Adityacprtm
Aditya Pratama
Site Reliability Engineer
operator/01
system status
status available
tzGMT+7
response<24h
Return to Blog

Linux Server Security: Initial Setup Steps for Ubuntu 24.04

Essential first steps to secure a new Linux server on Ubuntu 24.04 — create a sudo user, harden SSH with Ed25519 keys, configure UFW firewall, and install Fail2ban.

Adityacprtm

Every new cloud server starts with the same risk: default root access, password-based SSH, and an open attack surface. The first 10 minutes after provisioning are critical — bots scan for new servers within minutes of going online.

This guide covers the four essential hardening steps for an Ubuntu 24.04 LTS server: user setup, Ed25519 SSH key authentication, UFW firewall, and Fail2ban intrusion prevention.

1. Create a Sudo User

Log in as root, then create a non-root user with sudo privileges:

bash
adduser aditya
usermod -aG sudo aditya

Why a sudo user? Root login is predictable and dangerous — every bot on the internet tries root:password. A named sudo user adds a layer of obscurity and accountability (every command is logged to /var/log/auth.log with the real username).

2. Set Up Ed25519 SSH Key Authentication

Password-based SSH is the most common attack vector. Replace it with Ed25519 key pairs — the current gold standard for SSH keys, offering better security and performance than RSA 2048/4096.

On your local machine, generate a key pair:

bash
ssh-keygen -t ed25519 -a 100 -f ~/.ssh/id_ed25519_myserver

The -a 100 flag increases KDF rounds for the private key passphrase, making brute-force decryption harder if your local machine is compromised.

On the server (as the sudo user):

bash
mkdir -p ~/.ssh && chmod 700 ~/.ssh
vim ~/.ssh/authorized_keys   # paste the public key content
chmod 600 ~/.ssh/authorized_keys

Test the key-based login from your local machine before disabling passwords:

bash
ssh -i ~/.ssh/id_ed25519_myserver aditya@<SERVER_IP>

3. Harden the SSH Daemon

Edit /etc/ssh/sshd_config and apply these settings:

code
# Disable root SSH login
PermitRootLogin no

# Disable password authentication (key-only)
PasswordAuthentication no

# Explicitly allow only your user
AllowUsers aditya

# Optional: restrict to a specific group
AllowGroups sudo

# Use modern key exchange algorithms
KexAlgorithms curve25519-sha256,diffie-hellman-group-exchange-sha256

Restart SSH:

bash
sudo systemctl restart ssh

Keep your first terminal session open until you confirm the new connection works. If something breaks, you still have root access to fix it.

4. Configure UFW Firewall

Ubuntu 24.04 ships with ufw (Uncomplicated Firewall). It replaces the older raw iptables approach with a simpler syntax:

bash
# Default deny incoming, allow outgoing
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow SSH (change port if you moved SSH)
sudo ufw allow ssh

# Allow HTTP/HTTPS if running a web server
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

# Enable the firewall
sudo ufw enable

Check the status:

bash
sudo ufw status verbose

If you’re on AWS or another cloud provider, also configure the security group / firewall rules at the cloud level as a defense-in-depth layer — never rely solely on the OS firewall.

5. Install and Configure Fail2ban

Fail2ban monitors /var/log/auth.log for repeated failed login attempts and temporarily bans the source IP via iptables/nftables.

bash
sudo apt update
sudo apt install -y fail2ban

Create a local jail configuration:

bash
sudo tee /etc/fail2ban/jail.local > /dev/null << 'EOF'
[sshd]
enabled = true
port = ssh
maxretry = 3
bantime = 3600
findtime = 600
EOF

This bans an IP after 3 failed SSH attempts within 10 minutes, for 1 hour. Restart to apply:

bash
sudo systemctl restart fail2ban
sudo fail2ban-client status sshd

What These Steps Protect Against

ThreatMitigation
Brute-force SSH loginEd25519 keys + Fail2ban + password auth disabled
Root compromise via SSHPermitRootLogin no
Port scanning / unauthorized accessUFW firewall (cloud + OS level)
Credential stuffingNamed sudo user + auth logging

Next Steps

With your server secured, you can now safely set up services. See the guide on setting up a self-hosted OpenVPN server for secure remote access, or check out the portfolio for a full-stack serverless project deployment example.


First published August 2022. Updated July 2026 for Ubuntu 24.04 LTS, UFW, and Ed25519 best practices.

Comments
← PreviousHow to Set Up a Self-Hosted OpenVPN Server on Ubuntu 24.04Next →How to Build a Serverless Website with reCAPTCHA on AWS
© 2026 Aditya Chamim PratamaContactAll systems operational