Server Setup

Very basic server setup for Ubuntu server.

Initial update

apt update
apt upgrade

Create a user

adduser myuser

Add the user to the sudo group if necessary:

adduser myuser sudo

SSH configuration

Upload the user’s public key:

ssh-copy-id -i ~/.ssh/mykey.pub myuser@host

Set up /etc/ssh/sshd_config:

PermitRootLogin no
StrictModes yes
PubkeyAuthentication yes
PasswordAuthentication no
# Unless you intend to use GUI on the server.
X11Forwarding no

Restart the SSH daemon:

systemctl restart sshd
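
The settings above can be checked mechanically. The following is an added example, not part of the original page: a shell function (the name audit_sshd_config is hypothetical) that audits a config file for the five settings and goes slightly further by handling first-value-wins, Include and Match lines. The sample file it writes is constructed.

```shell
#!/bin/sh
# Added example: audit an sshd_config file against the five settings listed above.
# Prints one line per finding; exit status = number of failed settings.
audit_sshd_config() {
    awk '
    BEGIN {
        # Expected values, keyed by lower-cased keyword
        # (sshd_config keywords are case-insensitive).
        want["permitrootlogin"]        = "no"
        want["strictmodes"]            = "yes"
        want["pubkeyauthentication"]   = "yes"
        want["passwordauthentication"] = "no"
        want["x11forwarding"]          = "no"
    }
    NF == 0 || $1 ~ /^#/ { next }          # skip blank lines and comments
    { key = tolower($1) }
    # Settings after a Match line are conditional, so the global audit stops here.
    key == "match" { exit }
    # An Include pulls in other files at this point; values set there come first.
    key == "include" { printf "WARN line %d: also audit %s\n", NR, $2; next }
    # sshd uses the first value it obtains for a keyword; later ones are ignored.
    (key in want) && !(key in seen) { seen[key] = tolower($2); line[key] = NR }
    END {
        bad = 0
        for (k in want) {
            if (!(k in seen)) {
                printf "FAIL %s is not set explicitly (want %s)\n", k, want[k]; bad++
            } else if (seen[k] != want[k]) {
                printf "FAIL line %d: %s is %s (want %s)\n", line[k], k, seen[k], want[k]; bad++
            }
        }
        exit bad
    }' "$1"
}

# Constructed sample: the second PasswordAuthentication line never takes effect.
sample=$(mktemp)
printf '%s\n' 'PermitRootLogin no' 'StrictModes yes' 'PubkeyAuthentication yes' \
    'PasswordAuthentication yes' 'PasswordAuthentication no' 'X11Forwarding no' > "$sample"
audit_sshd_config "$sample" || echo "settings failed: $?"
rm -f "$sample"
```

On a live host, `sshd -T` prints the effective configuration with Include files resolved, and `sshd -t` checks the syntax before the restart.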

Enable automatic security updates

sudo apt install unattended-upgrades

Then set up /etc/apt/apt.conf.d/10periodic:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";

Make sure unattended security updates are enabled in /etc/apt/apt.conf.d/50unattended-upgrades:

"${distro_id}:${distro_codename}-security";
"${distro_id}:${distro_codename}-updates";

fail2ban

apt install fail2ban

Firewall

apt install ufw

Allow SSH access and enable the firewall:

ufw allow ssh
ufw enable

Then allow additional ports as required by the services running on the host. For example, for HTTP:

ufw allow 80
ufw allow 443

Logwatch

apt install logwatch

Send emails daily:

nano /etc/cron.daily/00logwatch

/usr/sbin/logwatch --output mail --mailto admin@domain.com --detail high

Change the address the email appears to come from:

nano /usr/share/logwatch/dist.conf/logwatch.conf

MailFrom = server-name

Apparmor

apt install apparmor apparmor-profiles

Make sure to install apparmor-profiles, which includes profiles for everyday applications.

Nginx

Modern SSL/TLS Configuration

SSL Config - Generate a config for the web server.

SSL Test - Test the server.

Headers

X-Frame-Options

add_header X-Frame-Options DENY always;

DENY is a better default. Use SAMEORIGIN if the web application requires iframes of its own.

Resources

Ubuntu Server Guide

Debian Unattended Upgrades