Self Hosting Series: 03 – Initial Ubuntu Setup & Security

With the basic server created in the previous article and a secure SSH key generated, it's finally time in this self-hosting process to get into a bit more meat. Diving right into the initial setup of this Ubuntu 18.04 server, we need to stop using the root account for day-to-day work, attach our SSH key to a new admin account, enable a firewall, and then apply security updates.

Connecting to Ubuntu VPS w/SSH

Given we already loaded the public SSH key to DigitalOcean when we created the server (our VPS host), our first step is to use PuTTY, or any other SSH client, to connect to the server. To do this, you only need:

  • IP Address from DigitalOcean Control Panel
  • Username – root
  • Password – none is sent to the server; we authenticate with the SSH key, so the only secret you type is the passphrase protecting your private key (if you set one).

In PuTTY, enter the IP address, select SSH as the connection type, and then expand the SSH category in the lower-left tree to reach the advanced settings:

In the SSH settings, select Auth and browse for the private .ppk file of your SSH key pair. Then, back on the Session screen, provide a name under Saved Sessions and select Save before connecting, so these settings are easy to reuse.

In PuTTY, simply select the saved session and Open to bring up the server console.

You’ll be presented with a basic Console with Logon As:, type root then Enter.

If you put a passphrase on your SSH key pair (please say you did), you will be prompted for it next. The passphrase only unlocks the private key on your machine; the server then verifies the signature your client produces against the public key it holds in root's authorized_keys file:

Once that is successful, you’ll get a quick summary of the server operations and status before getting a logged in terminal prompt:

As you can see in my sample, given it's a new server, the workload is very minimal, but the system already has package updates that need to be installed, followed by a quick reboot. We'll get to those soon!

Creating Admin User w/SSH

The first best practice is to create an administrative account to use, as we should always avoid using the root account unless explicitly necessary. This is a simple precaution: with root, one mistyped command can do a lot of system damage, even for the experienced, and there is no password prompt to make you pause. As such, we'll create a new user for our daily operations and maintenance with:

# adduser timtheenchanter

You will be prompted to create a password for this account. Once we're done, this user will log in over SSH with our key, not this password; the password is what sudo asks for in the terminal before running admin commands. As such, make sure it is a proper secure password, and store it in a secure encrypted location (like all your passwords!).

Next up, we’re going to grant Administrative Rights to the new account. This will allow the account to run administrative commands be preceding them with sudo, but you will be prompted for the password, which is also a great time to review the command for errors before proceeding. To grant these admin rights:

# usermod -aG sudo timtheenchanter

Next, we want this new administrative user to log in with the same public/private SSH key pair that we set up for the root account. Of course, if you're creating this account for someone else, you would instead put their public key in the authorized_keys file we're about to copy, in place of yours.

To copy your current SSH public key into the new user's home directory, so they can log in with it, run the following while still logged in as root (the ~ below must expand to /root, which is where your authorized_keys file currently lives). Note that copying the key does not by itself disable password logins over SSH; that is controlled by PasswordAuthentication in /etc/ssh/sshd_config, which DigitalOcean sets to no when a droplet is created with an SSH key. It is worth confirming that setting rather than assuming it:

# rsync --archive --chown=timtheenchanter:timtheenchanter ~/.ssh /home/timtheenchanter

At this point, open a second PuTTY session with the same saved session (which uses the SSH key) and log in as the new account, entering the key passphrase. Keep the root session open until that login succeeds; if the copy went wrong, you still have a working session to fix it from. From this point forward, you should not be using the root account without good reason; use sudo in front of commands that need admin rights instead.
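The steps above, gathered into one script as an added example (this is not code from the original article). It creates the admin user, grants sudo, installs the key root already logs in with, verifies the file permissions sshd insists on, and explicitly turns off password logins in sshd_config. The user name is the article's placeholder; run it as root with the --apply argument on the droplet. The two check functions need no privileges, so they can be exercised anywhere.

```shell
#!/bin/sh
# Added example, not code from the original article: create the admin user,
# give it sudo, install the key root already logs in with, and verify the
# result the way sshd will. Run as root on the droplet with --apply; the
# functions alone need no privileges so they can be checked on any machine.
# The user name is the article's placeholder; adjust it.
set -eu

# Copy an authorized_keys file into HOME/.ssh with the permissions sshd's
# default StrictModes requires (700 on the directory, 600 on the file).
# Args: home_dir source_file [owner]  -- owner is applied only when given.
install_authorized_keys() {
    home="$1"; src="$2"; owner="${3:-}"
    install -d -m 700 "$home/.ssh"
    install -m 600 "$src" "$home/.ssh/authorized_keys"
    if [ -n "$owner" ]; then
        chown -R "$owner:$owner" "$home/.ssh"
    fi
}

# Return 0 when HOME/.ssh/authorized_keys is usable by sshd: correct modes and
# at least one line that starts with a recognised key type.
check_authorized_keys() {
    home="$1"
    dir="$home/.ssh"; file="$dir/authorized_keys"
    [ -d "$dir" ] && [ -f "$file" ] || return 1
    [ "$(stat -c %a "$dir")" = "700" ] || return 1
    [ "$(stat -c %a "$file")" = "600" ] || return 1
    grep -Eq '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) ' "$file"
}

# Turn off password logins in sshd_config (copying a key does not do this by
# itself), then syntax-check before restarting so a typo cannot lock you out.
disable_ssh_passwords() {
    cfg=/etc/ssh/sshd_config
    if grep -q '^#\?PasswordAuthentication ' "$cfg"; then
        sed -i 's/^#\?PasswordAuthentication .*/PasswordAuthentication no/' "$cfg"
    else
        echo 'PasswordAuthentication no' >> "$cfg"
    fi
    sshd -t && systemctl restart ssh
}

if [ "${1:-}" = "--apply" ]; then
    NEW_USER=timtheenchanter                 # placeholder name from the article
    adduser "$NEW_USER"                      # prompts for the sudo password
    usermod -aG sudo "$NEW_USER"
    install_authorized_keys "/home/$NEW_USER" /root/.ssh/authorized_keys "$NEW_USER"
    check_authorized_keys "/home/$NEW_USER" && echo "key installed for $NEW_USER"
    disable_ssh_passwords
    echo "now open a second PuTTY session as $NEW_USER before closing this one"
fi
```

The permission check matters because sshd (with its default StrictModes yes) silently ignores an authorized_keys file that is group- or world-writable, and the failure shows up only as a password prompt or a refused login.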

Firewall Setup on Ubuntu w/UFW

The next step in getting the server ready is correctly configuring a firewall, to control the incoming and outgoing traffic on the system. DigitalOcean offers its own firewall service from the control panel, which would be very useful in a larger deployment, and I'll review and test it at a later date. For this setup, staying contained within the droplet, Ubuntu ships with UFW (a front end for the kernel's iptables/netfilter rules), which is installed but inactive by default and will do everything we need to secure the server.

The process of setting up the firewall involves setting the default policies, then adding allow or deny rules as exceptions to them. To set the defaults to block all incoming traffic and allow all outgoing traffic:

# sudo ufw default deny incoming
# sudo ufw default allow outgoing

With the default policies set, we must allow SSH before enabling anything, since it is our only means of reaching the VPS. Rules in UFW are a simple allow/deny followed by a port number, with options for specific source IP addresses or ranges and interfaces for more advanced control. To allow SSH incoming:

# sudo ufw allow 22

Many common ports and services also have a name assigned (from /etc/services), so we could equally have done:

# sudo ufw allow ssh

Two refinements worth knowing: a bare port number opens both TCP and UDP, so sudo ufw allow 22/tcp is the tighter rule; and sudo ufw limit 22/tcp allows the port but blocks a source that opens six or more connections within thirty seconds, which blunts brute-force attempts even though keys are required. As you set up and install other applications and services, you will need to review what ports they communicate on, and create or adjust allow and deny rules accordingly. For more details on configuring rules, this article at DigitalOcean is a great start. With the basic rules set and our active SSH connection allowed, it's a simple command to officially enable the firewall (it warns that enabling may disrupt existing SSH connections; answer y only if your SSH rule is in place):

# sudo ufw enable

The status of the UFW firewall, including the default policies and the active rules, can be verified at any time with:

# sudo ufw status verbose
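The lock-out risk above is worth guarding against with a pre-flight check. The following is an added example, not code from the original article: it reads the port sshd actually listens on, sets the defaults from the text, and refuses to run ufw enable unless the rule list ufw reports via ufw show added contains a rule admitting that port. It uses ufw limit rather than allow for the SSH port, and --force to skip the interactive prompt once the check has passed. Run as root with --apply on the droplet; the two functions are plain text processing and run anywhere.

```shell
#!/bin/sh
# Added example, not from the original article: set the ufw defaults from the
# text, but only enable the firewall after confirming a rule admits the port
# sshd actually listens on. Enabling ufw with SSH blocked is the classic way to
# lose a VPS until you reach the DigitalOcean console. Run as root with --apply.
set -eu

# Print the port sshd listens on: the first uncommented Port line in the
# config given as $1 (default /etc/ssh/sshd_config), else 22.
ssh_port() {
    cfg="${1:-/etc/ssh/sshd_config}"
    p=""
    [ -r "$cfg" ] && p=$(awk 'tolower($1)=="port" {print $2; exit}' "$cfg")
    echo "${p:-22}"
}

# Read the output of `ufw show added` on stdin and return 0 if some rule
# allows (or rate-limits, which still admits) the given port. Matches the
# numeric port, port/tcp, the service name "ssh", and the "OpenSSH" profile.
ufw_admits_port() {
    port="$1"
    grep -Eq "^ufw[[:space:]]+(allow|limit)[[:space:]]+(in[[:space:]]+)?(${port}(/tcp)?|ssh|OpenSSH)([[:space:]]|\$)"
}

if [ "${1:-}" = "--apply" ]; then
    port=$(ssh_port)
    ufw default deny incoming
    ufw default allow outgoing
    # limit = allow, plus deny a source that opens 6+ connections in 30 s,
    # which blunts password guessing even with keys required.
    ufw limit "${port}/tcp"
    if ufw show added | ufw_admits_port "$port"; then
        ufw --force enable      # --force skips the "may disrupt ssh" prompt
        ufw status verbose
    else
        echo "refusing to enable ufw: no rule admits port $port" >&2
        exit 1
    fi
fi
```

Reading the port from sshd_config instead of hard-coding 22 is what makes the check useful later, when you move SSH to another port and would otherwise allow the wrong one.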

Keeping Ubuntu Updated

The final step in the initial server setup, as per the prompts at first logon, is to check for and apply updates to the system. As with any system, but more so if you're hosting services for others, updates are critical for both stability and security. After we've completed this the first time, you should set a regular schedule (whether weekly, bi-weekly, or monthly) to check for and apply updates. Don't let other work distract you from basic security maintenance.

To check for and apply updates in Ubuntu:

# sudo apt-get update && sudo apt-get upgrade

This is two commands chained together. The first (update) refreshes the package index from the configured repositories; it installs nothing. The second (upgrade) downloads and installs newer versions of the packages already present, but it will never install a new package or remove one to do so. Updates that need that, most commonly a new kernel version, are listed as "kept back"; install those with sudo apt-get dist-upgrade (or review them first with apt list --upgradable).

When the updates are complete, the nature of Linux and its packages is that you'll rarely need a reboot to finish the process and be secure, which makes it easier to maintain uptime for your system and its users. Kernel and libc updates are the exception, and Ubuntu flags them by creating the file /var/run/reboot-required, which is exactly what produced the notice at first logon in our case. To reboot from the SSH session:

# sudo shutdown -r

With no time argument this schedules the reboot for one minute later, at which point you'll lose your SSH connection and will need to reconnect afterwards. The shutdown command has options to change the delay (sudo shutdown -r now reboots immediately), post a warning message to logged-in users, and so on.
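The maintenance run described above, made repeatable, as an added example that is not code from the original article. It refreshes the index, upgrades non-interactively, reports anything plain apt-get upgrade held back (normally a new kernel, which needs dist-upgrade because new packages have to be installed), and reboots only when Ubuntu says one is required. Run as root with --apply on Ubuntu 18.04; the two helper functions are plain text and file checks and run anywhere.

```shell
#!/bin/sh
# Added example, not from the original article: the maintenance run described
# above, made repeatable. It refreshes the index, upgrades, reports packages
# that plain `apt-get upgrade` held back (normally a new kernel, which needs
# dist-upgrade because new packages must be installed), and reboots only when
# Ubuntu says one is required. Run as root with --apply on Ubuntu 18.04.
set -eu

# Read `apt-get upgrade` output on stdin; print each package named under
# "The following packages have been kept back:", one per line.
kept_back() {
    awk '/^The following packages have been kept back:/ { grab = 1; next }
         grab && /^[^ ]/ { grab = 0 }
         grab { for (i = 1; i <= NF; i++) print $i }'
}

# Return 0 if a reboot is pending. Ubuntu's update-notifier-common creates
# /var/run/reboot-required when a new kernel or libc has been installed;
# the path argument exists so the check can be exercised elsewhere.
reboot_needed() {
    [ -f "${1:-/var/run/reboot-required}" ]
}

if [ "${1:-}" = "--apply" ]; then
    export DEBIAN_FRONTEND=noninteractive   # no config-file dialogs mid-run
    apt-get update
    out=$(apt-get -y upgrade)
    printf '%s\n' "$out"
    held=$(printf '%s\n' "$out" | kept_back | tr '\n' ' ')
    if [ -n "$held" ]; then
        echo "kept back: $held"
        echo "install them with: apt-get -y dist-upgrade"
    fi
    if reboot_needed; then
        # shutdown -r with no time defaults to +1 minute; the message is
        # broadcast to every logged-in session before the connection drops.
        shutdown -r +1 "Rebooting in one minute to finish applying updates"
    else
        echo "no reboot required"
    fi
fi
```

Checking for the reboot-required flag, rather than rebooting after every run, is what lets a weekly schedule like the one suggested above keep the box patched without needless downtime.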

Once the server has rebooted, which should be a very fast process, as is common with virtual machines, validate that you can still connect via SSH as the new admin user and that the welcome screen no longer reports pending updates or a required reboot. From this point, the system is ready to start exploring what applications you need! In my case I have a list of services I'll be working through configuring.

Even though it’s one of the larger services, first up will be WordPress hosting this site, as that will allow me to re-point my TechZerker domain over to DigitialOcean, and any subsequent services I setup will be able to use the domain name with an application specific sub-domain.

While I’m getting started on my WordPress install and the associated articles over the next while, why not start your own project hosting on DigitalOcean? (Referral link)


Scott Haner

Thanks for reading TechZerker! I’m Scott, a Canadian tech professional for over a decade with a wide range of experience. I created TechZerker as my own source to talk about a variety of tech subjects, from reviews of hardware I get my hands on, challenges I see in my tech work, gaming with focus on nostalgic gaming (games over 10-ish years old, but not Retro), and more recently my explorations in Linux and Linux gaming as a long time Windows Insider and fan. I am passionate about the tech I work and live with and enjoy a good, intelligent discussion on all these topics.
