First 5 Must Do’s After Launching a Linux Server


There is a specific satisfaction in watching a new VirtualBox VM boot up or seeing a cloud instance reach the “Running” state. You have a fresh, untouched Linux environment ready for whatever architecture you want to build.

But before you start installing Apache, setting up Docker containers, or building out your local DNS sinkhole, you need to stop and secure the perimeter.

The public internet is a hostile environment. If you spin up a server with a public IP address and leave the default SSH port open, automated botnets will find it and begin brute-forcing your login credentials within minutes.

To build reliable infrastructure, security cannot be an afterthought. Here are the five non-negotiable steps you must take the moment you log into a fresh Linux server.


1. Update the Linux Server

Whether you downloaded an ISO yesterday or deployed a cloud image five minutes ago, the packages are already out of date. Security vulnerabilities are patched constantly, and your first action should always be syncing your system with the latest security releases.

Run this immediately:

Bash

    sudo apt update && sudo apt upgrade -y

2. Create a Dedicated Sudo User

Operating as the root user is like driving a car with no seatbelt and the airbag disabled. One typo in a command can irreversibly destroy your operating system. You need a standard user account with the ability to temporarily escalate privileges via sudo.

If your installer didn’t create one for you, do it now:

Bash

    adduser <your_username>
    usermod -aG sudo <your_username>

Log out of root, log in as your new user, and verify you have administrative access by running sudo -v. Once confirmed, you should never log in directly as root again.

3. Kill Password Authentication (Use SSH Keys)

Passwords are a massive security vulnerability, no matter how complex you make them. To truly lock down your server, you need to completely disable password logins and rely entirely on cryptographic SSH keys.

First, generate an SSH key pair on your local machine (the laptop or desktop you are connecting from):

Bash

    ssh-keygen -t ed25519 -C "your_email@example.com"

Next, copy your public key to the new server:

Bash

    ssh-copy-id <your_username>@<server_ip>

Test your login. If it lets you in without asking for a password, you are ready to lock the door behind you. Open the SSH configuration file on the server:

Bash

    sudo nano /etc/ssh/sshd_config

Find the line PasswordAuthentication yes, change it to no, and restart the service:

Bash

    sudo systemctl restart ssh

4. Move the Target: Change the Default SSH Port

By default, SSH listens on Port 22. Every malicious script and automated scanner on the internet knows this. While disabling password authentication protects you from password brute-forcing, leaving SSH on Port 22 means your server’s auth.log will be filled with thousands of failed login attempts every single day, wasting CPU cycles and bandwidth.

We fix this with security by obscurity. Open the config file again:

Bash

    sudo nano /etc/ssh/sshd_config

Find the line #Port 22. Remove the hash sign (#) to uncomment it, and change the number to a high, unused port (e.g., between 1024 and 65535).

Plaintext

    Port 49222

Save the file and restart SSH:

Bash

    sudo systemctl restart ssh

From now on, you will connect using the -p flag:

Bash

    ssh -p 49222 <your_username>@<server_ip>

5. Deploy the Bouncer (UFW)

Your server should operate on a policy of “default deny.” If you don’t explicitly allow traffic through, it should be dropped at the door. On Debian and Ubuntu, the Uncomplicated Firewall (UFW) is the easiest way to enforce this.

First, ensure it is installed:

Bash

    sudo apt install ufw

Set the default rules to deny incoming and allow outgoing traffic:

Bash

    sudo ufw default deny incoming
    sudo ufw default allow outgoing

Crucial Step: Before turning the firewall on, you must allow your new SSH port; otherwise, you will sever your own connection.

Bash

    sudo ufw allow 49222/tcp

If you plan to run a web server right away, also run:

Bash

    sudo ufw allow 80/tcp
    sudo ufw allow 443/tcp

Finally, enable the firewall:

Bash

    sudo ufw enable
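
Editing sshd_config does not guarantee the setting took effect, and enabling UFW without a rule for the new port cuts off SSH. The script below is an added example, not part of the original article: it audits the effective settings printed by `sshd -T` and, optionally, the pending rules from `ufw show added`. The function name, messages and sample data are constructed, and the `ufw allow <port>/tcp` line format of `ufw show added` is an assumption.

```bash
#!/usr/bin/env bash
# Added example: audit what sshd will actually enforce after steps 3-5.
#   stdin: output of `sudo sshd -T` (lowercase "keyword value" lines)
#   $1   : optional output of `sudo ufw show added` (assumed "ufw allow 49222/tcp" lines)
audit_ssh_hardening() {
  local ufw_rules="${1-}" key val p ports="" pw="unset" kbd="no" fail=0
  while read -r key val; do
    case "$key" in
      port) ports="$ports $val" ;;              # sshd -T prints one line per port
      passwordauthentication) pw="$val" ;;
      kbdinteractiveauthentication|challengeresponseauthentication)
        if [ "$val" = "yes" ]; then kbd="yes"; fi ;;
    esac
  done
  if [ "$pw" != "no" ]; then
    echo "FAIL passwordauthentication is '$pw' (another config line may override your edit)"
    fail=1
  fi
  if [ "$kbd" = "yes" ]; then
    echo "FAIL keyboard-interactive auth is on; PAM can still prompt for a password"
    fail=1
  fi
  if [ -z "$ports" ]; then echo "FAIL no port line in input"; fail=1; fi
  for p in $ports; do
    if [ "$p" = "22" ]; then echo "FAIL still listening on port 22"; fail=1; fi
    # Only when rules were supplied: is this port allowed before 'ufw enable'?
    if [ -n "$ufw_rules" ] &&
       ! printf '%s\n' "$ufw_rules" | grep -Eq "^ufw (allow|limit) $p(/tcp)?\$"; then
      echo "FAIL no ufw allow rule for SSH port $p; 'ufw enable' would block it"
      fail=1
    fi
  done
  if [ "$fail" -eq 0 ]; then echo "OK password logins off; SSH on port(s):$ports"; fi
  return "$fail"
}

# Constructed sample: password auth still effective, and the new port has no ufw rule.
SAMPLE_SSHD='port 49222
passwordauthentication yes
kbdinteractiveauthentication no'
SAMPLE_UFW='ufw allow 80/tcp
ufw allow 443/tcp'
printf '%s\n' "$SAMPLE_SSHD" | audit_ssh_hardening "$SAMPLE_UFW" || true

# On the server: sudo sshd -T | audit_ssh_hardening "$(sudo ufw show added)"
```

Keep your current SSH session open while you test a new login in a second terminal, and run `sudo sshd -t` to syntax-check the file before each restart.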
				
			

The Foundation is Set

By executing these five steps, you have transformed a vulnerable, stock Linux installation into a hardened, production-ready environment. The botnets will ignore you, your authentication is mathematically secure, and you have absolute control over what traffic enters your system.

Now, you are ready to actually start building.
