11.07.2025

Configuring a Linux Server from Hardware Selection to Basic Security

The first steps after receiving a server (whether it's a VPS, VDS, or dedicated) are critically important. Proper initial setup lays the foundation for the security, stability, and performance of future services. We will go through all the necessary stages in detail: from choosing the type of server and operating system to basic security configuration. By the end of this guide, you will have a minimally configured, secure server ready for the installation of a web server, database, or other necessary software.

Choosing the Server Type and Operating System

VPS, VDS, or Dedicated Server? A Brief Overview:

Conclusion for Starting Out:

Choosing a Linux Distribution:

Recommendation:

Minimal Installation of the Operating System

Most providers offer automatic OS installation through a control panel (ISPmanager, cPanel, SolusVM, Proxmox, or their own solution). If you are installing from an ISO image:

Initial Operating System Configuration (After First Login)

Log in to the server using the account created during installation via SSH (for Windows, use PuTTY or Windows Terminal; for Linux/macOS, use the built-in terminal: ssh your_user@server_ip_address).

Updating Repositories and the System:

Always update the package lists and the system first. This closes known security vulnerabilities and ensures stability.

sudo apt update && sudo apt upgrade -y

Creating and Configuring a New User (Optional but Recommended):

Although you already have a user with sudo, creating a separate user for everyday tasks is a good security practice.

sudo adduser newuser

Follow the prompts to set a password and additional information (can be left blank).

sudo usermod -aG sudo newuser

Setting Up SSH Key Authentication (Extremely Important!):

Passwords are vulnerable to brute-force attacks. Authentication via cryptographic keys is much more secure.

ssh-keygen -t ed25519 -C "your_email@example.com" # Preferred modern algorithm

# OR, if ed25519 is not supported:

ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

Press Enter to accept the default values (files will be saved in ~/.ssh/id_ed25519 and ~/.ssh/id_ed25519.pub or ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub). Protect the key with a passphrase if you set one.

ssh-copy-id newuser@server_ip_address

Enter the password for the newuser on the server. The key will be added to the ~/.ssh/authorized_keys file for that user.

- If ssh-copy-id is not available: Copy the contents of the ~/.ssh/id_ed25519.pub (or id_rsa.pub) file on the client and manually add it to the ~/.ssh/authorized_keys file on the server (create the ~/.ssh directory with 700 permissions and the authorized_keys file with 600 permissions if they don't exist).

Open the SSH daemon configuration:

sudo nano /etc/ssh/sshd_config

Find and modify the directives:

PasswordAuthentication no # Disable password authentication

PermitRootLogin no # Disable root login (should already be set after Ubuntu/Debian installation, but check)

PubkeyAuthentication yes # Enable key authentication (usually 'yes' by default)

Save the file (Ctrl+O, Enter in nano). Exit (Ctrl+X).

sudo systemctl restart ssh

# OR on some systems

sudo systemctl restart sshd

Important! Do not close the current SSH session! Open a new terminal window and try logging in again. Ensure that key-based login works and the password is no longer prompted. Only then close the original session.

Configuring System Time (NTP):

Correct time is essential for logs, certificate operations (HTTPS), and application synchronization. Ubuntu/Debian uses systemd-timesyncd.

timedatectl status

Pay attention to the lines System clock synchronized: (should be yes) and NTP service: (should be active).

sudo timedatectl set-ntp on
timedatectl status
sudo apt install systemd-timesyncd

(Optional) Check which servers are used for time synchronization: timedatectl show-timesync.

Setting Up a Basic Firewall (UFW - Uncomplicated Firewall):

UFW is a simple frontend for managing the firewall over iptables/nftables.

sudo apt install ufw
sudo ufw default deny incoming # Block ALL incoming connections

sudo ufw default allow outgoing # Allow ALL outgoing connections

sudo ufw allow 22/tcp # For the default SSH port

# OR, if using a non-standard port (e.g., 2222):

sudo ufw allow 2222/tcp
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

(Additionally) If you plan to use other services (FTP, SMTP, custom ports), open them now similarly.

sudo ufw enable

Confirm the operation by pressing y. Make sure the SSH port (22 or your custom port) is open, or you will lose access!

sudo ufw status verbose

The output should show Status: active and the list of allowed ports (22, 80, 443/tcp).

Congratulations! You have successfully completed the initial setup of your Linux server. We chose the optimal server type (VPS/VDS) and OS (Ubuntu Server LTS), installed a minimal set of software, updated the system, created a user, set up secure SSH key-based login, disabled direct root login, synchronized the time, and configured the basic UFW firewall.

Your server is now significantly more protected against common attacks (SSH password brute-force, open port scanning).

Don't forget to regularly keep the system up to date:

sudo apt update && sudo apt upgrade -y

Additional recommendations for enhancing security: