March 7, 2011

Basic Ubuntu 10.04 Server Setup Guide

Filed under: Uncategorized — Tags: , — yasi8h @ 2:56 am

There are some basic steps i do when setting up a fresh server (ahh sounds so good! :D). Going to list them out so i can follow them and have no problems forgetting anything in the future.

  • Add a user : adduser foobar
    • answer all the question asked
  • Add your public key to the authorized_keys so you can ssh in without password authentication (with public key authentication).
    • login as the new user
    • mkdir .ssh
    • nano .ssh/authorized_keys
    • put your public key in and save the file (ctrl + o, ctrl + x)
  • Add a entry for the new server in your .ssh/config for easy access to it from your local
    • nano .ssh/config
    • add a entry like this (please ignore the bullet points)
      • Host whatever_fancy_name #you will use this on your local ie: ssh whatever_fancy_name
      • User=foobar #user name on the server
      • Hostname= #your server ip
    • save the file (ctrl + o, ctrl + x)
  • Setup sudo without been asked for the password for the new user
    • visudo
    • add this line to the bottom: foobar ALL=(ALL) NOPASSWD:ALL #foobar is the username, while nopassword tells sudo not to ask the user for his password when using sudo
  • Disable remote root logins for sshd
    • sudo nano /etc/ssh/sshd_config
    • find the line ‘PermitRootLogin yes’ and replace it with ‘PermitRootLogin no’
    • save the file (ctrl + o, ctrl + x)
    • restart sshd
      • sudo /etc/init.d/ssh restart
  • Some default packages you might want to setup
    • htop (sudo aptitude install htop)




  1. Nice list.

    I usually tweak firewall (netfilter) rules so that only the essential inbound traffic is allowed. I also stop all non-essential services.

    To slow down brute force SSH attempts I have the following:
    -A INPUT -m state –state NEW -m recent -p tcp –dport 22 –set
    -A INPUT -m state –state NEW -m recent -p tcp –dport 22 –update –seconds 60 –hitcount 4 -j DROP
    -A INPUT -m state –state NEW -m tcp -p tcp –dport 22 -j ACCEPT

    and then I end the table with the rule (which stops everything which wasn’t explicitly allowed beforehand):
    -A INPUT -j REJECT –reject-with icmp-host-prohibited

    Also consider using ‘denyhosts’ (same package name). It’ll automatically block (using tcpwrappers iirc) hosts who’s taking part in brute forcing SSH. Be sure to read the doc first. 🙂

    Port Knocking is also a nice trick which I haven’t used yet in any production system yet. But it looks great.

    Comment by Gaveen — March 7, 2011 @ 9:09 am

    • Hey Gaveen! thanks a lot for the grate input. Should put these points in to my manual. They are some basic security stuff that i SHOULD be doing currently.

      better be safe than sorry 😉

      Comment by yasi8h — March 7, 2011 @ 10:02 am

RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Create a free website or blog at

%d bloggers like this: