sajad torkamani

Here are some steps you'll want to take when setting up a fresh Ubuntu production server.

Enable SSH authentication

Copy the public key of the machine you want to use to access your server.

cat ~/.ssh/id_ed25519.pub # will probably called id_rsa.pub on Linux

Login to your server as root. Your cloud provider usually offers a way to do this. Add the public key to the root user's authorized keys in ~/.ssh/authorized_keys.

Now, try SSHing into your server from your local machine.

ssh root@<server-ip>

Create non-root sudo user

adduser sajad

Confirm user was created with getent passwd. New user should appear at the bottom.

Grant administrative privileges

usermod -aG sudo sajad

Setup Firewall

Use ufw or your cloud provider's firewall feature to restrict access to services within your server. If using your cloud provider's firewall, you'll want to disable ufw.

A typical set of inbound rules might look like:

TypeProtocolPort RangeSources
SSHTCP22All IPv4 All IPv6
HTTPTCP80All IPv4 All IPv6
HTTPSTCP443All IPv4 All IPv6
MySQLTCP3306<ip-whitelist>

Enable SSH access for non-root sudo user

Assuming you're still logged in as root and the new user is named sajad, copy the root user's ~/.ssh directory to the new user's home directory.

user=sajad rsync --archive --chown=$user:$user ~/.ssh /home/$user

Open a terminal on your local machine and try SSHing into your server as the non-root sudo user.

ssh sajad@<server-ip>

Bonus: Create SSH alias

Instead of typing ssh <user>@<server-ip>, let's make life easier and create an alias so that we can just type ssh prod (replace prod with whatever makes sense).

On your local machine, edit ~/.ssh/config and add the following:

 Host prod
   Hostname <server-ip>
   User <user>

Now, you should be able to SSH into your server with ssh prod.

Sources

Tagged: Ubuntu