This is my reference document for the most thrilling first few minutes on a brand-new server. You probably shouldn't follow it since it is tailored to my needs.
For some reason, from time to time, my life revolves around servers. Who am I kidding? I just love messing with server configs, and every time I find a chance to set up a new server, I can't keep my hands to myself.
This document was created as I'm in this weird zone where I'm doing it not often enough to remember (or automate) everything and not rarely enough not to need this manual. As mentioned in the TL;DR section, most likely, you shouldn't follow this. There are plenty of better references on the world wiiiiiidddddeee web, like My First 10 Minutes On a Server, which served as inspiration for this post (sadly, since this document evolved over many years in my .txt file, I probably lost some of the other sources).
Okay, let's set up the scene: you just received login details to the new and lustrous server. All hacked IoT fridges and microwaves are already brute-forcing your server with default credentials. We need to hurry!
SSH into your lovely server and generate a new and random password:
openssl rand -base64 32
Now change the root password using the password you generated from the command above:
It's nice to be up-to-date so let's do that:
apt-get update
apt-get upgrade
Let's create a new user that we will use to interact with the server:
useradd deploy
mkdir /home/deploy
mkdir /home/deploy/.ssh
chmod 700 /home/deploy/.ssh
Copy the SSH key from your machine:
pbcopy < ~/.ssh/your_server_key.pub
Associate your public key with a new user:
chmod 400 /home/deploy/.ssh/authorized_keys
chown deploy:deploy /home/deploy -R
Update the default editor to the one you prefer (hello, Vim)
update-alternatives --config editor
Update your shell to bash:
chsh -s /bin/bash deploy
Create a password for your new persona (it will be used for getting
Make sure that the following is on:
root ALL=(ALL) ALL
%sudo ALL=(ALL:ALL) ALL
Add deploy to
usermod -aG sudo deploy
Test if login from your new user works by opening a new terminal window and SSH'ing into the server with your newly created user.
Verify that your user has
Keep at least one session with root rights open in case 💩 happens.
Open SSH config:
Add the following lines:
PermitRootLogin no
PasswordAuthentication no
If you have a VPN setup with single IP, then for extra security, you could add the following:
service ssh restart
Open a new terminal window and SSH from the new user verifying that the public key login works.
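A check for the two SSH settings above, as an added example that is not part of the original post: sshd keeps the first value it reads for each keyword, so lines appended to the config can be shadowed by an earlier line or an included drop-in file. The function names and the sample config are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit the two sshd settings from this guide.
# sshd uses the FIRST value it reads for each keyword, so an earlier line
# (or an Include'd drop-in) can silently shadow the lines you appended.

# Print the effective global value of keyword $1 from sshd-style config on stdin.
# Global scope ends at the first Match block; keywords are case-insensitive.
sshd_effective() {
  awk -v want="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
    /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
    { key = tolower($1) }
    key == "match" { exit }                 # conditional section: stop here
    key == want { print tolower($2); exit } # first occurrence wins
  '
}

# Return 0 only if both settings are effectively "no" in the config on stdin.
check_hardening() {
  cfg="$(cat)"
  rc=0
  for kw in PermitRootLogin PasswordAuthentication; do
    val="$(printf '%s\n' "$cfg" | sshd_effective "$kw")"
    if [ "$val" = "no" ]; then
      echo "ok    $kw no"
    else
      echo "FAIL  $kw is '${val:-unset (default applies)}'"
      rc=1
    fi
  done
  return "$rc"
}

# Constructed sample: the appended lines are shadowed by an earlier "yes".
SAMPLE_SHADOWED='PasswordAuthentication yes
# lines added at the bottom, as in this guide:
PermitRootLogin no
PasswordAuthentication no'

# On a real server, feed the daemon's own resolved config instead (as root):
#   sshd -t && sshd -T | check_hardening
```

Running `sshd -t` before restarting the service also catches syntax errors while the root session is still open.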
Install UFW if it's not already preinstalled:
apt-get install ufw -y
Set IPV6 to yes:
Update firewall rules:
ufw allow ssh
ufw default deny incoming
ufw default allow outgoing
ufw allow http
ufw allow https
ufw disable
ufw enable
Install unattended-upgrades if it's not already preinstalled:
apt install unattended-upgrades
If you feel adventurous or have a specific need, you can play around with the config located in
If you were adventurous, don't forget to reload the service:
sudo systemctl reload unattended-upgrades.service
apt-get install fail2ban
Create a local config:
cd /etc/fail2ban
cp jail.conf jail.local
Update the config using your secret configuration from the old server. After that, import missing filters to
If enabling NGINX configs: make sure that NGINX is already installed.
Enable and start the fail2ban service:
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
Verify the status:
sudo fail2ban-client status
At this point, your snack should be prepared and ready to eat. For a more profound taste, it is recommended to set up a web server, database, Let's Encrypt, and other friends who will make the internet a beautiful place that we can share.