Linux Server Security: Initial Setup Steps for Ubuntu 24.04
Essential first steps to secure a new Linux server on Ubuntu 24.04 — create a sudo user, harden SSH with Ed25519 keys, configure UFW firewall, and install Fail2ban.

Every new cloud server starts with the same risk: default root access, password-based SSH, and an open attack surface. The first 10 minutes after provisioning are critical — bots scan for new servers within minutes of going online.
This guide covers the four essential hardening steps for an Ubuntu 24.04 LTS server: user setup, Ed25519 SSH key authentication, UFW firewall, and Fail2ban intrusion prevention.
1. Create a Sudo User
Log in as root, then create a non-root user with sudo privileges:
bashadduser aditya
usermod -aG sudo aditya
Why a sudo user? Root login is predictable and dangerous — every bot on the internet tries root:password. A named sudo user adds a layer of obscurity and accountability (every command is logged to /var/log/auth.log with the real username).
2. Set Up Ed25519 SSH Key Authentication
Password-based SSH is the most common attack vector. Replace it with Ed25519 key pairs — the current gold standard for SSH keys, offering better security and performance than RSA 2048/4096.
On your local machine, generate a key pair:
bashssh-keygen -t ed25519 -a 100 -f ~/.ssh/id_ed25519_myserver
The -a 100 flag increases KDF rounds for the private key passphrase, making brute-force decryption harder if your local machine is compromised.
On the server (as the sudo user):
bashmkdir -p ~/.ssh && chmod 700 ~/.ssh
vim ~/.ssh/authorized_keys # paste the public key content
chmod 600 ~/.ssh/authorized_keys
Test the key-based login from your local machine before disabling passwords:
bashssh -i ~/.ssh/id_ed25519_myserver aditya@<SERVER_IP>
3. Harden the SSH Daemon
Edit /etc/ssh/sshd_config and apply these settings:
code# Disable root SSH login
PermitRootLogin no
# Disable password authentication (key-only)
PasswordAuthentication no
# Explicitly allow only your user
AllowUsers aditya
# Optional: restrict to a specific group
AllowGroups sudo
# Use modern key exchange algorithms
KexAlgorithms curve25519-sha256,diffie-hellman-group-exchange-sha256
Restart SSH:
bashsudo systemctl restart ssh
Keep your first terminal session open until you confirm the new connection works. If something breaks, you still have root access to fix it.
4. Configure UFW Firewall
Ubuntu 24.04 ships with ufw (Uncomplicated Firewall). It replaces the older raw iptables approach with a simpler syntax:
bash# Default deny incoming, allow outgoing
sudo ufw default deny incoming
sudo ufw default allow outgoing
# Allow SSH (change port if you moved SSH)
sudo ufw allow ssh
# Allow HTTP/HTTPS if running a web server
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
# Enable the firewall
sudo ufw enable
Check the status:
bashsudo ufw status verbose
If you’re on AWS or another cloud provider, also configure the security group / firewall rules at the cloud level as a defense-in-depth layer — never rely solely on the OS firewall.
5. Install and Configure Fail2ban
Fail2ban monitors /var/log/auth.log for repeated failed login attempts and temporarily bans the source IP via iptables/nftables.
bashsudo apt update
sudo apt install -y fail2ban
Create a local jail configuration:
bashsudo tee /etc/fail2ban/jail.local > /dev/null << 'EOF'
[sshd]
enabled = true
port = ssh
maxretry = 3
bantime = 3600
findtime = 600
EOF
This bans an IP after 3 failed SSH attempts within 10 minutes, for 1 hour. Restart to apply:
bashsudo systemctl restart fail2ban
sudo fail2ban-client status sshd
What These Steps Protect Against
| Threat | Mitigation |
|---|---|
| Brute-force SSH login | Ed25519 keys + Fail2ban + password auth disabled |
| Root compromise via SSH | PermitRootLogin no |
| Port scanning / unauthorized access | UFW firewall (cloud + OS level) |
| Credential stuffing | Named sudo user + auth logging |
Next Steps
With your server secured, you can now safely set up services. See the guide on setting up a self-hosted OpenVPN server for secure remote access, or check out the portfolio for a full-stack serverless project deployment example.
First published August 2022. Updated July 2026 for Ubuntu 24.04 LTS, UFW, and Ed25519 best practices.



