
Initial Ubuntu server setup


When deploying a fresh Ubuntu server (whether on a VPS, VM, or bare metal), it’s crucial to perform basic configuration and security hardening. This guide walks through the essentials: updating packages, installing a baseline set of utilities, configuring SSH and the firewall, setting up Fail2ban, and installing Docker.

Update and Upgrade Packages

sudo apt update && sudo apt upgrade -y

Install Essential Packages

When you spin up a new server, it helps to have a set of “must-have” utilities ready.

sudo apt install net-tools duf dnsutils htop pwgen unzip p7zip-full p7zip-rar lshw gnupg2 progress traceroute fail2ban software-properties-common

Here’s a quick rundown of what each package in our install command is for:

  • net-tools – old-school networking tools like ifconfig and netstat. Deprecated, but still handy when you need them.
  • duf – a modern disk usage tool that makes df and du look ancient. Clean tables, easy to read.
  • dnsutils – gives you dig, the go-to tool for checking DNS records.
  • htop – like top, but actually usable. Interactive, colorful, and shows what’s eating your CPU/RAM.
  • pwgen – quickly shows strong random passwords when you need one.
  • unzip – pretty self-explanatory: extracts .zip files.
  • p7zip-full / p7zip-rar – Supports many formats, including packing and unpacking of 7z, XZ, BZIP2, GZIP, TAR, and ZIP files.
  • lshw – spits out detailed info about your hardware: CPU, RAM, disks, etc.
  • gnupg2 – for encryption and signing. You’ll need it when verifying packages or handling GPG keys.
  • progress – neat little tool that shows progress bars for commands like cp or dd. Saves you from guessing.
  • traceroute – shows the path your packets take across the network. Handy for debugging weird routing issues.
  • software-properties-common – adds helpers like add-apt-repository, which makes managing repos a lot less painful.
  • fail2ban – security tool that helps protect against brute-force attacks by blocking the offending IP addresses after repeated failed logins.

Optional (useful for a VM in Proxmox):

sudo apt install qemu-guest-agent && sudo systemctl start qemu-guest-agent

SSH Configuration

Add Your SSH Key

nano ~/.ssh/authorized_keys

Note: permissions for sensitive SSH files must be restricted to the file owner. Specifically:

  • 700 for directories, including ~/.ssh
  • 600 for files, including ~/.ssh/authorized_keys

Otherwise, the system will simply not allow you to use them.
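An added helper (not part of the original guide) that audits a directory against exactly these two rules and repairs it when asked; it assumes GNU coreutils stat, as on Ubuntu, and skips *.pub files because public keys are not secret.

```bash
#!/usr/bin/env bash
# Audit and repair SSH permissions: 700 on the directory, 600 on every file
# inside it. Assumes GNU stat (Linux). Usage: ssh_perms_check "$HOME/.ssh"

ssh_perms_check() {
    local dir="$1" rc=0 mode f
    [ -d "$dir" ] || { echo "no such directory: $dir"; return 2; }
    mode=$(stat -c %a "$dir")
    if [ "$mode" != "700" ]; then
        echo "BAD  $dir mode $mode (want 700)"
        rc=1
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$f" in *.pub) continue ;; esac   # public key halves are not secret
        mode=$(stat -c %a "$f")
        if [ "$mode" != "600" ]; then
            echo "BAD  $f mode $mode (want 600)"
            rc=1
        fi
    done
    return "$rc"
}

ssh_perms_fix() {
    local dir="$1" f
    chmod 700 "$dir"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$f" in *.pub) continue ;; esac
        chmod 600 "$f"
    done
}

# Stand-alone run: audit the current user's ~/.ssh and report.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    ssh_perms_check "$HOME/.ssh" && echo "OK   $HOME/.ssh permissions are correct"
fi
```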

Basic security configuration

sudo nano /etc/ssh/sshd_config

Settings to change:

  • Disable access by password
  • Enable access by key
  • Change the port to a random one (in my case, 22060)

PasswordAuthentication no
PubkeyAuthentication yes
Port 22060
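One pitfall when editing sshd_config: sshd uses the first value it reads for each keyword, and Ubuntu's stock file starts with an Include of /etc/ssh/sshd_config.d/*.conf, so a drop-in there can silently win over a line added further down. The added helper below (not from the original guide, constructed config text) reports the first-match value; on the real server, `sudo sshd -T` prints the effective configuration after all includes.

```bash
#!/usr/bin/env bash
# Report the value sshd will actually use for a keyword: the FIRST
# occurrence in the config wins, later lines are ignored.

sshd_first_value() {
    # usage: sshd_first_value KEYWORD  < sshd_config   (keyword is case-insensitive)
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF < 2 { next }           # skip comments and blank lines
        tolower($1) == key { print $2; exit }   # first match wins
    '
}

sshd_check_hardened() {
    # Returns 0 only when the effective values match the settings above.
    local cfg="$1" rc=0 v
    v=$(printf '%s\n' "$cfg" | sshd_first_value PasswordAuthentication)
    [ "$v" = "no" ]  || { echo "PasswordAuthentication is '${v:-unset}', want no"; rc=1; }
    v=$(printf '%s\n' "$cfg" | sshd_first_value PubkeyAuthentication)
    [ "$v" = "yes" ] || { echo "PubkeyAuthentication is '${v:-unset}', want yes"; rc=1; }
    return "$rc"
}

# Constructed sshd_config text (not a real server's file): an early line
# re-enables passwords, so the hardening appended at the end has no effect.
SAMPLE_CONFIG='Include /etc/ssh/sshd_config.d/*.conf
PasswordAuthentication yes
PubkeyAuthentication yes
Port 22060
# hardening added later in the file
PasswordAuthentication no'

sshd_check_hardened "$SAMPLE_CONFIG" || echo "effective config is NOT hardened"
```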

Restart service

sudo systemctl restart ssh

Allow new SSH port

sudo ufw allow 22060

Fail2ban setup

The /etc/fail2ban directory is the primary location for Fail2Ban configuration files and logs. This directory contains several subdirectories and files that are essential for Fail2Ban’s functionality.

Here’s a breakdown of the key components:

  • action.d: This directory contains action scripts that Fail2Ban uses to ban IP addresses. These scripts are specific to the firewall or service being used (e.g., iptables, ufw, nftables).
  • filter.d: This directory contains filter configuration files that define how Fail2Ban identifies and bans IP addresses. These filters are specific to the service being monitored (e.g., SSH, HTTP, FTP).
  • jail.d: This directory contains jail configuration files that define the specific services Fail2Ban monitors and the rules for banning IP addresses.
  • paths-arch.conf, paths-common.conf, paths-debian.conf, paths-opensuse.conf: These files contain paths specific to different Linux distributions.
  • fail2ban.conf: This is the main configuration file for Fail2Ban, which contains global settings and options.
  • jail.conf: This file contains the default jail configurations for various services.
  • jail.local: This file is used to override the default jail configurations. It is recommended to create a jail.local file to ease upgrades and make customizations.
  • fail2ban.log: This is the main log file for Fail2Ban, where it records its actions and events.

Fail2ban comes with default configuration files that you can customize according to your needs. The main configuration file is located at /etc/fail2ban/jail.conf. However, it is recommended to create a local copy (/etc/fail2ban/jail.local) to prevent your changes from being overwritten during updates.

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Open the local configuration file

sudo nano /etc/fail2ban/jail.local

In the configuration file, locate the [sshd] section (the jail name used by the fail2ban-client commands below), uncomment the lines and modify the values to adjust Fail2ban’s behavior as shown.

  • maxretry: This defines the maximum number of failed login attempts before an IP address is banned.
  • findtime: This sets the time window within which the maxretry attempts must occur to trigger a ban.
  • bantime: This defines the duration for which an IP address is banned after exceeding the maxretry attempt.

Example configuration (modify as needed):

[sshd]
enabled = true
maxretry = 3
findtime = 10
bantime = 4h

In this example, the jail is enabled, the maximum retry attempts are set to 3 within a 10-second window, and banned IPs are blocked for 4 hours.
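To see what these three knobs actually do, here is an added simplified model of the jail logic (not fail2ban code, and not from the original guide) run over a constructed sshd log excerpt; it shows that a 10-second findtime catches a fast burst but lets a slow, spaced-out guessing attempt through that fail2ban's default 10m window would ban.

```bash
#!/usr/bin/env bash
# Simplified fail2ban jail model: an IP is banned once maxretry failures fall
# inside a findtime-second window. Real fail2ban parses dates and the regexes
# in filter.d; this uses HH:MM:SS-prefixed lines so it runs with POSIX awk.

f2b_simulate() {
    # usage: f2b_simulate MAXRETRY FINDTIME_SECONDS  < log ; prints banned IPs
    awk -v maxretry="$1" -v findtime="$2" '
        /Failed password .* from / {
            split($1, t, ":"); ts = t[1] * 3600 + t[2] * 60 + t[3]
            ip = ""
            for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip == "" || ip in banned) next
            n[ip]++; seen[ip, n[ip]] = ts
            hits = 0                        # failures still inside the window
            for (j = 1; j <= n[ip]; j++) if (ts - seen[ip, j] <= findtime) hits++
            if (hits >= maxretry) { banned[ip] = 1; print ip }
        }'
}

# Constructed log excerpt (documentation-range addresses, not real traffic):
# one fast burst and one slow, spaced-out attempt against the same server.
SAMPLE_LOG='10:00:01 Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
10:00:03 Failed password for invalid user admin from 203.0.113.5 port 40130 ssh2
10:00:06 Failed password for root from 203.0.113.5 port 40141 ssh2
10:00:10 Failed password for alice from 198.51.100.7 port 51000 ssh2
10:00:30 Failed password for alice from 198.51.100.7 port 51002 ssh2
10:00:55 Failed password for alice from 198.51.100.7 port 51004 ssh2
10:01:00 Accepted publickey for alice from 198.51.100.7 port 51006 ssh2'

echo "maxretry=3 findtime=10 (the values in the example above):"
printf '%s\n' "$SAMPLE_LOG" | f2b_simulate 3 10
echo "maxretry=3 findtime=600 (fail2ban's default 10m window):"
printf '%s\n' "$SAMPLE_LOG" | f2b_simulate 3 600
```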

After making your desired changes, save the file and restart the Fail2ban service for the new configuration to take effect.

sudo systemctl restart fail2ban
sudo systemctl enable fail2ban
sudo systemctl status fail2ban

To verify the status of the SSH jail and check whether an IP address has been banned, run:

sudo fail2ban-client status sshd

If you need to unban the IP address, use the following command.

sudo fail2ban-client set sshd unbanip 192.168.122.1

Docker setup

Set up Docker’s apt repository.

# Add Docker's official GPG key:
sudo apt-get update
sudo apt-get install ca-certificates curl
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc

# Add the repository to Apt sources:
echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
  $(. /etc/os-release && echo "${UBUNTU_CODENAME:-$VERSION_CODENAME}") stable" | \
  sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update

Install the Docker packages.

sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

Verify

Verify that the installation is successful by running the hello-world image:

sudo docker run hello-world

This command downloads a test image and runs it in a container. When the container runs, it prints a confirmation message and exits.

(Optional) Manage Docker as a non-root user

To create the docker group and add your user:

  1. Create the docker group.

     sudo groupadd docker

  2. Add your user to the docker group.

     sudo usermod -aG docker $USER

  3. Log out and log back in so that your group membership is re-evaluated.

     If you’re running Linux in a virtual machine, it may be necessary to restart the virtual machine for changes to take effect.

You can also run the following command to activate the changes to groups:

newgrp docker