What do you do with your first five minutes on a new server?

Posted August 26, 2016
Linux Basics, Getting Started, Security

What are the things you do every time you log into a new Droplet for the first time? I’m always curious about how other people approach this. If you were to write your own Initial Server Setup guide, what would it include?

  • What do you do to lock down and secure your server?
  • What are the tools and utilities that you can’t live without that aren’t included in the default install?

Have you automated it? Share your user-data script, Ansible playbook, or your own approach.

  • install tmux
    in iptables restrict ssh port to my office
    update all packages & reboot
    add new user with sudo and a public key
    alter sshd_config to disable root login, and to require public key for all users

    • Drop in ssh keys
    • Disable ssh password login and root login
    • install git
    • checkout my dot files from git
    • install vim
    • install tmux
    • disable any and all services that are not required for the purpose of the box, bind others to localhost, unless they need to listen on public interfaces
    • update os/tools to latest/desired versions
    • install sudo and sudo-pam-auth. Configure it to work with ssh keys
    • enjoy
  • apt-get install mc ncdu iftop htop iotop gcc make git screen

    • ossec + ssh tweaks + iptables + exim as a relay to send alerts to my mail in a box

29 answers

I run playbooks related to the server’s purpose, especially the “common” one. Usually I use Debian.

  • Install my favorite tools (vim, zsh, htop, glances, sudo, rsync, ufw) + their configuration
  • Install common dependencies required most of the time (git, build-essential)
  • Configure the mail server (postfix)
  • Install most of the debug tools I’ve used in my life, just in case (lsof, gdb, iotop, slurm, strace)
  • Harden SSH login
  • Setup fail2ban
  • Configure logrotate to rotate with dates instead of rolling numbers (easier for archive/backup)
  • Configure time-related stuff (tzdata, ntp, setting the time zone)
  • Setup terminal auto-logout after a few minutes of inactivity
  • Set a random root password (for console login only)

For all other roles, usually they start with ufw configuration, install the matching packages (+ the dbg packages when available, they can prove invaluably useful once every two years) and write the project-independent configuration files.

To share my own, there are a few things I do for every server that I spin up:

  • I block incoming connections on all ports except SSH by default.
  • Upgrade all installed packages
  • Install a few packages like git and htop
  • Disable the root account
  • Enable Byobu

Here it is as an Ansible task on GitHub.

by Stephen Rees-Carter
Byobu is an easy-to-use wrapper around the tmux (or screen) terminal multiplexer. This means that it makes it easy for you to open multiple windows and run multiple commands within a single terminal connection. This tutorial will cover how to install and configure Byobu as well as how to use its most common features.

Let’s share my classic procedure for spin up:

  • apt-get update && apt-get -y upgrade && apt-get -y full-upgrade
  • Enable UFW and allow only SSH default
  • Install zsh instead of bash
  • Install git and copy development ssh keys
  • Configure timezone and install ntp
  • Config SSH to allow only key auth and PermitRootLogin no

As of now I would add Byobu, so good thing.
Maybe Initial Server guide should be updated with PermitRootLogin, timezone and ntp.

Also, I don’t know how to use Ansible or any other management systems, but I started researching Ansible :)

create a user

  • set a password
  • give him sudo rights
  • copy public key to authorized_keys

configure sshd

  • disable root login
  • disable password login
  • restart sshd

test login with user and sudo to root

update everything


install etckeeper

  • etckeeper init
  • etckeeper commit -m initial

install vim-enhanced
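The "configure sshd" steps in the answers above (disable root login, disable password login, restart, test) can be checked against the file before restarting. The following is an added example, not code from any poster in this thread; the function names and the two sample files are hypothetical and constructed here. sshd keeps the first value it reads for each keyword, so hardening lines appended below an earlier "yes" have no effect, which is the case the audit catches.

```shell
#!/bin/sh
# Added example (not from the thread). Include files are not followed here;
# on a live host, `sshd -T` prints the fully resolved configuration.

# effective_value FILE KEYWORD: print the first global value, lowercased.
effective_value() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ { next }                  # comment line
        { gsub(/=/, " ") }                   # accept keyword=value as well
        NF == 0 { next }
        tolower($1) == "match" { exit }      # settings after Match are conditional
        tolower($1) == want { print tolower($2); exit }
    ' "$1"
}

# audit_sshd FILE: one line per setting; returns 0 only if both are "no".
audit_sshd() {
    rc=0
    for kw in PermitRootLogin PasswordAuthentication; do
        val=$(effective_value "$1" "$kw")
        if [ "$val" = "no" ]; then
            echo "OK    $kw no"
        else
            echo "FAIL  $kw ${val:-unset}"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample files (hypothetical names), written to a temp directory.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/appended.conf" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# hardening lines appended by a setup script: too late, first value wins
PermitRootLogin no
PasswordAuthentication no
EOF
cat > "$SAMPLES/edited.conf" <<'EOF'
permitrootlogin no
PasswordAuthentication=no
EOF

audit_sshd "$SAMPLES/appended.conf" || true
audit_sshd "$SAMPLES/edited.conf"
```

A keyword that is absent is reported as unset and fails the audit, because the compiled-in default differs between OpenSSH versions and distributions.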

My Ubuntu 16.04 server setup procedures:

  • Enable UFW and disable all inbound traffic from eth0 on all ports except SSH from my local IP (temporary, eventually I allow SSH globally due to potential for IP changes).
  • Disable all outbound traffic except for port 80. (Because paranoia)
  • Create a new user and disable the root user
  • Configure SSH to only allow key-based authentication.
  • Upload and sync my SSH keys.
  • Install git, screen, letsencrypt (I normally use DO for webservers), and Nginx.
  • Install node (usually) with these steps:
    - apt install npm # Installs current repository version of node & npm.
    - npm i -g n # Install n, a great and simple node version manager.
    - n latest # Update to the latest version of node.

I do a lot, currently have WordPress, Django and a Nodejs running on the same droplet. However, my First 5 moves in early seconds after creating a droplet are these:

  • Create new user with sudo
  • Enable SSH login for user
  • Disable password login for droplet
  • Install and enable ufw (allow out and incoming port 443, 80 and 22).
  • Install and config fail2ban

After the above steps, I can take a break.

About a year ago, I had a bash script that I would scp to the new server, run as root to do a few different tasks and create my personal user, then su to that user and finish up. It’s a mess of case statements for CentOS 6, CentOS 7, and Ubuntu, so I needed something better. :)

Over the last three or four months, I’ve been learning Ansible and it’s pretty easy to pick up. I have roles that do each of the following:

  1. Set the timezone to UTC.
  2. Install all updates.
  3. Install NTP.
  4. Set up SSH server: disable password authentication and root login.
  5. Install Fail2ban.
  6. Install vnstat.
  7. Install various other extra packages: dig, git, htop, iftop, iotop, mtr, ncdu, nmap, screen, sysstat, tcpdump, tig, tree, unzip, vim, zsh.
  8. Set up a non-root user: SSH keys, git and other configuration files, sudo access.

A firewall role definitely needs added in there. I’m sure there are roles on Ansible Galaxy for most or all of the things I’m doing, but I learned it a lot better by writing my own and studying others’.

I create my user, run my bash script for new VPSes, then add its IP to my DNS records.


Then, if it’s a lamp server, I install Let’s Encrypt.

I could tell you but to ensure server security, I can’t

Debian preferred:

  • apt-get update; apt-get -f dist-upgrade
  • install custom grsec kernel from my own repository
  • apply custom firewall, deny everything, allow SSH only from my static IP
  • reboot

That’s it. Less than 5 minutes.
