This article covers the installation of Ubuntu Linux (7.10) on a Linode VPS, along with startup management tasks, iptables firewalling, and basic server security techniques. It assumes you are using a Linux machine locally as well, but for the most part you only need a simple SSH client, a web browser, and an editor, so adapt these steps to your local configuration.
Note: While these instructions are for a VPS within Linode, they are essentially the same for any hosting company/distribution, with the exception of some differences between Debian-based and Red Hat-based Linux systems (apt-get vs. yum, etc.).
If you don't have a dedicated server or a VPS, we often recommend Linode as your hosting company. Their support is quite good and their offerings are well thought through. There are a vast number of hosting companies, but in our opinion Linode is one of the best.
1. Install Ubuntu 7.10 on Linode (through the dashboard system, very easy…)
2. While waiting, clear your local SSH known_hosts of the VPS entry (only necessary if you reinstalled, etc.)
nano ~/.ssh/known_hosts (remove all references to the VPS IP)
3. SSH in with your Linode account to Lish on your host, then log in to your Linode as root. Non-Linode customers (or Linode users, alternatively) can SSH straight in:
ssh root@yourip (then change your root password:)
passwd
4. Create a new account (so you are not logging in as root)
adduser username
5. Grant the new user sudo privileges
visudo (at the end of the file add:)
username ALL=(ALL) ALL
6. Login & Set Hostname:
/bin/hostname yourhostname.com
echo yourhostname.com > /etc/hostname
This next section sets up SSH key authentication between your local computer(s) and your server. These steps essentially disallow any logins besides those coming from a machine that holds your SSH private key. If you move from computer to computer you will need to perform these steps on every computer you use. On Linode (and other hosts) you can always log in through the web interface provided by the dashboard management system.
Set up correctly, these steps stop any number of attacks that work by randomly guessing the root password, etc. They give a fairly high level of initial security.
7. SSH keygen public/private key (stop logins with just a password)
On Local Machine:
mkdir ~/.ssh
ssh-keygen -t rsa (this makes 2 files: id_rsa.pub (public key) and id_rsa (private key))
Copy public key to Linode:
scp ~/.ssh/id_rsa.pub username@ip:/home/username/
On Your Linode VPS:
mkdir /home/username/.ssh
mv /home/username/id_rsa.pub /home/username/.ssh/authorized_keys
Permissions:
chown -R username:usergroup /home/username/.ssh
chmod 700 /home/username/.ssh
chmod 600 /home/username/.ssh/authorized_keys
8. SSH config
nano /etc/ssh/sshd_config
Change the SSH port to something else (i.e. 30100, 30211, anything high really):
Port 30100
Protocol 2
PermitRootLogin no
Uncomment the AuthorizedKeysFile line (AuthorizedKeysFile %h/.ssh/authorized_keys)
PasswordAuthentication no
X11Forwarding no
UsePAM no
UseDNS no
AllowUsers username
This next section runs through a basic configuration of the iptables firewall. There are many helper applications for establishing a firewall on a Linux machine, but doing it by hand helps people understand the concepts involved.
9. Firewall setup (iptables)
iptables-save > /etc/iptables.up.rules
iptables -L
nano /etc/iptables.test.rules (paste the config below)
Below is a basic iptables configuration file that locks nearly everything down. As you add services you can open the required ports for their traffic, but for most people this configuration will meet all their needs.
++++Begin File++++
*filter
# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -i ! lo -d 127.0.0.0/8 -j REJECT
# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allows all outbound traffic
# You can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# Allows SSH connections
#
# THE --dport NUMBER IS THE SAME ONE YOU SET UP AS Port IN THE SSHD_CONFIG FILE
#
-A INPUT -p tcp -m state --state NEW --dport 30000 -j ACCEPT
# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
++++End File++++
10. Store the new iptables rules
iptables-restore < /etc/iptables.test.rules
iptables -L
iptables-save > /etc/iptables.up.rules
11. Ensure iptables loads at startup
nano /etc/network/interfaces
after the iface line add:
pre-up iptables-restore < /etc/iptables.up.rules
12. Test connections (don't log out yet!)
/etc/init.d/ssh reload
From a new local terminal test ssh:
ssh -p portyouset username@yourip
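As an added check before the reload in step 12 (this script is not part of the original article), the following reads the sshd_config values set in step 8 and confirms that the iptables rules file from step 9 opens the same SSH port; the function names and the constructed sample files are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article: before reloading sshd (step 12),
# confirm sshd_config carries the step 8 hardening and that the iptables rules
# file from step 9 opens the SSH port sshd_config names. Function names and the
# sample files are this example's own.

# Effective value of a sshd_config directive (last uncommented occurrence wins).
sshd_value() {   # $1 = sshd_config path, $2 = directive name
    awk -v d="$2" 'tolower($1) == tolower(d) { v = $2 } END { print v }' "$1"
}

# Print each hardening directive that is missing or wrong; return 0 only when
# every one matches the values set in step 8.
check_sshd_hardening() {   # $1 = sshd_config path
    rc=0
    for pair in Protocol=2 PermitRootLogin=no PasswordAuthentication=no \
                X11Forwarding=no UsePAM=no; do
        key=${pair%=*}; want=${pair#*=}; got=$(sshd_value "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "sshd_config: $key is '${got:-unset}', expected '$want'"; rc=1
        fi
    done
    [ -n "$(sshd_value "$1" AllowUsers)" ] || { echo "sshd_config: AllowUsers unset"; rc=1; }
    return $rc
}

# Return 0 when the rules file ACCEPTs new TCP connections on the SSH port from
# sshd_config (22 if no Port line); 1 means the reload would lock you out.
check_ssh_port_open() {   # $1 = sshd_config path, $2 = iptables rules path
    port=$(sshd_value "$1" Port)
    grep -Eq -- "^-A INPUT .*-p tcp .*--dport ${port:-22} .*-j ACCEPT" "$2"
}

# Constructed sample inputs: sshd on port 30100, but a rules file that still
# opens 30000 (the mismatch the comment in the rules file warns about).
write_samples() {   # $1 = directory to write into
    printf '%s\n' '# Port 22' 'Port 30100' 'Protocol 2' 'PermitRootLogin no' \
        'PasswordAuthentication no' 'X11Forwarding no' 'UsePAM no' \
        'AllowUsers username' > "$1/sshd_config"
    printf '%s\n' '*filter' '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -p tcp -m state --state NEW --dport 30000 -j ACCEPT' \
        '-A INPUT -j REJECT' 'COMMIT' > "$1/iptables.test.rules"
}

dir=$(mktemp -d); write_samples "$dir"
check_sshd_hardening "$dir/sshd_config" && echo "sshd_config hardening: ok"
check_ssh_port_open "$dir/sshd_config" "$dir/iptables.test.rules" \
    || echo "WARNING: rules file does not open SSH port $(sshd_value "$dir/sshd_config" Port)"
```

Run it against the real /etc/ssh/sshd_config and /etc/iptables.test.rules by calling the two check functions with those paths instead of the sample directory.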
13. Set Locale
sudo locale-gen en_US.UTF-8
sudo /usr/sbin/update-locale LANG=en_US.UTF-8
14. Reboot and log in as your new user via the ssh command:
ssh -p portyouset username@yourip
Now that you have established your SSH keys and a connection, and locked down the majority of the open ports on the computer, you can set up your local environment. These settings can be changed according to your needs; they are just a basic setup that many people will find satisfactory.
15. Configure your local environment
nano ~/.bashrc
export PS1='\[\033[0;32m\]\h\[\033[0;36m\] \w\[\033[00m\]: '
alias dir="ls -lartF"
alias free="free -m"
alias update="sudo aptitude update"
alias install="sudo aptitude install"
alias upgrade="sudo aptitude safe-upgrade"
alias remove="sudo aptitude remove"
16. Get your Ubuntu server up to date
sudo nano /etc/apt/sources.list
(enable all repositories)
sudo aptitude update
sudo aptitude safe-upgrade
sudo aptitude full-upgrade
Finally, install the build-essential package, which has the compiler and related tools necessary to install Apache, MySQL, and other applications you are going to put on your server.
17. Install build-essential
sudo aptitude install build-essential