Setup Ubuntu server for production
Here are some steps you’ll want to take when setting up a fresh Ubuntu production server.
Enable SSH key authentication
Copy the public key of the machine you want to use to access your server.
cat ~/.ssh/id_ed25519.pub # may be called id_rsa.pub instead, depending on the key type you generated
Log in to your server as root. Your cloud provider usually offers a way to do this. Add the public key to the root user's authorized keys in `~/.ssh/authorized_keys`.
Now, try SSHing into your server from your local machine.
ssh root@<server-ip>
Create non-root sudo user
adduser sajad
Confirm the user was created with `getent passwd`. The new user should appear at the bottom.
Grant administrative privileges
usermod -aG sudo sajad
Check that the user is now in the `sudo` group:
getent group sudo
Set up a firewall
Use `ufw` or your cloud provider's firewall feature to restrict access to services within your server. If using your cloud provider's firewall, you'll want to disable `ufw`.
A typical set of inbound rules might look like:
Type | Protocol | Port Range | Sources
---|---|---|---
SSH | TCP | 22 | All IPv4, All IPv6
HTTP | TCP | 80 | All IPv4, All IPv6
HTTPS | TCP | 443 | All IPv4, All IPv6
MySQL | TCP | 3306 | <ip-whitelist>
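If you go the `ufw` route, the table above translates into a short, reviewable rule set. The script below is an added example, not part of the original post: it prints the `ufw` commands for those rules so you can read them before applying them as root. The default policy denies inbound and allows outbound traffic, and the SSH rule is emitted before `ufw enable` so that turning the firewall on cannot cut off your own session. The MySQL source address `203.0.113.10` is a constructed placeholder standing in for `<ip-whitelist>`.

```shell
#!/bin/sh
# Added example: generate (and optionally apply) ufw commands for the
# inbound rule table. Not from the original post.
# Assumptions: ufw is installed (Ubuntu 18.04 or later, which accepts the
# "comment" keyword); 203.0.113.10 is a constructed placeholder address.

# Rule table as "name proto port source" lines; "any" = all IPv4 and IPv6.
RULES='SSH tcp 22 any
HTTP tcp 80 any
HTTPS tcp 443 any
MySQL tcp 3306 203.0.113.10'

# Print, but do not run, the ufw commands that implement RULES.
build_ufw_commands() {
    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"
    echo "$RULES" | while read -r name proto port src; do
        if [ -z "$name" ]; then
            continue
        fi
        if [ "$src" = "any" ]; then
            echo "ufw allow $port/$proto comment '$name'"
        else
            echo "ufw allow from $src to any port $port proto $proto comment '$name'"
        fi
    done
    # --force skips the interactive "may disrupt existing ssh connections" prompt;
    # the SSH allow rule above is already in place at this point.
    echo "ufw --force enable"
}

# Lock-out guard: succeed only if the generated set allows SSH on port 22.
ssh_rule_present() {
    build_ufw_commands | grep -q "^ufw allow 22/tcp"
}

# Apply the generated commands one by one (run as root), echoing each first.
apply_ufw_commands() {
    if ! ssh_rule_present; then
        echo "refusing to apply a rule set with no SSH rule" >&2
        return 1
    fi
    build_ufw_commands | while read -r cmd; do
        echo "+ $cmd"
        sh -c "$cmd"
    done
}

# Default action when run directly: show the commands. Pass --apply to run them.
if [ "${1:-}" = "--apply" ]; then
    apply_ufw_commands
else
    build_ufw_commands
fi
```

Run it without arguments first and compare the output against the table; only then run `sudo sh firewall.sh --apply`. Keeping the rule list in one place makes a later audit ("what exactly is open?") a matter of reading four lines rather than parsing `ufw status` output.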
Enable SSH access for non-root sudo user
Assuming you're still logged in as root and the new user is named `sajad`, copy the root user's `~/.ssh` directory to the new user's home directory.
rsync -avz /root/.ssh/ /home/sajad/.ssh/ && chown -R sajad:sajad /home/sajad/.ssh
This command uses `rsync` to copy the contents of the root user's `.ssh` directory to the target user's `.ssh` directory.

- `-a`: archive mode, which preserves permissions, times, symbolic links, and other data.
- `-v`: verbose mode, which provides detailed output.
- `-z`: compress file data during the transfer.
Open a terminal on your local machine and try SSHing into your server as the non-root sudo user.
ssh sajad@<server-ip>
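The `rsync` one-liner copies everything in `/root/.ssh`, which is fine on a fresh server but on a reused one would also hand the new user root's `known_hosts` and any private keys stored there. The function below is an added example, not part of the original post: it copies only `authorized_keys`, creates the directory with the `700`/`600` modes that sshd's `StrictModes` check expects, and only changes ownership when it is actually running as root and the target user exists. The home directory argument is there so the function can be exercised against a temporary directory; on the server you would call it as `install_authorized_keys sajad /root/.ssh/authorized_keys`.

```shell
#!/bin/sh
# Added example: install root's authorized_keys for a new user with safe
# permissions. Not from the original post.
# Assumptions: run as root on the server; the user's home is /home/<user>
# unless a third argument overrides it (used here for testing).

# install_authorized_keys <user> <source_authorized_keys> [home_dir]
install_authorized_keys() {
    user="$1"
    src="$2"
    home="${3:-/home/$user}"

    if [ ! -f "$src" ]; then
        echo "no such key file: $src" >&2
        return 1
    fi

    # sshd refuses keys in a group- or world-writable ~/.ssh when StrictModes
    # is on (the default), so set the modes explicitly rather than inheriting.
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"

    # Overwrite rather than append: the user's key list becomes exactly the
    # one reviewed for root, nothing more.
    cp "$src" "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"

    # chown needs root and a real account; skip it otherwise (e.g. in a test).
    if [ "$(id -u)" -eq 0 ] && id "$user" >/dev/null 2>&1; then
        chown -R "$user:$user" "$home/.ssh"
    fi
}

# Octal permission bits of a path (GNU stat, as shipped on Ubuntu).
mode_of() {
    stat -c %a "$1"
}

# Number of key lines installed for a user (ignores blank lines and comments).
key_count() {
    grep -c -v '^[[:space:]]*\(#\|$\)' "$1/.ssh/authorized_keys"
}
```

After running it, `mode_of /home/sajad/.ssh` should print `700` and `mode_of /home/sajad/.ssh/authorized_keys` should print `600`; if a later login as `sajad` is still refused, `sudo sshd -T | grep -i strictmodes` and `/var/log/auth.log` are the places to look.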
Setup monitoring service
You’ll want to monitor your server’s resource utilization so that you’re notified if things go wrong or if resources like CPU, RAM or disk space are close to full capacity. For example, Digital Ocean provides this for free.
Create admin & www-data group
If you don't already have an `admin` group, create it:
sudo addgroup admin
Add the user to the group:
sudo usermod -aG admin <user>
Verify the user was added to the group:
getent group <group>
Add the user to the `www-data` group (commonly used with Nginx):
sudo usermod -aG www-data <user>
Log out of the SSH session and log back in so the new groups are picked up.
Bonus: Create SSH alias
Instead of typing `ssh <user>@<server-ip>`, let's make life easier and create an alias so that we can just type `ssh prod` (replace `prod` with whatever makes sense).
On your local machine, edit `~/.ssh/config` and add the following:
Host prod
    Hostname <server-ip>
    User <user>
Now, you should be able to SSH into your server with `ssh prod`.
Bonus: install some tools
sudo apt-get install htop