
Ubuntu Server Initial Setup

Trademark Notice

Ubuntu® is a registered trademark of Canonical Ltd. All trademarks and logos are used for representation purposes only. This content is for educational purposes only.

Complete guide for initial Ubuntu Server configuration after installation.

System Update

# Update package lists
sudo apt update

# Upgrade all packages
# (-y answers every prompt automatically; drop it to review the changes first)
sudo apt upgrade -y

# Full system upgrade (includes kernel updates)
# Unlike "upgrade", full-upgrade may remove installed packages to resolve dependencies.
sudo apt full-upgrade -y

# Remove unnecessary packages
sudo apt autoremove -y
sudo apt autoclean

# A new kernel or core library only takes effect after a reboot; Ubuntu
# creates /var/run/reboot-required when one is pending.

Configure Hostname

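# Check current hostname
hostnamectl

# Set new hostname (the tool is hostnamectl, the same one used above)
sudo hostnamectl set-hostname server01.example.com

# Edit /etc/hosts so the new name resolves locally
sudo nano /etc/hosts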

Add entries:

127.0.0.1       localhost
127.0.1.1 server01.example.com server01
192.168.1.100 server01.example.com server01

Network Configuration (Netplan)

Ubuntu uses Netplan for network configuration.

Static IP Configuration

# Edit netplan configuration
sudo nano /etc/netplan/00-installer-config.yaml
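# /etc/netplan/00-installer-config.yaml
# Indentation is significant in YAML: use spaces, never tabs.
# Keep the file readable by root only (sudo chmod 600 on it); netplan files
# can hold secrets such as Wi-Fi or VPN keys.
network:
  version: 2
  renderer: networkd
  ethernets:
    ens33:                 # interface name; list yours with: ip link
      dhcp4: no
      addresses:
        - 192.168.1.100/24
      routes:
        - to: default
          via: 192.168.1.1
      nameservers:
        addresses:
          - 8.8.8.8
          - 8.8.4.4
        search:
          - example.com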

Apply configuration:

# Test configuration
# "netplan try" applies the change and rolls it back unless you confirm within
# the timeout, which protects a remote session from a wrong address or route.
sudo netplan try

# Apply permanently
# "netplan apply" has no rollback; on a remote host run it only after "try" succeeded.
sudo netplan apply

# Check status
ip addr show
ip route show

DHCP Configuration

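# DHCP variant of the netplan file. Indentation is significant in YAML.
network:
  version: 2
  renderer: networkd
  ethernets:
    ens33:                 # interface name; list yours with: ip link
      dhcp4: true
      dhcp6: false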

User Management

Create New User

# Create user with home directory
sudo adduser john

# Add user to sudo group
# -a appends; without it, -G replaces the user's existing supplementary groups.
sudo usermod -aG sudo john

# Add to other groups
# Membership in "docker" is effectively root on the host (it grants control of
# the Docker daemon), so give it only to accounts you would also trust with sudo.
# usermod fails if a listed group does not exist yet.
sudo usermod -aG docker,www-data john

# Verify groups
# New group membership applies to sessions started after the change.
groups john

SSH Key Authentication

# On client machine, generate SSH key
# Set a passphrase when prompted so a copied private key file is not usable by itself.
ssh-keygen -t ed25519 -C "your_email@example.com"

# Copy public key to server
ssh-copy-id john@192.168.1.100

# Or manually
# Run these on the server, logged in as the account that will receive the key.
mkdir -p ~/.ssh
nano ~/.ssh/authorized_keys
# Paste public key here
# (the contents of the .pub file only; the private key never leaves the client)
# sshd's StrictModes check rejects keys when these permissions are looser.
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

Disable Root Login

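# Edit SSH config
# On Ubuntu the main file includes /etc/ssh/sshd_config.d/*.conf near the top,
# and sshd keeps the first value it reads for each keyword, so a drop-in there
# (cloud images can ship one) may override the settings below.
sudo nano /etc/ssh/sshd_config
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
# Check the syntax and the effective values before restarting
sudo sshd -t
sudo sshd -T | grep -Ei 'permitrootlogin|passwordauthentication|pubkeyauthentication'
# Restart SSH service (the unit is named "ssh" on Ubuntu)
# Keep the current session open and confirm key login from a second terminal
# first: with passwords disabled, a broken key setup locks you out.
sudo systemctl restart ssh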

Timezone Configuration

# Check current timezone
timedatectl

# List available timezones
timedatectl list-timezones

# Set timezone
# Many teams keep servers on UTC so log timestamps from different hosts line
# up during incident investigation; pick a local zone only if you need it.
sudo timedatectl set-timezone America/New_York

# Or use interactive tool
sudo dpkg-reconfigure tzdata

NTP Time Synchronization

# Check NTP status
timedatectl show-timesync --all

# Enable NTP
sudo timedatectl set-ntp true

# Configure systemd-timesyncd
sudo nano /etc/systemd/timesyncd.conf
# The lines from [Time] to FallbackNTP are file contents, not shell commands.
# Google Public NTP smears leap seconds, and Google advises against mixing it
# with servers that do not smear; check each listed server's leap-second policy
# and keep to sources that share one.
[Time]
NTP=time.google.com time.cloudflare.com
FallbackNTP=ntp.ubuntu.com
# Restart time sync
# Accurate clocks matter for TLS certificate validation and for correlating logs.
sudo systemctl restart systemd-timesyncd
sudo systemctl status systemd-timesyncd

Firewall Configuration (UFW)

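# Set default policies
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow SSH
# Add this rule BEFORE enabling the firewall: turning UFW on with
# "deny incoming" and no SSH rule cuts off new remote logins.
# ("ssh" and "22/tcp" describe the same rule; one of the two is enough.)
sudo ufw allow ssh
sudo ufw allow 22/tcp

# Enable UFW
sudo ufw enable

# Allow HTTP/HTTPS
# Only needed if this host serves web traffic. The service names and the
# port numbers are again two spellings of the same rules.
sudo ufw allow http
sudo ufw allow https
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

# Allow a trusted subnet
# With no port given, this opens EVERY port to the whole 192.168.1.0/24 range.
# To limit it to one service:
#   sudo ufw allow from 192.168.1.0/24 to any port 22 proto tcp
sudo ufw allow from 192.168.1.0/24

# Allow port range
# Example syntax only: open just the ports a service on this host listens on
# (6000-6007/tcp is the X11 display range, which rarely belongs on a server).
sudo ufw allow 6000:6007/tcp

# Check status
sudo ufw status verbose
sudo ufw status numbered

# Delete rule
# The number comes from "status numbered" and shifts after each deletion,
# so list the rules again before deleting another one.
sudo ufw delete 2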

System Locale

# Check current locale
locale

# List available locales
locale -a

# Generate new locale
sudo locale-gen en_US.UTF-8

# Set system locale
# The new default applies to sessions started after the change.
sudo update-locale LANG=en_US.UTF-8

# Reconfigure locales
sudo dpkg-reconfigure locales

Swap Configuration

# Check swap status
sudo swapon --show
free -h

# Create swap file (4GB)
# Mode 600 matters: swap can hold pages of any process's memory (keys,
# passwords), so only root may read the file.
sudo fallocate -l 4G /swapfile
sudo chmod 600 /swapfile
sudo mkswap /swapfile
sudo swapon /swapfile

# Make permanent
# tee -a appends on every run; check /etc/fstab first to avoid a duplicate line.
echo '/swapfile none swap sw 0 0' | sudo tee -a /etc/fstab

# Adjust swappiness (0-100, lower = less swap usage)
sudo sysctl vm.swappiness=10
# Same caveat: running this twice leaves two identical lines in /etc/sysctl.conf.
echo 'vm.swappiness=10' | sudo tee -a /etc/sysctl.conf

System Limits

# Edit limits
sudo nano /etc/security/limits.conf
# The lines below are file contents, not shell commands.
# The "*" wildcard does not apply to root, and these PAM limits cover login
# sessions only; services started by systemd take their limits from the unit
# file (LimitNOFILE=, LimitNPROC=).
# A high nproc ceiling for every user weakens protection against runaway or
# malicious process creation; consider raising it only for the accounts that need it.
* soft nofile 65536
* hard nofile 65536
* soft nproc 32768
* hard nproc 32768

Kernel Parameters

# Edit sysctl
sudo nano /etc/sysctl.conf
# The settings from here to fs.file-max are file contents, not shell commands.
# Network performance
# Large socket buffers trade kernel memory for throughput; size them to the host.
net.core.rmem_max = 134217728
net.core.wmem_max = 134217728
net.ipv4.tcp_rmem = 4096 87380 67108864
net.ipv4.tcp_wmem = 4096 65536 67108864

# Security
# rp_filter = 1 is strict reverse-path filtering: it drops packets whose source
# would not be routed back out the receiving interface (anti-spoofing), and it
# can also drop legitimate traffic on hosts with asymmetric routing.
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Ignore broadcast pings so the host cannot be used as a smurf amplifier.
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Refuse source-routed packets, where the sender dictates the path.
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# File system
fs.file-max = 2097152
# Apply changes
# "sysctl -p" reloads /etc/sysctl.conf only; "sudo sysctl --system" also reads
# the drop-ins under /etc/sysctl.d/.
sudo sysctl -p

Automatic Security Updates

# Install unattended-upgrades
sudo apt install -y unattended-upgrades

# Configure
sudo dpkg-reconfigure -plow unattended-upgrades

# Edit configuration
# After editing, a dry run shows what would be installed without changing anything:
#   sudo unattended-upgrade --dry-run --debug
sudo nano /etc/apt/apt.conf.d/50unattended-upgrades
// Contents of /etc/apt/apt.conf.d/50unattended-upgrades (comments start with //).
// Only the origins listed here are upgraded automatically; this list is
// limited to security pockets.
Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}-security";
"${distro_id}ESMApps:${distro_codename}-apps-security";
};

Unattended-Upgrade::AutoFixInterruptedDpkg "true";
Unattended-Upgrade::MinimalSteps "true";
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
// With automatic reboot off, a patched kernel or core library is installed
// but not running until someone reboots; watch for /var/run/reboot-required
// and schedule the reboot yourself.
Unattended-Upgrade::Automatic-Reboot "false";

System Monitoring Tools

# Install essential monitoring tools
sudo apt install -y htop iotop iftop nethogs

# System resource monitoring
# iotop, iftop and nethogs generally need root (run them with sudo) to see
# all processes and traffic. Replace ens33 with your interface name.
htop # Interactive process viewer
iotop # I/O monitoring
iftop -i ens33 # Network bandwidth
nethogs ens33 # Per-process bandwidth

# Check disk usage
df -h
# Without sudo, du skips directories the current user cannot read and
# under-reports their size.
du -sh /*

# Check memory usage
free -h

# Check system load
uptime
# "w" also lists who is logged in and from where, a quick check for unexpected sessions.
w

# Check running services
# Review this list after setup: every running network service is attack surface.
systemctl list-units --type=service --state=running

Log Management

# View system logs
# Reading the full journal needs root or membership in the adm or
# systemd-journal group.
sudo journalctl -xe # Recent errors
sudo journalctl -f # Follow logs
sudo journalctl -u nginx # Service-specific logs
sudo journalctl --since "1 hour ago" # Time-based

# Configure log rotation
sudo nano /etc/logrotate.d/custom
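# Contents of /etc/logrotate.d/custom: rotate the application's logs daily
# and keep 14 rotations.
/var/log/myapp/*.log {
    daily
    rotate 14
    compress
    # keep the most recent rotated file uncompressed for one more cycle
    delaycompress
    notifempty
    # new log file: owner read/write, group read, no access for others
    create 0640 www-data www-data
    # run postrotate once per rotation, not once per matched file
    sharedscripts
    postrotate
        systemctl reload myapp
    endscript
}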

Systemd Service Management

# Check service status
sudo systemctl status nginx

# Start/stop/restart service
sudo systemctl start nginx
sudo systemctl stop nginx
sudo systemctl restart nginx
sudo systemctl reload nginx

# Enable/disable service at boot
# "enable" and "disable" only change what happens at boot: a disabled service
# that is currently running keeps running until it is stopped.
sudo systemctl enable nginx
sudo systemctl disable nginx

# View service logs
sudo journalctl -u nginx -f

# List all services
systemctl list-units --type=service

Package Management

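# Search for packages
apt search nginx

# Show package information
apt show nginx

# Install package
sudo apt install nginx

# Remove package
# "remove" leaves the package's configuration files in place.
sudo apt remove nginx

# Remove package with config
sudo apt purge nginx

# List installed packages
dpkg -l

# Check which package provides a file
# Ubuntu's nginx package installs the binary under /usr/sbin, so query that
# path; dpkg -S only matches paths that a package actually owns.
dpkg -S /usr/sbin/nginx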

System Backup Strategy

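# Backup important directories
# The archive holds /etc/shadow, SSH host keys and everything under /root, so
# it is created under umask 077 (readable by root only). Move it off this host
# afterwards, and encrypt it if it leaves your control.
sudo sh -c 'umask 077 && tar -czf "backup-$(date +%Y%m%d).tar.gz" \
  /etc \
  /home \
  /var/www \
  /root'

# Backup with rsync
# --delete mirrors removals: a file deleted at the source (by mistake or by an
# intruder) disappears from /backup/www/ on the next run. A mirror on the same
# host is a convenience copy, not a versioned backup.
sudo rsync -avz --delete \
  /var/www/ \
  /backup/www/

# Backup system packages list
dpkg --get-selections > packages.list

# Restore packages
sudo dpkg --set-selections < packages.list
sudo apt-get dselect-upgrade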

Performance Tuning

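# Install sysstat for detailed stats
# Install it first: iostat and sar are part of sysstat and are not available
# until the package is present.
sudo apt install -y sysstat
sudo systemctl enable sysstat
sudo systemctl start sysstat
# NOTE: on Ubuntu, historical collection may also require ENABLED="true" in
# /etc/default/sysstat; confirm on your release.

# Check system performance
# vmstat and iostat with an interval of 1 run until interrupted (Ctrl-C);
# sar below takes 10 samples and exits.
vmstat 1
iostat -x 1
sar -u 1 10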

Security Hardening

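# Disable unused services
# --now also stops the running unit; plain "disable" only affects the next boot.
# A minimal server install may not have these units at all.
sudo systemctl disable --now bluetooth
sudo systemctl disable --now cups

# Secure shared memory
# Mount it read-write with nosuid,nodev,noexec. A read-only mount breaks
# programs that rely on POSIX shared memory, while these options still block
# setuid binaries, device nodes and direct execution from it.
# Confirm the real mount point first with: findmnt /dev/shm
# (on current releases /run/shm may only be a symlink to it).
echo 'none /run/shm tmpfs defaults,rw,nosuid,nodev,noexec 0 0' | sudo tee -a /etc/fstab

# Harden SSH
# Keep an existing session open while changing these settings, and check the
# file with "sudo sshd -t" before restarting the SSH service.
sudo nano /etc/ssh/sshd_config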
# Contents for /etc/ssh/sshd_config (not shell commands).
# "Protocol" is a legacy keyword: current OpenSSH speaks only protocol 2 and
# reports this line as deprecated, so it can be dropped.
Protocol 2
# Seconds an unauthenticated connection may stay open.
LoginGraceTime 60
PermitRootLogin no
# Refuse keys when the home directory or ~/.ssh permissions are too loose.
StrictModes yes
MaxAuthTries 3
# Caps multiplexed sessions per connection; tools that reuse one connection
# for several channels may need a higher value.
MaxSessions 2
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
# Newer OpenSSH names this option KbdInteractiveAuthentication; the old
# spelling is kept as a deprecated alias.
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding no
PrintMotd no
# Probe an idle client every 300 s and drop it after 2 unanswered probes.
ClientAliveInterval 300
ClientAliveCountMax 2

Verification Checklist

  • System fully updated
  • Hostname configured
  • Static IP or DHCP configured
  • Non-root user created with sudo access
  • SSH key authentication enabled
  • Root login disabled
  • Firewall (UFW) enabled and configured
  • Timezone set correctly
  • NTP synchronization enabled
  • Automatic security updates configured
  • System monitoring tools installed
  • Backup strategy implemented

Next Steps

  • Install web servers (Apache, Nginx)
  • Configure database servers (MySQL, PostgreSQL)
  • Set up application environments (Node.js, Python, Java)
  • Implement monitoring solutions (Prometheus, Grafana)
  • Configure reverse proxy and load balancing

Resources