This how-to guide is essentially unfinished. Reason? Systemd. Once I realized that Ubuntu 16.04 was using systemd as the init system, I decided to start looking at other operating systems to use for my servers. If you care about this sort of thing, I have written down my reasons for doing so.
This post will list the steps I took to set up an Ubuntu 16.04 LTS (16.04 LTS) virtual private server (VPS). As 16.04 hasn’t actually been released yet, I had to do some extra work to get this going.
Install Ubuntu 15.10
First we’ll install Ubuntu 15.10. After that is installed, we will immediately upgrade to 16.04 LTS via apt.
Upgrade Ubuntu 15.10 to Ubuntu 16.04 LTS
Upgrading to the unreleased version of Ubuntu’s LTS was not difficult, but it did require some specialized knowledge of how Ubuntu works. Below, I’ve listed the avenue I took to get 16.04 LTS on my server.
- Edit /etc/apt/sources.list and change the URLs to point to an official 16.04 mirror.
- e.g. I changed all lines in my
us.archive.ubuntu.com— because I get faster speeds from the US mirrors
- Save the file and exit
- Begin the upgrade process by executing the command
Read carefully and follow instructions. Once the upgrade is complete you’ll be asked to reboot, do so.
Install any software you’ll need
After you upgrade and reboot, the first login to your new 16.04 LTS system is a good time to install any software you believe you may need. I like to install
htop. It is also time to uninstall any software you may not think is necessary to the functioning of a server. I removed laptop-detect and os-prober.
Add a new user
Run the following command and fill out the information requested. Remember to choose a secure password and add the user to the wheel group so that they can get admin privileges with
Setup SSH keys for logging into the remote server
After that’s all done, create an SSH key on your local machine. After creating this SSH key we’ll copy it to your server. You will be asked to enter a password when creating your SSH keys. Be aware that one is not necessary, and as long as no one else has access to your private key, access will be secure. If you don’t wish to add a password for your SSH key, you may hit enter and not type any passwords when prompted.
ssh-keygen -b 4096 -t rsa
scp ~/.ssh/id_rsa.pub USERNAME@REMOTE_SERVER:~
ssh USERNAME@REMOTE_SERVER
You should now be prompted to enter the password for the user you created with
adduser on the REMOTE_SERVER. After entering the correct password, you’ll be logged in to the remote server. Now we’ll copy your ssh pubkey to your remote user’s list of authorized keys. This will allow you to use pubkey authentication to log into the server.
mkdir -p ~/.ssh && chmod 700 ~/.ssh
cat ~/id_rsa.pub >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
exit
Test SSH keys
To test that this was successful, try to log in to the remote server again. If you created an SSH key without a password, you will be logged in automatically. If you created an SSH key password, enter the password and you will be logged in.
If this was successful we’ll change some server-side SSH settings to improve security, such as preventing logins by the root user.
Change SSH port number
To make it harder for random scanners to pick up my server, I always change the default SSH port. It is insane how many cracking attempts I avoid by simply not using the default SSH port. If you wish to change the default SSH port as well, edit the
/etc/ssh/sshd_config file and change the
Port directive. I’ve also modified the other lines listed below.
Port SSH_PORT
LoginGraceTime 25
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
After making the changes reload the ssh server and check to see that it’s listening on our new port.
sudo systemctl restart ssh
sudo systemctl status ssh
You should see output similar to the following:
REMOTE_SERVER sshd: Server listening on 0.0.0.0 port SSH_PORT.
REMOTE_SERVER sshd: Server listening on :: port SSH_PORT.
Now all that’s left is to open another terminal on your local computer and verify that you can, in fact, SSH into your remote server.
ssh -p SSH_PORT USERNAME@REMOTE_SERVER
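
The following is an added example, not part of the original post: a shell check that an sshd_config-style file carries the settings listed above, going slightly further by accounting for the fact that sshd uses the first occurrence of a keyword and listens on every Port line. The function names and the constructed sample file are assumptions of this example; it reads only the global section and does not evaluate Match blocks.

```shell
#!/bin/sh
# Added example: check an sshd_config-style file against the post's settings.

# Print the global-section value sshd would use for keyword $2 in file $1:
# keywords are case-insensitive, the first occurrence wins, and we stop at
# the first Match block (conditional overrides are out of scope here).
effective_value() {
    awk -v want="$2" '{ sub(/#.*/, "") } NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(want) { print tolower($2); exit }' "$1"
}

# Port is the exception: it may repeat, and sshd listens on every one.
listen_ports() {
    awk '{ sub(/#.*/, "") } NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == "port" { print $2 }' "$1"
}

# Print one line per deviation; return 1 if any were found.
audit_sshd_config() {
    file=$1; rc=0
    for pair in permitrootlogin:no passwordauthentication:no \
                x11forwarding:no logingracetime:25; do
        key=${pair%%:*}; expected=${pair#*:}
        actual=$(effective_value "$file" "$key")
        if [ "$actual" != "$expected" ]; then
            echo "$key: expected $expected, found ${actual:-nothing set}"
            rc=1
        fi
    done
    ports=$(listen_ports "$file")
    if [ -z "$ports" ] || echo "$ports" | grep -qx 22; then
        echo "port: sshd would still listen on 22"
        rc=1
    fi
    return $rc
}

# Constructed sample: a later "PermitRootLogin no" does not override the first
# line, and the extra "Port 22" keeps the default port open.
sample=$(mktemp)
printf '%s\n' 'Port 2222' 'Port 22' 'PermitRootLogin yes' 'PermitRootLogin no' \
    'PasswordAuthentication no' 'X11Forwarding no' 'LoginGraceTime 25' > "$sample"
audit_sshd_config "$sample" || echo "deviations found"
rm -f "$sample"
```

On a live server, `sudo sshd -T` prints the effective configuration as sshd itself computes it, which is the authoritative check.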
Set up firewall rules
sudo ufw allow SSH_PORT/tcp
Install web server
sudo aptitude install nginx openssl
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
Strengthen the security of your web server by obtaining an SSL cert and following the instructions at weakdh.org.
List of files edited