Setting Up A Fresh Linux Server

  • Published: August 25, 2018


This is a checklist of the tasks I find useful to do after installing GNU/Linux (Ubuntu) on a computer.

It covers the steps to take after installing a fresh Linux server and is mainly oriented to developers.

Set Timezone

dpkg-reconfigure tzdata

Set editors

Default editor

export EDITOR=vim


Create new user

Create a user with useradd: -m creates a home folder and -s sets the default shell, here bash, for john.

useradd -m -s /bin/bash john

Add user to admin group

Add john to the sudo group.

usermod -a -G sudo john

Set new user password

Give new user a password.

passwd john

Switch to new user

Switch to the john user:

su - john

Give admin permissions

Add this line to /etc/sudoers (edit it with visudo):

john    ALL=(ALL:ALL) ALL


SSH configuration

vi /etc/ssh/sshd_config

With data:

Port 4444
PermitRootLogin no
AllowUsers john

And restart SSH

systemctl restart sshd.service

Test that you can log in from your local terminal before closing your current session on the server:

netstat -an | grep 4444
ssh john@myserverip -p4444
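The three sshd_config settings above can be checked in the file before sshd is restarted, so that a leftover or duplicated line does not undo them. This is an added example, not part of the original checklist; the function names are hypothetical and it assumes a single sshd_config file with no Include directives.

```shell
# Added example, not from the original page; function names are hypothetical.
# Assumes one sshd_config file with no Include directives.

# Print every global value of KEYWORD, one per line. Keywords are
# case-insensitive; lines after a Match line are conditional, so stop there.
sshd_values() {  # usage: sshd_values FILE KEYWORD
    awk -v key="$2" '
        NF == 0 || $1 ~ /^#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { for (i = 2; i <= NF; i++) print $i }
    ' "$1"
}

# Print findings; the return status is the number of findings (0 = pass).
audit_sshd() {  # usage: audit_sshd FILE PORT USER
    fails=0
    # Port may appear several times; sshd listens on every one of them.
    ports=$(sshd_values "$1" Port)
    if [ "$ports" != "$2" ]; then
        echo "FAIL Port: want only $2, found:" ${ports:-none, default 22 applies}
        fails=$((fails + 1))
    fi
    # For PermitRootLogin the first occurrence in the file wins.
    root=$(sshd_values "$1" PermitRootLogin | head -n 1 | tr 'A-Z' 'a-z')
    if [ "$root" != "no" ]; then
        echo "FAIL PermitRootLogin: want no, found: ${root:-unset}"
        fails=$((fails + 1))
    fi
    # AllowUsers lines accumulate; with none at all, every account may log in.
    users=$(sshd_values "$1" AllowUsers)
    [ -n "$users" ] || { echo "FAIL AllowUsers: not set"; fails=$((fails + 1)); }
    for u in $users; do
        [ "$u" = "$3" ] || { echo "FAIL AllowUsers: extra entry $u"; fails=$((fails + 1)); }
    done
    return "$fails"
}

# Constructed sample: a leftover "port 22" line and a stray root entry.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 4444
port 22
PermitRootLogin no
AllowUsers john root
Match User deploy
    PermitRootLogin yes
EOF
audit_sshd "$sample" 4444 john || echo "$? finding(s)"
rm -f "$sample"
```

On the server itself, sudo sshd -t checks the file's syntax and sudo sshd -T prints the effective settings, including any included files.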

SSH config

The OpenSSH client config file lets you create shortcuts for accessing the server from another computer.

It is the place to save custom ports and hostnames so you can connect with “ssh foo” from the client.

vi ~/.ssh/config

With data:

Host server1
     HostName myserverip
     User john
     Port 4444

Now test login:

ssh server1

Copy the public key of your default identity to the remote host. The public key should have been generated beforehand with ssh-keygen.

Copy the public key file to the server:

ssh-copy-id user@server1

On the server:

chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

Enable firewall

If you are running the ufw firewall, allow the SSH port configured above. First check which port sshd uses:

grep -i "port" /etc/ssh/sshd_config

And enable it in ufw

sudo ufw allow 4444


Prevent SSH bruteforce attacks with Fail2ban

sudo apt-get update -y
sudo apt-get install fail2ban
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
vi /etc/fail2ban/jail.local

In the [ssh] section, configure the port used by the SSH daemon:

enabled = true
port = 4444
filter = sshd
maxretry = 6

Check if your SSH jail is set up:

sudo fail2ban-client status
systemctl enable fail2ban
systemctl restart fail2ban

Now the fail2ban rules will appear in the output of sudo iptables -L

If it is not logging:


Enable Uncomplicated FireWall UFW:

Turn on

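Turn the firewall on with the default set of rules. Allow the SSH port first (sudo ufw allow 4444, as above), because the default rules deny incoming connections: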

sudo ufw enable

And check the status:

sudo ufw status verbose

Allow and deny ports

sudo ufw allow <port>/<protocol>
sudo ufw deny <port>/<protocol>

List profiles

sudo ufw app list

Web servers



sudo apt install nginx

Add to firewall

List the profiles that ufw firewall has:

sudo ufw app list

It shows three profiles for nginx:

  • Nginx Full: Opens both port 80 and 443 (TLS/SSL encrypted traffic)
  • Nginx HTTP: Opens only port 80
  • Nginx HTTPS: Opens only port 443 (TLS/SSL encrypted traffic)

Then choose one and allow it:

sudo ufw allow 'Nginx HTTP'

To check it has been added: ufw status

Use systemctl

Check nginx is running: systemctl status nginx.

Useful commands:

sudo systemctl stop nginx
sudo systemctl start nginx
sudo systemctl restart nginx
sudo systemctl reload nginx

Server Blocks

For each website you will want nginx to serve, you need to define a server block (in Apache this is known as Virtual Hosts).

Create the directory to hold the website:

sudo mkdir -p /var/www/

Fix permissions to your user:

sudo chown -R $USER:$USER /var/www/

And copy your website to /var/www/

New site

Create a new site at /etc/nginx/sites-available/ with the following content:

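server {
        # Listen on port 80 for IPv4 and IPv6
        listen 80;
        listen [::]:80;

        # Document root and default index files
        root /var/www/;
        index index.html index.htm index.nginx-debian.html;
        # Custom 404 page, as an absolute URI under the document root
        error_page 404 /errors/404.html;

        location / {
                # Serve the file or directory if it exists, otherwise return 404
                try_files $uri $uri/ =404;
        }
}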

And enable it:

sudo ln -s /etc/nginx/sites-available/ /etc/nginx/sites-enabled/

Test configuration is ok:

sudo nginx -t

And load the new configuration

sudo systemctl reload nginx



Marcelo Canina
I'm Marcelo Canina, a developer from Uruguay. I build websites and web-based applications from the ground up and share what I learn here.
Except as otherwise noted, the content of this page is licensed under CC BY-NC-ND 4.0