Introduction
When you first create a new Debian 10 server, there are a few configuration steps you should perform early on as part of the initial setup. This will increase the security and usability of your server and give you a solid foundation for what comes next.
In this tutorial, we will learn how to log in to our server as the root user, create a new user with administrative privileges, and set up a basic firewall.
Step 1 – Log in as Root
To log in to your server, you will need to know the public IP address of your server. You will also need the password or, if you have installed an SSH key for authentication, the private key for the root user account. If you have not logged in to your server before, you may want to follow our guide on how to connect to your Droplet with SSH, which covers this process in detail.
If you are not already connected to your server, go ahead and log in as the root user using the following command (replace the highlighted part of the command with your server's public IP address):
ssh root@your_server_ipAccept the host credentials warning if it appears. If you are using password authentication, enter your root password to log in. If you are using an SSH key that is protected by a passphrase, you may be prompted to enter the passphrase the first time you use the key in any session. If this is the first time you are logging in to the server with a password, you may be prompted to change the root password.
About root
The root user is an administrative user in a Linux environment that has very broad privileges. You are discouraged from using the root account regularly because of its elevated privileges. This is because part of the inherent power of the root account is the ability to make very destructive changes, even accidentally.
The next step is to set up an alternate account with less influence for everyday tasks. Later, we'll explain how to get more privileges for when you need them.
Step 2 – Create a new user
Once you are logged in as root, we are ready to add a new user account that we will use to log in from now on.
This example creates a new user named sammy, but you should replace it with the username you like:
adduser sammyYou will be asked a few questions, starting with the account password.
Enter a strong password and, if desired, fill in any additional information you want. This is not required and you can just hit ENTER in any field you want to skip.
Next, we'll set up this new user with administrator privileges.
Step 3 – Granting Administrative Privileges
We have now created a new user account with regular account privileges. However, we may sometimes need to perform administrative tasks with it.
To avoid having to log out of our regular user and log back in as the main account, we can set up superuser or root privileges for our regular account. This allows the regular user to run commands with administrative privileges by prefixing the command with the word sudo.
To add these privileges to our new user, we need to add the new user to the sudo group. By default, in Debian 10, users who belong to the sudo group are allowed to use the sudo command.
As root, run this command to add your new user to the sudo group (replace the highlighted word with your new user):
usermod -aG sudo sammyNow, when you are logged in as your regular user, you can type sudo before the commands to run the command with superuser privileges.
Step 4 – Set up a basic firewall
Debian servers can use firewalls to ensure that only certain connections to certain services are allowed. In this guide, we will install and use the UFW firewall to help set up firewall policies and manage exceptions.
We can use the apt package manager to install UFW. Refresh the local directory to retrieve the latest information about the available packages and then install the UFW firewall software by typing:
apt update
apt install ufwFirewall profiles allow UFW to manage named sets of firewall rules for installed applications. Profiles for some common software come with UFW by default, and packages can register additional profiles with UFW during the installation process. OpenSSH, the service that allows us to connect to our server now, has a firewall profile that we can use.
You list all available application profiles by typing:
ufw app list
Output
Available applications:
. . .
OpenSSH
. . .We need to make sure that the firewall allows SSH connections so that we can log in again next time. We can allow these connections by typing:
ufw allow OpenSSHAfter that, we can enable the firewall by typing:
ufw enableType y and press ENTER to continue. You can see that SSH connections are still allowed by typing:
ufw statusOutput
Status: active
To Action From
-- ------ ----
OpenSSH ALLOW Anywhere
OpenSSH (v6) ALLOW Anywhere (v6)Since the firewall currently blocks all connections except SSH, if you install and configure additional services, you will need to adjust the firewall settings to allow acceptable traffic in. You can learn some common UFW operations in our essential UFW guide.
Step 5 – Enable external access for your regular user
Now that we have a regular user for daily use, we need to make sure we can SSH directly into the account.
The process for configuring SSH access for your new user depends on whether your server's root account uses a password or SSH keys for authentication.
If the root account uses password authentication
If you logged in to your main account using a password, password authentication is enabled for SSH. You can SSH into your new account by opening a new terminal session and using SSH with your new username:
ssh sammy@your_server_ipAfter entering your regular user password, you will be logged in. Remember, if you need to run a command with administrative privileges, type sudo before it, as follows:
sudo command_to_runWhen using sudo for the first time in any session (and periodically thereafter), you will be prompted to enter your regular user password.
To increase the security of your server, we highly recommend setting up SSH keys instead of using password authentication. Follow our guide on setting up SSH keys on Debian 10 to learn how to configure key-based authentication.
If the root account uses SSH key authentication
If you are logged in to your main account using SSH keys, password authentication is disabled for SSH. You will need to add a copy of your local public key to the new user's ~/.ssh/authorized_keys file to successfully log in.
Since your public key is already in the root account's ~/.ssh/authorized_keys file on the server, we can copy that file and directory structure to our new user account in our current session with the cp command. After that, we can set the ownership of the files using the chown command.
Make sure to change the highlighted parts of the command below to match your regular username:
cp -r ~/.ssh /home/sammy
chown -R sammy:sammy /home/sammy/.sshThe cp -r command copies the entire directory to the new user's home directory, and the chown -R command changes the owner of that directory (and everything inside it) to the specified username: group name (Debian creates a group with the same name. Your username by default).
Now, open a new terminal session and log in via SSH with your new username:
ssh sammy@your_server_ipYou should log in to the new account without using a password. Remember, if you need to run a command with administrative privileges, type sudo before it, as follows:
sudo command_to_runWhen using sudo for the first time in any session (and periodically thereafter), you will be prompted to enter your regular user password.
Result
At this point, you have a solid foundation for your server. You can now install any software you need on your server.
