Initial server setup guide for Ubuntu 16.04


Full article


When you first create a new Ubuntu 16.04 server, there are a few configuration steps that you should take early on as part of the basic setup. This will increase the security and usability of your server and will give you a solid foundation for subsequent actions.

Step 1 — Root Login

To log into your server, you will need to know your server's public IP address. You will also need the password or, if you installed an SSH key for authentication, the private key for the "root" user's account.
ssh [email protected]_server_ip
The root password will be emailed uppon instance creation.

Step 2 — Install some needed libraries.

To log in as root, type: sudo -i, that way you can execute the command line below, in some servers the access is different. Let's update:
sudo apt-get update && apt-get dist-upgrade -y
Note: dist-upgrade is similar to upgrade but handles dependencies and conflict-resolution better.

Add to the list anything you may want.
sudo apt-get install -y unzip build-essential libssl-dev libffi-dev git nginx mysql-server gcc g++ make

  • python3-pip is used to manage software packages for Python

A tool for use with Python, pip installs and manages programming packages we may want to use in our development projects. You can install Python packages by typing:

pip3 install package_name

Step 3 — Install Nginx

Open the installation in a new tab and continue with the next steps: Nginx

Step 4 — Create a New User

This example creates a new user called "ana", but you should replace it with a username that you like:
sudo adduser arturo

Step 5 — Root Privileges

Now, we have a new user account with regular account privileges. However, we may sometimes need to do administrative tasks.
sudo usermod -aG sudo arturo
gpasswd -a arturo sudo

The gpasswd command is used to administer /etc/group, and /etc/gshadow. Every group can have administrators, members and a password. The -a means add user.
The usermod command modifies the system account files to reflect the changes that are specified on the command line. The -a adds the user to the supplementary group(s) and -g refers to the group name or number of the user's new initial login group. The group must exist.

Add read/write privileges to group sudo, set the correct permissions on /var/www, this will also allow you to upload to /var/www/ via SFTP:
sudo chgrp -R sudo /var/www
sudo chmod -R g+w /var/www

Additionally, you should make the directory and all directories below it "set GID", so that all new files and directories created under /var/www are owned by the sudo group:
sudo find /var/www -type d -exec chmod 2775 {} \;

Find all files in /var/www and add read and write permission for owner and group:
sudo find /var/www -type f -exec chmod ug+rw {} \;

Step 6 — Test Log In

You can change user or log out, to change user type:
su - arturo

Step 7 — Set Up a Firewall

Ubuntu 16.04 servers can use the UFW firewall to make sure only connections to certain services are allowed. We can set up a basic firewall very easily using this application.

Making sure you have installed UFW: sudo apt-get install ufw -y

Setting Up Default Policies:
If you're just getting started with your firewall, the first rules to define are your default policies. These rules control how to handle traffic that does not explicitly match any other rules. By default, UFW is set to deny all incoming connections and allow all outgoing connections. This means anyone trying to reach your cloud server would not be able to connect, while any application within the server would be able to reach the outside world.

Let's set your UFW rules back to the defaults so we can be sure that you'll be able to follow along with this tutorial. To set the defaults used by UFW, use these commands:
sudo ufw default deny incoming
sudo ufw default allow outgoing

These commands set the defaults to deny incoming and allow outgoing connections. These firewall defaults alone might suffice for a personal computer, but servers typically need to respond to incoming requests from outside users. We'll look into that next.

We need to make sure that the firewall allows SSH connections so that we can log back in next time. We can allow these connections by typing:
sudo ufw allow ssh

Afterwards, we can enable the firewall by typing:
sudo ufw enable

You can see that SSH connections are still allowed by typing:
sudo ufw status

This will create firewall rules that will allow all connections on port 22, which is the port that the SSH daemon listens on by default. UFW knows what SSH and a number of other service names mean because they're listed as services in the /etc/services file.

Allowing Other Connections:
At this point, you should allow all of the other connections that your server needs to respond to. The connections that you should allow depends your specific needs. Luckily, you already know how to write rules that allow connections based on a service name or port; we already did this for SSH on port 22. You can also do this for:

HTTP on port 80, which is what unencrypted web servers use, using sudo ufw allow http or sudo ufw allow 80
HTTPS on port 443, which is what encrypted web servers use, using sudo ufw allow https or sudo ufw allow 443
FTP on port 21, which is used for unencrypted file transfers (which you probably shouldn't use anyway), using sudo ufw allow ftp or sudo ufw allow 21/tcp

Step 8 — Configure Timezones and Network Time Protocol Synchronization

The next step is to set the localization settings for your server and configure the Network Time Protocol (NTP) synchronization.

The first step will ensure that your server is operating under the correct time zone. The second step will configure your system to synchronize its system clock to the standard time maintained by a global network of NTP servers. This will help prevent some inconsistent behavior that can arise from out-of-sync clocks.

Configure Timezones
sudo dpkg-reconfigure tzdata

You will be presented with a menu system that allows you to select the geographic region of your server:
After selecting an area, you will have the ability to choose the specific time zone that is appropriate for your server:
Next, we will move on to configure NTP.

Configure NTP Synchronization
Now that you have your timezone set, we should configure NTP. This will allow your computer to stay in sync with other servers, leading to more predictability in operations that rely on having the correct time.

For NTP synchronization, we will use a service called ntp, which we can install from Ubuntu's default repositories:
sudo apt-get update
sudo apt-get install ntp

Create a Swap File

Adding "swap" to a Linux server allows the system to move the less frequently accessed information of a running program from RAM to a location on disk. Accessing data stored on disk is much slower than accessing RAM, but having swap available can often be the difference between your application staying alive and crashing. This is especially useful if you plan to host any databases on your system.

Advice about the best size for a swap space varies significantly depending on the source consulted. Generally, an amount equal to or double the amount of RAM on your system is a good starting point.

Allocate the space you want to use for your swap file using the fallocate utility. For example, if we need a 4 Gigabyte file, we can create a swap file located at /swapfile by typing: sudo fallocate -l 4G /swapfile

After creating the file, we need to restrict access to the file so that other users or processes cannot see what is written there: sudo chmod 600 /swapfile

We now have a file with the correct permissions. To tell our system to format the file for swap, we can type: sudo mkswap /swapfile

Now, tell the system it can use the swap file by typing: sudo swapon /swapfile

Our system is using the swap file for this session, but we need to modify a system file so that our server will do this automatically at boot. You can do this by typing:
sudo sh -c 'echo "/swapfile none swap sw 0 0" >> /etc/fstab'

Take a Snapshot of your Current Configuration

What's next?

Check out this Index page