When you first spin up a new Ubuntu server, getting right to work is tempting. However, before you jump into deploying web applications, hosting a NodeBB forum, or installing Nginx, it is crucial to establish a secure foundation.

Relying on the default root account for day-to-day operations is a security risk. This guide will walk you through the essential first steps for any newly provisioned Ubuntu server: creating a dedicated user, granting the right privileges, and configuring a basic firewall.

Step 1: Log In as Root

To begin, you will need your server's public IP address and the password (or SSH private key if you installed an SSH key for authentication) for the root account. Open your terminal and connect to your server as the root user using the following command, replacing your_server_ip with your actual IP address:

ssh root@your_server_ip

If a warning about host authenticity appears, accept it. If your server uses password authentication, provide your root password to log in. If your server uses an SSH key for authentication, you may need to enter SSH key passphrase the first time you use the key each session.

Note: The root user has absolute power over the system. Because of the heightened privileges of the root account, you are discouraged from using it regularly. The root account can make very destructive changes, even by accident.

Step 2: Create a New User

Now that you are logged in as root, let's create a standard user account. We will use this account moving forward. You can name this user whatever you like; for this example, we'll use adminuser.

adduser adminuser

The system will prompt you to create and confirm a strong password. You will also see prompts for additional information (like Full Name or Room Number). These are entirely optional—feel free to just press ENTER to skip them.

Step 3: Grant Administrative Privileges

Our new user needs the ability to perform administrative tasks when necessary, like updating packages or managing server blocks later on. Instead of logging back in as root, we can grant this user superuser capabilities.

On Ubuntu, users in the sudo group are automatically allowed to run administrative commands. Add your new user to this group:

usermod -aG sudo adminuser

From now on, whenever you need to execute a command with elevated privileges, you can simply type sudo before it.

Step 4: Set Up a Basic Firewall

Ubuntu ships with a firewall configuration tool called UFW (Uncomplicated Firewall). Setting it up ensures that only authorized traffic can reach your server.

When software is installed, it often registers its profile with UFW. Because we need to maintain our connection to the server, we must ensure SSH traffic is allowed before turning the firewall on.

First, check the available application profiles:

ufw app list

You should see OpenSSH in the output, it will probably look like this:

Available applications:
  OpenSSH

Allow connections for OpenSSH by running:

ufw allow OpenSSH

Now, it is safe to enable the firewall:

ufw enable

Type y and press ENTER to confirm. You can verify that your firewall is active and that SSH connections are allowed by checking its status:

ufw status

And in the output, it will probably look like this:

Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)

The firewall is currently blocking all connections except for SSH. As you continue building your server environment—such as opening ports 80 and 443 for web traffic later—you will adjust these UFW rules to allow the new services:

ufw allow 80/tcp
ufw allow 443/tcp

Step 5: Verify External Access for Your Regular User

Before closing your active root session, it is critical to verify that you can successfully log in and use sudo with your new user. If you have problems connecting, you can troubleshoot and make any necessary changes as root.

Configuring SSH access for your new user depends on whether your server’s root account uses a password or SSH keys for authentication.

If the root account uses password authentication

Open a new terminal window on your local machine and try connecting as your new user:

ssh adminuser@your_server_ip

When the terminal prompts for password of your new user, enter it then you will be logged in.

Remember, if you need to run a command with administrative privileges, type sudo before it like this:

sudo command_to_run

You will receive a prompt for your user's password when using sudo for the first time each session (and periodically afterward).

If the root account uses SSH key authentication

If you logged in to your root account using SSH keys, then password authentication is disabled for SSH. To log in as your regular user with an SSH key, you must add a copy of your local public key to your new user’s ~/.ssh/authorized_keys file.

Since your public key is already in the root account’s ~/.ssh/authorized_keys file on the server, you can copy that file and directory structure to your new user account using your current session.

The simplest way to copy the files with the correct ownership and permissions is with the rsync command. This command will copy the root user’s .ssh directory, preserve the permissions, and modify the file owners, all in a single command. Make sure to change adminuser of the command below to match your regular user’s name:

rsync --archive --chown=adminuser:adminuser ~/.ssh /home/adminuser

Now, open up a new terminal session on your local machine, and use SSH with your new username:

ssh adminuser@your_server_ip

You should be connected to your server with the new user account without using a password. Remember, if you need to run a command with administrative privileges, type sudo before the command like this:

sudo command_to_run

You will be prompted for your regular user’s password when using sudo for the first time each session (and periodically afterward).