Update
This how-to guide is essentially unfinished. Reason? Systemd. Once I realized that Ubuntu 16.04 was using systemd as the init system, I decided to start looking at other operating systems to use for my servers. If you care about this sort of thing, I've written down my reasons for doing so.
Original Post
This post will list the steps I took to set up an Ubuntu 16.04 LTS (16.04 LTS) virtual private server (VPS). As 16.04 hasn't actually been released yet, I had to do some extra work to get this going.
Install Ubuntu 15.10
First we'll install Ubuntu 15.10. After that is installed, we will immediately upgrade to 16.04 LTS via apt.
Upgrade Ubuntu 15.10 to Ubuntu 16.04 LTS
Upgrading to the unreleased version of Ubuntu's LTS was not difficult, but it did require some specialized knowledge of how Ubuntu works. Below, I've listed the steps I took to get 16.04 LTS on my server.
Modify sources.list
- Edit /etc/apt/sources.list and change the URLs to point to an official 16.04 mirror.
  - e.g. I changed all lines in my /etc/apt/sources.list file from mirrors.digitalocean.com to us.archive.ubuntu.com, because I get faster speeds from the US mirrors
- Save the file and exit /etc/apt/sources.list.
- Begin the upgrade process by executing the command do-release-upgrade -d. [1]
Read carefully and follow instructions. Once the upgrade is complete you'll be asked to reboot, do so.
Install any software you'll need
After you upgrade and reboot, the first login to your new 16.04 LTS system is a good time to install any software you believe you may need. I like to install zsh and htop. It is also the time to uninstall any software you don't think is necessary to the functioning of a server. I removed laptop-detect and os-prober.
Add a new user
Run the following command and fill out the information requested. Remember to choose a secure password and add the user to the wheel group so that they can get admin privileges with sudo.
adduser USERNAME
Setup SSH keys for logging into the remote server
After that's all done, create an SSH key on your local machine. After creating this SSH key we'll copy it to your server. You will be asked to enter a password when creating your SSH keys. Be aware that one is not necessary, and as long as no one else has access to your private key, access will be secure. If you don't wish to add a password for your ssh key, you may hit enter and not type any passwords when prompted.
ssh-keygen -b 4096 -t rsa
scp ~/.ssh/id_rsa.pub USERNAME@REMOTE_SERVER:~
ssh USERNAME@REMOTE_SERVER
You should now be prompted to enter the password for the user you created with adduser on the REMOTE_SERVER. After entering the correct password, you'll be logged in to the remote server. Now we'll copy your ssh pubkey to your remote user's list of authorized keys. This will allow you to use pubkey authentication to log into the server.
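mkdir -p -m 700 ~/.ssh                        # a freshly created user has no ~/.ssh yet
cat ~/id_rsa.pub >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys              # sshd rejects key files other users can write to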
exit
Test SSH keys
To test that this was successful, try to log in to the remote server again. If you created an SSH key without a password, you will be logged in automatically. If you created an SSH key password, enter the password and you will be logged in.
ssh USERNAME@REMOTE_SERVER
If this was successful we'll change some server-side SSH settings to improve security, such as preventing logins by the root user.
Change SSH port number
To make it harder for random scanners to pick up my server, I always change the default SSH port. It is insane how many cracking attempts I avoid by simply not using the default SSH port. If you wish to change the default SSH port as well, edit the /etc/ssh/sshd_config file and change the Port directive. I've also modified the other lines listed below.
Port SSH_PORT
LoginGraceTime 25
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
After making the changes reload the ssh server and check to see that it's listening on our new port.
sudo systemctl restart ssh
sudo systemctl status ssh
You should see output similar to the following:
REMOTE_SERVER sshd: Server listening on 0.0.0.0 port SSH_PORT.
REMOTE_SERVER sshd: Server listening on :: port SSH_PORT.
Now all that's left is to open another terminal on your local computer and verify that you can, in fact, ssh into your remote server.
ssh -p SSH_PORT USERNAME@REMOTE_SERVER
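The following is an added example, not part of the original post: a shell function that audits an sshd_config file against the five settings listed above, so a stray or duplicated directive is caught before it matters. The function name check_sshd_config and the sample file are constructed for illustration; it assumes whitespace-separated "Keyword value" lines and only inspects the global section before any Match block.

```bash
#!/usr/bin/env bash
# Audit the global section of an sshd_config against this guide's settings.
# Keywords are case-insensitive and sshd keeps the FIRST value it reads for a
# keyword; Port is the exception (every Port line adds a listener).
check_sshd_config() {                       # usage: check_sshd_config FILE
  awk '
    BEGIN {
      want["logingracetime"] = "25"
      want["permitrootlogin"] = "no"
      want["passwordauthentication"] = "no"
      want["x11forwarding"] = "no"
    }
    /^[ \t]*(#|$)/ { next }                 # comments and blank lines
    { key = tolower($1); val = tolower($2) }
    key == "match" { exit }                 # conditional blocks are out of scope
    key == "port"  { ports++; if (val == "22") default_port = 1; next }
    !(key in seen) { seen[key] = val }      # first occurrence wins
    END {
      bad = 0
      for (k in want) {
        got = (k in seen) ? seen[k] : "(unset)"
        if (got != want[k]) { printf "FAIL %s: want %s, got %s\n", k, want[k], got; bad = 1 }
      }
      if (!ports || default_port) { print "FAIL port: sshd still listens on 22"; bad = 1 }
      exit bad
    }
  ' "$1"
}

# Constructed sample: looks hardened at the bottom, but the earlier
# "passwordauthentication yes" line is the one sshd actually uses.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 2222
LoginGraceTime 25
PermitRootLogin no
passwordauthentication yes
X11Forwarding no
PasswordAuthentication no
EOF
check_sshd_config "$sample" || echo "config does not match the guide"
rm -f "$sample"
```

On the server itself, point the function at /etc/ssh/sshd_config; it returns 0 and prints nothing when every directive matches.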
Set up firewall rules [2]
sudo ufw allow SSH_PORT/tcp
Install web server
sudo aptitude install nginx openssl
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
Strengthen the security of your web server by obtaining an SSL cert and following the instructions at weakdh.org.
List of files edited
/etc/ssh/sshd_config
/etc/nginx/nginx.conf
[1] The -d flag will look for development releases as well, which, as of writing, the unreleased Ubuntu 16.04 LTS is.
[2] Replace SSH_PORT with the actual port that you are using for openssh.