Server Setup

Harden and configure a fresh Ubuntu 20.04+ server, from first login to a production-ready state.

Contents

  1. Initial Login & Update
  2. Create a Non-Root User
  3. SSH Hardening
  4. Configure UFW Firewall
  5. Install Fail2Ban
  6. Enable Unattended Upgrades
  7. Add Swap Space (Optional)

Initial Login & Update

After provisioning, SSH in as root and perform a full system update before anything else.

# Update package list and upgrade all packages
apt update && apt upgrade -y

# Set your timezone
timedatectl set-timezone America/New_York

Create a Non-Root User

Never operate a production server as root. Create a dedicated admin user.

# Create a new user
adduser craig

# Add to sudo group
usermod -aG sudo craig

# Switch to the new user
su - craig

SSH Hardening

Disable password authentication and root login to lock down SSH access.

# Copy your public key to the server (run from your local machine)
ssh-copy-id craig@your.server.ip

# Then on the server, edit sshd_config
sudo nano /etc/ssh/sshd_config

Set these values:

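PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
# optional: change default port
Port 2222

Then restart SSH to apply the changes. Keep your current session open until a key-based login succeeds from a second terminal.

sudo systemctl restart ssh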
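
To confirm that the values set above are the ones sshd actually uses, check the effective configuration printed by sshd -T: Ubuntu's default sshd_config includes /etc/ssh/sshd_config.d/*.conf at the top, and sshd keeps the first value it reads for each keyword. This is an added example, not part of the original guide; the helper name and the sample inputs are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original guide): check the EFFECTIVE sshd
# settings. Reads `sshd -T` style "keyword value" lines on stdin.
# $1 = expected port (2222 as in this guide; pass 22 if you kept the default).
check_sshd_effective() {   # hypothetical helper name
    awk -v port="${1:-2222}" '
        BEGIN {
            bad = 0
            want["permitrootlogin"] = "no"
            want["passwordauthentication"] = "no"
            want["pubkeyauthentication"] = "yes"
            want["port"] = port
        }
        { key = tolower($1) }
        key in want {
            seen[key] = 1
            if ($2 != want[key]) {
                printf "FAIL %s is %s, expected %s\n", key, $2, want[key]
                bad = 1
            }
        }
        END {
            for (k in want)
                if (!(k in seen)) { printf "FAIL %s not reported\n", k; bad = 1 }
            exit bad
        }'
}

# Constructed sample: output after the edits took effect.
SAMPLE_HARDENED='port 2222
permitrootlogin no
pubkeyauthentication yes
passwordauthentication no'

# Constructed sample: sshd_config was edited, but an earlier drop-in still
# enables passwords, so the effective value is "yes".
SAMPLE_OVERRIDDEN='port 2222
permitrootlogin no
pubkeyauthentication yes
passwordauthentication yes'

printf '%s\n' "$SAMPLE_HARDENED" | check_sshd_effective 2222 && echo "hardened sample: OK"
printf '%s\n' "$SAMPLE_OVERRIDDEN" | check_sshd_effective 2222 || echo "overridden sample: rejected"

# On the server (syntax check first, then effective values):
#   sudo sshd -t && sudo sshd -T | check_sshd_effective 2222
```

A second port line in the real output (for example port 22 alongside port 2222) is reported as a failure, because sshd would still be listening on it.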

Configure UFW Firewall

sudo ufw allow 2222/tcp   # or 22 if you kept the default SSH port
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable
sudo ufw status

Install Fail2Ban

Automatically ban IPs that repeatedly fail to authenticate.

sudo apt install -y fail2ban
sudo systemctl enable --now fail2ban

# Check banned IPs
sudo fail2ban-client status sshd

Enable Unattended Upgrades

sudo apt install -y unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades

Add Swap Space (Optional)

Recommended for servers with less than 2 GB of RAM.

sudo fallocate -l 2G /swapfile
sudo chmod 600 /swapfile
sudo mkswap /swapfile
sudo swapon /swapfile

# Make permanent
echo '/swapfile none swap sw 0 0' | sudo tee -a /etc/fstab