Ubuntu Server Setup: What to Do in the First 10 Minutes

2024-12-12 · 5 min read

Got a fresh Ubuntu server? Great. But before you do anything fun, let’s lock it down. Here's a quick, no-nonsense guide to make your server secure and keep the bad guys out.

1. Create a Non-Root User and Transfer SSH Keys

Why? Root is a hacker's playground. If they get in, they own your server. Creating a non-root user adds a layer of protection.

On your local machine, generate a new SSH key (if you don't have one already). You will be prompted for the file location, which I generally leave at the default, and for a passphrase:

ssh-keygen

Next, on your newly set up server, create a new user that you will log in as:

sudo adduser your_username
sudo usermod -aG sudo your_username

Transfer your SSH key to the new user so you can log in securely:

ssh-copy-id your_username@your_server_ip

Test it to make sure it works:

ssh your_username@your_server_ip

2. Disable Root Login and Password Authentication

Why? No password = no brute-force attacks. No root login = less risk.

Before proceeding, check this video on how to use nano: https://youtu.be/DLeATFgGM-A

Edit the SSH config file:

sudo nano /etc/ssh/sshd_config

Find these lines and set them like this:

PermitRootLogin no
PasswordAuthentication no

Restart SSH to lock it in:

sudo systemctl restart ssh
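
The edit in this step only takes effect if no earlier directive wins: sshd keeps the first value it reads for each keyword, and an `Include` near the top of `sshd_config` pulls drop-in files in ahead of your own lines. The script below is an added example, not part of the original guide. It resolves a keyword that way over constructed sample files; the drop-in name `50-provider.conf` and the functions `effective_option` and `make_sample` are hypothetical, and `Match` blocks are not evaluated.

```shell
#!/bin/sh
# Added example: find the value sshd would use for one keyword, given that
# the FIRST occurrence wins and Include is expanded where it appears.

# effective_option FILE KEYWORD -> prints the first value set; returns 1 if unset
effective_option() {
    local file="$1" want key val inc
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')      # keywords are case-insensitive
    while read -r key val; do
        key=$(printf '%s' "$key" | tr 'A-Z' 'a-z')
        case $key in
            ''|'#'*) continue ;;                   # blank line or comment
            match) break ;;                        # what follows is conditional; not evaluated here
            include)
                for inc in $val; do                # unquoted on purpose: expand the glob, sorted
                    [ -f "$inc" ] || continue
                    effective_option "$inc" "$want" && return 0
                done ;;
            "$want")
                printf '%s\n' "$val"
                return 0 ;;
        esac
    done < "$file"
    return 1
}

# make_sample DIR -> writes constructed config files (not from a real server)
make_sample() {
    mkdir -p "$1/sshd_config.d"
    # Main file: Include first, then the two lines this guide tells you to set.
    printf 'Include %s/sshd_config.d/*.conf\nPermitRootLogin no\nPasswordAuthentication no\n' \
        "$1" > "$1/sshd_config"
    # Hypothetical drop-in left behind by an image or provisioning tool.
    printf 'PasswordAuthentication yes\n' > "$1/sshd_config.d/50-provider.conf"
}

tmp=$(mktemp -d)
make_sample "$tmp"
for opt in PermitRootLogin PasswordAuthentication; do
    # The drop-in is read first, so PasswordAuthentication resolves to "yes".
    echo "$opt $(effective_option "$tmp/sshd_config" "$opt" || echo '(not set)')"
done
rm -rf "$tmp"
```

On the server itself, `sudo sshd -T | grep -Ei '^(permitrootlogin|passwordauthentication) '` prints the values the daemon actually resolves. Run it from a session you keep open until a fresh key-based login succeeds.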

3. Install and Configure Fail2Ban

Why? Fail2Ban blocks people (or bots) after too many failed login attempts. It's like a bouncer for your server.

Install it:

sudo apt update && sudo apt install fail2ban -y

Copy the default config:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Edit the config to enable SSH protection:

sudo nano /etc/fail2ban/jail.local

Add these rules:

[DEFAULT]
bantime = 10m
findtime = 10m
maxretry = 5

[sshd]
enabled = true

Start Fail2Ban and make sure it runs on boot:

sudo systemctl enable fail2ban --now

4. Enable Automatic Security Updates

Why? Hackers love outdated software. Stay ahead by letting your server update itself.

Install the auto-updater:

sudo apt install unattended-upgrades -y

Turn it on:

sudo dpkg-reconfigure --priority=low unattended-upgrades

5. Enable the Firewall (UFW)

Why? A firewall blocks unnecessary traffic. Open only what you need.

Let SSH, HTTP, and HTTPS traffic through:

sudo ufw allow OpenSSH
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

Turn it on and check what’s allowed:

sudo ufw enable
sudo ufw status

Wrapping Up

There you have it—your Ubuntu server is now locked down and ready to roll. This setup blocks brute-force attacks, keeps software up to date, and limits entry points. It’s fast, simple, and effective. Go ahead and start building on your server with confidence!