever, a perfect test environment for this tutorial.
- How to get 2x Oracle Cloud servers free forever, a more powerful alternative to the free GCE server.
- Create your own Heroku with Dokku on DigitalOcean, a guide to deploy your applications to your now-secure server.
If you have found this tutorial useful then you should follow me, I will be posting more interesting content! :')
Or support me financially. <3
- Any linked website and community for their wonderful tutorials and help
Top comments (2)
Would be worth using a security auditing tool like cisofy.com/lynis/. You'll be surprised how insecure Ubuntu is just out-of-the-box.
Lynis sounds like a wonderful tool, I'll try it!