Digital Ocean - steps

Initial Server Setup with Ubuntu 16.04

https://www.digitalocean.com/community/tutorials/initial-server-setup-with-ubuntu-16-04

https://www.digitalocean.com/community/tutorials/additional-recommended-steps-for-new-ubuntu-14-04-servers

Purpose: To increase the security and usability of your server.

You need the IP address of your server and the password.

1. Create a New User to avoid using ROOT every day

ROOT is too powerful to use every day.

$ ssh root@your_server_ip # log in as root

$ adduser UserName
$ usermod -aG sudo UserName # add user to sudo group

2. Add Public Key Authentication

Set up public key authentication for your new user.

# run on your local machine; copies your public key to the server
$ ssh-copy-id UserName@your_server_ip

3. Disable Password Authentication

The new user can then log in only with SSH keys, not a password.

$ sudo nano /etc/ssh/sshd_config
# in `sshd_config`
PasswordAuthentication no
# The following lines are also needed, but they should already be set by default.
PubkeyAuthentication yes
ChallengeResponseAuthentication no

4. Test

Test it before you log out!!!

Open a new terminal and try to log in again.

$ ssh UserName@your_server_ip
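
A check for the step 3 edit that can be run before the step 4 login test. This is an added example, not part of the original notes or the linked tutorials. It assumes whitespace-separated `Keyword value` lines and a default of `yes` for any of the three keywords left unset; the sample files and the user name `deploy` are constructed.

```shell
#!/bin/sh
# Added example (not from the original notes): audit the step-3 settings.

# effective_sshd_option FILE KEYWORD
# Prints the value in effect for the global section of FILE. Keywords are
# case-insensitive, the first uncommented occurrence wins, and global
# settings end at the first Match block.
effective_sshd_option() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/             { next }                     # comment line
        tolower($1) == "match" { exit }                     # end of global section
        tolower($1) == key     { print tolower($2); exit }  # first value wins
    ' "$1"
}

# option_is FILE KEYWORD WANT DEFAULT: succeeds when the effective value
# (or DEFAULT, if the keyword is never set) equals WANT.
option_is() {
    val=$(effective_sshd_option "$1" "$2")
    [ "${val:-$4}" = "$3" ]
}

# key_only_login FILE: succeeds only if all three step-3 settings hold.
# Assumed default for each keyword when it is unset: yes.
key_only_login() {
    option_is "$1" PasswordAuthentication no yes &&
    option_is "$1" PubkeyAuthentication yes yes &&
    option_is "$1" ChallengeResponseAuthentication no yes
}

# Constructed sample files (not real server configs).
SAMPLES=$(mktemp -d)
printf '%s\n' 'PasswordAuthentication no' 'PubkeyAuthentication yes' \
    'ChallengeResponseAuthentication no' > "$SAMPLES/good"
# An earlier uncommented "yes" shadows the "no" appended at the bottom.
printf '%s\n' 'PasswordAuthentication yes' 'ChallengeResponseAuthentication no' \
    'PasswordAuthentication no' > "$SAMPLES/shadowed"
# The edit was left commented out, so the default applies.
printf '%s\n' '#PasswordAuthentication no' \
    'ChallengeResponseAuthentication no' > "$SAMPLES/commented"
# The setting exists only inside a Match block, not globally.
printf '%s\n' 'ChallengeResponseAuthentication no' 'Match User deploy' \
    '    PasswordAuthentication no' > "$SAMPLES/matchonly"

for f in good shadowed commented matchonly; do
    if key_only_login "$SAMPLES/$f"; then echo "$f: key-only login enforced"
    else echo "$f: password login still possible"; fi
done
```

On the server, point `key_only_login` at /etc/ssh/sshd_config. sshd reads that file only when it starts or reloads, so the running daemon must be reloaded before the step 4 login test reflects the change.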

5. Set Up a Basic Firewall

https://www.digitalocean.com/community/tutorials/how-to-setup-a-firewall-with-ufw-on-an-ubuntu-and-debian-cloud-server

Ubuntu 16.04 servers can use the UFW firewall to make sure only connections to certain services are allowed.

UFW (Uncomplicated Firewall) is a front-end to iptables.

The firewall denies traffic to every port except the ports/services you have approved.

# see a list of available application profiles
$ sudo ufw app list

# check status
$ sudo ufw status

# add service to ufw
$ sudo ufw allow OpenSSH
$ sudo ufw enable
# SSH - port 22
$ sudo ufw allow ssh
# conventional HTTP web server - port 80
$ sudo ufw allow 80/tcp
# web server with SSL/TLS enabled - port 443
$ sudo ufw allow 443/tcp
# SMTP email enabled - port 25
$ sudo ufw allow 25/tcp

# review your selections
$ sudo ufw show added

# If everything looks good, restart the firewall so it is enabled with these rules:
$ sudo ufw disable
$ sudo ufw enable

https://www.digitalocean.com/community/tutorials/ufw-essentials-common-firewall-rules-and-commands

When you need to restrict access by IP address:

$ sudo ufw allow from 192.168.255.255

6. Configure Timezones and Network Time Protocol

https://www.digitalocean.com/community/tutorials/how-to-set-up-time-synchronization-on-ubuntu-12-04

A server clock that is out of sync may begin to cause issues if the virtual server has to work with external machines.

  • Emails sent out from a misconfigured server may arrive 3 minutes in the past on another server.

  • Users granted access only at certain times of the day may find themselves blocked because of a time mismatch.

Servers can be synced using the NTP protocol.

  • ntp daemon: automatically and slowly shifts the server clock to match.

  • ntpdate: a command that automatically matches the time. Running ntpdate is not an action that should be taken regularly, but one time only.

# Configure Timezones
$ sudo dpkg-reconfigure tzdata
# Configure NTP Synchronization
$ sudo apt-get update
$ sudo apt-get install ntp

7. Create Swap

See the SWAP section.

8. Take a Snapshot of your Current Configuration

Case-by-case scenario.

SWAP

https://www.digitalocean.com/community/tutorials/how-to-add-swap-on-ubuntu-14-04

To increase the responsiveness of your server and guard against out-of-memory errors, add some swap space.

Swap = an area on a hard drive that can temporarily store data when RAM is no longer sufficient.

Use Swap on spinning HDs, not SSD. (SSD will be degraded by Swap.)

Check information

# shows system memory usage
$ free -m

# available space
$ df -h

Suggested swap space ≈ 1 to 2 × RAM

Create a Swap File

# allocate 4G for SWAP
$ sudo fallocate -l 4G /swapfile

# check status
$ ls -lh /swapfile # => -rw-r--r--

# the swap file should be accessible only by root
$ sudo chmod 600 /swapfile
$ ls -lh /swapfile # => -rw-------

# set up the swap space
$ sudo mkswap /swapfile

# enable SWAP
$ sudo swapon /swapfile

# check
$ free -m

Make the Swap File Permanent

...
