Congratulations on deploying your new server! Whether it's a powerful dedicated machine or a flexible cloud VPS from NordicVM, you now have a blank canvas. But before you install your application, it's critical to lay a secure foundation. An unconfigured server is a prime target for automated bots and malicious actors.
This guide will walk you through the essential first steps to harden your Ubuntu 22.04 server, significantly improving its security posture. We'll cover everything from user access to basic firewall configuration.
Step 1: Update Your System
The first thing you should always do after logging into a new server for the first time is to update the package lists and upgrade any outdated software. This ensures you have the latest security patches.
sudo apt update && sudo apt upgrade -yThis command first synchronizes your package index files from their sources (`apt update`) and then installs the newest versions of all packages currently installed on the system (`apt upgrade`).
Step 2: Create a New User (Don't Use Root)
Operating directly as the `root` user is risky. A single mistake can have catastrophic consequences. It's best practice to create a standard user account and grant it administrative privileges using `sudo`.
Replace `yourusername` with a name of your choice:
adduser yourusernameYou'll be prompted to create and confirm a password. Next, add the new user to the `sudo` group to grant them administrative privileges:
usermod -aG sudo yourusernameNow, you can log out of the root account and log back in with your new user account.
Step 3: Set Up SSH Key Authentication
Relying on passwords for SSH access is less secure than using SSH keys. Keys are far more difficult to brute-force. This process involves creating a key pair on your local machine and copying the public key to your server.
On your local machine:
If you don't already have an SSH key, generate one:
ssh-keygen -t rsa -b 4096Now, copy the public key to your server using `ssh-copy-id`. Replace `yourusername` and `your_server_ip`.
ssh-copy-id yourusername@your_server_ipOn your server:
Once the key is copied, you should disable password-based authentication to enforce key-only logins. Open the SSH configuration file:
sudo nano /etc/ssh/sshd_configFind the line `PasswordAuthentication yes` and change it to `no`. Also, ensure `PubkeyAuthentication yes` is set. Save the file and restart the SSH service:
sudo systemctl restart sshdImportant: Before you log out, open a new terminal window and test that you can log in with your SSH key. If you can't, you could be locked out of your server!
Step 4: Configure the Firewall with UFW
Uncomplicated Firewall (UFW) is a user-friendly frontend for managing iptables. By default, it denies all incoming connections and allows all outgoing connections.
First, allow SSH connections so you don't lock yourself out. We also'll allow standard web traffic (HTTP and HTTPS).
sudo ufw allow OpenSSH
sudo ufw allow 'Nginx Full'
# Or use 'Apache Full' if using ApacheNow, enable the firewall:
sudo ufw enableYou can check the status at any time:
sudo ufw statusStep 5: Install Fail2ban
Fail2ban is an intrusion prevention software that monitors log files for malicious activity (like repeated failed login attempts) and temporarily bans the offending IP addresses. It's an excellent layer of defense against automated brute-force attacks.
sudo apt install fail2ban -y
sudo systemctl enable fail2ban
sudo systemctl start fail2banFail2ban works out of the box for SSH on Ubuntu, but you can customize it for other services by creating a local configuration file.
Conclusion: A More Secure Foundation
By following these five steps, you've moved your server from its default, vulnerable state to a much more secure baseline. This is not an exhaustive list, but it's an essential starting point for any new deployment. From here, you can confidently proceed with installing your applications, knowing you've taken the right steps to protect your infrastructure.