sajad torkamani

Here are some steps you’ll want to take when setting up a fresh Ubuntu production server.

Enable SSH authentication

Copy the public key of the machine you want to use to access your server.

cat ~/.ssh/id_ed25519.pub # will probably be called id_rsa.pub on Linux

Log in to your server as root. Your cloud provider usually offers a way to do this. Add the public key to the root user’s authorized keys in ~/.ssh/authorized_keys.

Now, try SSHing into your server from your local machine.

ssh root@<server-ip>

Create non-root sudo user

adduser sajad

Confirm the user was created with getent passwd. The new user should appear at the bottom of the output.

Grant administrative privileges

usermod -aG sudo sajad

Check the user is now in the sudo group:

getent group sudo

Set up firewall

Use ufw or your cloud provider’s firewall feature to restrict access to services within your server. If using your cloud provider’s firewall, you’ll want to disable ufw.

A typical set of inbound rules might look like:

Type    Protocol  Port Range  Sources
SSH     TCP       22          All IPv4, All IPv6
HTTP    TCP       80          All IPv4, All IPv6
HTTPS   TCP       443         All IPv4, All IPv6
MySQL   TCP       3306        <ip-whitelist>

Enable SSH access for non-root sudo user

Assuming you’re still logged in as root and the new user is named sajad, copy the root user’s ~/.ssh directory to the new user’s home directory.

user=sajad
rsync --archive --chown="$user:$user" ~/.ssh /home/"$user"

(Set the variable on its own line: a prefix like user=sajad rsync ... only puts the variable in rsync’s environment, and the shell expands $user to an empty string before rsync runs.) The --archive flag preserves the 700/600 permissions on .ssh and authorized_keys, which sshd requires.

Open a terminal on your local machine and try SSHing into your server as the non-root sudo user.

ssh sajad@<server-ip>

Set up monitoring service

You’ll want to monitor your server’s resource utilization so that you’re notified if things go wrong or if resources like CPU, RAM or disk space are close to full capacity. For example, Digital Ocean provides this for free.

Bonus: Create SSH alias

Instead of typing ssh <user>@<server-ip>, let’s make life easier and create an alias so that we can just type ssh prod (replace prod with whatever makes sense).

On your local machine, edit ~/.ssh/config and add the following:

Host prod
  Hostname <server-ip>
  User <user>

Now, you should be able to SSH into your server with ssh prod.

Bonus: install some tools

sudo apt-get install htop
