There are a number of posts on the internet about what to do in the first 10 minutes of spinning up a new server. It seems like every time I would bring up a new instance for a new project I would use a different variation from one of those posts, so I decided to write my own that I can reference whenever I need to.
Here’s what I do in the first 10 minutes of spinning up a new server. This assumes you’re running Ubuntu.
Make sure you're on the most up-to-date packages.
apt-get update && apt-get upgrade -y
Add a new user. You don’t want to run your application as root.
useradd deploy
mkdir /home/deploy
mkdir /home/deploy/.ssh
chmod 700 /home/deploy/.ssh
usermod -s /bin/bash deploy
Add an SSH key for your new user. We will be disabling the ability to log in using passwords in a bit, so you'll need to use SSH keys instead.
vim /home/deploy/.ssh/authorized_keys
Add the contents of your public SSH key to this file and save it.
chmod 400 /home/deploy/.ssh/authorized_keys
chown deploy:deploy /home/deploy -R
Before we can disable password logins, we should confirm that we are able to SSH into the server using the SSH key we just added. Open up a new terminal window for that test. You want to keep your current session open so that we are still able to access the server if SSH isn't working.
Set a new password for the deploy user. This will be the password you’ll enter when running sudo as the new deploy user. Make sure to save this in your password manager.
passwd deploy
Add the deploy user to the list of sudoers.
visudo
Add your deploy user under the root user.
root    ALL=(ALL) ALL
deploy  ALL=(ALL) ALL
Lock down SSH. We don't want to allow anyone to log in as the root user, and we want to force all users to log in via SSH keys instead of passwords.
vim /etc/ssh/sshd_config
Then make sure these lines are configured to look like this:
PermitRootLogin no
PasswordAuthentication no
Finally, restart SSH so the changes take effect.
service ssh restart
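One check worth running before you close your original session: sshd honours only the first uncommented occurrence of a keyword, so a "no" appended below an earlier "yes" changes nothing, and a grep for the two lines above would not notice. This is an added example, not part of the original post; the function names sshd_effective and check_ssh_lockdown are my own.

```shell
#!/bin/sh
# Added example (not from the original post): confirm the two sshd_config
# settings are the ones sshd will actually apply. sshd uses the FIRST
# uncommented occurrence of a keyword, so "PasswordAuthentication no"
# added at the bottom of a file that already says "yes" has no effect.
# Function names sshd_effective and check_ssh_lockdown are assumed names.

# sshd_effective CONFIG_TEXT KEYWORD
#   Prints the effective value of KEYWORD (first match wins, keyword
#   compared case-insensitively, comment lines ignored) or "unset".
#   Assumes the usual "Keyword value" form, not "Keyword=value".
sshd_effective() {
    printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }                 # skip comment lines
        NF >= 2 && tolower($1) == key { print $2; found = 1; exit }
        END { if (!found) print "unset" }
    '
}

# check_ssh_lockdown CONFIG_TEXT
#   Returns 0 when root login and password auth are both off, 1 otherwise,
#   naming every setting that is wrong on stderr.
check_ssh_lockdown() {
    rc=0
    for want in "PermitRootLogin no" "PasswordAuthentication no"; do
        key=${want% *}
        val=${want#* }
        got=$(sshd_effective "$1" "$key")
        if [ "$got" != "$val" ]; then
            echo "FAIL: $key is '$got', want '$val'" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: it contains both lines the post tells you to add,
# yet sshd would still accept password logins because "yes" comes first.
SAMPLE='# PasswordAuthentication no   <- commented out, ignored by sshd
PermitRootLogin no
PasswordAuthentication yes
PasswordAuthentication no'

check_ssh_lockdown "$SAMPLE" || echo "sample config is NOT locked down"
```

On the live server, run check_ssh_lockdown "$(sshd -T)" to test the configuration sshd really loads (sshd -T prints the effective settings, including any files pulled in by Include directives), and sshd -t validates the syntax before you restart the service.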
Set up the firewall
ufw allow 22
ufw allow 80
ufw allow 443
ufw disable
ufw enable
ufw status verbose
Install automatic security updates
apt-get install unattended-upgrades
Then update the configuration.
vim /etc/apt/apt.conf.d/10periodic
Update the file to look like this:
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
One more config file to edit:
vim /etc/apt/apt.conf.d/50unattended-upgrades
Make sure it looks like this:
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}";
    "${distro_id}:${distro_codename}-security";
    // Extended Security Maintenance; doesn't necessarily exist for
    // every release and this system may not have it installed, but if
    // available, the policy for updates is such that unattended-upgrades
    // should also install from here by default.
    "${distro_id}ESMApps:${distro_codename}-apps-security";
    "${distro_id}ESM:${distro_codename}-infra-security";
//  "${distro_id}:${distro_codename}-updates";
//  "${distro_id}:${distro_codename}-proposed";
//  "${distro_id}:${distro_codename}-backports";
};
We're done with the security side of things; now let's install the tools we'll want to use. First, we'll install docker and docker-compose.
curl -sSL https://get.docker.com/ | sh
usermod -aG docker deploy
Then docker-compose:
curl -L https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m) -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
You can find the latest version on their release notes page.