🔒Ubuntu Server Initial Setup and Hardening Guide

First-Time Login and Security Configuration

📋Overview

This comprehensive guide will walk you through the essential steps of logging into your Ubuntu server for the first time and implementing critical security hardening measures. Server hardening is the process of securing your system by reducing its attack surface and implementing security best practices.

🎯Prerequisites:

  • A running Ubuntu server instance (Ubuntu 24.04 recommended)
  • Server IP address and root credentials
  • Terminal access (Terminal for Mac/Linux, Git Bash or Windows Terminal for Windows)
  • Basic understanding of SSH protocol

🔐Understanding SSH (Secure Shell)

SSH is a cryptographic network protocol that provides a secure channel over an unsecured network. It enables secure remote login, command execution, and file transfers between computers. SSH uses public-key cryptography to authenticate the remote computer and allow it to authenticate the user.

SSH Connection Flow

Your Computer (Client)
⬇️
SSH Connection Request
⬇️
Server Authentication
⬇️
Password/Key Verification
⬇️
Secure Session Established

🚀Step-by-Step Initial Login Process

Step 1: Verify SSH Directory

Before connecting to your server, ensure the SSH directory exists in your home directory. This directory stores SSH configuration files, known hosts, and authentication keys.

# Navigate to your home directory cd ~ # Create .ssh directory if it doesn't exist (mkdir -p creates parent directories if needed) mkdir -p ~/.ssh # Verify the directory exists ls -a ~/.ssh
⚠️Important:
The .ssh directory is hidden (starts with a dot). Use the -a flag with ls to view hidden files and directories.

Step 2: First SSH Connection

Connect to your server using the SSH command. The syntax follows the pattern: ssh username@server-ip-address

# SSH connection syntax ssh root@your-server-ip-address # Example: ssh [email protected]

Step 3: Accept Server Fingerprint

On first connection, you'll be prompted to verify the server's authenticity through its fingerprint. This is a crucial security measure to prevent man-in-the-middle attacks.

The authenticity of host '192.168.1.100 (192.168.1.100)' can't be established. ECDSA key fingerprint is SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added '192.168.1.100' (ECDSA) to the list of known hosts.

🔍What is a Server Fingerprint?

A server fingerprint is a unique identifier for your server's SSH key. It ensures you're connecting to the correct server and not an imposter. The fingerprint is stored locally in the ~/.ssh/known_hosts file.

📁Understanding the known_hosts File

File Structure

The known_hosts file stores fingerprints of servers you've connected to. Each entry contains three sections:

Section Description Example
Hostname/IP Server identifier (hashed for security) |1|base64hash==
Key Type Encryption algorithm used ecdsa-sha2-nistp256
Public Key Base64 encoded server public key AAAAE2VjZHNh...

Viewing and Managing known_hosts

# Navigate to SSH directory cd ~/.ssh # View contents of known_hosts cat known_hosts # View backup file cat known_hosts.old # Remove a specific server fingerprint ssh-keygen -R your-server-ip-address # Example: ssh-keygen -R 192.168.1.100

~/.ssh Directory Structure:

📁 ~/.ssh/
  📄 known_hosts (stores server fingerprints)
  📄 known_hosts.old (automatic backup)
  📄 config (SSH configuration - optional)
  🔑 id_rsa (private key - if using key-based auth)
  🔓 id_rsa.pub (public key - if using key-based auth)

🛡️Server Hardening Process

Hardening involves securing the default settings of the operating system and individual software packages. Many services come with default configurations optimized for functionality rather than security. The hardening process addresses these vulnerabilities.

Hardening Strategy Overview

1
Change Root Password

Replace default credentials with a strong, unique password

2
Create Non-Root User

Add a standard user for daily operations

3
Grant Sudo Privileges

Enable administrative access for the new user

4
Disable Root Login

Prevent direct root access via SSH

Why Hardening Matters

🎯Security Risks of Default Configurations:

  • Web Servers: Apache and Nginx may expose server information in error messages
  • Database Systems: MariaDB/MySQL default configurations might allow remote root access
  • SSH Service: Root login enabled by default increases attack surface
  • Default Ports: Well-known ports are primary targets for automated attacks

Example: Apache Hardening

# Default Apache configuration (VULNERABLE) ServerTokens Full ServerSignature On # Exposes: Apache/2.4.41 (Ubuntu) PHP/7.4.3 # Hardened Apache configuration (SECURE) ServerTokens Prod ServerSignature Off # Exposes: Apache (minimal information)

Example: MariaDB Hardening

# Run the security script after installation sudo mysql_secure_installation # This will: # - Set root password # - Remove anonymous users # - Disallow root login remotely # - Remove test database # - Reload privilege tables

📝Hardening Steps as Root User

Step 1: Change Root Password

The first security measure is to change the root password from the default or temporary password provided by your hosting provider.

# Change root password passwd # You will be prompted: # Enter new UNIX password: # Retype new UNIX password: # passwd: password updated successfully

💡Password Best Practices:

  • Minimum 12 characters length
  • Mix of uppercase, lowercase, numbers, and special characters
  • Avoid dictionary words or personal information
  • Use a password manager to generate and store strong passwords

Step 2: Create Non-Root User

Creating a non-root user for daily operations follows the principle of least privilege, reducing potential damage from compromised credentials.

# Add a new user (replace 'username' with your desired username) adduser username # You will be prompted for: # - Password (twice) # - Full Name # - Room Number (optional) # - Work Phone (optional) # - Home Phone (optional) # - Other (optional) # Example: adduser john

Step 3: Grant Sudo Privileges

The new user needs sudo (superuser do) privileges to perform administrative tasks. This allows controlled elevation of privileges when needed.

# Add user to sudo group usermod -aG sudo username # Example: usermod -aG sudo john # Verify the user is in sudo group groups username

Step 4: Disable Root Login (SSH Configuration)

Disabling direct root login via SSH is a critical security measure. Attackers often target the root account, and this configuration forces the use of individual user accounts.

# Edit SSH daemon configuration nano /etc/ssh/sshd_config # Find and modify the following line: # PermitRootLogin yes # Change to: PermitRootLogin no # Save and exit (Ctrl+X, then Y, then Enter) # Restart SSH service to apply changes systemctl restart sshd

⚠️Critical Warning:

Before disabling root login, ensure you have:

  • Created a non-root user successfully
  • Granted sudo privileges to that user
  • Tested logging in with the new user account
  • Verified sudo access works correctly

Failure to do so may lock you out of your server!

🔄Command History Navigation

Terminal efficiency tip: Use arrow keys to navigate through command history instead of retyping commands.

# Keyboard shortcuts: # ↑ (Up Arrow) - Previous command # ↓ (Down Arrow) - Next command # ← (Left Arrow) - Move cursor left # → (Right Arrow) - Move cursor right # Example workflow: # Press ↑ to repeat: ssh [email protected] # Press ↑ again to go back further in history

📊Summary Workflow Diagram

Complete Initial Setup Process

1. Verify ~/.ssh Directory
⬇️
2. First SSH Login as Root
⬇️
3. Accept Server Fingerprint
⬇️
4. Change Root Password
⬇️
5. Create Non-Root User
⬇️
6. Grant Sudo Privileges
⬇️
7. Disable Root SSH Login
⬇️
8. Logout and Login as New User

🎓Key Takeaways

Essential Security Principles:

  • Defense in Depth: Multiple layers of security protect against various attack vectors
  • Least Privilege: Users should have only the minimum permissions necessary
  • Secure Defaults: Never rely on default configurations in production
  • Regular Updates: Keep your system and software packages up to date
  • Audit Trail: Using individual user accounts creates accountability

🔧Next Steps

After completing this initial hardening, additional security measures should include:

📚Additional Resources:

  • Ubuntu Server Documentation: https://ubuntu.com/server/docs
  • SSH Protocol Specification: RFC 4251-4254
  • Center for Internet Security (CIS) Ubuntu Benchmarks
  • NIST Cybersecurity Framework