In one of my previous posts I covered what I consider to be the initial steps one should take when setting up a Debian (or any other Linux) server, either self-hosted on bare metal or on a VPS in the cloud.

Things have changed a bit since then, and I thought it would be a good idea to share my thoughts in the form of a guide and expand it a bit.

Setup considerations

When you set up your server in the cloud, regardless of the provider of your choice, you usually have the option to either upload your ssh key for authorization or set a password for the root user. In the latter case the password is sometimes generated by the cloud provider and sent to you by e-mail.

Although it might seem less secure at first glance, I recommend setting up a password login for the root user instead of ssh keys. We will only need the password for the first login, because we will then create another user with sudo privileges and disable the root user anyway. We can also configure ssh key authorization later if needed.

I do not think it is good practice to have the root user enabled on a Linux server. I see a lot of guides and videos nowadays where people use the highly privileged root user even for casual stuff like coding and pushing their code to GitHub. According to the principle of least privilege, this is really not a secure way of doing things.

First login

When you log in to your box for the first time as root, the very first thing you want to do is create a new, unprivileged user that we will add to the sudo group in order to execute administrative commands.

Create a new user and add it to the sudo group

sudo adduser evgeni

Make sure to use a good password. If you use a password manager like I do, it costs you nothing to use very long and complex random passwords of 64 characters or more.

sudo adduser evgeni sudo

This will add the new user to the sudo group. After this, you will not need the root user anymore.

Log in with the normal user and lock root access

Log out and log back in using your newly created user.

Then run the following command to lock the root account:

sudo usermod --lock root

From this point on, we will be using the normal user and running root commands with the sudo prefix.

Install a firewall and open a hole for ssh

If you are running a server that is accessible from the internet, like a virtual machine on Digital Ocean or Linode, for example, it is a good idea to install a firewall at this point, before anything else. You have a few choices, but the easiest one is to go with ufw. Let's install it first:

sudo apt-get install ufw

Firewall configuration

Configuring the ufw firewall is really easy. If you are using ssh to access your virtual machine, you want to open a hole for the ssh port like this:

sudo ufw allow 22/tcp

Now the firewall can be enabled:

sudo ufw enable
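The steps from "First login" down to enabling the firewall form one procedure, and the order matters: root must not be locked until the new account is known to work, and ufw must not be enabled until the ssh rule is in. The script below is an added example and not part of the original post; the file name first-login.sh is hypothetical, the user name evgeni is the one used above, and the port defaults to 22. It splits the procedure into a setup step run as root and a lock-root step that is run through sudo from the new user, so that the lock step itself proves the new account can administer the box.

```shell
#!/bin/sh
# first-login.sh (hypothetical name) walks the first-login steps in the same
# order as the post, with a check after each one.
#   1. as root:              sh first-login.sh setup evgeni
#   2. as evgeni, via sudo:  sudo sh first-login.sh lock-root
# Step 2 succeeding through sudo is the proof that the new account works,
# so root is never locked before that is known.
set -eu

SSH_PORT="${SSH_PORT:-22}"   # port to open in ufw; change it if sshd listens elsewhere

# --- pure helpers (no root needed; these are what the tests exercise) ---------

# user_in_group "<output of: id -nG USER>" GROUP -> true if GROUP is listed
user_in_group() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -qx -- "$2"
}

# ufw_rule_added "<output of: ufw show added>" PORT -> true if "ufw allow PORT/tcp" is present.
# 'ufw status' lists no rules while the firewall is still inactive, so this
# report is the one to read before running 'ufw enable'.
ufw_rule_added() {
    printf '%s\n' "$1" | grep -qx -- "ufw allow $2/tcp"
}

# account_locked "<output of: passwd -S USER>" -> true if the status field is L or LK
account_locked() {
    status=$(printf '%s\n' "$1" | awk '{print $2}')
    [ "$status" = "L" ] || [ "$status" = "LK" ]
}

die() { echo "error: $*" >&2; exit 1; }

# --- step 1: new admin user and firewall, run as root --------------------------
setup() {
    user="$1"
    [ "$(id -u)" -eq 0 ] || die "setup must run as root"
    command -v sudo >/dev/null 2>&1 || apt-get install -y sudo   # minimal Debian images lack sudo
    id "$user" >/dev/null 2>&1 || adduser --gecos "" "$user"     # prompts for the password
    user_in_group "$(id -nG "$user")" sudo || adduser "$user" sudo
    user_in_group "$(id -nG "$user")" sudo || die "$user is not in the sudo group"

    apt-get install -y ufw
    ufw allow "$SSH_PORT/tcp"
    ufw_rule_added "$(ufw show added)" "$SSH_PORT" || die "ssh rule missing, refusing to enable ufw"
    ufw --force enable   # --force skips the interactive confirmation prompt
    echo "now log out, log in as $user and run: sudo sh $0 lock-root"
}

# --- step 2: lock root, run through sudo from the new user -------------------
lock_root() {
    [ "$(id -u)" -eq 0 ] || die "run this through sudo"
    [ -n "${SUDO_USER:-}" ] && [ "$SUDO_USER" != root ] || die "run this as the new user via sudo, not as root"
    usermod --lock root
    account_locked "$(passwd -S root)" || die "root is not reported as locked"
    echo "root password locked; use sudo from now on"
}

case "${1:-}" in
    setup)     [ $# -eq 2 ] || die "usage: $0 setup USERNAME"; setup "$2" ;;
    lock-root) lock_root ;;
    "")        ;;   # no arguments: only define the functions (lets the file be sourced or tested)
    *)         die "usage: $0 setup USERNAME | lock-root" ;;
esac
```

Two things worth knowing when you run this. usermod --lock only locks the root password; if your provider installed an ssh key for root, key-based root login keeps working until PermitRootLogin is set to no in sshd_config, which is the next step in the post. And if you ever do lock yourself out of sudo, a root console from the provider's control panel is the way back in, since a locked account can still be unlocked with usermod --unlock root.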

Check ssh configuration and disable root remote access

Next it is a good idea to check the sshd_config file and disable root login there as well.

Pro tip: instead of sudo nano, use the sudoedit command to edit config files. To use an editor of your choice, set the environment variable: export EDITOR=micro. I like to use micro for editing, but feel free to change it to any editor you prefer.

So in case you are using Debian:

sudoedit /etc/ssh/sshd_config

Make sure that the root login is disabled:

PermitRootLogin no
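Reading the file by eye is not always enough to know what sshd will actually do: the first occurrence of a keyword wins, a line that starts with # is only the documented default and sets nothing, an Include directive (Debian 12 puts one at the very top of sshd_config) pulls in drop-in files that can win over your edit, and a keyword under a Match block applies only to that match. The following script is an added example, not from the post; the file name sshd-check.sh is hypothetical, and it resolves relative Include paths under /etc/ssh as sshd does.

```shell
#!/bin/sh
# sshd-check.sh (hypothetical name): print the value sshd will actually use
# for a keyword, following the rules in sshd_config(5): the first occurrence
# wins, "Include" pulls other files in at that point, and anything under a
# "Match" block applies only conditionally, so it never sets the global value.
set -eu

SSHD_CONFIG_DIR="${SSHD_CONFIG_DIR:-/etc/ssh}"   # relative Include paths resolve here

# sshd_global_value FILE KEYWORD -> prints the effective global value, or nothing if unset
sshd_global_value() {
    local file key line word pat inc v
    file="$1"
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')     # keywords are case-insensitive
    [ -r "$file" ] || return 0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                          # drop comments (including commented-out defaults)
        set -f; set -- $line; set +f              # split into words without glob expansion
        [ $# -ge 1 ] || continue
        word=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
        case "$word" in
            match) return 0 ;;                    # conditional section starts: the global part is over
            include)
                shift
                for pat in "$@"; do
                    case "$pat" in /*) ;; *) pat="$SSHD_CONFIG_DIR/$pat" ;; esac
                    for inc in $pat; do           # unquoted on purpose: expands the glob
                        v=$(sshd_global_value "$inc" "$key")
                        if [ -n "$v" ]; then printf '%s\n' "$v"; return 0; fi
                    done
                done ;;
            "$key") shift; printf '%s\n' "$*"; return 0 ;;
        esac
    done < "$file"
}

# root_login_disabled FILE -> true only if the effective PermitRootLogin is "no"
root_login_disabled() {
    [ "$(sshd_global_value "$1" PermitRootLogin)" = "no" ]
}

report() {
    local cfg k v
    cfg="$1"
    for k in PermitRootLogin PasswordAuthentication Port; do
        v=$(sshd_global_value "$cfg" "$k")
        printf '%-22s %s\n' "$k" "${v:-(not set: sshd built-in default applies)}"
    done
    # the authoritative answer comes from sshd itself; it needs root to read the host keys
    if [ "$(id -u)" -eq 0 ] && command -v sshd >/dev/null 2>&1; then
        sshd -T -f "$cfg" | grep -Ei '^(permitrootlogin|passwordauthentication|port) ' || true
    fi
}

[ $# -eq 0 ] || report "$1"      # usage: sudo sh sshd-check.sh /etc/ssh/sshd_config
```

When the effective value comes back as "not set", sshd's own built-in default applies, which for PermitRootLogin on current OpenSSH is prohibit-password (keys yes, password no); that is why the explicit "PermitRootLogin no" matters, and why "sudo sshd -T" on the server is the final word once you have edited the file. Remember that sshd only reads the file at start, so restart or reload the service after the change.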

Update the system

sudo apt-get update && sudo apt-get upgrade -y

Login with ssh keys

This step is optional, but using ssh keys will make it much easier to manage your boxes, especially if you have a lot of servers.

There is a utility on Linux called ssh-copy-id which copies your ssh public key to the server hassle-free.

ssh-copy-id user@server.com

It will prompt for your password, and after you enter it, from then on you can log in using ssh user@server.com without entering a password.

However, sudo will still ask for your password when you execute commands, so keep your password manager open :)
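The ssh-copy-id step above is easy to get almost right: the key gets copied, but the login silently falls back to the password, typically because ~/.ssh or authorized_keys on the server ended up group- or world-writable, which sshd's StrictModes (on by default) refuses. This added example, not from the post, generates a key, installs it with ssh-copy-id and then attempts a key-only login while the password login is still available as a fallback; the file name ssh-key-setup.sh is hypothetical and user@server.com is the placeholder from above.

```shell
#!/bin/sh
# ssh-key-setup.sh (hypothetical name): generate a key, install it with
# ssh-copy-id, and prove that key-only login works before relying on it.
# Usage: sh ssh-key-setup.sh user@server.com
set -eu

KEY="${KEY:-$HOME/.ssh/id_ed25519}"

# path_not_writable_by_others PATH -> true unless group or others may write it
# (this is the check sshd's StrictModes applies to ~/.ssh and authorized_keys)
path_not_writable_by_others() {
    [ -e "$1" ] || return 1
    [ -z "$(find "$1" -prune \( -perm -g+w -o -perm -o+w \) -print)" ]
}

# ssh_dir_ok DIR -> true if DIR and DIR/authorized_keys would pass StrictModes;
# run it on the server as the login user: ssh_dir_ok ~/.ssh
ssh_dir_ok() {
    path_not_writable_by_others "$1" && path_not_writable_by_others "$1/authorized_keys"
}

# make_key: an ed25519 key; -a 100 raises the KDF rounds protecting the passphrase
make_key() {
    [ -f "$KEY" ] || ssh-keygen -t ed25519 -a 100 -f "$KEY"
}

# install_and_verify user@server -> copy the public half over, then try a login
# that is not allowed to fall back to the password
install_and_verify() {
    target="$1"
    ssh-copy-id -i "$KEY.pub" "$target"           # prompts for the account password once
    if ssh -i "$KEY" -o BatchMode=yes -o PasswordAuthentication=no \
           -o PreferredAuthentications=publickey "$target" true; then
        echo "key login to $target works"
    else
        echo "key login failed; the password still works, so run ssh_dir_ok ~/.ssh on the server" >&2
        return 1
    fi
}

case "${1:-}" in
    "") ;;                                        # no arguments: only define the functions
    *)  make_key; install_and_verify "$1" ;;
esac
```

BatchMode=yes is what makes the verification honest: with it ssh never prompts, so a success means the key was accepted and a failure means you have not yet lost the password login you would need to fix things.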

Enable unattended upgrades

I highly recommend enabling unattended upgrades. I covered it in one of my previous posts.

Final words

Now your server is set up and ready to use.
Make sure to open the holes in the ufw firewall for all the services you want to be accessible from the outside.