Skip to content

Setup a new Linux server after buying from an external provider

If you have bought a server from an external provider, usually it's not following the Linux authentication best practices. You need to set it up properly before hosting services on it.

Preparation

Check the server layout

After buying a new server, at least you need to understand the server layout. Including the CPU, memory, disk, and network. You can check the server layout by running:

Check the server layout
Green="\033[32m"
Blue="\033[36m"
Font="\033[0m"
OK="${Green}[  OK  ]${Font}"
function print() {
  echo -e "${OK} ${Blue} $1 ${Font}"
}

print "OS information"
sudo lsb_release -a
print "OS install date"
stat -c %w /
print "Secure Boot status"
sudo mokutil --sb-state
print "Root file system"
sudo df -Th /
print "Boot mode"
if [ -d /sys/firmware/efi ]; then echo "Boot mode: UEFI"; else echo "Boot mode: Legacy"; fi
print "CPU information"
sudo lscpu
print "PCIE information"
sudo lspci
print "USB information"
sudo lsusb
print "Disk layout"
sudo lsblk
print "All disks information"
sudo fdisk -l
print "Disk usage"
sudo df -Th
print "Memory information"
sudo free -h
print "Network information"
sudo ip link show
print "Firewall status"
sudo ufw status
print "Network location"
curl https://ipinfo.io

Authentication

Connect to the server

After buying a server, it will provide you:

  • IP address
  • Username (Usually root)
  • Password

So you can connect to the server using SSH. For example:

Connect to the server (Run on your local machine)
ssh default-user-name@your-server-ip

Change hostname

By default, the hostname of the server is usually not set properly. You can change it by running:

Change hostname
sudo hostnamectl set-hostname your-hostname
sudo reboot

Only limited characters are allowed

The hostname can only contain letters, numbers, and hyphens. It cannot start or end with a hyphen. It cannot contain spaces or special characters like underscores.

For example, your-hostname is a valid hostname, but your-hostname- is not. For example, your-hostname is a valid hostname, but your_hostname is not.

You also need to update /etc/hosts to add the new hostname as 127.0.0.1:

Update /etc/hosts
sudo vim /etc/hosts

Inside the /etc/hosts file, add the new hostname as 127.0.0.1, like this:

Update /etc/hosts
127.0.0.1   localhost
127.0.1.1   your-hostname

Make sure to replace your-hostname with the actual hostname you set using the hostnamectl command. Save and close the file.

Use the vim editor

To start editing the file in vim, you can press i to enter insert mode. You can use the arrow keys to navigate and edit the file.

To save and close the file in vim, you can press ESC and then type :wq and press Enter.

Create a new user

It's not recommended to use the root user for daily tasks. You should create a new user and give it sudo permission. For example:

Create a new user
sudo adduser your-username

Enter the password and other information as prompted.

Then add the user to the sudo group:

Add the user to the sudo group
sudo usermod -aG sudo your-username

Now you can test the new user's root permission:

Test the new user's root permission
su - your-username
whoami
sudo ls

Copy SSH public key

Run on your local machine!

The next command should be run on your local machine instead of the server! No matter your local machine is running Windows, macOS, or Linux, you can still run the command below. All those systems support the SSH command.

By default, the server provider will give you a password to connect to the server. It's recommended to use SSH key instead. You can generate a new SSH key pair on your local machine:

Generate a new SSH key pair

Don't overwrite the existing SSH key pair if you already have one!

The command above will overwrite the existing SSH key pair. You can check if you already have an SSH key pair by running:

ls ~/.ssh
Generate a new SSH key pair (Run on your local machine)
ssh-keygen

Then copy the public key to the server:

Copy SSH public key (Run on your local machine)
ssh-copy-id your-username@your-server-ip

Now you can connect to the server without a password:

Connect to the server without password (Run on your local machine)
ssh your-username@your-server-ip

If the server didn't ask for a password, you have successfully set up the SSH key.

Disable root login

It's not recommended to allow root login via SSH. You should disable it by editing the SSH configuration file:

Disable root login
sudo vim /etc/ssh/sshd_config
  • Change: PermitRootLogin to no to disable the root user login.
  • Change PasswordAuthentication to no to disable password login. (Make sure you can use SSH key login before disabling password login)
  • Change PubkeyAuthentication to yes to allow ssh key login.

Then restart the SSH service:

sudo systemctl restart sshd

Allow your user to run sudo without password (Optional)

Allowing sudo without password is a security risk, but it can be useful in certain situations.

Security Risk

Disabling the password requirement for sudo can be a security risk. This may cause some commands running without sudo to have root permissions and potentially break your system.

However, if you prefer to allow sudo without password, you can follow the steps below.

Open the sudoers file with the visudo command:

Allow sudo without password
sudo mkdir -p /etc/sudoers.d
sudo touch /etc/sudoers.d/$USER
echo "$USER ALL=(ALL) NOPASSWD:ALL" | sudo tee -a /etc/sudoers.d/$USER

That's it! You can now run sudo commands without entering your password.

Delete other users

By default, the server provider may create some users for you. You should delete them if you don't need them.

To list all users which can login to the server, you can run:

List all users
cat /etc/passwd | grep -v nologin | grep -v false

Usually the users are:

  • root
  • sync (1)
  • your-username
  1. The sync user is used for synchronizing the system clock. It's safe to keep it.

To delete a user, you can run:

Delete other users
sudo deluser --remove-home other-username

It is also suggested to delete the user's home directory:

Delete user's home directory
sudo ls /home
sudo rm -rf /home/other-username

Network

Renew Machine ID

If you have cloned the server, (For some cloud providers, the server is cloned from a template), you need to renew the machine ID to avoid conflicts. You can renew the machine ID by running:

Renew Machine ID
sudo rm /etc/machine-id
sudo rm /var/lib/dbus/machine-id
sudo systemd-machine-id-setup
sudo cp /etc/machine-id /var/lib/dbus/machine-id

Enable firewall

By default, the server provider may not enable the firewall. You should enable it to protect your server.

You can use ufw to enable the firewall. Before doing that, make sure you allow the SSH port:

Tell ufw to allow your necessary ports
sudo ufw allow ssh
sudo ufw allow 80 # 80 is an example for your other business ports

Then enable the firewall:

Enable ufw
sudo ufw enable

Enable CrowdSec to enhance security

CrowdSec is an open-source security tool that can help you block malicious IP connections. You can use it to block hackers, bots, and other malicious connections.

Install crowdsec
curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | sudo bash
sudo apt-get update
sudo apt-get install crowdsec

CrowdSec uses 8080 port

CrowdSec uses 8080 port by default. Make sure you don't have any service running on 8080 port.

You can change this port by editing the /etc/crowdsec/crowdsec.yaml file.

CrowdSec is a senario-based security tool. You can list all the scenarios by running:

List all CrowdSec scenarios
sudo cscli scenarios list

CrowdSec leverages Bouncer to block bad IPs. handle malicious behavior once it’s detected. To block TCP/UDP connections with blacklisted IPs, install the CrowdSec firewall Bouncer:

Install CrowdSec Bouncer
sudo apt-get install crowdsec-firewall-bouncer-iptables
sudo systemctl start crowdsec-firewall-bouncer
sudo systemctl enable crowdsec-firewall-bouncer

You can verify the current rules and decisions by running:

# Collections are the CVEs that have been detected
sudo cscli collections list
# Senarios are the rules that detect malicious behavior
sudo cscli scenarios list
# Decisions are the IPs that have been blocked
sudo cscli decisions list
# Bouncers are the tools that block the IPs
sudo cscli bouncers list

You should regularly update the CrowdSec database to get the latest security rules:

Update CrowdSec database
sudo cscli hub update
sudo cscli hub upgrade

You can use CrowdSec’s IP blacklist feature to manually add or regularly update blacklisted IP addresses. To manually add an IP to the blacklist:

sudo cscli decisions add -i [IP address]

Now you have enabled CrowdSec to enhance your server security.

Enable BBR for congestion control

BBR is a congestion control algorithm developed by Google. It can improve network performance. You can enable it by running:

Enable BBR
enable_bbr_force()
{
    echo "BBR not enabled. Enabling BBR..."
    echo 'net.core.default_qdisc=fq' | sudo tee -a /etc/sysctl.conf
    echo 'net.ipv4.tcp_congestion_control=bbr' | sudo tee -a /etc/sysctl.conf
    sudo sysctl -p
    echo "BBR enabled. Reboot to take effect."
}
sudo sysctl net.ipv4.tcp_available_congestion_control | grep -q bbr ||  enable_bbr_force

BBR with fq qdisc

BBR must be used with the fq qdisc ("man tc-fq") with pacing enabled, since pacing is integral to the BBR design and implementation. BBR without pacing would not function properly, and may incur unnecessary high packet loss rates. source

To enable fq qdisc, you can run:

Enable fq
enable_fq()
{
    echo "fq not enabled. Enabling fq..."
    echo 'net.core.default_qdisc=fq' | sudo tee /etc/sysctl.conf
    sudo sysctl -p
    judge "Enable fq"
}
sysctl net.core.default_qdisc | grep -q fq ||  enable_fq
print_ok "fq enabled"

Setup best apt mirror

Ubuntu Jammy and AnduinOS only

The following command is for Ubuntu Jammy and AnduinOS. If you are using other versions of Ubuntu, you should search for the best apt mirror for your version.

If you are running other Linux distributions, you should search for the best apt mirror for your distribution. Do NOT use the following command.

By default, the server provider may not set the best apt mirror for you. You can set it by running:

Select best apt source
function switchSource() {
  mirrors=(
    "https://archive.ubuntu.com/ubuntu/"
    "https://mirror.aarnet.edu.au/pub/ubuntu/archive/" # Australia
    "https://mirror.fsmg.org.nz/ubuntu/" # New Zealand
    "https://mirrors.neterra.net/ubuntu/archive/" # Bulgaria
    "https://mirror.csclub.uwaterloo.ca/ubuntu/" # Canada
    "https://mirrors.dotsrc.org/ubuntu/" # Denmark
    "https://mirrors.nic.funet.fi/ubuntu/" # Finland
    "https://mirror.ubuntu.ikoula.com/" # France
    "https://mirror.xtom.com.hk/ubuntu/" # Hong Kong
    "https://mirrors.piconets.webwerks.in/ubuntu-mirror/ubuntu/" # India
    "https://ftp.udx.icscoe.jp/Linux/ubuntu/" # Japan
    "https://ftp.kaist.ac.kr/ubuntu/" # Korea
    "https://ubuntu.mirror.garr.it/ubuntu/" # Italy
    "https://ftp.uni-stuttgart.de/ubuntu/" # Germany
    "https://mirror.i3d.net/pub/ubuntu/" # Netherlands
    "https://mirroronet.pl/pub/mirrors/ubuntu/" # Poland
    "https://ubuntu.mobinhost.com/ubuntu/" # Iran
    "http://sg.archive.ubuntu.com/ubuntu/" # Singapore
    "http://ossmirror.mycloud.services/os/linux/ubuntu/" # Singapore
    "https://mirror.enzu.com/ubuntu/" # United States
    "http://jp.archive.ubuntu.com/ubuntu/" # Japan
    "http://kr.archive.ubuntu.com/ubuntu/" # Korea
    "http://us.archive.ubuntu.com/ubuntu/" # United States
    "http://tw.archive.ubuntu.com/ubuntu/" # Taiwan (Province of China)
    "https://mirror.twds.com.tw/ubuntu/" # Taiwan (Province of China)
    "https://ubuntu.mirrors.uk2.net/ubuntu/" # United Kingdom
    "http://mirrors.ustc.edu.cn/ubuntu/" # 中国科学技术大学
    "http://ftp.sjtu.edu.cn/ubuntu/" # 上海交通大学
    "http://mirrors.tuna.tsinghua.edu.cn/ubuntu/" # 清华大学
    "http://mirrors.aliyun.com/ubuntu/" # Aliyun
    "http://mirrors.163.com/ubuntu/" # NetEase
    "http://mirrors.cloud.tencent.com/ubuntu/" # Tencent Cloud
    "http://mirror.aiursoft.cn/ubuntu/" # Aiursoft
    "http://mirrors.anduinos.com/ubuntu/" # AnduinOS
    "http://mirrors.huaweicloud.com/ubuntu/" # Huawei Cloud
    "http://mirrors.zju.edu.cn/ubuntu/" # 浙江大学
    "http://azure.archive.ubuntu.com/ubuntu/" # Azure
    "https://mirrors.isu.net.sa/apt-mirror/" # Saudi Arabia
    "https://mirror.team-host.ru/ubuntu/" # Russia
    "https://labs.eif.urjc.es/mirror/ubuntu/" # Spain
    "https://mirror.alastyr.com/ubuntu/ubuntu-archive/" # Turkey
    "https://ftp.acc.umu.se/ubuntu/" # Sweden
    "https://mirror.kku.ac.th/ubuntu/" # Thailand
    "https://mirror.bizflycloud.vn/ubuntu/" # Vietnam
  )

  declare -A results

  test_speed() {
      url=$1
      response=$(curl -o /dev/null -s -w "%{http_code} %{time_total}\n" --connect-timeout 1 --max-time 2 "$url")
      http_code=$(echo $response | awk '{print $1}')
      time_total=$(echo $response | awk '{print $2}')

      if [ "$http_code" -eq 200 ]; then
          results["$url"]=$time_total
      else
          echo "Failed to access $url"
          results["$url"]="9999"
      fi
  }

  echo "Testing all mirrors..."
  for mirror in "${mirrors[@]}"; do
      test_speed "$mirror"
  done

  sorted_mirrors=$(for url in "${!results[@]}"; do echo "$url ${results[$url]}"; done | sort -k2 -n)

  echo "Sorted mirrors:"
  echo "$sorted_mirrors"

  fastest_mirror=$(echo "$sorted_mirrors" | head -n 1 | awk '{print $1}')

  echo "Backup sources.list to sources.list.bak"
  sudo cp /etc/apt/sources.list /etc/apt/sources.list.bak

  echo "Fastest mirror: $fastest_mirror"
  echo "
  deb $fastest_mirror jammy main restricted universe multiverse
  deb $fastest_mirror jammy-updates main restricted universe multiverse
  deb $fastest_mirror jammy-backports main restricted universe multiverse
  deb $fastest_mirror jammy-security main restricted universe multiverse
  " | sudo tee /etc/apt/sources.list
}

sudo apt update
sudo apt install curl apt-transport-https -y
switchSource

That command will test all mirrors and set the fastest one for you.

Security

Run security updates

After setting up the server, you should run security updates to make sure the server is secure:

Run system updates
sudo apt update
sudo apt upgrade -y
sudo apt autoremove -y

Enable Automatic Security Updates (Optional)

Every day there are new security vulnerabilities discovered in software. To protect your server from these vulnerabilities, you should always keep your server up-to-date with the latest security patches.

However, it can be time-consuming to manually update your server every day. To save time, you can enable automatic security updates on your server.

Should those commands be run automatically?

Automatic updates can save time and ensure you get security updates as soon as possible. They keep your packages clean and new, reducing the pain of large, infrequent upgrades. Historically, running apt upgrade has been very safe, with few reported issues. Additionally, automatic updates are common in other operating systems like Microsoft Windows.

However, automatic updates are not recommended for most Linux users due to several reasons:

  • Investigation: Auto-updates can mask real problems, making it difficult to reproduce issues and their dependency trees during troubleshooting.
  • AirGap Stability: Some systems require extreme stability and cannot tolerate changes, such as flight control systems.
  • Upgrade Risks: New versions may introduce bugs or breaking changes, causing business interruptions.
  • Rebooting Issues: Updates often require reboots, which can be problematic for systems that have difficulty restarting or need to maintain synchronized caches.

Automatic updates are advisable only if:

  • The system can tolerate availability degradation.
  • The system is stateless and rebooting won't affect its operation.
  • The system has a perfect backup or snapshot configuration.
  • The system is always connected to the Internet.
  • The system needs the latest functional updates.

Consider these factors carefully before enabling automatic updates.

If you want to enable automatic updates, you can use the following script to set up unattended upgrades on your system.

Setup automatic updates
echo "
sudo apt update
sudo DEBIAN_FRONTEND=noninteractive apt upgrade -y
sudo apt --purge autoremove -y" | sudo tee /usr/local/bin/update.sh
sudo chmod +x /usr/local/bin/update.sh
(crontab -l ; echo "0 2 * * 0 /usr/local/bin/update.sh") | crontab -

Performance

Install latest kernel

By default, the server provider may not install the latest kernel for you. For example, by default, Ubuntu 22.04 may provide the 5.15 kernel, but the latest kernel is 6.*.

Kernel version

The kernel version may vary depending on the Ubuntu version. You should check the latest kernel version for your Ubuntu version.

It is always recommended to use a newer kernel for better performance and security, especially if you are using a server with newer hardware.

To verify the current kernel version, you can run:

Check current kernel version
uname -r

You can install the latest kernel by running:

Install latest kernel
sudo apt install -y linux-generic-hwe-22.04
sudo reboot

Command only for Ubuntu 22.04

The command above is only for Ubuntu 22.04. For other versions, you can search for the latest kernel package.

Tune CPU from power-saver to performance

If you are running on a bare-metal server, you can tune the CPU from power-saver to performance to get better performance:

Tune CPU to performance
sudo apt install -y linux-tools-common linux-tools-$(uname -r)
sudo cpupower frequency-info
sudo cpupower frequency-set -g performance

System

Change timezone

By default, the server provider may not set the timezone properly. You should set it correctly. And it's recommended to set it to GMT.

For example, to set the timezone to GMT:

Change timezone
sudo timedatectl set-timezone GMT

To set the timezone to your local timezone, you can run:

Change timezone to China
sudo timedatectl set-timezone Asia/Shanghai

Remove Snap (Optional)

Snap is a package manager that can be used to install applications. However, I understand that a lot of Ubuntu users don't like Snap. You can remove Snap by running:

Remove Snap
echo "Removing snap..."
sudo systemctl disable --now snapd
sudo apt purge -y snapd
sudo rm -rf /snap /var/snap /var/lib/snapd /var/cache/snapd /usr/lib/snapd ~/snap
cat << EOF | sudo tee -a /etc/apt/preferences.d/no-snap.pref
Package: snapd
Pin: release a=*
Pin-Priority: -10
EOF
sudo chown root:root /etc/apt/preferences.d/no-snap.pref
echo "Snap removed"

Benchmark your server (Optional)

After setting up the server, you can benchmark it to see the performance. You can use tools like iperf3 to test the network speed and sysbench to test the CPU performance.

For example, to use iperf3 to test the network speed:

Test network speed
sudo apt update
sudo apt install -y iperf3
sudo ufw allow 5201
iperf3 -s

Then on your local machine, you can run:

Test network speed
iperf3 -c your-server-ip

To use sysbench to test the CPU performance:

Test CPU performance
sudo apt install -y sysbench
sysbench cpu --threads=$(nproc) run
CPU Total number of events
Intel 13900KS 100,0000
Intel 13900H 43,0000
Intel 10900H 40,0000
Vultr 2 vCPU 7,0000
Azure B1s 1,8000
腾讯云轻量应用 1,6000
Average latency (ms) Rating
0-0.2 Awesome
0.2-1 Good
1-2 Normal
2-5 Acceptable
5-10 Bad
10+ Terrible

Install runtime (Optional)

By default, the server provider may not install the runtime for you. You can install the runtime.

Start hosting services

After setting up the server, you can start hosting services on it. You can refer to the Servicing guide for more information.