First 10 Minutes

Sunday Sep 5, 2021 by Dave Glassanos

There are a number of posts on the internet about what to do in the first 10 minutes of spinning up a new server. It seems like every time I would bring up a new instance for a new project I would use a different variation from one of those posts, so I decided to write my own that I can reference whenever I need to.

Here’s what I do in the first 10 minutes of spinning up a new server. This assumes you’re running Ubuntu.

  1. Make sure you’re on the most up to date packages.

    apt-get update && apt-get upgrade -y
  2. Add a new user. You don’t want to run your application as root.

    useradd deploy
    mkdir /home/deploy
    mkdir /home/deploy/.ssh
    chmod 700 /home/deploy/.ssh
    usermod -s /bin/bash deploy  
  3. Add an SSH key for your new user. We will be disabling the ability to login using passwords in a bit so you’ll need to use SSH keys instead.

    vim /home/deploy/.ssh/authorized_keys

    Add the contents of your public SSH key to this file and save it.

    chmod 400 /home/deploy/.ssh/authorized_keys
    chown deploy:deploy /home/deploy -R

    Before we can disable password logins, we should confirm that we are able to SSH in to the server using the SSH key we just added. Open up a new terminal window. You want to keep your current session open so that we are still able to access the server if SSH isn’t working.

  4. Set a new password for the deploy user. This will be the password you’ll enter when running sudo as the new deploy user. Make sure to save this in your password manager.

    passwd deploy
  5. Add the deploy user to the list of sudoers


    Add your deploy user under the root user

    root    ALL=(ALL) ALL
    deploy  ALL=(ALL) ALL
  6. Lock down SSH. We don’t want to allow anyone to log in as the root user, and we want to force all users to log in via SSH keys instead of passwords

    vim /etc/ssh/sshd_config

    Then make sure these lines are configured to look like this

    PermitRootLogin no
    PasswordAuthentication no

    Finally, restart SSH so the changes take effect.

    service ssh restart
  7. Set up the firewall

    ufw allow 22
    ufw allow 80
    ufw allow 443
    ufw disable
    ufw enable
    ufw status verbose
  8. Install automatic security updates

    apt-get install unattended-upgrades

    Then update the configuration.

    vim /etc/apt/apt.conf.d/10periodic

    Update the file to look like this:

    APT::Periodic::Update-Package-Lists "1";
    APT::Periodic::Download-Upgradeable-Packages "1";
    APT::Periodic::AutocleanInterval "7";
    APT::Periodic::Unattended-Upgrade "1";

    One more config file to edit:

    vim /etc/apt/apt.conf.d/50unattended-upgrades

    Make sure it looks like this:

    Unattended-Upgrade::Allowed-Origins {
        // Extended Security Maintenance; doesn't necessarily exist for
        // every release and this system may not have it installed, but if
        // available, the policy for updates is such that unattended-upgrades
        // should also install from here by default.
        // "${distro_id}:${distro_codename}-updates";
        // "${distro_id}:${distro_codename}-proposed";
        // "${distro_id}:${distro_codename}-backports";
  9. We’re done with the security side of things, now let’s install tools we’ll want to use. First, we’ll install docker and docker-compose

    curl -sSL | sh
    usermod -aG docker deploy

    Then docker-compose

    curl -L$(uname -s)-$(uname -m) -o /usr/local/bin/docker-compose
    chmod +x /usr/local/bin/docker-compose

    You can find the latest version on their release notes page.