Setting up a new server

Published on 2015-12-31

How do you set up a new server?

These days I find myself spinning up a lot of servers, both virtual ones in datacenters around the world and physical ones closer to me. The operating system I most often choose is Ubuntu - going with the LTS version where it makes sense.

There are a lot of tasks that need to be done when setting up a server to ensure the overall security and stability of the system (in the following I assume that the machine is already configured to run the SSH server).

1. Disable root access via SSH

The root user should not be able to log in remotely. There are two main reasons for this. First of all, every Linux system has a root account. This means that an attacker already knows the username and only needs to brute force the password to get access.

Secondly, giving root access means you give access to everything all the time. Access given through sudo, on the other hand, is logged, and users doing so can be held accountable - this might even be required, for example in the case of an audit.

2. Upgrade installed packages

This should be a no-brainer: before putting a server into production you upgrade the software on it. On Ubuntu this is done by running:

sudo apt-get update
sudo apt-get dist-upgrade

3. Install the software stack you need

You should have an idea about what application you want to run on the server.

The application needs a software stack of some kind to run - and at this point you should install it.

As a rule of thumb you should install a bare minimum of software packages and services to run your application - by doing so you will minimize:

  • Packages that you must keep up-to-date
  • Possible attack vectors
  • Network resources used and/or ports you need to manage and possibly keep open (see the next point)

Generally, you remove things that can go wrong when running the server - which is welcome.

4. Check open ports

You should configure some kind of firewall to restrict access to only what you need. For example, running a MySQL server on port 3306 will bind it (in the current default configuration) to the address 127.0.0.1. Most of the servers/services you install will behave like this, but that doesn't mean you're off the hook.

You should be proactive and close down every network port on the system and explicitly open the ones that the outside world needs. By doing this you can trust that any change in default configurations or additional services won't cause the world to have access to your stuff.
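
One way to check which listeners are actually reachable from outside, as an added example that is not part of the original post: the function below reads `ss -tln` output and reports every TCP listener that is not bound to loopback and whose port is not on your list of intended public ports. The function names and the sample listing (including the 8080 and 80 listeners) are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag listening TCP sockets that are reachable from outside
# the host but are not on the list of ports you meant to expose.
# stdin: output of `ss -tln`; arguments: ports that are meant to be public.
exposed_listeners() {
    allowed=" $* "
    awk -v allowed="$allowed" '
        $1 == "LISTEN" {
            la = $4                           # local address:port column
            n = match(la, /:[0-9]+$/)         # last colon splits address and port
            if (n == 0) next
            addr = substr(la, 1, n - 1)
            port = substr(la, n + 1)
            # Loopback-only binds (127.0.0.0/8, ::1) cannot be reached remotely.
            if (addr ~ /^127\./ || addr == "[::1]") next
            # Ports you deliberately expose are fine.
            if (index(allowed, " " port " ") > 0) next
            print port " " addr
        }'
}

# Constructed sample of `ss -tln` output: SSH on all interfaces, MySQL on
# loopback (the default mentioned above), and two other listeners.
sample_ss_output() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
LISTEN 0      80         127.0.0.1:3306       0.0.0.0:*
LISTEN 0      511          0.0.0.0:8080       0.0.0.0:*
LISTEN 0      511                *:80               *:*
LISTEN 0      128             [::]:22            [::]:*
LISTEN 0      128            [::1]:631           [::]:*
EOF
}

# Only SSH and HTTP are meant to be public, so 8080 is reported.
sample_ss_output | exposed_listeners 22 80

# On a live host: ss -tln | exposed_listeners 22 80
```

Anything this prints is either a service that should be rebound to 127.0.0.1 or a port the firewall should be blocking.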

5. Restart

The above four steps are defined in very broad terms and will most likely require a lot of work on your end, depending on your needs.

When you are through, it is time for the (first) reboot of the server. After the reboot you can verify that everything is running as intended.