{"id":8025,"date":"2025-03-19T06:45:26","date_gmt":"2025-03-19T06:45:26","guid":{"rendered":"https:\/\/cloudvpshosts.com\/kb\/?p=8025"},"modified":"2025-03-19T10:33:06","modified_gmt":"2025-03-19T10:33:06","slug":"initial-server-setup-with-ubuntu-20-04-18-04","status":"publish","type":"post","link":"https:\/\/cloudvpshosts.com\/kb\/initial-server-setup-with-ubuntu-20-04-18-04\/","title":{"rendered":"Initial Server Setup with Ubuntu 20.04 \/ 18.04"},"content":{"rendered":"<div id=\":ng\" class=\"Am aiL Al editable LW-avf tS-tW tS-tY\" tabindex=\"1\" role=\"textbox\" contenteditable=\"true\" spellcheck=\"false\" aria-label=\"Message Body\" aria-multiline=\"true\" aria-owns=\":102\" aria-controls=\":102\" aria-expanded=\"false\">\n<div dir=\"ltr\">\n<div dir=\"ltr\">\n<div>\n<h2 id=\"m_-2460453458689302787gmail-introduction\">Introduction<\/h2>\n<p>In this tutorial you will learn how to set up a server for the first time on Ubuntu 20.04 \/ 18.04. This will include basic configurations, such as creating a sudo user and setting up a first firewall.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/ci3.googleusercontent.com\/meips\/ADKq_NYfUCU8IWGnshOsSOD8tcmNpkK9Cwm5zq8G0pVywPAS31t_FEeQjQclwBrDCKhlP8VQj1opqdzvUBmeSKyevOssQOXMTQ4m_onvfXbp0gfqm6z0zDeK_65M1bFjfKSqLqYtuvrPkA=s0-d-e1-ft#https:\/\/community.hetzner.com\/2c16e85064bf2f5c9f47f6955e875044\/initial-setup.gif\" alt=\"initial-setup\" \/><\/p>\n<p>Prerequisites<\/p>\n<ul>\n<li>Basic knowledge about the CVH VPS\n<ul>\n<li>We assume that you know what a server is.<\/li>\n<li>We assume that you know your IP address and your root login.<\/li>\n<\/ul>\n<\/li>\n<li>CLI tool<\/li>\n<\/ul>\n<p>Example terminology<\/p>\n<ul>\n<li>Username: holu<\/li>\n<li>IPv4: &lt;10.0.0.1&gt;<\/li>\n<\/ul>\n<p>Please replace\u00a0<code>holu<\/code>\u00a0with your own username and\u00a0<code>&lt;10.0.0.1&gt;<\/code>\u00a0with your own IP address in all example commands.<\/p>\n<h2 id=\"m_-2460453458689302787gmail-step-1---connecting-to-the-server\">Step 1 
\u2013 Connecting to the server<\/h2>\n<p>Connect to your server as the root user.<\/p>\n<pre><code>$ ssh root@&lt;10.0.0.1&gt;<\/code><\/pre>\n<p>Please replace\u00a0<code>&lt;10.0.0.1&gt;<\/code>\u00a0with your own IP address. If there is a warning about\u00a0<i>host authenticity<\/i>, you can enter\u00a0<i>yes<\/i>. The ssh command will save the fingerprint shown in the warning in the file\u00a0<code>~\/.ssh\/known_hosts<\/code>\u00a0and automatically recognize it in the future.<\/p>\n<p>If you are using an SSH key and you have not set a password, you will automatically be connected. If you have set a password, please enter it now. The first time you log in to your server as root, you will be asked to change your password.<\/p>\n<h2 id=\"m_-2460453458689302787gmail-step-2---creating-a-new-user\">Step 2 \u2013 Creating a new user<\/h2>\n<p>In a Linux environment, root users are automatically given all administrative privileges, allowing them to execute any command on the server without restriction. This can lead to accidental or unintentional changes. Creating a new user with sudo privileges can prevent such mistakes from happening. Sudo users have the same privileges as root but they need to add\u00a0<code>sudo<\/code>\u00a0in front of any administrative command. This extra step helps prevent accidental changes. First, create a new user with the following command:<\/p>\n<pre><code># adduser holu<\/code><\/pre>\n<p>Please replace\u00a0<code>holu<\/code>\u00a0with your own username. Next, choose a password for the new user. You will also be given the option to add personal information. If you do not want to provide any information, you can simply skip it by pressing\u00a0<code>ENTER<\/code>.<\/p>\n<p>If you are not the only user on this server, you can use the\u00a0<code>adduser<\/code>\u00a0command again to create more users. This way you will not have to share your login data and, additionally, those people will not have any administrative privileges. 
For your own user, you can enable administrative privileges by adding the user to the sudo group as described in the next step.<\/p>\n<p>You can always use\u00a0<code>getent<\/code>\u00a0to display all users that have been added to the server. If everything worked well, your new user should now be listed there.<\/p>\n<pre><code># getent passwd {1000..60000} | cut -d: -f1<\/code><\/pre>\n<ul>\n<li><code>{1000..60000}<\/code>: Each user has a specific ID called UID. In the Linux environment, the UID of normal users should be somewhere between 1000 and 60000.<\/li>\n<li><code>cut -d: -f1<\/code>: Besides the username, the getent command can also display additional information, such as user ID, group ID and more.<br \/>\n<code>username:password:uid:gid:gecos:home:shell<\/code><br \/>\nWe only need the username from the first field, so we cut it down to f1.<\/li>\n<\/ul>\n<h2 id=\"m_-2460453458689302787gmail-step-3---giving-a-user-administrative-privileges\">Step 3 \u2013 Giving a user administrative privileges<\/h2>\n<p>You might not want to change accounts any time an administrative command is required, so it makes sense to enable the new user to use those commands too. This can be done by adding the user to the sudo group, which only a root user can do. You are still connected to your server as root, so simply enter the following command:<\/p>\n<pre><code># usermod -aG sudo holu<\/code><\/pre>\n<p>Please replace\u00a0<code>holu<\/code>\u00a0with the username you specified in\u00a0step 2\u00a0for your new user.<\/p>\n<p>You can always use\u00a0<code>getent<\/code>\u00a0to display all users that have been added to the sudo group. 
If everything worked well, your new user should now be listed there.<\/p>\n<pre><code># getent group sudo | cut -d: -f4<\/code><\/pre>\n<ul>\n<li><code>group sudo<\/code>: This time we want to display all users that are in the sudo group.<\/li>\n<li><code>cut -d: -f4<\/code>: Besides the username, the getent command can also display additional information, such as the group, the group ID and more.<br \/>\n<code>group:password:GID:username(s)<\/code><br \/>\nWe only need the username(s) from the fourth field, so we cut it down to f4.<\/li>\n<\/ul>\n<h2 id=\"m_-2460453458689302787gmail-step-4---authentication\">Step 4 \u2013 Authentication<\/h2>\n<p>To authenticate on your server, you can either use a password or an SSH key. One of the advantages of an SSH key is that it is more secure than passwords. The tutorial\u00a0<a href=\"https:\/\/community.hetzner.com\/tutorials\/howto-ssh-key\" target=\"_blank\" rel=\"noreferrer noopener\" data-saferedirecturl=\"https:\/\/www.google.com\/url?q=https:\/\/community.hetzner.com\/tutorials\/howto-ssh-key&amp;source=gmail&amp;ust=1742224661361000&amp;usg=AOvVaw0wJvIQn5_d9tLPCNdsfJYM\">Setting up an SSH key<\/a>\u00a0explains how to generate an SSH key pair and how to copy the public key to a remote device. If you do not have an SSH key, you can use the above-linked tutorial to generate one or you can keep your password and skip to\u00a0step 5. If you already have an SSH key, you can now add the key to the files of your new user. There are four ways described in the above-mentioned tutorial. In general, you can either copy and paste your SSH key from your local device to the new user on your server or you can copy and paste all SSH keys from your root user to another user on the same server.<\/p>\n<ul>\n<li>Local device<br \/>\nWhen you generate an SSH key, it is always saved locally. For this reason, you have to be on your local device to copy the SSH key. 
Open a second window in your CLI and use it to execute the following command\u00a0on your local device:<br \/>\n<code>$ ssh-copy-id holu@&lt;10.0.0.1&gt;<\/code><br \/>\nPlease replace\u00a0<code>holu<\/code>\u00a0with your own username and\u00a0<code>&lt;10.0.0.1&gt;<\/code>\u00a0with your own IP address.<br \/>\nIf you have more than one SSH key on your local device, you should specify the file name of the SSH key you would like to add to the new user:<br \/>\n<code>$ ssh-copy-id -i ~\/.ssh\/id_&lt;type&gt;.pub holu@&lt;10.0.0.1&gt;<\/code><br \/>\nPlease replace\u00a0<code>holu<\/code>\u00a0with your own username and\u00a0<code>&lt;10.0.0.1&gt;<\/code>\u00a0with your own IP address. Also,\u00a0<code>&lt;type&gt;<\/code>\u00a0needs to be replaced with the actual type of your SSH key in order to match the file name the local device is supposed to copy the public SSH key from. In case you are not sure about the correct name of the file, you can use\u00a0<code>ls ~\/.ssh<\/code>\u00a0to list all files that are saved in the ssh folder. One of those files should be named like this:\u00a0<code>id_&lt;type&gt;.pub<\/code>. After the SSH key has been added to the new user, you can close the second CLI window and go back to the first window where your root user should still be connected to the server.<\/li>\n<li>Root user<br \/>\nThe approach shown above simply imports the SSH key from your local device to the\u00a0<code>authorized_keys<\/code>\u00a0file of the new user. If you have been using your root user for a while now and there is already a lot of data in the\u00a0<code>.ssh<\/code>\u00a0folder that you would like to keep, you can also copy the whole\u00a0<code>.ssh<\/code>\u00a0folder from your root user to your new user with the following command:<br \/>\n<code># rsync --archive --chown=holu:holu ~\/.ssh \/home\/holu<\/code><br \/>\nPlease replace\u00a0<code>holu<\/code>\u00a0with your own username. This command automatically modifies the file owner. 
Please ensure that\u00a0<code>~\/.ssh<\/code>\u00a0does\u00a0not\u00a0end with a trailing slash\u00a0<del><code>~\/.ssh\/<\/code><\/del>; otherwise this command will not work properly.<\/li>\n<\/ul>\n<p>If SSH keys are the only form of authentication that you are using, you can disable password authentication on your server. This will make your server more secure. You can do this in the final\u00a0step 7\u00a0after you have finished setting up the new user.<\/p>\n<h2 id=\"m_-2460453458689302787gmail-step-5---testing-login-with-the-new-user\">Step 5 \u2013 Testing login with the new user<\/h2>\n<p>Now that everything is set, you can test logging in with your new user and using sudo permissions. Open a second CLI window. In\u00a0step 1, you already connected to your server as the root user. The word in front of the @ character specifies the user that will be used to connect to the server. This time, we will replace\u00a0<code>root<\/code>\u00a0with the user created in\u00a0step 2. In this example, this would be\u00a0<code>holu<\/code>.<\/p>\n<pre><code>$ ssh holu@&lt;10.0.0.1&gt;<\/code><\/pre>\n<p>Please replace\u00a0<code>holu<\/code>\u00a0with your own username and\u00a0<code>&lt;10.0.0.1&gt;<\/code>\u00a0with your own IP address.<\/p>\n<p>Once you are connected to your server, you can test the sudo permissions. The command\u00a0<code>man sudo<\/code>\u00a0will display a list of possible sudo commands. For our testing purposes it will be enough to use a simple\u00a0<code>su<\/code>\u00a0command (substitute user) to switch to the root user.<\/p>\n<pre><code>$ sudo su - root<\/code><\/pre>\n<p>Whenever you use\u00a0<code>sudo<\/code>\u00a0for the first time after you have logged in or after you have not used it for a while, you will be asked to enter your password. 
If switching to the root user worked, you can now switch back to your new user.<\/p>\n<pre><code># exit<\/code><\/pre>\n<h2 id=\"m_-2460453458689302787gmail-step-6---setting-up-a-firewall\">Step 6 \u2013 Setting up a firewall<\/h2>\n<p>A firewall is used to protect servers by monitoring incoming and outgoing network traffic. This means that a firewall improves your server\u2019s security. You can use the Hetzner Cloud Firewall or UFW (Uncomplicated Firewall), for example. However, it is best to use one firewall only. Otherwise, there could be a conflict with the rules set for the different firewalls.<\/p>\n<p>In this example, we will use UFW. UFW is the default firewall configuration tool for Ubuntu.<\/p>\n<p>To work with UFW, you will need administrative permissions. This means that you can only use your new user with sudo permissions or the root user to configure the firewall. If you use the root user, you can drop the\u00a0<code>sudo<\/code>\u00a0in the following commands.<\/p>\n<ul>\n<li>Allowing SSH connections<br \/>\nUFW can be used to manage packages by name. The following command will display all packages installed:<br \/>\n<code>$ sudo ufw app list<\/code><br \/>\nOpenSSH\u00a0should be listed in the output:\n<pre><code>Available applications:\n  OpenSSH<\/code><\/pre>\nIf new packages are installed, they will also be added to this list. Packages that are listed are not automatically allowed by the firewall. Once the firewall is active, it will block all incoming traffic and allow all outgoing traffic by default. We are connected to the server via SSH. 
In order to ensure that we can still connect to the server after the firewall has been activated, we will now allow OpenSSH and therefore SSH connections.<br \/>\n<code>$ sudo ufw allow OpenSSH<\/code><br \/>\nThe output should confirm that the rules have been changed:\n<pre><code>Rules updated\nRules updated (v6)<\/code><\/pre><\/li>\n<li>Enabling the firewall<br \/>\nNow that OpenSSH is allowed, we can activate the firewall:<br \/>\n<code>$ sudo ufw enable<\/code><br \/>\nIf there is a warning such as\u00a0<code>Command may disrupt existing ssh connections<\/code>, you can enter\u00a0<code>y<\/code>. We used the command above to set our first firewall rule and allow SSH connections, so this should not affect you.<\/li>\n<li>Checking the firewall status<br \/>\nNext, we can check the firewall status to see if everything worked.<br \/>\n<code>$ sudo ufw status<\/code><br \/>\nThe firewall should now be\u00a0<code>active<\/code>. Next to OpenSSH it should state\u00a0<code>ALLOW<\/code>:\n<pre><code>Status: active\n\nTo                         Action      From\n--                         ------      ----\nOpenSSH                    ALLOW       Anywhere\nOpenSSH (v6)               ALLOW       Anywhere (v6)<\/code><\/pre><\/li>\n<\/ul>\n<h2 id=\"m_-2460453458689302787gmail-step-7---deactivating-root-login\">Step 7 \u2013 Deactivating root login<\/h2>\n<p>By default, every Linux server has a root user, making it an easy target for hackers. To protect your server from such attacks, it makes sense to deactivate root login. The connection to the server is established via SSH, so you will need to open the SSH configuration file. Only root users and users with sudo permissions can modify this file. Before you disable root login, make sure that you have access to the server with your new user and that the sudo permissions are working. Otherwise, you will not be able to enable root login again. 
Now use\u00a0<code>nano<\/code>\u00a0to open the file:<\/p>\n<pre><code>$ sudo nano \/etc\/ssh\/sshd_config<\/code><\/pre>\n<p>You can use the arrows on your keyboard to navigate through the file.<\/p>\n<ul>\n<li>Deactivating root login<br \/>\nLook for the\u00a0<code>PermitRootLogin<\/code>\u00a0line:<br \/>\n<code>PermitRootLogin no<\/code><br \/>\nReplace the\u00a0<i>yes<\/i>\u00a0with a\u00a0<i>no<\/i>\u00a0and remove the hash symbol (#) if the line begins with one.<\/li>\n<li>Deactivating password authentication<br \/>\nIf you are using an SSH key for authentication, you can now also disable password authentication. Look for the\u00a0<code>PasswordAuthentication<\/code>\u00a0line:<br \/>\n<code>PasswordAuthentication no<\/code><br \/>\nRemove the hash symbol (#) if the line begins with one and replace the\u00a0<i>yes<\/i>\u00a0with a\u00a0<i>no<\/i>. Do not disable password authentication if you are using a password to connect to your server. Otherwise, you will no longer be able to connect to your server.<\/li>\n<\/ul>\n<p>Use\u00a0<code>CTRL<\/code>+<code>X<\/code>\u00a0to save the file,\u00a0<code>Y<\/code>\u00a0to confirm and\u00a0<code>ENTER<\/code>\u00a0to close the file. Now use the following command to restart SSH:<\/p>\n<pre><code>$ sudo systemctl restart sshd<\/code><\/pre>\n<p>Root login and password authentication are now both disabled on this server. You can use the same commands to reset these settings. This time, replace\u00a0<code>no<\/code>\u00a0with a\u00a0<code>yes<\/code>. Keep in mind that only sudo users have permission to do so.<\/p>\n<h2 id=\"m_-2460453458689302787gmail-conclusion\">Conclusion<\/h2>\n<p>In the previous steps you learned how to create a new user, add the new user to the sudo group, connect to your server with the new user, set up a firewall and access the SSH configuration file. 
Next, you can continue configuring the\u00a0<a href=\"https:\/\/community.hetzner.com\/tutorials\/simple-firewall-management-with-ufw\" target=\"_blank\" rel=\"noreferrer noopener\" data-saferedirecturl=\"https:\/\/www.google.com\/url?q=https:\/\/community.hetzner.com\/tutorials\/simple-firewall-management-with-ufw&amp;source=gmail&amp;ust=1742224661361000&amp;usg=AOvVaw0XsjnA3X954xDRm3fbD3P1\">UFW firewall<\/a>\u00a0or further secure the\u00a0<a href=\"https:\/\/community.hetzner.com\/tutorials\/securing-ssh\" target=\"_blank\" rel=\"noreferrer noopener\" data-saferedirecturl=\"https:\/\/www.google.com\/url?q=https:\/\/community.hetzner.com\/tutorials\/securing-ssh&amp;source=gmail&amp;ust=1742224661361000&amp;usg=AOvVaw3HaGY2p__qwb9Po5Uwme23\">SSH service<\/a>.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Introduction In this tutorial you will learn how to setup a server for the first time on Ubuntu 20.04 \/ 18.04. This will include basic configurations, such as creating a sudo user and setting up a first firewall. Prerequisites Basic knowledge about the CVH VPS We assume that you know what a server is. 
We [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":8029,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[228,226,227],"class_list":["post-8025","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","tag-dedicated-server","tag-linux","tag-ubuntu"],"_links":{"self":[{"href":"https:\/\/cloudvpshosts.com\/kb\/wp-json\/wp\/v2\/posts\/8025","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cloudvpshosts.com\/kb\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cloudvpshosts.com\/kb\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cloudvpshosts.com\/kb\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cloudvpshosts.com\/kb\/wp-json\/wp\/v2\/comments?post=8025"}],"version-history":[{"count":1,"href":"https:\/\/cloudvpshosts.com\/kb\/wp-json\/wp\/v2\/posts\/8025\/revisions"}],"predecessor-version":[{"id":8026,"href":"https:\/\/cloudvpshosts.com\/kb\/wp-json\/wp\/v2\/posts\/8025\/revisions\/8026"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cloudvpshosts.com\/kb\/wp-json\/wp\/v2\/media\/8029"}],"wp:attachment":[{"href":"https:\/\/cloudvpshosts.com\/kb\/wp-json\/wp\/v2\/media?parent=8025"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cloudvpshosts.com\/kb\/wp-json\/wp\/v2\/categories?post=8025"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cloudvpshosts.com\/kb\/wp-json\/wp\/v2\/tags?post=8025"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}