Learn how to create a non root user, grant administrative privileges, configure a basic firewall, and transfer SSH access, ensuring your Ubuntu server is secure and ready for further deployment.
Key points to consider:
-
A fresh Ubuntu server allows root login by default, which poses a security risk. Creating a new non root user helps reduce attack surface.
-
Granting administrative privileges using the
sudo
group lets the new user to perform root level tasks without logging in as root. -
SSH keys provide more secure and reliable authentication than passwords. You can copy your public key from the root user to the new user's profile for seamless login.
-
Configuring a basic firewall with
ufw
helps restrict access to essential services, like SSH, and adds an extra layer of protection. -
These steps form the foundation for all future configurations, such as installing web servers, Docker, or other production tools.
-
Always keep your current SSH session open until you confirm that your new user can log in and access the server. This prevents accidental lockout.
Introduction
When you first deploy a new Ubuntu server, it usually comes with root access enabled and minimal security measures in place. While this configuration allows immediate administrative control, it also exposes your server to unnecessary risk. Performing a few initial setup steps helps ensure your system is secure, maintainable, and ready for future deployment tasks.
The initial setup process focuses on core administrative foundations: creating a non root user, assigning proper privileges, setting up a firewall, and configuring secure SSH access. These steps are critical whether you plan to host a website, run Docker containers, or install a LAMP stack. Without this groundwork, your server remains vulnerable and difficult to scale securely.
In this tutorial, you will learn how to:
-
Add a new user account with restricted but expandable privileges.
-
Grant administrative rights using the
sudo
group. -
Enable secure access by copying your existing SSH key to the new user.
-
Set up a basic firewall using
ufw
to allow only essential services.
Step-by-Step Instructions
Step 1: Update the system and create a new administrative user
When deploying a new Ubuntu server for the first time, the default access is provided through the root account. While the root user has full privileges to manage the system, it is not recommended to use this account for daily operations due to security risks. The best practice is to immediately update the system and create a new, unprivileged user with sudo
access.
- Connect to your server using SSH
Begin by connecting to your server from your local machine using SSH. This will require the servers public IP address and the root user credentials provided in your Cherry Servers
client portal. Use the following command to connect:
$ ssh root@your_server_ip
Replaceyour_server_ip
with the actual IP address of your Ubuntu server. You will be prompted to accept the host key and enter the root password or use your private key if it has already been configured (see Fig. 1).
Fig. 1. First time SSH connection to a new server. The system asks to confirm the servers authenticity and stores its fingerprint in the known hosts list.
If you are unfamiliar with SSH access or encounter problems such as authentication issues or timeouts, we recommend reviewing the following Cherry Servers documentation for detailed instructions:
- Update and upgrade the system
Once connected to the server, the first thing you should do is update the package index and upgrade the system packages. This ensures that all installed software is up to date and includes the latest security patches. Run the following command:
$ sudo apt update && apt upgrade -y
apt update
fetches the latest list of available packages and versions.apt upgrade -y
installs the updated versions for all currently installed packages without requiring manual confirmation (-y
flag).
- Create a new non root user
Instead of continuing to operate asroot
, it is best to create a separate user account. This helps isolate critical system commands from daily use and enables better auditing and access control. To create a new user, run:
$ adduser cherry
Replacecherry
with the name you want for your administrative user. The system will prompt you to create a password and optionally provide additional user information such as full name or contact details (see Fig. 2). These can be left blank if desired. Note that this user does not have administrative privileges yet.
Fig. 2. Creating a new user with adduser. You will be prompted to set a password and optionally provide user details before confirming the creation. - Grant administrative privileges to the new user
To give the newly created user permission to run administrative commands (such asapt
,reboot
, or system configuration tools), you must add them to thesudo
group:
$ usermod -aG sudo cherry
usermod
- modifies user account settings.-aG
- appends the user to a group (without removing them from other groups).sudo
- the group that grants administrative privileges.
- Verify the group membership
To confirm that the user was successfully added to thesudo
group, use thegroups
command:
$ groups cherry
You should see output similar to (see Fig. 3):
cherry : cherry sudo users
Fig. 3. Confirming that the user cherry belongs to the sudo group, which grants administrative privileges, along with users and their primary group.
This confirms the user belongs to both their personal group and thesudo
group.
Note: the new group membership takes effect upon the users next login. If you are currently logged in as the new user in a separate session, log out and log back in to gain sudo
privileges.
Step 2: Set up SSH key based authentication for the new user
After creating a new user with administrative privileges, the next step is to enable secure, password less login using SSH key authentication. This is a more secure alternative to password-based access and is considered a best practice for managing remote servers.
- Copy your public SSH key to the new user:
Option A: usersync
(recommended when logged in asroot
):
If your public key is already installed for theroot
user, you can simply copy it to the new users home directory so that you can log in without entering a password every time. Run the following command asroot
to copy the SSH configuration from the root account to your new user (replacecherry
with your actual username):
$ rsync --archive --chown=cherry:cherry ~/.ssh /home/cherry
This command does the following:rsync --archive
preserves file permissions and timestamps during the copy.--chown=cherry:cherry
changes the ownership of the.ssh
directory and its contents to the new user.~/.ssh
is the source directory from the root account./home/cherry
is the target location for the new user.
ssh-copy-id
(simpler method from your local machine)
If your public key is on your local system, you can directly copy it to the new user using this command (this method requires that password based login is temporarily allowed on the server.):
$ ssh-copy-id cherry@your_server_ip
This command will:
- Connect to the server via SSH.
- Append your local public key (usually
~/.ssh/id_rsa.pub
) to the remote users~/.ssh/authorized_keys
file. - Prompt for the password once and then enable key-based login going forward.
Note: if you have not generated an SSH key pair yet or need help adding it to the Cherry Servers client portal, refer to this tutorial - how do you generate and add an SSH key to the Cherry Servers client portal? - Test the login with your new user
Now that the key has been copied, test logging in as the new user from your local machine:
$ ssh cherry@your_server_ip
Replacecherry
with your chosen username andyour_server_ip
with your server's actual public IP address. If everything was configured correctly, you should be able to log in without being prompted for a password.
Step 3: Set up a basic firewall with UFW
To improve your server's security posture, it is essential to configure a firewall. A firewall helps control incoming and outgoing traffic based on predefined rules, helping to reduce exposure to unauthorized access. On Ubuntu systems, the recommended tool is UFW (Uncomplicated Firewall), a simple and effective interface for managing iptables.
- Check if UFW is installed
Most modern Ubuntu installations come with UFW preinstalled. You can check if it is present by running:$ sudo ufw status
If the output is something likeStatus: inactive
(see Fig. 4), UFW is installed but not yet enabled. If the command is not recognized, install it with:
$ sudo apt install ufw -y
Fig. 4. Checking UFW status before enabling. The firewall is installed but currently inactive, meaning no rules are being enforced. - Allow essential services
Before enabling the firewall, you need to explicitly allow any services that should n accessible. Since you are working via SSH, you must permit SSH traffic on the port you are using (default is port 22 unless you have configured a custom port):
$ sudo ufw allow OpenSSH
Alternatively, if your SSH service is running on a non default port (e.g., 2222), you should allow that port directly:
$ sudo ufw allow 2222/tcp
Only after allowing SSH should you proceed to enable UFW, otherwise, you may lock yourself out. - Enable the firewall
To activate UFW and enforce the rules:
$ sudo ufw enable
You will be prompted to confirm. Typey
and pressEnter
(see Fig. 5). Once enabled, UFW will automatically apply on every reboot.
Fig. 5. Enabling the UFW firewall. The system warns that SSH connections may be affected. After confirmation, the firewall becomes active and is configured to start on boot. - Verify firewall status and rules
To confirm UFW is active and verify which rules are in place, use:
$ sudo ufw status verbose
You should see output listing the allowed ports, such as (see Fig. 6):
Fig. 6. UFW verbose status output. The firewall is active, with default policies set to deny incoming and allow outgoing traffic. SSH (port 22) is explicitly allowed for both IPv4 and IPv6.
This confirms that your firewall is active and permitting SSH access. - Additional recommendations
- To allow other services in the future (e.g., HTTP, HTTPS), you can run:
$ sudo ufw allow http
$ sudo ufw allow http
- If you want to disable UFW temporarily:
$ sudo ufw disable
- You can reset UFW to its default state with:
$ sudo ufw reset
- To allow other services in the future (e.g., HTTP, HTTPS), you can run:
Note: UFW is not required for your server to function, but it is considered a best practice and essential for reducing the attack surface, especially on public facing servers.
Step 4: Disable root login via SSH (optional)
For enhanced security, it is highly recommended to disable direct SSH login as the root
user once your new user has administrative privileges and SSH key access. This prevents attackers from targeting the default root account, which is a common target of brute force attempts.
- Open the SSH daemon configuration file
Use a text editor likenano
to open the SSH configuration:
$ sudo nano /etc/ssh/sshd_config
Locate the following line (usually near the bottom):
PermitRootLogin yes
Change its value to:PermitRootLogin no
This change ensures that no one, not even with the correct password or SSH key, can log in asroot
over SSH. If you need to perform administrative tasks, you can do so usingsudo
from your non root account. - Restart the SSH service
For the changes to take effect, restart the SSH daemon:
$ sudo systemctl restart ssh
- Confirm the configuration was applied
You can verify that the SSH daemon has the setting active using the following command:
$ sudo sshd -T | grep permitrootlogin
The output should show:
permitrootlogin no
This confirms the SSH server is enforcing the new restriction and will no longer accept root logins.
Summary
Setting up a new Ubuntu server securely and efficiently is a crucial first step before deploying any applications or services. In this tutorial, you learned how to connect to your server for the first time and perform several foundational configuration tasks that improve both security and manageability.
By creating a dedicated non root user and assigning administrative privileges through the sudo
group, you reduce the risk associated with direct root access while still retaining full control of the system. Copying your SSH key to the new user account enables secure, passwordless authentication, which is far more resistant to brute force attacks than traditional login methods.
Configuring a firewall with UFW further strengthens your servers defense by restricting access to only essential services. Optionally disabling root login via SSH adds another layer of protection against automated intrusion attempts.
These initial setup steps are recommended for any production server and form a reliable baseline for deploying software stacks like LAMP, Docker, or Kubernetes. With this groundwork in place, your Ubuntu server is now secure, maintainable, and ready for future deployment tasks.