# Digital Ocean - steps

## Initial Server Setup with Ubuntu 16.04

<https://www.digitalocean.com/community/tutorials/initial-server-setup-with-ubuntu-16-04>

<https://www.digitalocean.com/community/tutorials/additional-recommended-steps-for-new-ubuntu-14-04-servers>

**Purpose**: To increase the **security** and **usability** of your server.

You need your server's IP address and password.

### 1. Create a New User to Avoid Using Root Every Day

The root account is too powerful for everyday use.

```
$ ssh root@your_server_ip # log in as root

$ adduser UserName
$ usermod -aG sudo UserName # add the user to the sudo group
```

### 2. Add Public Key Authentication

Set up public key authentication for your new user. Run this on your local machine, where the key pair lives:

```
$ ssh-copy-id UserName@your_server_ip
```

### 3. Disable Password Authentication

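After this change, the new user can **only** log in with SSH keys, **not** with a password. The change takes effect once the SSH daemon restarts or reloads its configuration.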

```
sudo nano /etc/ssh/sshd_config
```

```
# in `sshd_config`
PasswordAuthentication no
# the following lines are also needed, but they should already be set by default.
PubkeyAuthentication yes
ChallengeResponseAuthentication no
```
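
One way to check the result of the edit above, as an added example that is not part of the original notes: it reports the value sshd would actually use for each of the three keywords. The function names and sample files are constructed for illustration, and `Include` directives are not followed.

```shell
#!/bin/sh
# Added example: audit the three sshd_config settings from step 3.
# sshd keeps the FIRST value it reads for a keyword and matches keywords
# case-insensitively, so a later "PasswordAuthentication no" does not
# override an earlier "yes".

# Print the effective global value of KEYWORD in FILE, or DEFAULT if unset.
# Everything after the first "Match" line is conditional and is not read.
sshd_effective() {  # usage: sshd_effective FILE KEYWORD DEFAULT
    awk -v want="$2" -v def="$3" '
        BEGIN { want = tolower(want) }
        { sub(/[ \t]*=[ \t]*/, " ") }          # accept keyword=value too
        /^[ \t]*#/ || NF == 0 { next }         # comments and blank lines
        tolower($1) == "match" { exit }        # global section ends here
        tolower($1) == want { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# Return 0 only if FILE enforces key-only logins as in step 3.
# The DEFAULT arguments are OpenSSH's built-in defaults (assumption: no
# distribution patch changes them).
key_only_login() {  # usage: key_only_login FILE
    [ "$(sshd_effective "$1" PasswordAuthentication yes)" = no ] &&
    [ "$(sshd_effective "$1" ChallengeResponseAuthentication yes)" = no ] &&
    [ "$(sshd_effective "$1" PubkeyAuthentication yes)" = yes ]
}

# Constructed sample files, not taken from a real server.
tmp=$(mktemp -d)
printf '%s\n' '# hardened' 'PasswordAuthentication no' \
    'PubkeyAuthentication yes' 'ChallengeResponseAuthentication no' > "$tmp/good"
# Looks hardened at a glance, but the earlier lowercase "yes" wins.
printf '%s\n' 'passwordauthentication yes' 'ChallengeResponseAuthentication no' \
    'PasswordAuthentication no' > "$tmp/shadowed"
# The secure line is still commented out, so the default "yes" applies.
printf '%s\n' '#PasswordAuthentication no' \
    'ChallengeResponseAuthentication no' > "$tmp/commented"

for f in good shadowed commented; do
    if key_only_login "$tmp/$f"; then
        echo "$f: key-only login enforced"
    else
        echo "$f: password login still possible"
    fi
done
```

On the server, point `key_only_login` at `/etc/ssh/sshd_config`; `sudo sshd -t` checks the file for syntax errors before the daemon is reloaded.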

### 4. Test

**Test it before you log out!!!**

Keep the current session open, open a new terminal, and try to log in again.

```
$ ssh UserName@your_server_ip
```

### 5. Set Up a Basic Firewall

<https://www.digitalocean.com/community/tutorials/how-to-setup-a-firewall-with-ufw-on-an-ubuntu-and-debian-cloud-server>

Ubuntu 16.04 servers can use the **UFW firewall** to make sure **only connections to certain services are allowed**.

**UFW** (Uncomplicated Firewall) is a front end to iptables.

The firewall **denies traffic to every port** except for the ports/services you have approved.

```
# list the application profiles UFW knows about
$ sudo ufw app list

# check status
$ sudo ufw status

# allow SSH first, then enable the firewall
$ sudo ufw allow OpenSSH
$ sudo ufw enable
```

```
# SSH - port 22
$ sudo ufw allow ssh
# conventional HTTP web server - port 80
$ sudo ufw allow 80/tcp
# web server with SSL/TLS enabled - port 443
$ sudo ufw allow 443/tcp
# SMTP email enabled - port 25
$ sudo ufw allow 25/tcp

# review your selections
$ sudo ufw show added

# If everything looks good, enable the firewall (disable first so an already-running firewall reloads its rules):
$ sudo ufw disable
$ sudo ufw enable
```

<https://www.digitalocean.com/community/tutorials/ufw-essentials-common-firewall-rules-and-commands>

To allow traffic from a specific IP address: `sudo ufw allow from 192.168.255.255`.

### 6. Configure Timezones and Network Time Protocol

<https://www.digitalocean.com/community/tutorials/how-to-set-up-time-synchronization-on-ubuntu-12-04>

An inaccurate server clock can cause issues once the virtual server has to work with external machines.

* Emails sent out from a misconfigured server may arrive on another server with a timestamp that is 3 minutes off.
* Users who are granted access only at certain times of the day may find themselves blocked because of a time mismatch.

Servers can be synced using the NTP protocol.

* ntp daemon: automatically and slowly shifts the server clock to match.
* `ntpdate`: matches the time immediately. It should be run one time only, not regularly.

```
# Configure Timezones
$ sudo dpkg-reconfigure tzdata
```

```
# Configure NTP Synchronization
$ sudo apt-get update
$ sudo apt-get install ntp
```

### 7. Create Swap

See the SWAP section.

### 8. Take a Snapshot of your Current Configuration

Decide case by case.

## SWAP

<https://www.digitalocean.com/community/tutorials/how-to-add-swap-on-ubuntu-14-04>

Add some swap space to increase the **responsiveness** of your server and guard **against out-of-memory** errors.

Swap = an area on a **hard drive** that can **temporarily** store data when RAM is no longer sufficient.

Use swap on spinning hard drives, not SSDs. (Swap will degrade an SSD.)

### Check information

```
# shows system memory usage
$ free -m

# available space
$ df -h
```

Suggested swap space \~= `1 ~ 2 * RAM`

### Create a Swap File

```
# allocate 4G for SWAP
$ sudo fallocate -l 4G /swapfile

# check status
$ ls -lh /swapfile # => -rw-r--r--

# the swap file holds memory contents, so only root should be able to read or write it
$ sudo chmod 600 /swapfile
$ ls -lh /swapfile # => -rw-------

# set up the swap space
$ sudo mkswap /swapfile

# enable SWAP
$ sudo swapon /swapfile

# check
$ free -m
```

### Make the Swap File Permanent

...
