Set up an Ubuntu server for production
Here are some steps you’ll want to take when setting up a fresh Ubuntu production server.
Enable SSH key authentication
Copy the public key of the machine you will use to access your server (generate one with ssh-keygen -t ed25519 if you don't have one yet).
cat ~/.ssh/id_ed25519.pub # called id_rsa.pub if your key is an RSA key
Log in to your server as root. Your cloud provider usually offers a way to do this (a web console, or a root key you uploaded when creating the server). Append the public key to the root user's ~/.ssh/authorized_keys, one key per line. Keep ~/.ssh at mode 700 and authorized_keys at mode 600: sshd ignores key files that other users can write.
Now, try SSHing into your server from your local machine.
ssh root@<server-ip>
Create a non-root sudo user
adduser sajad
Confirm the user was created with getent passwd. The new user should appear at the bottom.
Grant administrative privileges
usermod -aG sudo sajad
Check the user is now in the sudo group:
getent group sudo
Set up a firewall
Use ufw or your cloud provider's firewall to restrict access to the services on your server. If you use the cloud provider's firewall, disable ufw so you are not maintaining two rule sets. If you use ufw, allow SSH before you enable it, otherwise you lock yourself out of the server.
A typical set of inbound rules might look like:

| Type  | Protocol | Port Range | Sources            |
|-------|----------|------------|--------------------|
| SSH   | TCP      | 22         | All IPv4, All IPv6 |
| HTTP  | TCP      | 80         | All IPv4, All IPv6 |
| HTTPS | TCP      | 443        | All IPv4, All IPv6 |
| MySQL | TCP      | 3306       | <ip-whitelist>     |

Where you can, restrict the SSH source to the addresses you administer from; if it has to stay open to everyone, expect constant password-guessing attempts, which is one more reason to allow key authentication only. Anything that is not a public service (databases, caches, admin panels) should be reachable only from whitelisted addresses, or not exposed at all.
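The same rule table expressed as a ufw script, as an added example that is not part of the original post. The rule table, the function names and the MySQL whitelist address 203.0.113.10 (a placeholder from the documentation address range) are assumptions; replace the address with the hosts that actually need database access. Without arguments the script only prints the ufw commands it would run, so you can review them; with --apply, run as root, it sets the default policy, adds the rules with SSH first, and enables the firewall.

```shell
#!/bin/sh
# Added example, not from the original post: turns the inbound rule table into ufw rules.
# 203.0.113.10 is a placeholder whitelist address (documentation range); replace it.
# Run with --apply as root to actually change the firewall.
set -eu

# One rule per line: "port proto source". "any" means all IPv4 and IPv6 sources.
RULES='22 tcp any
80 tcp any
443 tcp any
3306 tcp 203.0.113.10'

# ufw_args PORT PROTO SOURCE: print the arguments that `ufw allow` needs for one rule.
ufw_args() {
  if [ "$3" = any ]; then
    printf '%s/%s\n' "$1" "$2"
  else
    printf 'from %s to any port %s proto %s\n' "$3" "$1" "$2"
  fi
}

# each_rule CMD: call CMD with PORT PROTO SOURCE for every rule in the table.
each_rule() {
  printf '%s\n' "$RULES" | while read -r port proto src; do
    [ -n "$port" ] || continue
    "$1" "$port" "$proto" "$src"
  done
}

# render_rules: print the ufw commands that would be run, for review before applying.
render_rule() { printf 'ufw allow %s\n' "$(ufw_args "$@")"; }
render_rules() { each_rule render_rule; }

# apply_rules: deny everything inbound by default, add the table's rules (SSH comes first,
# so the session you are working from survives), then enable ufw and show the result.
apply_rule() { ufw allow $(ufw_args "$@"); }   # unquoted on purpose: the args must word-split
apply_rules() {
  ufw default deny incoming
  ufw default allow outgoing
  each_rule apply_rule
  ufw --force enable
  ufw status verbose
}

if [ "${1:-}" = --apply ]; then
  apply_rules
else
  render_rules
fi
```

Review the output of a plain run first; the --apply path enables ufw with --force, which skips the interactive "may disrupt existing ssh connections" prompt, so the SSH rule must already be in the table when you run it.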
Enable SSH access for the non-root sudo user
Assuming you're still logged in as root and the new user is named sajad, copy the root user's ~/.ssh directory to the new user's home directory and give them ownership of it.
user=sajad; rsync --archive --chown=$user:$user ~/.ssh /home/$user
Note the semicolon: written as user=sajad rsync ..., the variable would only be set in rsync's environment and the $user in the arguments would expand to nothing.
Open a terminal on your local machine and try SSHing into your server as the non-root sudo user.
ssh sajad@<server-ip>
Once that works, disable root logins and password authentication in /etc/ssh/sshd_config (PermitRootLogin no, PasswordAuthentication no), check the file with sshd -t and reload sshd. Keep your current session open until you've confirmed that a fresh login as the sudo user still works.
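A script for the sshd hardening step, as an added example that is not part of the original post. The function names and the option list are assumptions; the settings are the ones the setup above relies on (key-only logins as the non-root user). Each function takes the config file path as an argument so you can try it on a copy first. Ubuntu's default sshd_config pulls in /etc/ssh/sshd_config.d/*.conf and sshd uses the first value it sees for an option, so after applying, confirm the effective values with sshd -T | grep -iE 'permitrootlogin|passwordauthentication' rather than trusting the file alone.

```shell
#!/bin/sh
# Added example, not from the original post: hardens an sshd_config so that only
# key-based logins remain possible. Function names and option list are assumptions.
set -eu

# set_sshd_option FILE KEY VALUE: drop every active or commented-out KEY line, then append "KEY VALUE".
set_sshd_option() {
  cfg=$1 key=$2 val=$3
  tmp=$(mktemp)
  grep -Ev "^[#[:space:]]*$key([[:space:]]|$)" "$cfg" > "$tmp" || true
  printf '%s %s\n' "$key" "$val" >> "$tmp"
  cat "$tmp" > "$cfg"   # write through the original file to keep its owner and mode
  rm -f "$tmp"
}

# get_sshd_option FILE KEY: print the value of the active KEY line (empty if unset).
get_sshd_option() {
  awk -v k="$2" '$1 == k { print $2 }' "$1"
}

# harden_sshd FILE: no root logins, no passwords, keys only.
harden_sshd() {
  set_sshd_option "$1" PermitRootLogin no
  set_sshd_option "$1" PasswordAuthentication no
  set_sshd_option "$1" KbdInteractiveAuthentication no
  set_sshd_option "$1" PubkeyAuthentication yes
}

# With --apply: back up the live config, edit it, syntax-check it and reload sshd.
# Keep your current session open and test a fresh login before closing it.
if [ "${1:-}" = --apply ]; then
  cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
  harden_sshd /etc/ssh/sshd_config
  sshd -t && systemctl reload ssh
fi
```

sshd -t only checks syntax; the reload is what makes the change live, and if the check fails the old configuration stays in place, which is why the two are chained with &&.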
Set up a monitoring service
You'll want to monitor your server's resource utilization so that you're notified when things go wrong, or when CPU, RAM or disk space are close to full capacity. For example, DigitalOcean provides this for free.
Bonus: Create an SSH alias
Instead of typing ssh <user>@<server-ip>, let's make life easier and create an alias so that we can just type ssh prod (replace prod with whatever makes sense).
On your local machine, edit ~/.ssh/config and add the following:
Host prod
    Hostname <server-ip>
    User <user>
Now you should be able to SSH into your server with ssh prod. Keep ~/.ssh/config at mode 600: ssh refuses to read it if other users can write to it.
Bonus: install some tools
sudo apt-get install htop