Setting up a new server
Published on 2015-12-31
How do you set up a new server?
These days I find myself spinning up a lot of servers, both virtual in datacenters around the world - and physical ones closer to me. The operating system I most often choose is Ubuntu - going with the LTS version where it makes sense.
There are a lot of tasks that need to be done when setting up a server to ensure the overall security and stability of the system (in the following I assume that the machine is already configured to run the SSH server).
1. root access via SSH
The root user should not be able to log in remotely. There are two main
reasons for this. First of all every Linux system has a
This means that an attacker already knows the username and only needs to
brute force the password to get access.
root access means you give access to everything all the time. On the other hand, access given through sudo will be logged and users doing so can be held accountable - this might even be needed for auditing, for example.
2. Upgrade installed packages
This should be a no-brainer: before putting a server into production, you upgrade the software on it. On Ubuntu this is done by running:
    sudo apt-get update
    sudo apt-get dist-upgrade
3. Install the software stack you need
You should have an idea about what application you want to run on the server.
The application needs a software stack of some kind to run - and at this point you should install it.
As a rule of thumb you should install a bare minimum of software packages and services to run your application - by doing so you will minimize:
- Packages that you must keep up-to-date
- Possible attack vectors
- Network resources used and/or ports you need to manage and possibly keep open (see the next point)
Generally, you remove things that can go wrong when running the server - which is welcome.
4. Check open ports
You should configure some kind of firewall to restrict access to whatever
you need. For example running a
MySQL server on port
bind it (in the current default configuration) to the address
Most of the servers/services you install will mirror a behavior like this
but that doesn't mean you're off the hook.
You should be proactive: close down every network port on the system and explicitly open only the ones that the outside world needs. By doing this you can trust that a change in default configurations or an additional service won't give the world access to your stuff.
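A check for this step, as an added example that is not part of the original post: the script reads `ss -tln` output, prints every listener bound to a non-loopback address, and then reports which of those ports are missing from an allowlist. The sample `ss` output and the allowlist `22 443` are constructed for illustration.

```shell
#!/bin/sh
# Added example: list TCP listeners that other hosts can reach, from `ss -tln` output.

# Constructed sample of `ss -tln` output (not taken from a real host).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      80     127.0.0.1:3306     0.0.0.0:*
LISTEN 0      4096   127.0.0.53%lo:53   0.0.0.0:*
LISTEN 0      511    *:8080             *:*
LISTEN 0      128    [::]:22            [::]:*
LISTEN 0      128    [::1]:6379         [::]:*'

# stdin: `ss -tln` output. stdout: "port address" for every non-loopback listener.
exposed_listeners() {
    awk '
    $1 == "LISTEN" {
        la = $4
        # Split at the last colon: IPv6 addresses contain colons themselves.
        if (!match(la, /:[0-9]+$/)) next
        addr = substr(la, 1, RSTART - 1)
        port = substr(la, RSTART + 1)
        sub(/^\[/, "", addr); sub(/\]$/, "", addr)   # [::1] -> ::1
        # Loopback-only listeners are not reachable from the network.
        if (addr ~ /^127\./ || addr == "::1") next
        print port, addr
    }' | LC_ALL=C sort -u -k1,1n -k2,2
}

# stdin: `ss -tln` output. $1: space-separated ports meant to be public (hypothetical allowlist).
# stdout: exposed ports missing from that allowlist.
unexpected_ports() {
    allowed=" $1 "
    exposed_listeners | cut -d" " -f1 | sort -n -u | while read -r port; do
        case "$allowed" in
            *" $port "*) ;;
            *) echo "$port" ;;
        esac
    done
}

# Demo on the sample; on a server use: ss -tln | unexpected_ports "22 443"
printf '%s\n' "$SAMPLE_SS" | exposed_listeners
printf 'unexpected: %s\n' "$(printf '%s\n' "$SAMPLE_SS" | unexpected_ports "22 443")"
```

A listener on a wildcard or public address is only a candidate for exposure; whether it is reachable depends on the firewall rules in front of it, so an unexpected port here means either rebinding the service or confirming that the firewall blocks it.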
The above four steps are defined in very broad terms and will most likely require a lot of work on your end according to your needs.
When you are through, it is time for the (first) reboot of the server. After the reboot you can make sure that everything is running as intended.