This is my reference document for the most thrilling first few minutes on a brand-new server. You probably shouldn't follow it since it is tailored to my needs.
For some reason, from time to time, my life revolves around servers. Who am I kidding? I just love messing with server configs, and every time I find a chance to set up a new server, I can't keep my hands to myself.
This document was created as I'm in this weird zone where I'm doing it not often enough to remember (or automate) everything and not rare enough not to need this manual. As mentioned in the TL;DR section, most likely, you shouldn't follow this. There are plenty of better references on the world wiiiiiidddddeee web, like My First 10 Minutes On a Server, which served as inspiration for this post (sadly, since this document evolved over many years in my .txt file, I probably lost some of the other sources).
Recipe 🍜
Okay, let's set up the scene: you just received login details to the new and lustrous server. All hacked IoT fridges and microwaves are already brute-forcing your server with default credentials. We need to hurry!
Spicy up the root
SSH into your lovely server and generate a new and random password:
openssl rand -base64 32
Now change the root password using the password you generated from the command above:
passwd
Bring some freshness
It's nice to be up-to-date so let's do that:
apt-get update apt-get upgrade
Add some unique flavor
Let's create a new user that we will use to interact with the server:
useradd deploy mkdir /home/deploy mkdir /home/deploy/.ssh chmod 700 /home/deploy/.ssh
Copy the SSH key from your machine:
pbcopy < ~/.ssh/your_server_key.pub
Associate your public key with a new user:
vim /home/deploy/.ssh/authorized_keys
Update permissions:
chmod 400 /home/deploy/.ssh/authorized_keys chown deploy:deploy /home/deploy -R
Update the default editor to the one you prefer (hello, Vim)
update-alternatives --config editor
Update your shell to bash:
chsh -s /bin/bash deploy
Create a password for your new persona (it will be used for getting sudo rights):
passwd deploy
Update sudo permissions:
visudo
Make sure that the following is on:
root ALL=(ALL) ALL %sudo ALL=(ALL:ALL) ALL
Add deploy to sudo group:
usermod -aG sudo deploy
Taste test
Test if login from your new user works by opening a new terminal window and SSH'ing into the server with your newly created user.
Verify that your user has human sudo rights:
sudo -i
Lock down the flavor
Keep at least one session with root rights open in case 💩 happens.
Open SSH config:
vim /etc/ssh/sshd_config
Add the following lines:
PermitRootLogin no PasswordAuthentication no
If you have a VPN setup with single IP, then for extra security, you could add the following:
AllowUsers deploy@(static-IP)
Restart SSH:
service ssh restart
Open a new terminal window and SSH from the new user verifying that the public key login works.
Prepare the glazing
Install UFW if it's not already preinstalled:
apt-get install ufw -y
Edit config:
vim /etc/default/ufw
Set IPV6 to yes:
IPV6=yes
Update firewall rules:
ufw allow ssh ufw default deny incoming ufw default allow outgoing ufw allow http ufw allow https ufw disable ufw enable
Allow taste to develop without your presence
Install unattended-upgrades if it's not already preinstalled:
apt install unattended-upgrades
If you feel adventurous or have a specific need, you can play around with the config located in /etc/apt/apt.conf.d/50unattended-upgrades
If you were adventurous, don't forget to reload the service:
sudo systemctl reload unattended-upgrades.service
Cover the pot from sneaky hands
Install fail2ban:
apt-get install fail2ban
Create a local config:
cd /etc/fail2ban cp jail.conf jail.local
Update the config using your secret configuration from the old server. After that, import missing filters to filters.d.
If enabling NGINX configs: make sure that NGINX is already installed.
Enable and start the fail2ban service:
sudo systemctl enable fail2ban sudo systemctl start fail2ban
Verify the status:
sudo fail2ban-client status
Enjoy your snack
At this point, your snack should be prepared and ready to eat. For a more profound taste, it is recommended to set up a web server, database, Let's Encrypt, and other friends who will make the internet a beautiful place that we can share.