This tutorial assumes that you already have a freshly installed Ubuntu 20.04 LTS (Focal Fossa) server. We recommend using an LTS release of Ubuntu, such as Ubuntu 20.04 LTS (Focal Fossa), for your servers. After installing Ubuntu Server 20.04, proceed with the post-installation steps below. This tutorial covers steps that are useful for applying basic security to the server.

Follow the steps below.

1. Upgrade Your System

First of all, log in to the Ubuntu 20.04 system via the system terminal. Then execute the following commands to update the apt cache and upgrade all packages on your system.

sudo apt update
sudo apt upgrade

2. Create User Account

We do not recommend working as the root user on Ubuntu 20.04. Let’s create an account for system administration and enable sudo access for it.

sudo adduser sysadmin

Now add the newly created user to the sudo group so that it gets all sudo privileges.

sudo usermod -aG sudo sysadmin

3. Secure SSH Server

We recommend changing the default SSH port; it helps to secure your system from hack attempts. To change the default port, edit the OpenSSH configuration file /etc/ssh/sshd_config and make the following changes.

  • Change Default Port – It is good practice to change the default SSH port, as default ports are always targeted by attackers.
     Port 2222

  • Disable Root SSH Login – You should also disable root login via SSH.
     PermitRootLogin no

4. Setup Key-Based SSH

It is strongly recommended to use key-based SSH login instead of password login. To configure this, create an SSH key pair on your local system.

Linux users can use the following command, and Windows users can use puttygen.exe to generate an SSH key pair.

ssh-keygen

Sample output:

Generating public/private rsa key pair.
Enter file in which to save the key (/home/sysadmin/.ssh/id_rsa):
Created directory '/home/sysadmin/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/sysadmin/.ssh/id_rsa
Your public key has been saved in /home/sysadmin/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:Wewuzm5MjMkiTQA4zFKPpGWpOcEE7TGRlFSgYGpsWHE sysadmin@tecadmin
The key's randomart image is:
+---[RSA 3072]----+
|@O%OE            |
|@@O+     .       |
|*X.+.     o      |
|* . .    +       |
| . o . +S .      |
|  . o + o.       |
|   . . o. .      |
|       oo.       |
|       o+        |
+----[SHA256]-----+

Now copy the content of the newly created public key file .ssh/id_rsa.pub to the server's ~/.ssh/authorized_keys file. You can copy the public key into the server's file directly or use the following command.

ssh-copy-id -i ~/.ssh/id_rsa.pub sysadmin@remote.server.net

Now log in to the server with SSH. It will not prompt for the password again.

ssh sysadmin@remote.server.net

5. Configure Firewall with FirewallD

The default Ubuntu 20.04 server edition does not have firewalld installed. Run the following command to install the required packages from the default repositories.

sudo apt install firewalld

After installation, start the firewall service and enable it to auto-start on system boot.

sudo systemctl start firewalld
sudo systemctl enable firewalld

By default, the firewall allows SSH access to remote users. You may also need to allow other services through the firewall to remote users.

You can directly provide a service name like “http” or “https” to allow it. firewalld uses the /etc/services file to determine the corresponding port of the service.

sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https

If a service name is not defined in the /etc/services file, you can add a firewall rule using the port number directly. For example, to allow TCP port 8080 or 10000 (default Webmin) through your firewall:

sudo firewall-cmd --permanent --add-port=8080/tcp
sudo firewall-cmd --permanent --add-port=10000/tcp

After making any changes to your firewall, make sure to reload changes using the following command.

sudo firewall-cmd --reload

To view all the allowed ports and services, use the following command.

sudo firewall-cmd --permanent --list-all

Output:

public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: cockpit dhcpv6-client http https ssh
  ports: 8080/tcp 10000/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
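
Steps 3 and 5 interact: the firewall listing above admits the ssh service (port 22) but not the port 2222 chosen in step 3. The script below is an added example, not part of the original tutorial; its function names and sample files are constructed for illustration, and it reports any SSH port the firewall would not admit.

```bash
#!/bin/sh
# Added example. File contents below are constructed samples.

# List the ports sshd will listen on: every global "Port" line, else 22.
# Keywords are case-insensitive; parsing stops at the first Match block.
sshd_ports() {  # usage: sshd_ports SSHD_CONFIG
    awk '/^[ \t]*#/ { next }
         tolower($1) == "match" { exit }
         tolower($1) == "port"  { print $2; n++ }
         END { if (!n) print 22 }' "$1"
}

# Print the effective global value of KEYWORD (sshd keeps the first one it reads).
sshd_effective() {  # usage: sshd_effective SSHD_CONFIG KEYWORD DEFAULT
    awk -v key="$2" -v def="$3" '
         /^[ \t]*#/ { next }
         tolower($1) == "match" { exit }
         tolower($1) == tolower(key) { val = $2; exit }
         END { print (val != "" ? val : def) }' "$1"
}

# Succeed if the saved `firewall-cmd --list-all` text admits TCP PORT, either
# as an explicit port or, for 22 only, via the "ssh" service (ranges not handled).
fw_allows_port() {  # usage: fw_allows_port FW_LISTING PORT
    awk -v port="$2" '
         $1 == "ports:"    { for (i = 2; i <= NF; i++) if ($i == port "/tcp") ok = 1 }
         $1 == "services:" { for (i = 2; i <= NF; i++) if ($i == "ssh" && port == 22) ok = 1 }
         END { exit !ok }' "$1"
}

# Print each sshd port the firewall would drop; no output means no lock-out risk.
blocked_ssh_ports() {  # usage: blocked_ssh_ports SSHD_CONFIG FW_LISTING
    for p in $(sshd_ports "$1"); do
        fw_allows_port "$2" "$p" || echo "$p"
    done
}

SAMPLE_DIR=$(mktemp -d)
printf '%s\n' '#Port 22' 'Port 2222' 'PermitRootLogin no' \
    'permitrootlogin yes' > "$SAMPLE_DIR/sshd_config"     # 2nd PermitRootLogin is ignored
printf '%s\n' 'public' '  services: cockpit dhcpv6-client http https ssh' \
    '  ports: 8080/tcp 10000/tcp' > "$SAMPLE_DIR/fw.txt"   # as in the listing above

echo "PermitRootLogin: $(sshd_effective "$SAMPLE_DIR/sshd_config" PermitRootLogin prohibit-password)"
echo "Blocked SSH ports: $(blocked_ssh_ports "$SAMPLE_DIR/sshd_config" "$SAMPLE_DIR/fw.txt")"
```

If a port is reported, allow it with the same --add-port syntax shown above and reload the firewall before restarting sshd on the new port, while keeping the current SSH session open.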

Conclusion

Your Ubuntu 20.04 LTS (Focal Fossa) system is ready to use. Please do not forget to share your ideas about the initial server setup; that will help others.