First 10 Minutes

Sunday Sep 5, 2021 by Dave Glassanos

There are a number of posts on the internet about what to do in the first 10 minutes of spinning up a new server. It seems like every time I would bring up a new instance for a new project I would use a different variation from one of those posts, so I decided to write my own that I can reference whenever I need to.

Here’s what I do in the first 10 minutes of spinning up a new server. This assumes you’re running Ubuntu.

  1. Make sure you’re on the most up-to-date packages.

    apt-get update && apt-get upgrade -y

  2. Add a new user. You don’t want to run your application as root.

    useradd deploy
    mkdir /home/deploy
    mkdir /home/deploy/.ssh
    chmod 700 /home/deploy/.ssh
    usermod -s /bin/bash deploy

  3. Add an SSH key for your new user. We will be disabling the ability to log in using passwords in a bit, so you’ll need to use SSH keys instead.

    vim /home/deploy/.ssh/authorized_keys

    Add the contents of your public SSH key to this file and save it.

    chmod 400 /home/deploy/.ssh/authorized_keys
    chown deploy:deploy /home/deploy -R

    Before we can disable password logins, we should confirm that we are able to SSH in to the server using the SSH key we just added. Open up a new terminal window. You want to keep your current session open so that we are still able to access the server if SSH isn’t working.

  4. Set a new password for the deploy user. This will be the password you’ll enter when running sudo as the new deploy user. Make sure to save this in your password manager.

    passwd deploy

  5. Add the deploy user to the list of sudoers.

    visudo

    Add your deploy user under the root user.

    root    ALL=(ALL) ALL
    deploy  ALL=(ALL) ALL

  6. Lock down SSH. We don’t want to allow anyone to log in as the root user, and we want to force all users to log in via SSH keys instead of passwords.

    vim /etc/ssh/sshd_config

    Then make sure these lines are configured to look like this:

    PermitRootLogin no
    PasswordAuthentication no


    Finally, restart SSH so the changes take effect.

    service ssh restart

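    As an added check (example code, not from the original post): a small POSIX sh script that reads an sshd_config-style file and reports what sshd would actually use for PermitRootLogin and PasswordAuthentication. sshd honours the first occurrence of a keyword, so a hardened line appended below an existing `PasswordAuthentication yes` has no effect. The script does not follow Include directives; on a real host, `sshd -T` prints the effective configuration and `sshd -t` checks the syntax before you restart.

```shell
#!/bin/sh
# Added example (not from the post): report the value sshd would actually use
# for a keyword in an sshd_config, using the rule that the FIRST occurrence
# of a keyword wins. Lines after a "Match" block are conditional and ignored.
# Files pulled in by "Include" are spliced in at that point by sshd and so
# take precedence; this checker does not follow them, so on a real host
# confirm with `sshd -T` (effective config) and `sshd -t` before restarting.

effective_value() {
    # $1 = path to config, $2 = keyword (matched case-insensitively)
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/         { next }           # skip comments and blank lines
        tolower($1) == "match" { exit }           # conditional section: stop
        tolower($1) == key     { print $2; exit } # first value wins
    ' "$1"
}

check_hardening() {
    # Prints one line per setting; returns 0 only if both are hardened.
    rc=0
    for pair in PermitRootLogin:no PasswordAuthentication:no; do
        key=${pair%%:*}; want=${pair##*:}
        got=$(effective_value "$1" "$key")
        if [ "$got" = "$want" ]; then
            echo "OK   $key $got"
        else
            echo "FAIL $key is '${got:-unset}' (want $want)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: the two hardened lines were appended at the bottom of
# the file, but an earlier "PasswordAuthentication yes" still takes effect.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# sshd_config (constructed sample)
PasswordAuthentication yes
PermitRootLogin no
PasswordAuthentication no
Match User backup
    PermitRootLogin yes
EOF

check_hardening "$SAMPLE"
echo "hardened: $?"   # 1, because PasswordAuthentication resolves to "yes"
```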
  7. Set up the firewall

    ufw allow 22
    ufw allow 80
    ufw allow 443
    ufw disable
    ufw enable
    ufw status verbose

  8. Install automatic security updates

    apt-get install unattended-upgrades

    Then update the configuration.

    vim /etc/apt/apt.conf.d/10periodic

    Update the file to look like this:

    APT::Periodic::Update-Package-Lists "1";
    APT::Periodic::Download-Upgradeable-Packages "1";
    APT::Periodic::AutocleanInterval "7";
    APT::Periodic::Unattended-Upgrade "1";

    One more config file to edit:

    vim /etc/apt/apt.conf.d/50unattended-upgrades

    Make sure it looks like this:

    Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}";
        "${distro_id}:${distro_codename}-security";
        // Extended Security Maintenance; doesn't necessarily exist for
        // every release and this system may not have it installed, but if
        // available, the policy for updates is such that unattended-upgrades
        // should also install from here by default.
        "${distro_id}ESMApps:${distro_codename}-apps-security";
        "${distro_id}ESM:${distro_codename}-infra-security";
        // "${distro_id}:${distro_codename}-updates";
        // "${distro_id}:${distro_codename}-proposed";
        // "${distro_id}:${distro_codename}-backports";
    };

  9. We’re done with the security side of things; now let’s install the tools we’ll want to use. First, we’ll install docker and docker-compose.

    curl -sSL https://get.docker.com/ | sh
    usermod -aG docker deploy

    Then docker-compose:

    curl -L https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m) -o /usr/local/bin/docker-compose
    chmod +x /usr/local/bin/docker-compose

    You can find the latest version on their release notes page.