8 Things to do on a New Linux Server

Here are some things I do whenever I get a new Linux server (whether it is a VPS or dedicated). Most of the points are security related while the others are just there to make it more convenient to manage. This is by no means a complete list, or the most important of a very long list!

1. Change the Root Password

This is the first thing I do whenever I get a new server or reload one of my VPS. In the case of a dedicated server, the provider will usually generate a random password and send it along the activation email. On a VPS it depends on what control panel you are using, SolusVM usually saves the root password you use in the "Root Password" section of it and uses it whenever you reload a VPS in that SolusVM account.

A good password will contain a combination of numbers, letters, upper and lowercase and even symbols if you want it really difficult to guess. Be careful though, you don't want to forget the password if anything important is inside :-P! Websites such as Random.org are great for generating random passwords.

On Linux its quite simple to change your root password just enter:

passwd root

You will then be prompted to enter your new password twice.

2. Add a Non-Root User

It's good practice not to be root when whatever you need to do does not require root powers. Just about anything non-administrative can be done without root. Everything you need works only with root? No problem, set a non-root user anyways (point 4 explains why). On most Linux distributions this can be done with the adduser (Debian) or useradd (CentOS) command.

adduser user123

useradd user123

Note that depending on the operating system, the command may or may not prompt for a password to be entered for the user. If it doesn't make sure you set the password for the new user by using the passwd command (like we did in point 1):

passwd user123

3. Check for OS Updates

Checking for updates on Linux is important to ensure you have the latest patched versions of software and most importantly that the Linux kernel is up to date. The good thing about Linux is that most software updates do not require a reboot, kernel updates usually do (unless you are lucky to be using Ksplice 😉 ).

On Debian (and other Deb systems such as Ubuntu, don't forget sudo if required):

apt-get update && apt-get upgrade

On CentOS:

yum update

It might take a while if the distribution installed is not the latest and your connection is not the best out there.

4. Disable SSH Root Login

Remote shell (aka SSH) is the best way to manage your server remotely thanks to it being similar to telnet but encrypted in nature. However, it operates on a standard port (port 22) and as such becomes a target for brute force attacks. The first username they will try to exploit is root since it is most likely to have all the powers they need. It is good to disable root login, but do this ONLY if you are able to login as another user (step 2 above) as well. On Debian and CentOS the steps are the same, edit the file /etc/ssh/sshd_config, look for:

#PermitRootLogin yes

uncomment it (remove the #) and make sure it contains no:

PermitRootLogin no

Restart the SSH server (DO NOT DISCONNECT YET FROM SSH AFTER RESTARTING, depending on distribution it is one of these:

service sshd restart

service ssh restart

/etc/init.d/ssh restart

Now start a new SSH session, try to login as root. Not working? Perfect. Now login as the non-root user created above and enter the following to become root (the password is the root password):

su -

If you are in as root you may close the terminal we were working on previously, otherwise ensure you have edited the correct section of the file.

5. Change the SSH Port

Due to the reasons mentioned above, you may also change the SSH port from its default of 22 to something else. There are some situations when you do not want to change the SSH port, some firewalls are configured for port 22 and will allow connections but disallow if you use some other port (usually corporate firewalls). Once again edit /etc/ssh/sshd_config, this time look for:

Port 22

and change it to something else. It is recommended to use a port in the 49152 – 65535 range to minimize the chances of it being used by some protocol and messing up stuff. Check the following list before changing to a port out of the range mentioned.

6.Set the Timezone

This is optional. I prefer to set my servers' time zone to my location. Its easier to read the various logs when it is local to your time rather than something like UTC or the location where the server was setup in. On Debian its quite simple, enter the following command and follow the prompt:

dpkg-reconfigure tzdata

On CentOS I'm used to the following, remove the symlink to the current time zone:

rm /etc/localtime

Create a new localtime symlink but point it to a different zone, Bahrain for example, would look like:

ln -s /usr/share/zoneinfo/Asia/Bahrain /etc/localtime

7. Remove Unwanted Software

Not every server I deploy is a web server, yet Apache is running on a freshly reloaded VPS. Not every VPS I use has enough memory to run everything I wish it could ;-). As a result I usually remove stuff I don't want. What you want to remove is completely dependent on what purpose the server will serve. Assuming you wanted to remove Apache, on Debian (and other Deb) it is:

apt-get remove apache2

On CentOS:

yum remove httpd

8. Change the Message of the Day (MOTD)

This can be purely for fun and is optional. Noticed a message that pops up as soon as you login in Linux (different depending on distro)? That is the message of the day (or motd). For CentOS you edit the /etc/motd file and replace (or add) with whatever you want. On Debian edit /etc/motd.tail.

Hope you find this post helpful :-).

Leave a Reply