Linux Server Setup

Last updated: 2022.04.25


Debian 11, Debian 10, Debian 9

Ubuntu 20.04, Ubuntu 18.04

After installing Debian or Ubuntu Server, there are some initial configuration tasks you should complete to create a solid framework for your given application.


  • Debian or Ubuntu installation completed.
  • Logged in as root user.
  • The user hedy is used as an example in this bit.

Update & Upgrade

Before getting started, run an obligatory system update. This will make sure you have the latest updates and patches for all installed packages.

apt update && apt upgrade
  • apt update downloads updated package information from all the configured repositories on your system.
  • apt upgrade upgrades all installed packages to the most recent versions available.

You may also run the command apt autoremove to uninstall any package dependencies that are no longer needed.

Create Non-Root User

After server installation, you should create a non-root, administrative, sudo user for everyday use. A sudo user allows you to execute commands with root privileges only when necessary, helping avoid detrimental mistakes and increasing security.


Debian may not have the sudo package installed by default. This can be remedied quickly with the following.

apt install sudo

Create User

Start by adding a new user to your system.

adduser hedy

Create a strong password for the new user when prompted. After creating the user password you will be asked for some optional user information (name, email, etc).

Add Sudo Group

Add the newly created user to the sudo group, granting them administrative privileges.

usermod -aG sudo hedy

After adding the user to the group, you will be able to execute a given command with root privileges by prefacing it with sudo.

Limit SU Access

The substitute user command is used to switch to a different system user. Switch over to the non-root user for continued system configuration.

su - hedy

Usage of the su command allows users to gain the privileges of another system user. To prevent any abuse of this, limit which users can utilize this command.

Create a new system group and add your administrative user to the group.

sudo groupadd suallow && sudo usermod -aG suallow hedy

Limit su command usage to the root user and suallow group.

sudo dpkg-statoverride --update --add root suallow 4750 /bin/su
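  • dpkg-statoverride tells dpkg (the Debian package manager) to use different ownership/permissions for a given path, so the change survives package upgrades. Mode 4750 keeps su setuid root while allowing only root and members of the suallow group to execute it.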

Firewall Setup

A firewall is your first line of defense against a malicious third party. You should only allow connections on the ports you need for the services your server provides. Common ports include: 22 (SSH), 80 (HTTP), 443 (HTTPS).

UFW (Uncomplicated Firewall)

UFW is an easy-to-use program for creating firewall rules. You may choose to use iptables instead, but that is outside the scope of this bit.

Install UFW on the server if not already present.

sudo apt install ufw

You are likely connecting to your server remotely using SSH (Secure Shell). Before enabling the firewall, be sure to allow connections to the SSH port (22 by default), otherwise you will lock yourself out.

sudo ufw allow 22/tcp

Enable the firewall to start enforcing the created rules. All incoming connections that aren’t explicitly allowed in the firewall will be denied.

sudo ufw enable

Check the firewall status to see what connections are currently being accepted.

sudo ufw status

The output of this command should look similar to the following.

Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)

Setup SSH

OpenSSH is presumably already installed on your server, but it can be installed with the following command if necessary.

sudo apt install openssh-server

OpenSSH Config

To best secure SSH access to your server, there are a few changes and additions you should make to your OpenSSH config file. Open the /etc/ssh/sshd_config file in your text editor of choice.

sudo nano /etc/ssh/sshd_config

Some of the following configuration options may be commented out by default with the pound sign (#). You must uncomment any changed settings by removing the pound sign (#) from the beginning of the line.

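Below the port and listen address definitions, specify the more secure SSH protocol, version 2, for incoming connections. OpenSSH 7.4 and later accept only protocol 2 on the server side, so on those versions this line is redundant but harmless.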

Protocol 2

Disable SSH logins as the root user.

PermitRootLogin no

Limit the maximum number of login attempts for a single session.

MaxAuthTries 3

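Enable client inactivity disconnection. This will automatically disconnect any SSH connections that have been inactive for a specified amount of time (in seconds). sshd sends a client-alive probe every ClientAliveInterval seconds and drops the connection after ClientAliveCountMax consecutive probes go unanswered, so the values below give 300 × 3 = 900 seconds (15 minutes).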

# 15 Minutes
ClientAliveInterval 300
ClientAliveCountMax 3

At the end of the configuration file, specify which users are allowed to log in via SSH. You should only grant your administrative user(s) this option.

# Allowed Users
AllowUsers hedy

Restart the SSH service for changes to take effect.

sudo systemctl restart sshd
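
One way to check that the edited file really carries the settings above, as an added example that is not part of the original guide. The function names first_value and audit_sshd are hypothetical, the sample config is constructed, and Match blocks and Include files are not handled.

```sh
#!/bin/sh
# Audit an sshd_config-style file against the settings recommended above.
# sshd uses the first value it reads for most keywords, so only the first
# uncommented occurrence is compared (AllowUsers lines accumulate in sshd;
# this sketch checks the first one only).

# first_value FILE KEYWORD: print the first effective value (keywords are case-insensitive)
first_value() {
    awk -v key="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip comments and blank lines
        tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# audit_sshd FILE: print one FAIL line per deviation; exit status = number of deviations
audit_sshd() {
    file=$1; fails=0
    while read -r key want; do
        got=$(first_value "$file" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL $key: want '$want', got '${got:-<unset>}'"
            fails=$((fails + 1))
        fi
    done <<EOF
PermitRootLogin no
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 3
AllowUsers hedy
EOF
    return "$fails"
}

# Constructed sample: PermitRootLogin appears twice and the first (yes) wins;
# MaxAuthTries is still commented out, so it counts as unset.
sample=$(mktemp)
printf '%s\n' 'Port 22' 'PermitRootLogin yes' '#MaxAuthTries 6' \
    'PermitRootLogin no' 'clientaliveinterval 300' 'ClientAliveCountMax 3' \
    'AllowUsers hedy' > "$sample"
audit_sshd "$sample" || echo "$? setting(s) differ from the guide"
rm -f "$sample"
```

On a live server, sudo sshd -t validates the file's syntax before the restart, and sudo sshd -T prints the effective configuration.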

Login Banner

The login banner presents a warning to any user who attempts to connect via SSH. While this provides no direct security benefit, it can act as a deterrent by notifying users that connections are monitored.

Open the /etc/ file in your text editor of choice.

sudo nano /etc/

Populate the file with your desired login banner text. An example is provided below.

*                  AUTHORIZED ACCESS ONLY                  *
*              UNAUTHORIZED ACCESS PROHIBITED              *
*                                                          *
*         All connections are logged and monitored         *
* Disconnect IMMEDIATELY if you are not an authorized user *
*                                                          *
*                Thank you, have a nice day :)             *

Enable the login banner in the OpenSSH config file.

sudo nano /etc/ssh/sshd_config

Search for the text #Banner none in the file, uncomment the line, and specify the banner’s file path.

Banner /etc/

Restart the SSH service for changes to take effect.

sudo systemctl restart sshd


Fail2ban

Fail2ban is intrusion prevention software that protects your server from brute-force attacks. Fail2ban monitors log files for configured patterns of malicious activity. We will set it up to monitor the auth.log file for failed SSH password attempts. After a specified number of failed login attempts from a single IP address in a given time period, the IP address will be banned from making any more connections.

Install fail2ban.

sudo apt install fail2ban

Create a fail2ban configuration file to monitor SSH connection attempts.

sudo nano /etc/fail2ban/jail.local

In the file, specify the following configuration. It bans, for 25 hours, any IP address that makes 3 failed login attempts within 30 minutes. If you changed your SSH port, make sure you specify that port here.

# Jail section header; fail2ban requires every jail's options to sit under one
[sshd]
enabled = true
port = 22
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
# 30 minute findtime
findtime = 1800
# 25 hour ban
bantime = 90000

Restart the fail2ban service for changes to take effect.

sudo systemctl restart fail2ban
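
To see how maxretry and findtime interact, the following added example (not part of the original guide, and not fail2ban's own filter) replays the rule over auth.log-style lines. The function name would_ban is hypothetical, the log lines are constructed, and all entries are assumed to fall on the same day.

```sh
#!/bin/sh
# would_ban FILE [MAXRETRY] [FINDTIME]: print each source IP once, at the
# moment it reaches MAXRETRY failures inside a FINDTIME-second sliding window.
# Assumption: all lines fall on the same day, so only HH:MM:SS is parsed.
would_ban() {
    awk -v maxretry="${2:-3}" -v findtime="${3:-1800}" '
        /sshd\[[0-9]+\]: Failed password for / {
            split($3, t, ":"); now = t[1] * 3600 + t[2] * 60 + t[3]
            # Use the LAST "from" so a username of "from" cannot shift the address.
            ip = ""
            for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip == "" || banned[ip]) next
            n[ip]++; seen[ip, n[ip]] = now
            # Count this address failures that are still inside the window.
            hits = 0
            for (j = 1; j <= n[ip]; j++) if (now - seen[ip, j] <= findtime) hits++
            if (hits >= maxretry) { banned[ip] = 1; print ip }
        }' "$1"
}

# Constructed sample log (documentation address ranges, not real traffic).
log=$(mktemp)
cat > "$log" <<'EOF'
Apr 25 10:00:00 srv sshd[811]: Failed password for root from 198.51.100.7 port 50112 ssh2
Apr 25 10:00:01 srv sshd[812]: Failed password for root from 203.0.113.5 port 40022 ssh2
Apr 25 10:05:00 srv sshd[813]: Failed password for invalid user from from 203.0.113.5 port 40030 ssh2
Apr 25 10:10:00 srv sshd[814]: Failed password for root from 198.51.100.7 port 50120 ssh2
Apr 25 10:12:00 srv sshd[815]: Accepted password for hedy from 192.0.2.10 port 51000 ssh2
Apr 25 10:20:00 srv sshd[816]: Failed password for hedy from 203.0.113.5 port 40041 ssh2
Apr 25 10:45:00 srv sshd[817]: Failed password for root from 198.51.100.7 port 50133 ssh2
EOF
# 203.0.113.5 fails 3 times within 20 minutes and is listed; 198.51.100.7
# also fails 3 times, but spread over 45 minutes, so it stays under the limit.
would_ban "$log"
rm -f "$log"
```

Real bans can be inspected with sudo fail2ban-client status sshd.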