What to install in a new Ubuntu Server
Updates
apt update && apt upgrade -y
Install the package that applies security updates automatically: apt install unattended-upgrades -y. Then check that upgrades are configured properly in /etc/apt/apt.conf.d/20auto-upgrades: both Update-Package-Lists and Unattended-Upgrade should be "1".
Add Admin User that is not root
adduser [name] ...
usermod -aG sudo [name]
- Test the new user before you proceed. You should be able to log in as [name] and sudo su to root.
SSH
Make a backup of your original config: cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
Set PermitRootLogin no in /etc/ssh/sshd_config
systemctl restart ssh
Make sure that the service is enabled: systemctl enable ssh
- Test this: you should no longer be able to log in over ssh as root. If something goes wrong, run sshd -t to check the config file for errors.
UFW Firewall
Allow ssh: ufw allow ssh
Allow http: ufw allow 80/tcp
Allow https: ufw allow 443/tcp
Enable the firewall: ufw enable
Check status: ufw status verbose
Install Fail2Ban
apt install fail2ban
Edit /etc/fail2ban/jail.conf and add the following to the [ssh] section (the first [ssh] header you find is commented out, so look for the one that is not commented out).
[ssh]
enabled = true
maxretry = 3
findtime = 10
bantime = 4h
Restart and enable service:
systemctl restart fail2ban
systemctl enable fail2ban
systemctl status fail2ban
Set up SSH login via public key only
First, let's copy your public key to the server.
ssh-copy-id -i [identity_file] username@ip
Next, we need to edit /etc/ssh/sshd_config
PasswordAuthentication no
PubkeyAuthentication yes
Now you can only log in with a public key.
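A check for the steps above, added here as an example (it is not part of the original checklist). It reads the effective settings that sshd -T prints, which include anything pulled in by Include lines, rather than grepping sshd_config. The function names and sample data are made up for this example.

```shell
#!/bin/sh
# Added example (not from the original page): verify the checklist's settings.
# On a real server, as root:
#   sshd -T | check_sshd
#   check_auto_upgrades < /etc/apt/apt.conf.d/20auto-upgrades

# Reads "keyword value" lines (the format `sshd -T` prints) on stdin and
# returns 0 only if all three settings from this page are in effect.
check_sshd() {
    awk '
        BEGIN {
            bad = 0
            want["permitrootlogin"]        = "no"
            want["passwordauthentication"] = "no"
            want["pubkeyauthentication"]   = "yes"
        }
        ($1 in want) && !($1 in seen) { seen[$1] = $2 }
        END {
            for (k in want) {
                if (!(k in seen))            { print "MISSING " k; bad = 1 }
                else if (seen[k] != want[k]) { print "FAIL " k "=" seen[k]; bad = 1 }
                else                         { print "OK " k "=" seen[k] }
            }
            exit bad
        }'
}

# Reads 20auto-upgrades on stdin; returns 0 only if both values are "1".
check_auto_upgrades() {
    awk '
        $1 ~ /^APT::Periodic::/ { val[$1] = $2 }
        END {
            a = val["APT::Periodic::Update-Package-Lists"]
            b = val["APT::Periodic::Unattended-Upgrade"]
            exit !(a == "\"1\";" && b == "\"1\";")
        }'
}

# Constructed sample: effective config where password logins are still allowed.
SAMPLE_WEAK='permitrootlogin no
passwordauthentication yes
pubkeyauthentication yes'
# Constructed sample: effective config after every SSH step on this page.
SAMPLE_GOOD='permitrootlogin no
passwordauthentication no
pubkeyauthentication yes'

printf '%s\n' "$SAMPLE_WEAK" | check_sshd || echo "sshd: settings need attention"
printf '%s\n' "$SAMPLE_GOOD" | check_sshd && echo "sshd: matches the checklist"
```

Run it after restarting ssh and before closing your current session, so a FAIL line can be fixed while you still have access.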
Caddy (Optional)
Installation is easy in Ubuntu 24.04 and the like:
apt install caddy
Now, just follow the documentation on the Caddy website.
Finally, check to see if caddy will start by default by typing systemctl status caddy
Docker CE (Optional)
Go straight to the source for this: https://docs.docker.com/engine/install/ubuntu/