Dcapedcode

Setting Up a Secure, Production-Ready Server (Ubuntu) - Part 1

This guide shows you how I set up my production-ready server. While cloud providers offer many free tools, I prefer the control and cost savings of self-hosting. You're free to use whatever tools you prefer. My goal is to maintain full control and minimize costs. While free hosting options exist for smaller projects, scaling on cloud providers can eventually become expensive.

This will be a bae setup that i do for all my servers.

Step 1 - Securing the server

We are going to generate an SSH key, create a new user, disable root login, and secure SSH

Generating SSH key

If you don't have an SSH key, you will have to generate one. I have a tutorial here that can help with that: Generate SSH key (Linux).

Setting Up a New User

Time to set up a new user so we don't have to use the root user when logging into the server.

We will be connecting to the server by using SSH. Run this on the machine that you will be using to SSH into the new server:

ssh root@IP_OF_SERVER

You will be prompted to input the root password for the server.

When we are in, it's time to set up a new user. Make sure to update the username to be what you desire.

# Enter a strong password when prompted
adduser USERNAME

Add the user to the sudo group:

usermod -aG sudo USERNAME

Copy SSH key to server

Now we have a new user, and we can copy over the SSH key so we can disable password-based logins. I have a tutorial that shows this in more detail. You can find it here: Copy SSH key to server (Linux).

Securing SSH

To secure SSH access to your server, we need to perform several configurations. All these settings will be happening in the file /etc/ssh/sshd_config

1. Disable root login

This prevents the root user from logging in directly, which is a common target for attackers.

PermitRootLogin no
/etc/ssh/sshd_config

2. Disable passworded logins

Only allow logins using SSH keys, which are more secure.

PasswordAuthentication no
/etc/ssh/sshd_config

3. Enable pub key authentication

Ensure this setting is enabled.

PubkeyAuthentication yes
/etc/ssh/sshd_config

4. Change default port

Changing the SSH port reduces the risk of automated attacks.

Port 1000
/etc/ssh/sshd_config

Note: You will need to specify the port when connecting via SSH using the -p flag.

5. Automatic session timeout

Set up automatic disconnection after inactivity.

ClientAliveInterval 300
ClientAliveCountMax 1
/etc/ssh/sshd_config

6. Enable User for SSH

Allow only specific users to connect via SSH.

AllowUsers USERNAME
/etc/ssh/sshd_config

7. Automatic disconnects in case of incorrect login

Disconnect after a set number of failed login attempts.

MaxAuthRetries 2
/etc/ssh/sshd_config

8. Apply the new settings

To active the settings we will need to restart the SSH service, before you do this we can check for configuration errors:

sshd -t

If we don't have any errors we can go ahead and restart the sshd service.

systemctl restart sshd

Step 2 - Installing packages and docker

Now it's time to install packages and Docker.

1 . Ensure that we have latest upgrades

sudo apt-get update && sudo apt-get upgrade

2. Lets install some basic packages

  • apt-transport-https: This package enables the use of HTTPS for accessing software repositories.
  • ca-certificates: This package contains a collection of trusted Certificate Authority (CA) certificates.
  • *curl: This is a command-line tool for transferring data using various network protocols, including HTTP and HTTPS.
  • gnupg-agent: This is a daemon (a background process) that manages your GPG (GNU Privacy Guard) key.
  • software-properties-common: This package provides tools for managing software repositories, particularly those added via PPAs (Personal Package Archives).
sudo apt-get install -y apt-transport-https  \
ca-certificates \
curl \
gnupg-agent \
software-properties-common

3. Create keyrings directory

sudo install -m 0755 -d /etc/apt/keyrings

4. Install Docker

First, let's add the official Docker repository:

curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu \
  $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update

Now its time to install docker!

sudo apt-get -y install docker-ce \
docker-ce-cli \
containerd.io \
docker-buildx-plugin \
docker-compose-plugin

Let's add the user to the docker group:

sudo usermod -aG docker USERNAME

And let's start the Docker service:

sudo systemctl enable docker
sudo systemctl start docker

Step 3 - Finale!

Lets end this guide by rebooting our machine

sudo reboot

Bonus! - Cloud-init Config

We don't have to do this for all of the servers that we want to create. We can also create something that is called a Cloud-init config, and we can use this config to automate all these steps when creating the server! I'm not going to go into detail for everything. I'm just going to leave this here for you to use, but make sure to update the values that need updating.

users:
 - name: SET_USERNAME_HERE # Update with correct username
    ssh_authorized_keys:
      - "SET_SSH_PUB_KEY_HERE" # Update with correct SSH public key
    sudo: ALL=(ALL:ALL) ALL
    groups: sudo
    shell: /bin/bash
    
chpasswd:
  expire: true
  users:
    - name: SET_USERNAME_HERE # Update with correct username
      password: SET_SECURE_PASSWORD_HERE # Update with correct password
      type: text


runcmd:
  - sed -i '/PermitRootLogin/d' /etc/ssh/sshd_config
  - echo "PermitRootLogin no" >> /etc/ssh/sshd_config
  - sed -i '/PubkeyAuthentication/d' /etc/ssh/sshd_config
  - echo "PubkeyAuthentication yes" >> /etc/ssh/sshd_config
  - sed -i '/PasswordAuthentication/d' /etc/ssh/sshd_config
  - echo "PasswordAuthentication no" >> /etc/ssh/sshd_config
  - sed -i '/ClientAliveInterval/d' /etc/ssh/sshd_config
  - echo "ClientAliveInterval 300" >> /etc/ssh/sshd_config
  - sed -i '/ClientAliveCountMax/d' /etc/ssh/sshd_config
  - echo "ClientAliveCountMax 1" >> /etc/ssh/sshd_config
  - if grep -q '^AllowUsers' /etc/ssh/sshd_config; then sed -i 's/^AllowUsers.*/AllowUsers SET_USERNAME_HERE/' /etc/ssh/sshd_config; else echo "AllowUsers SET_USERNAME_HERE" >> /etc/ssh/sshd_config; fi # Update with correct username
  - sed -i '/MaxAuthTries/d' /etc/ssh/sshd_config
  - echo "MaxAuthTries 2" >> /etc/ssh/sshd_config
  - sed -i '/Port/d' /etc/ssh/sshd_config
  - echo "Port 1000" >> /etc/ssh/sshd_config
  - systemctl restart sshd
  - echo "\$nrconf{kernelhints} = -1;" > /etc/needrestart/conf.d/99disable-prompt.conf
  - apt update
  - apt upgrade -y --allow-downgrades --allow-remove-essential --allow-change-held-packages
  - apt install -y apt-transport-https ca-certificates curl gnupg-agent software-properties-common
  - sudo install -m 0755 -d /etc/apt/keyrings
  - curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add -
  - add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable"
  - apt update
  - apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
  - usermod -aG docker SET_USERNAME_HERE # Update with correct username
  - systemctl enable docker
  - systemctl start docker
  - reboot

Conclusion

By following this guide, you've set up a secure, production-ready server named Nexus. You've secured SSH access, created a new user with sudo privileges, and installed Docker to manage your applications. This setup provides a solid foundation for hosting your services. With complete control over your server and minimized costs, you're now ready to scale your projects efficiently.