Ubuntu Server Initial Setup Tutorial: Complete Security & User Guide

Why Proper Ubuntu Server Initial Setup Matters

A fresh Ubuntu server installation is vulnerable by default. You get root access, basic networking, and little else protecting your system from attacks.

This tutorial walks through the essential Ubuntu server initial setup steps. These transform a bare installation into a production-ready environment. You'll configure user accounts, harden SSH access, set up firewall rules, and implement basic security measures.

These steps prevent common attack vectors and establish a solid foundation for hosting applications. This guide assumes you have a fresh Ubuntu 24.04 LTS server with root access. The commands work on physical servers, VPS instances, or cloud environments.

For hosting applications, consider Hostperl VPS hosting which provides pre-configured Ubuntu environments with professional support.

Create a Non-Root User with Sudo Privileges

Never run applications as root. Start by creating a regular user account with sudo privileges for administrative tasks.

Log into your server as root and create a new user:

adduser username

Replace "username" with your desired username. The system prompts for a password and optional user information. Use a strong password—this account will have administrative privileges.

Add the user to the sudo group:

usermod -aG sudo username

Test sudo access by switching to the new user:

su - username
sudo apt update

If the command runs without errors, sudo is configured correctly.

Configure SSH Key Authentication

SSH keys provide stronger authentication than passwords. Generate keys on your local machine, then copy the public key to your server.

On your local computer (not the server), generate an SSH key pair:

ssh-keygen -t rsa -b 4096 -C "your_email@domain.com"

Press Enter to save the key in the default location (~/.ssh/id_rsa). Use a passphrase for additional security.

Copy the public key to your server using ssh-copy-id:

ssh-copy-id username@your_server_ip

Alternatively, copy the key manually. On your local machine, display the public key:

cat ~/.ssh/id_rsa.pub

On the server, create the SSH directory and authorized_keys file:

mkdir -p ~/.ssh
chmod 700 ~/.ssh
nano ~/.ssh/authorized_keys

Paste your public key into this file, save it, and set correct permissions:

chmod 600 ~/.ssh/authorized_keys

Test the connection by logging out and connecting with your key:

ssh username@your_server_ip

Harden SSH Configuration

Default SSH settings allow password authentication and root login. Disable these features to prevent brute-force attacks.

Edit the SSH configuration file:

sudo nano /etc/ssh/sshd_config

Find and modify these lines:

PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
Port 2222

Changing the port from 22 to something else reduces automated attacks. Choose any unused port between 1024-65535.

Add these additional security measures:

MaxAuthTries 3
MaxStartups 2
LoginGraceTime 20
AllowUsers username

Replace "username" with your actual username. This prevents other users from connecting via SSH.

Test the configuration before restarting SSH:

sudo sshd -t

If no errors appear, restart the SSH service:

sudo systemctl restart ssh

Keep your current SSH session open. Test the new configuration in a separate terminal window.

Set Up UFW Firewall

Ubuntu includes UFW (Uncomplicated Firewall) for managing iptables rules. Configure it to allow only necessary traffic.

Check UFW status:

sudo ufw status

UFW is typically inactive on fresh installations. Before enabling it, allow SSH connections on your custom port:

sudo ufw allow 2222/tcp

Replace 2222 with your actual SSH port. Now enable UFW:

sudo ufw enable

Allow HTTP and HTTPS traffic if you plan to run web services:

sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

View current rules:

sudo ufw status numbered

This shows all active rules with numbers for easy management. You can delete rules by number if needed:

sudo ufw delete 3

Configure Automatic Security Updates

Enable automatic installation of security updates. This keeps your system patched against vulnerabilities.

Install the unattended-upgrades package:

sudo apt install unattended-upgrades

Configure automatic updates:

sudo dpkg-reconfigure -plow unattended-upgrades

Select "Yes" when prompted to enable automatic updates.

Edit the configuration to customize update behavior:

sudo nano /etc/apt/apt.conf.d/50unattended-upgrades

Uncomment these lines to enable security updates:

"${distro_id}:${distro_codename}-security";
"${distro_id}ESMApps:${distro_codename}-apps-security";

Enable automatic reboot for kernel updates by uncommenting:

Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "02:00";

The system will now install security updates automatically. It will reboot at 2 AM when required.

Install Fail2Ban for Intrusion Prevention

Fail2ban monitors log files. It blocks IP addresses that show repeated failed login attempts.

Install Fail2ban:

sudo apt install fail2ban

Create a local configuration file:

sudo nano /etc/fail2ban/jail.local

Add this configuration:

[sshd]
enabled = true
port = 2222
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600
findtime = 600

This blocks IPs for 1 hour after 3 failed attempts within 10 minutes. Adjust the port to match your SSH configuration.

Start and enable Fail2ban:

sudo systemctl start fail2ban
sudo systemctl enable fail2ban

Check the status:

sudo fail2ban-client status
sudo fail2ban-client status sshd

The second command shows currently banned IPs and statistics for the SSH jail.

Set Up Time Synchronization

Accurate time is crucial for logs, SSL certificates, and scheduled tasks. Ubuntu uses systemd-timesyncd by default.

Check time synchronization status:

timedatectl status

If NTP service is not active, enable it:

sudo timedatectl set-ntp true

Set your timezone:

sudo timedatectl set-timezone America/New_York

List available timezones:

timedatectl list-timezones

Verify the configuration:

timedatectl status

You should see "NTP service: active" and your correct timezone.

Configure System Monitoring

Basic monitoring helps identify performance issues early. Install and configure essential monitoring tools.

Install htop for better process monitoring:

sudo apt install htop

Install iotop for disk I/O monitoring:

sudo apt install iotop

Set up log rotation to prevent disk space issues:

sudo nano /etc/logrotate.d/custom

Add configuration for application logs:

/var/log/app/*.log {
    daily
    rotate 30
    compress
    delaycompress
    missingok
    notifempty
    create 644 root root
}

This rotates logs daily and keeps 30 days of compressed logs.

For production environments requiring comprehensive monitoring, our managed VPS hosting includes built-in monitoring and alerting systems.

Final Security Hardening Steps

Complete your server setup with these additional security measures.

Disable unused network services:

sudo systemctl list-unit-files --type=service --state=enabled

Review the list and disable services you don't need:

sudo systemctl disable service_name
sudo systemctl stop service_name

Set up a basic intrusion detection system with AIDE:

sudo apt install aide
sudo aideinit

This creates a database of file checksums for detecting unauthorized changes.

Configure kernel parameters for security:

sudo nano /etc/sysctl.d/99-security.conf

Add these settings:

# Disable IP forwarding
net.ipv4.ip_forward = 0

# Disable ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0

# Ignore ICMP ping requests
net.ipv4.icmp_echo_ignore_all = 1

Apply the changes:

sudo sysctl -p /etc/sysctl.d/99-security.conf

Testing Your Server Setup

Verify all configurations work correctly before deploying applications.

Test SSH access from a different IP address or network:

ssh -p 2222 username@your_server_ip

Verify firewall rules block unwanted traffic:

nmap -sS your_server_ip

Only your allowed ports should appear as open.

Check system logs for any issues:

sudo journalctl -f

Monitor in real-time for authentication attempts and system events.

Test automatic updates by checking the log:

sudo cat /var/log/unattended-upgrades/unattended-upgrades.log

Your server now has proper user management, SSH security, firewall protection, and basic monitoring. This foundation secures your Ubuntu installation and prepares it for hosting applications.

Frequently Asked Questions

Should I use a different SSH port?

Yes, changing from port 22 reduces automated attacks significantly. Choose an unused port above 1024 and update your firewall rules accordingly.

How often should I update my server?

Security updates should install automatically. Check for general updates monthly with sudo apt update && sudo apt upgrade. Always test updates in a staging environment first.

What if I get locked out after changing SSH settings?

Keep your current SSH session open while testing new settings. Most VPS providers offer console access through their control panel as a backup connection method.

Do I need additional security tools?

The setup in this tutorial covers basic security needs. For production environments, consider adding intrusion detection systems, centralized logging, and regular security audits.

How do I monitor server performance after setup?

Use htop for real-time process monitoring, iotop for disk activity, and check system logs regularly. Consider implementing a comprehensive monitoring solution for production workloads.