New Linux Server? Perform These 10 Tweaks First

[00:00] Hello and welcome back to Learn Linux TV. In today's video what I'm going to do is walk you through some of the things that I think you should always do anytime you set up a new Linux server.

[00:23] More specifically, what I'm going to do is walk you through how to install updates, set up a user for yourself so that way you're not using root, and some other things that I think you should always do with every new Linux server build. Now, if you've been following my channel for some time now, then there's nothing new to learn in this video.

[00:38] The thing is, any time I do a build video or a setup video, I walk you guys through the installation of updates and some other things that you should always do with any new Linux server build. So I wanted to create this video to have something to point you guys back to, and that way we could just focus on the build itself,

[00:53] and then this video exists for those of you that need a walkthrough of the minimal things that you should do to set up a Linux server. So let's just go ahead and get right into it, and I'll show you some of the things that you should always do with every new Linux server build.

[01:12] So let's get right into it. Right now I'm connected to my local workstation and what I'll do is use the SSH client to connect to the server that I plan on setting up. If you want more information on the SSH client itself and how to use it, then I'll leave a card for a video right about here that'll walk you through that.

[01:28] Now if you want to learn even more about SSH, I have a dedicated video guide already on this channel. If you want to check that out, then I'll leave a card for that video right about here. Now for this server, I actually don't have a user account set up for myself just yet.

[01:41] So what I need to do is SSH into the server as user root. So I'll type root, and then I'll paste in the IP address. So let's go ahead and get connected. So I'll type in my super secret password.

[01:58] And now I'm logged into the server. Now the first thing that we always want to do with every new Linux server build is we definitely want to install all available updates. Since the updates will often include security patches, that makes them very important.

[02:11] So let's do it. On this particular server right here, I am running Ubuntu 22.04. So the command that I'm about to give you is good for Ubuntu as well as Debian. I'll be showing you another update command for other distributions here very shortly,

[02:26] but let's go ahead and take care of this server right here. In order to get started with updating a Debian or Ubuntu system, the first thing that we'll need to do is update the Package Repository Index. And the command to do that is going to be apt update.

[02:40] If you are not logged in as root, then you'll need to add sudo in front of this command. But since I am logged in as root, then this command will work without sudo. So I'll press enter. Now this command won't result in any packages being updated just yet.

[02:53] So what this is going to do is just synchronize with the server, just find out what packages are available for installation. You should always do that before we run any other app commands for the day. So that's definitely a great thing to get out of the way. And as you can see right here towards the bottom, it tells me that 96 packages can be upgraded.

[03:10] So now that that's taken care of, let's go ahead and actually install the updates. To do that, we'll run apt and then dist-upgrade. Again, you might need std in front of this command if you are not running this root.

[03:23] Just keep that in mind. I'll press enter. Let's go ahead and get this started. So at this point, the command that we just entered is going to offer to install all of the updates that might be available. So we have 96 being upgraded right here along with 7 new packages that are being installed.

[03:39] and that's not unusual. There's going to be dependencies of packages. So a package requiring other packages, that's very common. At the very bottom of the screen, it's asking if we want to continue. We could type Y for yes or M for no, but since Y is capital, that means that Y is the

[03:56] default. So if I press enter right here, it's going to assume yes. So I'll press enter. Let's just go ahead and get these installed. So right now, the server is downloading updated packages from the repositories so I'm going to give this a moment to finish and then I'll be right back.

[04:19] Now if you see a message like this it looks fairly alarming but it's actually harmless. It's just letting you know that the kernel has been updated and a reboot will be required in order to benefit from that new kernel. So we will be rebooting the server before the end of this

[04:35] video but I just wanted to let you know what that means. Anyway I'll press enter right here. You might also see this screen right here and it's asking you for permission to restart services unless you have a service that needs to

[04:47] continue running then you could just safely press enter right here to bypass this particular screen. And now this particular server right here is fully up-to-date. Now what I'm going

[04:59] to do is show you the same process in Fedora. Now when it comes to Fedora and and enterprise Linux distributions that use the DNS package manager then there actually only one step when it comes to updating All we have to do is run dns and then update just like that

[05:16] So again, if you're not logged in as root, you might need to use sudo for this command to work. But since I am logged in as root, then I don't need to add sudo. So anyway, I'll press enter, let's get this process started. So we have a number of updates here and you'll notice at the bottom that Y is lowercase and N is uppercase, which means if I simply press enter right here it's going to cancel the entire thing.

[05:39] So I will need to type Y for yes for this to work, but other than that it's essentially the same exact thing as we just saw in Ubuntu. It's going to download these updates and then install them. So I'll press enter and then I'll let this process finish and I'll be right back.

[05:56] And there we go! All the updated packages have been installed, so we're ready to continue.

[06:10] Now the next thing that we're going to do is create a new user for ourselves, so that way we're not running this root anymore. So if you already have a non-root user account, then you'll need to skip this step. But if your server only has the root account set up so far, then we'll definitely need

[06:24] create a normal user account because running as root is just not a good idea. We definitely want to make sure that we use root only when absolutely required. And the way that we'll do that is actually a bit different on Ubuntu compared to Fedora. The command that we'll use is the add user command. That's

[06:40] the command that we'll use to create a new user account. We'll add the dash M option and that tells the add user command that we would like a home directory for that user and then we'll add dash lowercase t and this option

[06:53] will enable us to choose the default group or primary group for that user and we'll set that to users. We can also add a secondary group with the dash uppercase G option and the group that I want the new user to also be a part of is the

[07:07] wheel group in case of Fedora which is going to give the user access to the sudo command and then we'll type the name of the user that we want to create so in my case I'll just create my user as J so press enter and it might not look

[07:21] like anything has happened however I assure you that the user account has been created. Now there are several ways that we can confirm that the user has been created. One simple method is we could list the storage of the home directory

[07:34] and we'll make sure that the home directory was created and there it is. So the next thing we'll do is type passwd to set the password for the user and then I'll set the password for j that's the user that I just created. So I'll type in a password right now

[07:51] and I'll type it in again and now the user has a password. So now let's see the process of setting up a user account on Ubuntu and Debian.

[08:04] Just like with Fedora, we're going to run the add user command, but the options are going to be completely different. In fact, all we're going to do is add the username right here and that's it.

[08:16] Even though the add user command is in both Debian and Ubuntu as well as Fedora and Enterprise Linux distributions, it's actually a different command here on Ubuntu and Debian. We only need the username. That's about it.

[08:28] So I'll press enter. And now it's asking us to set the password. So I'll set the password to the user right now. And I'll type it in again. And now the password is set.

[08:41] That's going to give us some additional fields to fill out here. Now you can fill these out, or you can just simply skip them by pressing enter. I'll leave that up to you. So I'll press enter for that. That. Again. Again.

[08:53] And that's it. If that's enough to confirm, we can confirm by pressing enter since Y is capital. So that's what I'll do. And if I list the contents of the home directory, you can see that user J now has a home directory.

[09:09] Now there is one more thing that we should do when it comes to Debian and Ubuntu servers while we set up a user account. We should run the user mod command. And what this command will do is enable us to add the user to a group.

[09:23] So add the option "-a", for add to a group. Uppercase G, and that will allow us to type a group name that we want to add a user to. In the case of Debian and Ubuntu, we want to add the user to the sudo group.

[09:37] And as an aside, with Fedora, we added the user to the wheel group. These groups actually serve the same purpose. They give the user access to the sudo command. It's just that by default, Debian and Ubuntu actually names the groups differently.

[09:52] Anyway, next, I'll type the user that I want to add to that group, which is the one that we've just created. So press enter for that. And there we go. And from this point forward, everything that I'm going to show you is going to be universal

[10:06] between distributions. So we're no longer concerned if we're working with the Ubuntu or Fedora servers. Again the commands that I going to give you are universal So what we going to do next is give our server a name Right now it named localhost in my case which isn very descriptive So what we could do is run the command hostname ctl

[10:26] We'll give it the option set-hostname. Then we'll type the name that we want the server to have. As for me, what I'm going to do is name this server cloud-desktop. This is actually for another tutorial

[10:38] that I'm working on right now. So I'm giving the server a name that this use case here. Anyway, I'll press enter and then if we type the hostname command just like that, you can see that the hostname is now cloud-desktop.

[10:53] Now it still shows localhost in the prompt, that's okay. That won't be the case after we reboot the server, but right now we have a name for the server. We've set the hostname. If you have a domain that you plan on using with this server, then

[11:06] you might want to use the domain name as the server's hostname. I have a whole video on this channel that will show you the difference between host names and domain names and I'll give you a link to that video right about here. Now with that out of the

[11:20] way the second part of setting the hosting is also updating the etsy host file with that new name. To do so we could use nano. It doesn't matter what text editor you use but that's the easiest one to explain. Anyway the path is slash etsy slash host that's the file that we're going to edit so

[11:37] press enter and then the file will look something like this what we're going to do is leave localhost alone we want to retain that line we'll add a new line underneath it and we'll add an IP address of 127.0.1.1 we'll press tab and

[11:56] then we'll type the exact same name that we set the hosting to in my case cloud If you're curious why I chose this particular IP address, I chose it because it's different enough from the original or the first IP address here, the local host IP address.

[12:13] It's within the same address space, and this will ensure that the server can ping itself as that hostname. Anyway, I'll save the file by holding Control and pressing O, and then Enter to save the file, and then Control-X to exit out of the editor.

[12:26] So now that that's done, we have the hostname set and we also have the sehostfileset as well. Now there's one more change that we'll want to make to this server before we're finished with today's video.

[12:39] I'll hold ctrl and press D to return to my local command prompt. And the reason for that is because this next process starts on our local machine. We're going to create an SSH key for our servers.

[12:52] Right now, SSH asks for a password when we go to connect to the server. But we really don't want to have password access enabled because with that enabled, then that also allows threat actors to run brute force attacks against our server.

[13:06] With an SSH key, we can actually disable password access and then use only the key to get access to the server. So what I'm going to do right now is walk you through the process of creating an SSH key. Now, if you already have an SSH key, you can skip this step.

[13:20] I'm going to assume that you don't have one if you continue. The command that I'm about to have you run will actually overwrite any SSH keys that you might have, if you have any keys with their default name, so just keep that in mind.

[13:33] Anyway, what we'll do is type SSH-KeyGen, just like that. So I'll press Enter. And it's asking us where we want to save the key. I'm going to accept the default for this. For the passphrase, that gives you extra security.

[13:46] I'm going to bypass that for this particular video. I do recommend that you look into passphrases and SSH agents as another thing that you should learn. I have videos on this channel that goes over all of that, so I'm going to omit that from this video,

[13:59] so I'll just press enter. I'll press enter again, and there we go. We have an SSH key. So now that we have an SSH key, how do we use it? Well, what we need to do is copy it over to our server, and there's a dedicated command that enables us to do that.

[14:15] The next command is ssh-copy-id. We're going to provide it with the option dash I. And then tilde for our home directory, slash dot ssh.

[14:27] We're giving it the path to the key that we've just created. And it was id underscore rsa dot bub. That's the public key. We've created an ssh private key pair here.

[14:39] And then we'll type the username at the remote server. We created a non-root user, so we'll use that user, the one that we just created, app, and then we'll paste in the IP address. And there we go.

[14:52] If this is successful, it's going to copy our public key over to our server. And that's going to allow us to use that key for accessing the server via SSH. So press enter, let's see what happens.

[15:04] So now we'll type the password for our user account on the remote end, the one that we just created. And if I didn't know any better, I would say that the process appears to have been successful. Now another thing that I'm going to do is just back out the IP address here and then

[15:19] paste in the IP address for the Fedora server. So I've pasted that in right there. We type in the password And there we go now we installed our SSH key to the servers that we plan on

[15:35] connecting to now watch what happens when I go to connect to the Ubuntu server I use SSH and then the username J in my case at and then I'll paste in the IP address and I'll press enter and I was logged in without a password that

[15:53] means that we actually access the server via the SSH key. Now if for any reason we want to connect to the server via password authentication we still can. Just because we have an SSH key doesn't mean that password access has been

[16:07] disabled. So what we'll want to do next is actually go ahead and disable SSH password access that'll add a lot more security to our server. To do that now that I'm logged in as a non-root user I need to type sudo. That gives me root

[16:22] privileges and then nano and the file that will edit is under slash etsy slash ssh and then the file name is sshd underscore config that's the config file

[16:35] for the ssh server service itself and by tweaking this file we can actually tweak ssh itself so press enter and now the file is open so there's a few changes that we'll want to make to

[16:51] this file and we're going to want to do this on every server that we maintain. Now be sure to only follow along with what I'm about to do if you've already verified that your SSH key is working and you can access the server via that

[17:04] key. So what I'll do is scroll down and I already see the first option here permit root login. By setting this to no what that's going to do for us is

[17:16] completely disable root login via SSH in particular. That means if someone got a hold of our root password then at least they can't access the server as root via SSH. Now more importantly we're looking for password authentication and

[17:32] I'll center it right here I already see it. As you can see right here password authentication is set to yes. So what we'll want to do is change that to no. So I'll save the file again control O and then enter that saves the file control X that X is

[17:49] out of the editor. Now in order for our changes to SSH to take effect what we'll need to do is restart the SSH service. This command is the same on basically most if not all Linux distributions

[18:01] that I've tested. So we can run sudo and then systemctl restart and then sshd. You want to restart the SSH daemon or service and when we do that it's going to read the

[18:15] values in the SSHD underscore config file and load them into memory. So the changes that we've made you know disabling root access and also disabling password access will take effect right after we do this. So press enter and

[18:29] that's all there is to it. Now before we disconnect a very important thing to do is to open another terminal window and just make sure that we're still able to access this particular server. In my case I'll just open up a new tab here and I'll just run the same command again.

[18:50] And I'm in. And that just makes sure that SSH is in fact working. We definitely don't want to disconnect from our original session until we verify that SSH is still working. Otherwise we might actually lock ourselves out of the server.

[19:03] and we wouldn't want to do that. But anyway, I'll go ahead and disconnect from this particular session here. I don't need it now that I know that the SSH configuration options were successfully set.

[19:15] Now, before I close out the video, one more thing that we'll do is reboot the server. And what this will do for us is make sure that the security patches take effect. Some of them might actually require that we restart the entire server.

[19:27] So to do that, I'll type sudo and then reboot, just like that. It will take probably one to five minutes or so for the server to come back online. But when it does, all of the changes that we've made will be fully in effect.

[19:47] So there you go. We've walked through some of the minimal things that I think everybody should do as a default any time they set up a new Linux server. So we've done things like set up a host name, we've created a user for ourselves, we've also tweaked SSH.

[20:00] So we're in a pretty good place when it comes to our brand new server. Anyway, thank you guys so much for checking out this video. I hope it helped you out. If it did, then please click that like button. And I'll see you again in the next video.

[20:30] Thank you.