By Francis Ndungu, Alibaba Cloud Tech Share Author. Tech Share is Alibaba Cloud’s incentive program to encourage the sharing of technical knowledge and best practices within the cloud community.
Alibaba Cloud Elastic Compute Service (ECS) provides a faster and more powerful way to run your cloud applications as compared with traditional physical servers. You can achieve great results on your cloud needs. With ECS, you can achieve more with the latest generation of CPUs as well as protect your instance from DDoS and Trojan attacks.
In this guide, we will talk about the best practices for provisioning your Ubuntu 16.04 server hosted on an Alibaba Cloud Elastic Compute Service (ECS) instance.
$ sudo apt-get update
$ sudo apt-get upgrade -y
To check your hostname, type the command below on a terminal window:
$ hostname
To change your hostname, first edit the /etc/cloud/cloud.cfg file and find the entry preserve_hostname and change its value from false to true.
$ sudo nano /etc/cloud/cloud.cfg
preserve_hostname: true
Press CTRL + X, Y then Enter to save the changes.
Then, edit the /etc/hostname file using a nano editor by typing the command below:
$ sudo nano /etc/hostname
Overwrite the current hostname written at the very top of the file and press CTRL + X, Y then Enter to save the changes.
You will also need to add some entries on the Linux hosts file. Open the file using a text editor:
$ sudo nano /etc/hosts
You will need to add two entries to this file just below the 127.0.0.1 localhost entry. The first entry you are adding uses the loopback address 127.0.1.1; note that this is different from 127.0.0.1, which maps to 'localhost' in the same file.
So, assuming your server's public IP address is 111.111.111.111 and your hostname is miami, your /etc/hosts file should have the entries below at the very top:
127.0.0.1 localhost
127.0.1.1 miami
111.111.111.111 miami
$ sudo reboot
$ timedatectl
You must set the correct time zone especially if you are running cron jobs on your server because they rely heavily on date/time. To change the time zone, use the command below:
$ sudo timedatectl set-timezone
For instance, to set your server's time zone to London, use the command below:
$ sudo timedatectl set-timezone Europe/London
You can run the date command to check that the change took effect:
$ date
$ sudo adduser
For instance, to add a user identified as james on your server, use the command below:
$ sudo adduser james
Then, add the user to the sudo group by typing the command below:
$ sudo usermod -aG sudo james
$ mkdir ~/.ssh
Then, use the nano editor to paste your public key into the authorized_keys file by typing:
$ nano ~/.ssh/authorized_keys
Protect the directory and the file by typing the commands below:
$ chmod 700 -R ~/.ssh && chmod 600 ~/.ssh/authorized_keys
Once the key is in place, you can log in to your Ubuntu 16.04 server over SSH using your username and the private key you created.
$ sudo nano /etc/ssh/sshd_config
Find the line PasswordAuthentication and change its value from yes to no.
PasswordAuthentication no
Restart the SSH daemon:
$ sudo service ssh restart
$ sudo nano /etc/ssh/sshd_config
Then, find the line PermitRootLogin and change its value to no:
PermitRootLogin no
Restart the SSH daemon by typing the command below for the changes to take effect:
$ sudo service ssh restart
$ sudo apt-get install ufw
Then, type the commands below to deny all incoming connections and allow all outgoing connections by default:
$ sudo ufw default deny incoming
$ sudo ufw default allow outgoing
You can use the UFW command below to allow traffic to a particular port or service:
$ sudo ufw allow
To avoid completely locking yourself out of your Ubuntu server, the first port/service that you should allow on UFW is port 22, which listens for SSH connections.
To do this, type the command below to add the rule:
$ sudo ufw allow 22
Or
$ sudo ufw allow ssh
Also, if you are running a web server, you should allow the http and https ports:
$ sudo ufw allow http
$ sudo ufw allow https
Once you have allowed the services you need, run the command below to start UFW:
$ sudo ufw enable
You can delete any rule that you have created by first checking its number and then deleting it via the commands below:
$ sudo ufw status numbered
Then
$ sudo ufw delete
Where the argument to ufw delete is the rule number you obtained above from the numbered list of rules.
Make sure ufw is enabled before checking the list of rules.
You can disable UFW at any time by typing the command below:
$ sudo ufw disable
Or just reset all rules by typing:
$ sudo ufw reset
$ sudo apt-get install fail2ban
You can use your server with the default settings for Fail2Ban, but when the need arises, you can edit the configuration files to make changes. All Fail2Ban configuration files are located in the /etc/fail2ban/ directory.
By default .conf files are read first followed by .local files. So if you want to override settings, you should make changes to .local files and leave .conf files intact.
For instance, you can copy jail.conf to a jail.local file for editing using the command below:
$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
You can then change any Fail2Ban settings by editing the new file with the command below:
$ sudo nano /etc/fail2ban/jail.local
In most cases, you will be setting the ban time, find time and max retries for SSH connections. This will all depend on the level of security that you need on your Alibaba Ubuntu 16.04 server.
5117545781428124 April 3, 2022 at 11:13 am
I followed the steps but when I'm about to edit the hostname, it asks me for a "password for shell" which I do not know. Please help