What to install in a new Ubuntu Server

Updates

1. apt update && apt upgrade -y

2. Install package to get regular security updates apt install unattended-upgrades -y, then check if upgrades are configured properly at: /etc/apt/apt.conf.d/20auto-upgrades  Both update-Package-Lists and Unattended-Upgrade should be "1".

Add Admin User that is not root

1. adduser [name] ...

2. usermod -aG sudo [name]

3. Test the new user before you proceed. You should be able to login and sudo su to root from [name].

SSH

1. Back a backup of your original config. cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak.

2. Change PermitRootLogin no in /etc/ssh/sshd_config

3. systemctl restart ssh

4. Make sure that the service is enabled: systemctl enable ssh

5. Test this, you should no longer be able to ssh login as root. If there are errors, you can run sshd -t to see errors.

UFW Firewall

1. Allow ssh ufw allow ssh

2. Allow http ufw allow 80/tcp

3. Allow https ufw allow 443/tcp

Enable the firewall: ufw enable

Check status: ufw status verbose

Install Fail2Ban

1. apt install fail2ban

Configure /etc/fail2ban/jail.conf and add to [ssh] section the following (note the first one found is commented out, so look for the one that is not commented out.).

[ssh]
enabled = true
maxretry = 3
findtime = 10
bantime = 4h

Restart and enable service:

# systemctl restart fail2ban
# systemctl enable fail2ban
# systemctl status fail2ban

Setup SSH Login via certificate only

First, let's copy your public key to the server.

ssh-copy-id -i [identity_file] username@ip

Next, we need to edit /etc/ssh/sshd_config

PasswordAuthentication no
PubkeyAuthentication yes

Now you can only login via a public key login.

Caddy (Optional)