There are a lot of great guides out there explaining how to do this — such as this, from Linode — but I find it helpful to write out the process myself, along with anything that typically confuses me, so I can reference it in the future.
The below assumes you’ve already created an authentication key-pair. For more details about this see this section of the Linode Documentation.
Update and Upgrade
Once you’ve booted your server and logged in as the root user, you’ll want to update and upgrade Ubuntu:
apt-get update && apt-get upgrade
Set Your Hostname
your_hostname_here with your hostname:
hostnamectl set-hostname your_hostname_here
To see if your hostname stuck, run:
You should see the name of your hostname output to the terminal window.
Update /etc/hosts file
You can do this using the nano text editor:
You should see the below, but
126.96.36.1990 will be your IPv4 address, and
your_hostname will be the hostname you set above.
188.8.131.520 your_hostname# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
To exit the nano editor, press ctrl + x, then y (to save), then Enter (to exit the editor).
Set your timezone:
You’ll see a screen prompting you to set up your timezone. Run through the prompts.
date command to check that your date and time are accurate:
Mon Aug 20 05:46:18 EDT 2018
Next, you’ll want to secure your server. This step is very important for preventing unauthorized access to your server.
Up till this point you’ve been entering commands as the
root user. To help secure your server you’ll want to create a limited user account, give this limited user
sudo privileges, then remove root login access, so that only your limited
sudo user can login.
your_limited_user with the name of your user:
You will be prompted to enter a password twice for this user. Make it a good one!
You will also be prompted to enter values for this user’s name, etc., but you can leave these blank. Press ENTER for the defaults.
Enter the new value, or press ENTER for the default
Full Name :
Room Number :
Work Phone :
Home Phone :
Is the information correct? [Y/n]
Give this user sudo privileges:
adduser your_limited_user sudo
You should see confirmation that
your_limited_user was added to
Adding user 'your_limited_user' to group 'sudo' ...
Adding user your_limited_user to group sudo
Now switch to this limited user and we will start to execute commands as the limited
sudo user. Enter the below command, replacing
your_limited_user with the name of your
sudo user. (
su stands for ‘switch user’.)
If you’re prompted to enter your password for
your_limited_user go ahead. You should now see your command prompt change to reflect your limited user:
cd and your will be brought to your home directory. The
~ represents your home directory:
Now that your logged in as
your_limited_user your can create the directory where your pub key will go.
chmod -R 700 gives you — the limited user — permission to read, write and execute in this directory.
mkdir -p ~/.ssh && sudo chmod -R 700 ~/.ssh/
From your local computer, you can copy your pub key to the
.ssh directory using the following command.
scp stands for secure copy. And again, replace
your_limited_user and the IP address with yours.
scp ~/.ssh/id_rsa.pub email@example.com:~/.ssh/authorized_keys
Enter your limited user’s password. You should see confirmation in your local computer’s terminal:
id_rsa.pub 100% 763 16.2KB/s 00:00
To confirm, on your server’s terminal window, if you type
ls ~/.ssh you should see that it created your
authorized_keys file. If you
cd into your
.ssh directory and
cat authorized_keys you should see the output of your pub key in the terminal window. Once confirmed you’re good to proceed.
This next step is where you will actually disable root login access. Before doing this you want to make sure you did the previous steps properly. Otherwise, you won’t be able to login later with your limited
sudo nano /etc/ssh/sshd_config
Change this line:
And this line:
(You’ll need to remove the # to uncomment the line.)
Restart ssh for the new configuration to take effect:
sudo systemctl restart sshd
Your server is now secure.