Purpose: to increase the security and usability of your server.
You need the IP address of your server and the root password.
1. Create a New User to avoid using ROOT every day
ROOT is too powerful to use every day.
$ ssh root@your_server_ip   # log in as root
$ adduser UserName
$ usermod -aG sudo UserName   # add the user to the sudo group
2. Add Public Key Authentication
Set up public key authentication for your new user (run this from your local machine, where the key pair lives).
$ ssh-copy-id UserName@your_server_ip
3. Disable Password Authentication
The new user can then only log in with SSH keys, not with a password.
$ sudo nano /etc/ssh/sshd_config
# in `sshd_config`
PasswordAuthentication no
# the following lines are also needed, but they should already be the defaults.
PubkeyAuthentication yes
ChallengeResponseAuthentication no
The change only takes effect after the SSH service is reloaded.
4. Test
Test it before you log out!!!
Open a new terminal and try to log in again; keep the root session open until the new login works.
$ ssh UserName@your_server_ip
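Steps 1 to 4 as one script, added here as an example (it is not part of the original notes). It assumes a Debian/Ubuntu host with a `sudo` group and GNU sed; `harden_ssh_access` is a hypothetical wrapper name, and the user name and key path are placeholders. The sshd_config edit is done by a small function that you can exercise on a scratch copy without root, and the real apply path refuses to reload sshd when `sshd -t` reports a broken config, which is the failure that locks you out of the box.

```shell
#!/bin/sh
# Added example, not from the original notes. Assumes Debian/Ubuntu (sudo group,
# "ssh" systemd unit) and GNU sed. harden_ssh_access is a hypothetical name.
set -eu

# set_sshd_option FILE KEY VALUE
# Rewrite every active or commented "KEY ..." line in FILE to "KEY VALUE", or
# append the directive if FILE has no such line. Keeps a backup at FILE.bak.
set_sshd_option() {
    file=$1; key=$2; value=$3
    cp "$file" "$file.bak"
    if grep -Eq "^[#[:space:]]*$key[[:space:]]" "$file"; then
        sed -i -E "s|^[#[:space:]]*$key[[:space:]].*|$key $value|" "$file"
    else
        printf '%s %s\n' "$key" "$value" >>"$file"
    fi
}

# get_sshd_option FILE KEY -> prints the effective value (sshd uses the first
# uncommented match; commented lines start with "#" and never match here)
get_sshd_option() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# harden_ssh_access USER PUBKEY_FILE   (run as root on the server)
harden_ssh_access() {
    user=$1; pubkey=$2
    id "$user" >/dev/null 2>&1 || adduser "$user"      # interactive, sets the sudo password
    usermod -aG sudo "$user"
    home=$(getent passwd "$user" | cut -d: -f6)
    install -d -m 700 -o "$user" -g "$user" "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    # append the key only once, so re-running the script stays idempotent
    grep -qxF "$(cat "$pubkey")" "$home/.ssh/authorized_keys" \
        || cat "$pubkey" >>"$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
    chown "$user:$user" "$home/.ssh/authorized_keys"
    set_sshd_option /etc/ssh/sshd_config PasswordAuthentication no
    set_sshd_option /etc/ssh/sshd_config PubkeyAuthentication yes
    set_sshd_option /etc/ssh/sshd_config ChallengeResponseAuthentication no
    # a syntax error in sshd_config would stop sshd from reloading: check first
    sshd -t
    systemctl reload ssh
    echo "Now test from a SECOND terminal before closing this one: ssh $user@server"
}

# Demo on a constructed scratch copy of sshd_config (no root needed).
demo_sshd_edit() {
    tmp=$(mktemp)
    printf '#PasswordAuthentication yes\nPubkeyAuthentication yes\nUsePAM yes\n' >"$tmp"
    set_sshd_option "$tmp" PasswordAuthentication no
    set_sshd_option "$tmp" ChallengeResponseAuthentication no
    printf 'PasswordAuthentication=%s ChallengeResponseAuthentication=%s\n' \
        "$(get_sshd_option "$tmp" PasswordAuthentication)" \
        "$(get_sshd_option "$tmp" ChallengeResponseAuthentication)"
    rm -f "$tmp" "$tmp.bak"
}
demo_sshd_edit
```

On the server you would call `harden_ssh_access UserName /root/UserName.pub` as root and then do step 4 from a second terminal; the backup at `/etc/ssh/sshd_config.bak` is what you restore from the still-open root session if that test fails.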
5. Set Up a Basic Firewall
Ubuntu 16.04 servers can use the UFW firewall to make sure only connections to certain services are allowed.
UFW (Uncomplicated Firewall) is a front-end to iptables.
The firewall denies traffic on every port except the ports/services you have approved.
# list the application profiles ufw knows about
$ sudo ufw app list
# check status
$ sudo ufw status
# allow a service in ufw (add the SSH rule BEFORE enabling, or you lock yourself out)
$ sudo ufw allow OpenSSH
$ sudo ufw enable
# SSH - port 22
$ sudo ufw allow ssh
# conventional HTTP web server - port 80
$ sudo ufw allow 80/tcp
# web server with SSL/TLS enabled - port 443
$ sudo ufw allow 443/tcp
# SMTP email enabled - port 25
$ sudo ufw allow 25/tcp
# review your selections
$ sudo ufw show added
# If everything looks good, enable the firewall (disable then enable reloads the rule set):
$ sudo ufw disable
$ sudo ufw enable
When you need to restrict a rule to a source IP address:
$ sudo ufw allow from 192.168.255.255
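The one firewall mistake that costs a remote session is enabling ufw before an SSH rule is queued. The guard below is an added example (not from the original notes): it reads the output of `sudo ufw show added` and only succeeds when some rule permits SSH, so it can gate `ufw enable`. It assumes the `ufw show added` format of Ubuntu 16.04 (one `ufw allow ...` line per rule after a header line); `safe_ufw_enable` is a hypothetical name, and the sample rule listings are constructed.

```shell
#!/bin/sh
# Added example, not from the original notes. Assumes "ufw show added" prints
# one "ufw allow ..." line per queued rule. safe_ufw_enable is a hypothetical name.
set -eu

# ssh_rule_present RULES_TEXT -> exit 0 if any queued allow rule covers SSH:
# port 22 (with or without /tcp), the "ssh" service name, the OpenSSH profile,
# or a "from <ip> to any port 22" style rule. "ufw allow 2222/tcp" does not count.
ssh_rule_present() {
    printf '%s\n' "$1" \
        | grep -Eiq '^ufw allow ([^ ]+ )*(22(/tcp)?|ssh|OpenSSH)( |$)'
}

# safe_ufw_enable: reads "ufw show added" output on stdin; succeeds only when
# an SSH rule is queued. Usage on a server:
#   sudo ufw show added | safe_ufw_enable && sudo ufw enable
safe_ufw_enable() {
    rules=$(cat)
    if ssh_rule_present "$rules"; then
        echo "SSH allow rule found; safe to enable ufw"
        return 0
    fi
    echo "no SSH allow rule queued; run 'sudo ufw allow OpenSSH' first" >&2
    return 1
}

# Constructed sample listings (what "sudo ufw show added" prints).
GOOD_RULES="Added user rules (see 'ufw status' for running firewall):
ufw allow OpenSSH
ufw allow 80/tcp
ufw allow 443/tcp"
BAD_RULES="Added user rules (see 'ufw status' for running firewall):
ufw allow 80/tcp
ufw allow 2222/tcp
ufw allow 443/tcp"

printf '%s\n' "$GOOD_RULES" | safe_ufw_enable || echo "(would NOT enable)"
printf '%s\n' "$BAD_RULES" | safe_ufw_enable || echo "(would NOT enable)"
```

Wire it in as `sudo ufw show added | safe_ufw_enable && sudo ufw enable`; if you rewrote the SSH rule with a `from` restriction, make sure the address you are connecting from is the one in the rule before enabling.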
6. Configure Timezones and Network Time Protocol
A wrong clock starts to cause issues as soon as the virtual server has to work with external machines.
Emails sent from a misconfigured server may arrive with a timestamp 3 minutes off on another machine.
Users granted access only at certain times of the day may find themselves blocked because of a time mismatch.
Servers can be synced using the NTP protocol.
ntp daemon: automatically and slowly shifts the server clock until it matches.
ntpdate: sets the time immediately in one step. ntpdate is not an action that should be taken regularly, but one time only.
7. Add Swap Space
To increase the responsiveness of your server and guard against out-of-memory errors, add some swap space.
Swap is an area on a hard disk that temporarily stores data when RAM is no longer sufficient.
Use swap on spinning HDs, not SSDs (swap wears out an SSD).
Check information
# shows system memory usage
$ free -m
# available space
$ df -h
Suggested swap space: roughly 1 to 2 times the RAM.
Create a Swap File
# allocate 4G for SWAP
$ sudo fallocate -l 4G /swapfile
# check status
$ ls -lh /swapfile # => -rw-r--r--
# the swap file must be readable and writable by root only (it holds memory contents)
$ sudo chmod 600 /swapfile
$ ls -lh /swapfile # => -rw-------
# set up the swap space
$ sudo mkswap /swapfile
# enable SWAP
$ sudo swapon /swapfile
# check
$ free -m
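The chmod 600 step above is the security-relevant one: a world-readable swap file exposes whatever was paged out of RAM, including passwords and keys. The script below is an added example (not from the original notes) that performs the swap-file steps and refuses to run `swapon` unless the file is owned by root and mode 0600; it also persists the file in `/etc/fstab`, which the notes do not cover. It assumes Linux with GNU coreutils (`stat -c`); `create_swapfile` is a hypothetical name and `/swapfile 4G` are the values from the notes. The permission checks can be exercised on a scratch file without root.

```shell
#!/bin/sh
# Added example, not from the original notes. Assumes Linux + GNU coreutils.
# create_swapfile is a hypothetical name; the fstab line is an addition.
set -eu

# swapfile_private PATH -> exit 0 only if PATH is a regular file with mode 0600
swapfile_private() {
    [ -f "$1" ] || return 1
    [ "$(stat -c '%a' "$1")" = "600" ]
}

# swapfile_root_owned PATH -> exit 0 only if PATH is owned by uid 0
swapfile_root_owned() {
    [ -f "$1" ] || return 1
    [ "$(stat -c '%u' "$1")" = "0" ]
}

# create_swapfile PATH SIZE   e.g. create_swapfile /swapfile 4G   (run as root)
create_swapfile() {
    path=$1; size=$2
    if [ -e "$path" ]; then
        echo "$path already exists; refusing to overwrite" >&2
        return 1
    fi
    fallocate -l "$size" "$path"
    chmod 600 "$path"
    chown root:root "$path"
    # never activate a swap file other users could read
    if ! swapfile_private "$path" || ! swapfile_root_owned "$path"; then
        echo "refusing to activate $path: not root-only (mode $(stat -c '%a' "$path"))" >&2
        rm -f "$path"
        return 1
    fi
    mkswap "$path"
    swapon "$path"
    # make it survive a reboot (not in the original notes); add the line only once
    grep -q "^$path " /etc/fstab || echo "$path none swap sw 0 0" >>/etc/fstab
    free -m
}

# Demo of the permission checks on a constructed scratch file (no root needed).
demo_swap_checks() {
    tmp=$(mktemp)
    chmod 644 "$tmp"
    if swapfile_private "$tmp"; then a=private; else a=exposed; fi
    chmod 600 "$tmp"
    if swapfile_private "$tmp"; then b=private; else b=exposed; fi
    rm -f "$tmp"
    printf 'mode 644: %s, mode 600: %s\n' "$a" "$b"
}
demo_swap_checks
```

Run `create_swapfile /swapfile 4G` as root on a server with a spinning disk; the final `free -m` shows the new swap total, matching the manual check at the end of the notes.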