BK
July 8 2025
Updated July 11 2025

Configuring a Linux Server from Hardware Selection to Basic Security

Linux

The first steps after receiving a server (whether it's a VPS, VDS, or dedicated) are critically important. Proper initial setup lays the foundation for the security, stability, and performance of future services. We will go through all the necessary stages in detail: from choosing the type of server and operating system to basic security configuration. By the end of this guide, you will have a minimally configured, secure server ready for the installation of a web server, database, or other necessary software.

Choosing the Server Type and Operating System

VPS, VDS, or Dedicated Server? A Brief Overview:

  • VPS (Virtual Private Server):
    • A virtual server created on a physical host using virtualization technologies (often OpenVZ or KVM). Resources (CPU, RAM, disk) are shared among multiple VPS instances. It offers a good price-to-performance ratio for startups and medium workloads. The level of isolation depends on the type of virtualization (KVM is preferable).
  • VDS (Virtual Dedicated Server):
    • Essentially a synonym for VPS on KVM virtualization, emphasizing a higher degree of isolation and guaranteed resources. Often used as a marketing term.
  • Dedicated Server:
    • A physical server entirely at your disposal. It provides maximum performance, control, and isolation. Requires more administrative skills and is significantly more expensive.

Conclusion for Starting Out:

  • For most tasks (websites, small applications), the optimal choice is a VPS/VDS on KVM.

Choosing a Linux Distribution:

  • Ubuntu Server LTS (Long-Term Support):
    • Highly recommended. It has a large community, extensive documentation, repositories with up-to-date packages, and guaranteed security updates for 5 years. It is stable and convenient for beginners.
  • Debian:
    • The epitome of stability and free software philosophy. Slightly more conservative in package versions than Ubuntu. An excellent alternative with a long support cycle for stable branches.

Recommendation:

  • Ubuntu Server LTS (e.g., 22.04 Jammy Jellyfish) is the best choice to start with due to its simplicity, support, and prevalence.

Minimal Installation of the Operating System

Most providers offer automatic OS installation through a control panel (ISPmanager, cPanel, SolusVM, Proxmox, or their own solution). If you are installing from an ISO image:

  • Boot from the installation media (ISO).
  • Select the language and keyboard layout.
  • Configure the network (usually DHCP is enabled by default).
  • Key Step: When choosing the installation type, be sure to select "Minimal Installation" or a similar option. This will install only the base system without unnecessary software (graphical interface, office packages, etc.).
  • Configure the disk (usually, the default scheme for the entire disk with or without LVM is suitable).
  • Set the server name (hostname), for example, server1.
  • Specify your geographical location for the correct time zone.
  • Create the Initial User:
    • Enter the full name (you can repeat the username).
    • Set the username (e.g., admin or your name). Remember it!
    • Set a strong password! This account will have administrator rights (sudo). Store the password in a secure place!
  • Start the installation. Wait for it to complete and reboot the server.

Initial Operating System Configuration (After First Login)

Log in to the server using the account created during installation via SSH (for Windows, use PuTTY or Windows Terminal; for Linux/macOS, use the built-in terminal: ssh your_user@server_ip_address).

Updating Repositories and the System:

Always update the package lists and the system first. This closes known security vulnerabilities and ensures stability.

sudo apt update && sudo apt upgrade -y
  • sudo apt update: Updates information about available packages from the repositories.
  • sudo apt upgrade -y: Installs updates for all installed packages (-y automatically confirms the action).
  • If the kernel has been updated, a reboot will be required: sudo reboot.

Creating and Configuring a New User (Optional but Recommended):

Although you already have a user with sudo, creating a separate user for everyday tasks is a good security practice.

  • Create a user (replace newuser with the desired name):
sudo adduser newuser

Follow the prompts to set a password and additional information (can be left blank).

  • Grant the new user sudo privileges:
sudo usermod -aG sudo newuser
  • Check:
    • Log out (exit) and log in as the new user (ssh newuser@server_ip_address). Try running a command with sudo (e.g., sudo ls -l /root). You will be prompted to enter the new user's password. If the command executes, sudo privileges are working.

Setting Up SSH Key Authentication (Extremely Important!):

Passwords are vulnerable to brute-force attacks. Authentication via cryptographic keys is much more secure.

  • On your local computer (client): Generate an SSH key pair (if you don't already have one):
ssh-keygen -t ed25519 -C "your_email@example.com" # Preferred modern algorithm

# OR, if ed25519 is not supported:

ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

Press Enter to accept the default values (files will be saved in ~/.ssh/id_ed25519 and ~/.ssh/id_ed25519.pub or ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub). When prompted, set a passphrase to protect the private key.

  • Copy the public key to the server:
ssh-copy-id newuser@server_ip_address

Enter the password for the newuser on the server. The key will be added to the ~/.ssh/authorized_keys file for that user.

  • If ssh-copy-id is not available: Copy the contents of the ~/.ssh/id_ed25519.pub (or id_rsa.pub) file on the client and manually add it to the ~/.ssh/authorized_keys file on the server (create the ~/.ssh directory with 700 permissions and the authorized_keys file with 600 permissions if they don't exist).

  • Check key-based login: Try logging into the server: ssh newuser@server_ip_address. If the key is set up correctly, you should log in without being prompted for the user's password (you may be prompted for the key's passphrase if you set one).
  • Disable password authentication (Only after successfully testing the key!):

Open the SSH daemon configuration:

sudo nano /etc/ssh/sshd_config

Find and modify the directives:

# Disable password authentication
PasswordAuthentication no

# Disable root login (should already be set after Ubuntu/Debian installation, but check)
PermitRootLogin no

# Enable key authentication (usually 'yes' by default)
PubkeyAuthentication yes

Save the file (Ctrl+O, Enter in nano). Exit (Ctrl+X).

  • Apply the changes by restarting the SSH daemon:
sudo systemctl restart ssh

# OR on some systems

sudo systemctl restart sshd

Important! Do not close the current SSH session! Open a new terminal window and try logging in again. Ensure that key-based login works and the password is no longer prompted. Only then close the original session.
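
To confirm that the three directives actually took effect, the following added example (not part of the original guide) checks the effective configuration printed by `sshd -T` rather than the file you edited: sshd uses the first value it reads for each keyword, so a file pulled in by an `Include` line can take precedence over your edit. The function name `check_sshd_effective` and both sample dumps are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit the effective sshd settings as printed by `sshd -T`.
# Real use on the server (validate syntax first, then check effective values):
#   sudo sshd -t && sudo sshd -T | check_sshd_effective

# Reads an `sshd -T` dump on stdin, prints one line per directive, and
# returns non-zero if any value differs from the settings in this guide.
check_sshd_effective() {
    awk '
        BEGIN {
            # sshd -T prints keywords in lowercase.
            want["passwordauthentication"] = "no"
            want["permitrootlogin"]        = "no"
            want["pubkeyauthentication"]   = "yes"
        }
        ($1 in want) && !($1 in seen) { seen[$1] = $2 }
        END {
            bad = 0
            for (k in want) {
                if (!(k in seen)) {
                    printf "MISSING %s\n", k; bad = 1
                } else if (seen[k] != want[k]) {
                    printf "FAIL    %s is %s, expected %s\n", k, seen[k], want[k]; bad = 1
                } else {
                    printf "OK      %s %s\n", k, seen[k]
                }
            }
            exit bad
        }
    '
}

# Constructed sample: the edited file says "no", but a file read earlier
# still enables passwords, so the effective value is "yes".
SAMPLE_WEAK='port 22
permitrootlogin no
pubkeyauthentication yes
passwordauthentication yes'

# Constructed sample: all three settings match the guide.
SAMPLE_HARDENED='port 22
permitrootlogin no
pubkeyauthentication yes
passwordauthentication no'

printf '%s\n' "$SAMPLE_HARDENED" | check_sshd_effective
printf '%s\n' "$SAMPLE_WEAK" | check_sshd_effective || echo "weak sample rejected"
```

Running `sudo sshd -t` before the restart also catches syntax errors that would otherwise stop the daemon from starting.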

Configuring System Time (NTP):

Correct time is essential for logs, certificate operations (HTTPS), and application synchronization. Ubuntu/Debian uses systemd-timesyncd.

  • Check the current status:
timedatectl status

Pay attention to the lines System clock synchronized: (should be yes) and NTP service: (should be active).

  • If NTP is not active:
sudo timedatectl set-ntp on
  • Ensure the service is running and time is synchronized:
timedatectl status
  • If necessary, install the package (usually pre-installed):
sudo apt install systemd-timesyncd

(Optional) Check which servers are used for time synchronization: timedatectl show-timesync.

Setting Up a Basic Firewall (UFW - Uncomplicated Firewall):

UFW is a simple frontend for managing the firewall over iptables/nftables.

  • Install UFW (if not installed):
sudo apt install ufw
  • Set default policies:
sudo ufw default deny incoming # Block ALL incoming connections

sudo ufw default allow outgoing # Allow ALL outgoing connections

  • Open necessary ports:
    • SSH (22/TCP): Extremely important to open BEFORE enabling UFW! If you have changed the default SSH port (e.g., to 2222), open that port instead!
sudo ufw allow 22/tcp # For the default SSH port

# OR, if using a non-standard port (e.g., 2222):

sudo ufw allow 2222/tcp
    • HTTP (80/TCP): For unencrypted web traffic.
sudo ufw allow 80/tcp
    • HTTPS (443/TCP): For encrypted web traffic.
sudo ufw allow 443/tcp

(Additionally) If you plan to use other services (FTP, SMTP, custom ports), open them now similarly.

  • Enable UFW:
sudo ufw enable

Confirm the operation by pressing y. Make sure the SSH port (22 or your custom port) is open, or you will lose access!

  • Check the status and rules:
sudo ufw status verbose

The output should show Status: active and the list of allowed ports (22, 80, 443/tcp).
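
The status check above can be automated. This added example (not from the original guide) parses `ufw status verbose` output and fails if the firewall is inactive, the incoming default is not deny, or the SSH port has no allow rule, which is the lockout case the guide warns about. The function name `audit_ufw_status` and the sample output are constructed, and the rules are assumed to have been added in the PORT/tcp form used here.

```sh
#!/bin/sh
# Added example: audit `ufw status verbose` output before closing the session.
# Real use on the server, with the port sshd actually listens on:
#   sudo ufw status verbose | audit_ufw_status 22

# Reads the status text on stdin. Returns 0 only if the firewall is active,
# incoming traffic defaults to deny, and SSH_PORT/tcp has an ALLOW IN rule.
# Assumes rules were added in the PORT/tcp form used in this guide.
audit_ufw_status() {
    awk -v ssh="$1/tcp" '
        /^Status: active/                   { active = 1 }
        /^Default:/ && /deny \(incoming\)/  { deny_in = 1 }
        # Rule rows look like: "22/tcp    ALLOW IN    Anywhere"
        / ALLOW IN / {
            if (!($1 in shown)) { print "allowed in: " $1; shown[$1] = 1 }
            if ($1 == ssh) ssh_ok = 1
        }
        END {
            if (!active)  print "FAIL firewall is not active"
            if (!deny_in) print "FAIL default incoming policy is not deny"
            if (!ssh_ok)  print "FAIL " ssh " is not allowed in"
            exit (active && deny_in && ssh_ok) ? 0 : 1
        }
    '
}

# Constructed sample of the output after following the steps above.
SAMPLE_STATUS='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)'

printf '%s\n' "$SAMPLE_STATUS" | audit_ufw_status 22
# Same rules, but sshd was moved to 2222: the audit reports the missing rule.
printf '%s\n' "$SAMPLE_STATUS" | audit_ufw_status 2222 || echo "would lock out SSH on 2222"
```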

Congratulations! You have successfully completed the initial setup of your Linux server. We chose the optimal server type (VPS/VDS) and OS (Ubuntu Server LTS), installed a minimal set of software, updated the system, created a user, set up secure SSH key-based login, disabled direct root login, synchronized the time, and configured the basic UFW firewall.

Your server is now significantly more protected against common attacks (SSH password brute-force, open port scanning).

Don't forget to regularly keep the system up to date:

sudo apt update && sudo apt upgrade -y

Additional recommendations for enhancing security:

  • Fail2Ban:
    • Install and configure to automatically block IP addresses making many failed login attempts (especially for SSH). (sudo apt install fail2ban).
  • Automatic Security Updates:
    • Set up the unattended-upgrades package for automatic installation of critical security updates. (sudo apt install unattended-upgrades and configure /etc/apt/apt.conf.d/50unattended-upgrades).
  • Resource Monitoring:
    • Install htop (sudo apt install htop) or glances (sudo apt install glances) for convenient monitoring of CPU, RAM, disk usage, and processes.
  • Backup:
    • Implement a strategy for regular backups of critical data (application files, databases, configurations)! This is not an option but a necessity.