Setting Up a Basic Linux Server
In this guide, I’ll show you how to set up and configure a basic Linux server in the DigitalOcean cloud running Debian 7 Wheezy.
Uploading your SSH key
After signing up with DigitalOcean, the first thing you’ll want to do is upload your public SSH key. This makes it possible to log into your newly created server without typing out a password.
In the DigitalOcean settings, click on the menu item labeled Security. Click the Add SSH Key button and enter a name for your key. Paste the contents of your public key into the SSH Key Content field, and then click Add SSH Key.
If you are running X11 and have xclip installed, you can copy the contents of your public key to the clipboard by running the following command:
xclip -selection clipboard < ~/.ssh/id_rsa.pub
If you’re running macOS, you can use the pbcopy utility to copy your key to the clipboard:
pbcopy < ~/.ssh/id_rsa.pub
Creating your virtual server
DigitalOcean call their virtual servers Droplets.
In the DigitalOcean management console, click the main menu item labeled Droplets and then click the Create Droplet button.
Select the Debian 7.0 x64 image.
Select the desired size and region for your Droplet.
Select your SSH key.
Enter a hostname for your server. This hostname can be pretty much anything, but if you’re going to set up DNS records for this server’s IP address you should enter the desired fully qualified domain name (e.g., yourserver.example.com) as the hostname. This will automatically set up a PTR/rDNS record for the server’s IP address.
Click the Create button.
When your Droplet has been created, you will be taken back to the Droplets page. Take note of your server’s IP address in the IP Address column.
Logging in
Now that you have created your virtual server, it’s time to log into it using SSH:
DROPLET_IP=203.0.113.0 # Replace this with your droplet’s IP address
ssh root@$DROPLET_IP
Since you uploaded and selected your SSH key when creating your Droplet, you won’t have to provide a password when logging in.
The first thing you should do after logging in is change the root user’s password:
passwd
To ensure that you are up to date with the latest security upgrades, update the package index and then upgrade the system:
apt-get update
apt-get upgrade
Enabling automatic security upgrades
If you don’t want to regularly log into your server to apply security upgrades, you can activate automatic upgrades. To do this, install the unattended-upgrades package:
apt-get install unattended-upgrades
Edit the configuration file:
vi /etc/apt/apt.conf.d/10periodic
Update it to look like this:
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
By default, this will only download and install packages labeled as security upgrades. If you want more packages to be downloaded and installed, edit /etc/apt/apt.conf.d/50unattended-upgrades to your preference.
Installing Fail2Ban
Fail2ban is a daemon that monitors log files for failed login attempts and other suspicious activity, and bans the IP addresses that show malicious signs. Install it using apt-get. The default configuration should be sufficient.
apt-get install fail2ban
Configuring the firewall
Linux includes a firewall that can be configured using the iptables program.
Using the iptables program can be cumbersome, so instead, we’ll use a front-end called ufw (The Uncomplicated Firewall). Install ufw using apt-get:
apt-get install ufw
Configure the firewall to allow connections on port 22, i.e., SSH connections:
ufw allow 22
Enable the firewall. This will tell you that the command may disrupt existing SSH connections and will ask if you want to proceed. Answer y(es).
ufw enable
Setting up a user
Logging in as root for everyday tasks is considered bad practice since it makes dangerous mistakes easy to make. Instead, you should log in as a normal user and use the sudo command whenever you need root privileges. Create your user and its home directory using the useradd command:
NEW_USER=alice # Replace this with your desired username
useradd -s /bin/bash -m $NEW_USER
To be able to log in as the new user using your SSH key, copy the authorized_keys file from the root user’s .ssh directory to one in your new user’s home directory:
mkdir -m 700 /home/$NEW_USER/.ssh
cp ~/.ssh/authorized_keys /home/$NEW_USER/.ssh/authorized_keys
chown -R $NEW_USER:$NEW_USER /home/$NEW_USER
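sshd’s StrictModes setting, which is on by default, checks the ownership and modes of the user’s home directory and key files before accepting a login, so it is worth verifying the result of the copy. The script below is an added example, not part of the original guide; check_key_perms is a hypothetical helper name and the demo directory is constructed.

```shell
#!/bin/sh
# Added example (not from the original guide): check the ownership and modes
# of the files created by the mkdir/cp/chown steps above.

# check_key_perms HOME_DIR OWNER
# Prints one FAIL line per problem and returns 1 if there is any.
# OWNER may be a user name or a numeric uid. This check is stricter than
# sshd itself, which also accepts files owned by root.
check_key_perms() {
    home=$1; owner=$2; rc=0
    for path in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$path" ]; then
            echo "FAIL: $path is missing"; rc=1; continue
        fi
        # -prune stops find from descending, so only $path itself is tested.
        if [ -n "$(find "$path" -prune ! -user "$owner")" ]; then
            echo "FAIL: $path is not owned by $owner"; rc=1
        fi
        if [ -n "$(find "$path" -prune \( -perm -020 -o -perm -002 \))" ]; then
            echo "FAIL: $path is group- or world-writable"; rc=1
        fi
    done
    return "$rc"
}

# Constructed demo: rebuild the layout in a temporary directory and make the
# key file too permissive to show a failure.
demo=$(mktemp -d)
mkdir -m 700 "$demo/.ssh"
: > "$demo/.ssh/authorized_keys"
chmod g+w "$demo/.ssh/authorized_keys"
check_key_perms "$demo" "$(id -u)" || echo "fix these before relying on key login"
rm -rf "$demo"
```

On the server, run it as check_key_perms /home/$NEW_USER $NEW_USER.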
Set a password for your user:
passwd $NEW_USER
Grant sudo access to your user:
VISUAL=vi visudo
Remove all existing user/group grant lines and add the following at the end, replacing NEW_USER with the new user’s username:
root ALL=(ALL) ALL
NEW_USER ALL=(ALL) ALL
Configuring sshd
Configure sshd to only allow logins from your newly created user using an authorized SSH public key:
vi /etc/ssh/sshd_config
Find the following line:
PermitRootLogin yes
Change it to say no:
PermitRootLogin no
Uncomment this line:
#PasswordAuthentication yes
Also, change it to say no:
PasswordAuthentication no
At the bottom of the file, add the following, again replacing NEW_USER with the new user’s username:
AllowUsers NEW_USER
Restart sshd for the changes to take effect:
service ssh restart
Open another terminal window on your local machine and ensure that you can log into your server using your new user before logging out as root:
ssh NEW_USER@DROPLET_IP
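sshd honours only the first occurrence of most keywords, so a leftover "PermitRootLogin yes" higher up in the file silently wins over a "no" added below it. The script below is an added example, not part of the original guide, that checks the three settings from this section; values_of and audit_sshd_config are hypothetical helper names and the sample config is constructed.

```shell
#!/bin/sh
# Added example (not from the original guide): audit an sshd_config-style
# file for the three settings this section changes.

# values_of FILE KEYWORD: print every uncommented value of KEYWORD in the
# global section (parsing stops at the first Match block). Keywords are
# case-insensitive; arguments are case-sensitive.
values_of() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print }
    ' "$1"
}

# audit_sshd_config FILE USER: print one FAIL line per problem; return 1 if any.
audit_sshd_config() {
    file=$1; user=$2; rc=0
    for key in PermitRootLogin PasswordAuthentication; do
        # Only the first occurrence counts; both default to "yes" when unset.
        got=$(values_of "$file" "$key" | head -n 1)
        if [ "$got" != "no" ]; then
            echo "FAIL: $key is '${got:-unset}', expected 'no'"
            rc=1
        fi
    done
    # AllowUsers lines accumulate, so join them all. Exact names only:
    # user@host and wildcard patterns are not interpreted here.
    allowed=$(values_of "$file" AllowUsers | tr '\n' ' ')
    case " $allowed " in
        *" $user "*) ;;
        *) echo "FAIL: AllowUsers does not list '$user'"; rc=1 ;;
    esac
    return "$rc"
}

# Constructed sample: the later "PermitRootLogin no" does not take effect,
# and PasswordAuthentication is still commented out.
sample=$(mktemp)
cat > "$sample" <<'EOF'
PermitRootLogin yes
#PasswordAuthentication yes
PermitRootLogin no
AllowUsers alice
EOF
audit_sshd_config "$sample" alice || echo "do not log out as root yet"
rm -f "$sample"
```

On the server, run it as audit_sshd_config /etc/ssh/sshd_config NEW_USER; sshd -t separately checks the file for syntax errors.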
You now have a basic Linux server set up and can proceed with setting up other services.