If you are a web developer or involved in software development in general, it is a good experience setting up and running your own server. Whether you are a frontend or a backend developer, having this knowledge will prove useful in your career.
With the advent of cheap Virtual Private Servers (VPS) like Digital Ocean and Linode, it is now easier to own your “real estate” in the internet.
This article will show you a step-by-step guide in setting up your own server. I recommend using Ubuntu Long Term Support (LTS) as the operating system. Ubuntu is one of the most popular Linux distributions to date and is used by a significant portion of servers in the cloud. LTS versions are officially supported for years, meaning you will get important security updates and bug fixes for a longer period of time, which is essential when you are exposing a server to the internet. Best of all, it’s free!
Sign up and create your server
After you sign up and create your VPS, you will be provided with an IP address and a root password. Use these information to log in to your server via SSH:
ssh root@IPADDRESS
Create a new user
Once you are logged in to your server, you need to create your own user account and login using that account from now on. It is good practice not to use the default rootuser account because of security risks. The root user account has full access to all areas of the system and a compromised root account allows a malicious attacker to deal maximum damage.
Pick a username that you want (usually deploy). Proceed to create this user using this command:
adduser deploy
This command creates the deploy user that you will use when working in your server. To give it super user access:
gpasswd -a deploy sudo
Super users also has full access to the system similar to root using the sudo command. You will be required to enter your password before you can do sudo commands, so it provides an additional layer of security compared to directly using the root user.
Configure SSH
SSH is used to log in to your server using a terminal. It is important to strengthen your configuration to improve your security against attacks. To change your SSH settings, just edit the configuration file:
sudo nano /etc/ssh/sshd_config
In the file, modify the PermitRootLogin parameter to prevent SSH access using the default root account. You will access your system using your deploy user account.
PermitRootLogin no
Restart SSH to apply your changes:
service ssh restart
Set up a firewall
A firewall protects your system by monitoring and controlling incoming and outgoing traffic. You will set rules to specify which traffic to allow and which ones to disallow or deny. This is a very important part of securing your system against attacks by limiting the number of ports that your system allows access to.
As a general rule you should disable all ports that you are not using. For example, if you do not intend to use FTP to transfer files, deny any traffic in the default FTP port (port 21). Same goes for FTPS (990), Telnet (23), POP3 (110), and POP3s (995).
In Ubuntu, it is very easy to install and set up a firewall. In this example we will use the Uncomplicated Firewall (UFW) program which is essentially a user-friendly wrapper for iptables. For advanced users, configuring iptables itself gives you more control on the firewall rules.
Install UFW using this command:
sudo apt-get update
sudo apt-get install ufw
Let’s start by denying all incoming requests and allowing all outgoing requests:
sudo ufw default deny incoming
sudo ufw default allow outgoing
Then we allow incoming requests that we want:
sudo ufw allow 22/tcp (SSH)
sudo ufw allow 80/tcp (Web server)
sudo ufw allow 443/tcp (HTTPS/SSL)
Allow more ports depending on your use case. UFW also automatically sets the rules for both IPv4 and IPv6, so you do not need to explicitly add more rules for IPv6.
After allowing the ports you need, restart UFW:
sudo service ufw restart
You can view the current firewall rules using the UFW status:
sudo ufw status
Which returns an output similar to below:
Status: active To Action From -- ------ ---- 80/tcp ALLOW Anywhere 22/tcp ALLOW Anywhere 443/tcp ALLOW Anywhere 80/tcp ALLOW Anywhere (v6) 22/tcp ALLOW Anywhere (v6) 443/tcp ALLOW Anywhere (v6)
Install Fail2Ban
Another useful tool to protect your system is Fail2Ban. This program blocks malicious scripts and bots that brute-force your SSH login details and try to break into your system. It detects this by looking at the system log files and determining if an IP address is trying to access the system via SSH multiple times, then blocks that IP address in a pre-determined period so that it can no longer use SSH.
In Ubuntu, you can easily install Fail2Ban using this command:
sudo apt-get install fail2ban
And start the program using:
sudo service fail2ban start
The Fail2Ban configuration file is located at:
/etc/fail2ban/jail.conf
However, you should not modify the actual jail.conf file, but instead make a local copy of the configuration file:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
This ensures that whenever we update Fail2Ban, the custom settings you specified will not be overwritten by the default configuration. This program reads the jail.conf file first, then the jail.local file, so basically you only need to include the parameters you need to change in the jail.local file.
Since you are using SSH to access your system, and Fail2Ban guards SSH activity, it is possible that you may be locked out of your own system! This happened to me when I forgot my SSH credentials, tried to login using the wrong password and consequently I got locked out of my own server. In order to prevent this from happening, we need to set it so that your own IP address is always allowed.
Open the local configuration file:
sudo nano /etc/fail2ban/jail.local
# "ignoreip" can be an IP address, a CIDR mask or a DNS host ignoreip = 127.0.0.1/8 123.456.1.0 123.789.2.1 bantime = 600 maxretry = 3
Put your workstation’s IP address in the ignoreip field, and you can separate multiple entries with a space. The bantime field determines how long (in seconds) an IP address is blocked if it violates any rule. The maxretry field determines the number of SSH login attempts of an IP address before they are blocked by Fail2Ban.
After making changes to the configuration file, restart the service:
sudo service fail2ban restart
Set up Swap
The cheapest VPS options offer around 512MB to 1GB of RAM, and while this is sufficient for small applications, this can sometimes push the limits of your system in terms of memory. Adding swap can prevent your applications from crashing due to lack of available memory.
In simple terms, a swap is a portion of your disk space that the operating system can use as a “backup memory” in case the actual RAM is not sufficient. The drawback is that this “backup memory” is slower that actual RAM because reading and writing occurs in the disk.
Some programs such as nginx require you to set up swap before you can install it especially for smaller VPS with 1GB RAM or less. Some resource-intensive tasks such as the precompile procedure for Ruby on Rails applications can also pose problems to your system and adding swap will solve these issues.
In this article we will use the fallocate program to very quickly and simply set up swap.
sudo fallocate -l 2G /swapfile
In this example we allocate 2GB of disk space to be the swap. The size depends on your actual memory usage which is dependent on the nature of the applications you are running. As a general rule of thumb though, for 512MB to 1GB of RAM you can set your swap to be equal or twice that (1GB to 2GB). For larger systems with more RAM, you need less than 1x of your RAM, e.g. 64GB RAM only needs about 4GB of swap.
After creating the swapfile, we adjust the permissions so that only root has access:
sudo chmod 600 /swapfile
Then we tell the operating system to use this swapfile as the swap:
sudo mkswap /swapfile
sudo swapon /swapfile
The swapon command enables the swap, but this does not persist after reboot, meaning you need to use this command again after your system restarts. To make the swap permanent, we make a change to the fstab configuration file:
sudo nano /etc/fstab
Then add this line to the bottom of that file:
/swapfile none swap sw 0 0
Optionally you can also modify your swap settings based on your usage. One of the more important setting is the swappiness, which determines how often the operating system uses the swap instead of the actual RAM. The default is 60, meaning that the swap if moderately favored over RAM. The swappiness value will depend on the actual usage and how your applications use memory. If your applications do not need to access entries in RAM often, it is a good idea to set the swappiness to a higher value and free up RAM to be used by other programs. However, if your applications read from memory quite often, setting the swappiness to a lower value can improve the performance since it will use RAM more often.
In this setup we will use a lower swappiness value (10), and we can set it by modifying the “sysctl” file:
sudo nano /etc/sysctl.conf
And adding this entry in the bottom of the file:
vm.swappiness=10
Final Steps
That’s it! You have now successfully set up your own server and it is now ready for use. We have also implemented basic security procedures to make our server more robust.
The next step is to deploy our application in the server. Some common uses are:
One thought on “Set up your own server”