Set up an Ubuntu 16.04 LTS (Xenial Xerus) virtual private server

Posted by Orville Bennett on February 9, 2016

Update

This how-to guide is essentially unfinished. Reason? Systemd. Once I realized that Ubuntu 16.04 was using systemd as the init system, I decided to start looking at other operating systems to use for my servers. If you care about this sort of thing, I’ve written down my reasons for doing so.

Original Post

This post will list the steps I took to set up an Ubuntu 16.04 LTS (16.04 LTS) virtual private server (VPS). As 16.04 hasn’t actually been released yet, I had to do some extra work to get this going.

Install Ubuntu 15.10

First we’ll install Ubuntu 15.10. After that is installed, we will immediately upgrade to 16.04 LTS via apt.

Upgrade Ubuntu 15.10 to Ubuntu 16.04 LTS

Upgrading to the unreleased version of Ubuntu’s LTS was not difficult, but it did require some specialized knowledge of how Ubuntu works. Below, I’ve listed the avenue I took to get 16.04 LTS on my server.

Modify sources.list

  1. Edit /etc/apt/sources.list and change the URLs to point to an official 16.04 mirror.
    • e.g. I changed all lines in my /etc/apt/sources.list file from mirrors.digitalocean.com to us.archive.ubuntu.com — because I get faster speeds from the US mirrors
  2. Save the file and exit /etc/apt/sources.list.
  3. Begin the upgrade process by executing the command do-release-upgrade -d. [1]

Read the prompts carefully and follow the instructions. Once the upgrade is complete you’ll be asked to reboot; do so.

Install any software you’ll need

After you upgrade and reboot, the first login to your new 16.04 LTS system is a good time to install any software you believe you may need. I like to install zsh and htop. It is also time to uninstall any software you don’t think is necessary to the functioning of a server. I removed laptop-detect and os-prober.

Add a new user

Run the following command and fill out the information requested. Remember to choose a secure password and add the user to the wheel group so that they can get admin privileges with sudo.

adduser USERNAME

Setup SSH keys for logging into the remote server

After that’s all done, create an SSH key on your local machine. After creating this SSH key we’ll copy it to your server. You will be asked to enter a password when creating your SSH keys. Be aware that one is not necessary, and as long as no one else has access to your private key, access will be secure. If you don’t wish to add a password for your ssh key, you may hit enter and not type any passwords when prompted.

ssh-keygen -b 4096 -t rsa
scp ~/.ssh/id_rsa.pub USERNAME@REMOTE_SERVER:~
ssh USERNAME@REMOTE_SERVER

You should now be prompted to enter the password for the user you created with adduser on the REMOTE_SERVER. After entering the correct password, you’ll be logged in to the remote server. Now we’ll copy your ssh pubkey to your remote user’s list of authorized keys. This will allow you to use pubkey authentication to log into the server.

mkdir -p ~/.ssh && chmod 700 ~/.ssh
cat ~/id_rsa.pub >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
exit

Test SSH keys

To test that this was successful, try to log in to the remote server again. If you created an SSH key without a password, you will be logged in automatically. If you created an SSH key password, enter the password and you will be logged in.

ssh USERNAME@REMOTE_SERVER

If this was successful we’ll change some server-side SSH settings to improve security, such as preventing logins by the root user.

Change SSH port number

To make it harder for random scanners to pick up my server, I always change the default SSH port. It is insane how many cracking attempts I avoid by simply not using the default SSH port. If you wish to change the default SSH port as well, edit the /etc/ssh/sshd_config file and change the Port directive. I’ve also modified the other lines listed below.

Port SSH_PORT
LoginGraceTime 25
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no

After making the changes, restart the SSH server and check that it’s listening on the new port.

sudo systemctl restart ssh
sudo systemctl status ssh

You should see output similar to the following:

REMOTE_SERVER sshd: Server listening on 0.0.0.0 port SSH_PORT.
REMOTE_SERVER sshd: Server listening on :: port SSH_PORT.

Now all that’s left is to open another terminal on your local computer and verify that you can, in fact, ssh into your remote server.

ssh -p SSH_PORT USERNAME@REMOTE_SERVER
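
The directives set in /etc/ssh/sshd_config above can also be checked mechanically before the server is restarted. The script below is an added example, not part of the original post; the function names and the sample file are made up for illustration, and it assumes plain "Keyword value" lines with no Include directives.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config file against
# the directives set in this post. Assumes "Keyword value" lines and no Include.

# Print all values of KEYWORD (lowercase) found before the first Match block.
sshd_values() {  # usage: sshd_values FILE KEYWORD
    awk -v want="$2" '
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        tolower($1) == "match" { exit }      # Match blocks are conditional; END still runs
        tolower($1) == want { vals = vals sep tolower($2); sep = " " }
        END { print vals }
    ' "$1"
}

# Print one line per deviation; return 1 if there is any, 0 otherwise.
audit_sshd_config() {  # usage: audit_sshd_config FILE
    rc=0
    while read -r key want; do
        got=$(sshd_values "$1" "$key")
        case $want in
            not:*)  # Port may be repeated; sshd listens on every port listed
                case " $got " in
                    "  " | *" ${want#not:} "*) ;;   # unset, or unwanted value present
                    *) continue ;;
                esac ;;
            *)      # for other keywords sshd uses the first value it reads
                got=${got%% *}
                if [ "$got" = "$want" ]; then continue; fi ;;
        esac
        echo "FINDING: $key is '${got:-unset}', expected $want"
        rc=1
    done <<'EOF'
port not:22
logingracetime 25
permitrootlogin no
passwordauthentication no
x11forwarding no
EOF
    return "$rc"
}

# Constructed sample: the later "PermitRootLogin no" does not override the first.
sample=$(mktemp)
printf '%s\n' 'Port 2222' 'LoginGraceTime 25' 'PermitRootLogin yes' \
    '#PasswordAuthentication no' 'X11Forwarding no' 'PermitRootLogin no' >"$sample"
audit_sshd_config "$sample" || echo "sshd_config deviates from the settings above"
rm -f "$sample"
```

On the server itself, sudo sshd -t checks the file for syntax errors before a restart, and sudo sshd -T prints the effective configuration.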

Set up firewall rules [2]

sudo ufw allow SSH_PORT/tcp

Install web server

sudo aptitude install nginx openssl

sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

Strengthen the security of your web server by obtaining an SSL cert and following the instructions at weakdh.org.

List of files edited

/etc/ssh/sshd_config
/etc/nginx/nginx.conf

  1. The -d flag makes do-release-upgrade look for development releases as well, which, as of writing, the unreleased Ubuntu 16.04 LTS is.

  2. Replace SSH_PORT with the actual port that you are using for openssh.