My Recipe for Quick Server Snack
February 1, 2023

This is my reference document for the most thrilling first few minutes on a brand-new server. You probably shouldn't follow it since it is tailored to my needs.

For some reason, from time to time, my life revolves around servers. Who am I kidding? I just love messing with server configs, and every time I find a chance to set up a new server, I can't keep my hands to myself.

This document was created as I'm in this weird zone where I'm doing it not often enough to remember (or automate) everything and not rare enough not to need this manual. As mentioned in the TL;DR section, most likely, you shouldn't follow this. There are plenty of better references on the world wiiiiiidddddeee web, like My First 10 Minutes On a Server, which served as inspiration for this post (sadly, since this document evolved over many years in my .txt file, I probably lost some of the other sources).

Heading linkRecipe 🍜

Okay, let's set up the scene: you just received login details to the new and lustrous server. All hacked IoT fridges and microwaves are already brute-forcing your server with default credentials. We need to hurry!

Heading linkSpicy up the root

SSH into your lovely server and generate a new and random password:

Terminal controls
openssl rand -base64 32

Now change the root password using the password you generated from the command above:

Terminal controls

Heading linkBring some freshness

It's nice to be up-to-date so let's do that:

Terminal controls
apt-get update apt-get upgrade

Heading linkAdd some unique flavor

Let's create a new user that we will use to interact with the server:

Terminal controls
useradd deploy mkdir /home/deploy mkdir /home/deploy/.ssh chmod 700 /home/deploy/.ssh

Copy the SSH key from your machine:

Terminal controls
pbcopy < ~/.ssh/

Associate your public key with a new user:

Terminal controls
vim /home/deploy/.ssh/authorized_keys

Update permissions:

Terminal controls
chmod 400 /home/deploy/.ssh/authorized_keys chown deploy:deploy /home/deploy -R

Update the default editor to the one you prefer (hello, Vim)

Terminal controls
update-alternatives --config editor

Update your shell to bash:

Terminal controls
chsh -s /bin/bash deploy

Create a password for your new persona (it will be used for getting sudo rights):

Terminal controls
passwd deploy

Update sudo permissions:

Terminal controls

Make sure that the following is on:

Terminal controls
root ALL=(ALL) ALL %sudo ALL=(ALL:ALL) ALL

Add deploy to sudo group:

Terminal controls
usermod -aG sudo deploy

Heading linkTaste test

Test if login from your new user works by opening a new terminal window and SSH'ing into the server with your newly created user.

Verify that your user has human sudo rights:

Terminal controls
sudo -i

Heading linkLock down the flavor

Keep at least one session with root rights open in case 💩 happens.

Open SSH config:

Terminal controls
vim /etc/ssh/sshd_config

Add the following lines:

Terminal controls
PermitRootLogin no PasswordAuthentication no

If you have a VPN setup with single IP, then for extra security, you could add the following:

Terminal controls
AllowUsers deploy@(static-IP)

Restart SSH:

Terminal controls
service ssh restart

Open a new terminal window and SSH from the new user verifying that the public key login works.

Heading linkPrepare the glazing

Install UFW if it's not already preinstalled:

Terminal controls
apt-get install ufw -y

Edit config:

Terminal controls
vim /etc/default/ufw

Set IPV6 to yes:

Terminal controls

Update firewall rules:

Terminal controls
ufw allow ssh ufw default deny incoming ufw default allow outgoing ufw allow http ufw allow https ufw disable ufw enable

Heading linkAllow taste to develop without your presence

Install unattended-upgrades if it's not already preinstalled:

Terminal controls
apt install unattended-upgrades

If you feel adventurous or have a specific need, you can play around with the config located in /etc/apt/apt.conf.d/50unattended-upgrades

If you were adventurous, don't forget to reload the service:

Terminal controls
sudo systemctl reload unattended-upgrades.service

Heading linkCover the pot from sneaky hands

Install fail2ban:

Terminal controls
apt-get install fail2ban

Create a local config:

Terminal controls
cd /etc/fail2ban cp jail.conf jail.local

Update the config using your secret configuration from the old server. After that, import missing filters to filters.d.

If enabling NGINX configs: make sure that NGINX is already installed.

Enable and start the fail2ban service:

Terminal controls
sudo systemctl enable fail2ban sudo systemctl start fail2ban

Verify the status:

Terminal controls
sudo fail2ban-client status

Heading linkEnjoy your snack

At this point, your snack should be prepared and ready to eat. For a more profound taste, it is recommended to set up a web server, database, Let's Encrypt, and other friends who will make the internet a beautiful place that we can share.

© Edvinas Byla, 2023

(my lovely corner on the internet™)