How to set up a new Ubuntu server: add Non Root User, SSH Key, and UFW Firewall

Learn how to create a non root user, grant administrative privileges, configure a basic firewall, and transfer SSH access, ensuring your Ubuntu server is secure and ready for further deployment.

Key points to consider:

A fresh Ubuntu server allows root login by default, which poses a security risk. Creating a new non root user helps reduce attack surface.
Granting administrative privileges using the sudo group lets the new user to perform root level tasks without logging in as root.
SSH keys provide more secure and reliable authentication than passwords. You can copy your public key from the root user to the new user's profile for seamless login.
Configuring a basic firewall with ufw helps restrict access to essential services, like SSH, and adds an extra layer of protection.
These steps form the foundation for all future configurations, such as installing web servers, Docker, or other production tools.
Always keep your current SSH session open until you confirm that your new user can log in and access the server. This prevents accidental lockout.

Introduction

When you first deploy a new Ubuntu server, it usually comes with root access enabled and minimal security measures in place. While this configuration allows immediate administrative control, it also exposes your server to unnecessary risk. Performing a few initial setup steps helps ensure your system is secure, maintainable, and ready for future deployment tasks.

The initial setup process focuses on core administrative foundations: creating a non root user, assigning proper privileges, setting up a firewall, and configuring secure SSH access. These steps are critical whether you plan to host a website, run Docker containers, or install a LAMP stack. Without this groundwork, your server remains vulnerable and difficult to scale securely.

In this tutorial, you will learn how to:

Add a new user account with restricted but expandable privileges.
Grant administrative rights using the sudo group.
Enable secure access by copying your existing SSH key to the new user.
Set up a basic firewall using ufw to allow only essential services.

Step-by-Step Instructions

Step 1: Update the system and create a new administrative user

When deploying a new Ubuntu server for the first time, the default access is provided through the root account. While the root user has full privileges to manage the system, it is not recommended to use this account for daily operations due to security risks. The best practice is to immediately update the system and create a new, unprivileged user with sudo access.

Connect to your server using SSH
Begin by connecting to your server from your local machine using SSH. This will require the servers public IP address and the root user credentials provided in your Cherry Servers
client portal. Use the following command to connect:
```
$ ssh root@your_server_ip
```
Replace your_server_ip with the actual IP address of your Ubuntu server. You will be prompted to accept the host key and enter the root password or use your private key if it has already been configured (see Fig. 1).

Fig. 1. First time SSH connection to a new server. The system asks to confirm the servers authenticity and stores its fingerprint in the known hosts list.

If you are unfamiliar with SSH access or encounter problems such as authentication issues or timeouts, we recommend reviewing the following Cherry Servers documentation for detailed instructions:
- How to connect to a Linux server using SSH
- How to connect to your server and troubleshoot access issues
Update and upgrade the system
Once connected to the server, the first thing you should do is update the package index and upgrade the system packages. This ensures that all installed software is up to date and includes the latest security patches. Run the following command:
```
$ sudo apt update && apt upgrade -y
```
- apt update fetches the latest list of available packages and versions.
- apt upgrade -y installs the updated versions for all currently installed packages without requiring manual confirmation (-y flag).
Create a new non root user
Instead of continuing to operate as root, it is best to create a separate user account. This helps isolate critical system commands from daily use and enables better auditing and access control. To create a new user, run:
```
$ adduser cherry
```
Replace cherry with the name you want for your administrative user. The system will prompt you to create a password and optionally provide additional user information such as full name or contact details (see Fig. 2). These can be left blank if desired. Note that this user does not have administrative privileges yet.

Fig. 2. Creating a new user with adduser. You will be prompted to set a password and optionally provide user details before confirming the creation.
Grant administrative privileges to the new user
To give the newly created user permission to run administrative commands (such as apt, reboot, or system configuration tools), you must add them to the sudo group:
```
$ usermod -aG sudo cherry
```
- usermod - modifies user account settings.
- -aG - appends the user to a group (without removing them from other groups).
- sudo - the group that grants administrative privileges.
This command ensures the user is added to the systems list of users allowed to elevate their privileges using the sudo command. These elevated commands will still require the users password to execute, providing a layer of accountability and control.
Verify the group membership
To confirm that the user was successfully added to the sudo group, use the groups command:
```
$ groups cherry
```
You should see output similar to (see Fig. 3):
```
cherry : cherry sudo users
```
Fig. 3. Confirming that the user cherry belongs to the sudo group, which grants administrative privileges, along with users and their primary group.
This confirms the user belongs to both their personal group and the sudo group.

Note: the new group membership takes effect upon the users next login. If you are currently logged in as the new user in a separate session, log out and log back in to gain sudo privileges.

Step 2: Set up SSH key based authentication for the new user

After creating a new user with administrative privileges, the next step is to enable secure, password less login using SSH key authentication. This is a more secure alternative to password-based access and is considered a best practice for managing remote servers.

Copy your public SSH key to the new user:

Option A: use rsync (recommended when logged in as root):
If your public key is already installed for the root user, you can simply copy it to the new users home directory so that you can log in without entering a password every time. Run the following command as root to copy the SSH configuration from the root account to your new user (replace cherry with your actual username):
```
$ rsync --archive --chown=cherry:cherry ~/.ssh /home/cherry
```
This command does the following:
- rsync --archive preserves file permissions and timestamps during the copy.
- --chown=cherry:cherry changes the ownership of the .ssh directory and its contents to the new user.
- ~/.ssh is the source directory from the root account.
- /home/cherry is the target location for the new user.
Option B: Use ssh-copy-id (simpler method from your local machine)
If your public key is on your local system, you can directly copy it to the new user using this command (this method requires that password based login is temporarily allowed on the server.):
```
$ ssh-copy-id cherry@your_server_ip
```
This command will:
- Connect to the server via SSH.
- Append your local public key (usually ~/.ssh/id_rsa.pub) to the remote users ~/.ssh/authorized_keys file.
- Prompt for the password once and then enable key-based login going forward.
Once completed, the new user will be able to log in using the same SSH private key used for the root account.
Note: if you have not generated an SSH key pair yet or need help adding it to the Cherry Servers client portal, refer to this tutorial - how do you generate and add an SSH key to the Cherry Servers client portal?
Test the login with your new user
Now that the key has been copied, test logging in as the new user from your local machine:
```
$ ssh cherry@your_server_ip
```
Replace cherry with your chosen username and your_server_ip with your server's actual public IP address. If everything was configured correctly, you should be able to log in without being prompted for a password.

Step 3: Set up a basic firewall with UFW

To improve your server's security posture, it is essential to configure a firewall. A firewall helps control incoming and outgoing traffic based on predefined rules, helping to reduce exposure to unauthorized access. On Ubuntu systems, the recommended tool is UFW (Uncomplicated Firewall), a simple and effective interface for managing iptables.

Check if UFW is installed
Most modern Ubuntu installations come with UFW preinstalled. You can check if it is present by running:
```
$ sudo ufw status
```
If the output is something like Status: inactive (see Fig. 4), UFW is installed but not yet enabled. If the command is not recognized, install it with:
```
$ sudo apt install ufw -y
```
Fig. 4. Checking UFW status before enabling. The firewall is installed but currently inactive, meaning no rules are being enforced.
Allow essential services
Before enabling the firewall, you need to explicitly allow any services that should n accessible. Since you are working via SSH, you must permit SSH traffic on the port you are using (default is port 22 unless you have configured a custom port):
```
$ sudo ufw allow OpenSSH
```
Alternatively, if your SSH service is running on a non default port (e.g., 2222), you should allow that port directly:
```
$ sudo ufw allow 2222/tcp
```
Only after allowing SSH should you proceed to enable UFW, otherwise, you may lock yourself out.
Enable the firewall
To activate UFW and enforce the rules:
```
$ sudo ufw enable
```
You will be prompted to confirm. Type y and press Enter (see Fig. 5). Once enabled, UFW will automatically apply on every reboot.

Fig. 5. Enabling the UFW firewall. The system warns that SSH connections may be affected. After confirmation, the firewall becomes active and is configured to start on boot.
Verify firewall status and rules
To confirm UFW is active and verify which rules are in place, use:
```
$ sudo ufw status verbose
```
You should see output listing the allowed ports, such as (see Fig. 6):

Fig. 6. UFW verbose status output. The firewall is active, with default policies set to deny incoming and allow outgoing traffic. SSH (port 22) is explicitly allowed for both IPv4 and IPv6.

This confirms that your firewall is active and permitting SSH access.
Additional recommendations
- To allow other services in the future (e.g., HTTP, HTTPS), you can run:
```
$ sudo ufw allow http
```
```
$ sudo ufw allow http
```
- If you want to disable UFW temporarily:
```
$ sudo ufw disable
```
- You can reset UFW to its default state with:
```
$ sudo ufw reset
```

Note: UFW is not required for your server to function, but it is considered a best practice and essential for reducing the attack surface, especially on public facing servers.

Step 4: Disable root login via SSH (optional)

For enhanced security, it is highly recommended to disable direct SSH login as the root user once your new user has administrative privileges and SSH key access. This prevents attackers from targeting the default root account, which is a common target of brute force attempts.

Open the SSH daemon configuration file
Use a text editor like nano to open the SSH configuration:
```
$ sudo nano /etc/ssh/sshd_config
```
Locate the following line (usually near the bottom):
```
PermitRootLogin yes
```
Change its value to:
```
PermitRootLogin no
```
This change ensures that no one, not even with the correct password or SSH key, can log in as root over SSH. If you need to perform administrative tasks, you can do so using sudo from your non root account.
Restart the SSH service
For the changes to take effect, restart the SSH daemon:
```
$ sudo systemctl restart ssh
```
Confirm the configuration was applied
You can verify that the SSH daemon has the setting active using the following command:
```
$ sudo sshd -T | grep permitrootlogin
```
The output should show:
```
permitrootlogin no
```
This confirms the SSH server is enforcing the new restriction and will no longer accept root logins.

Summary

Setting up a new Ubuntu server securely and efficiently is a crucial first step before deploying any applications or services. In this tutorial, you learned how to connect to your server for the first time and perform several foundational configuration tasks that improve both security and manageability.

By creating a dedicated non root user and assigning administrative privileges through the sudo group, you reduce the risk associated with direct root access while still retaining full control of the system. Copying your SSH key to the new user account enables secure, passwordless authentication, which is far more resistant to brute force attacks than traditional login methods.

Configuring a firewall with UFW further strengthens your servers defense by restricting access to only essential services. Optionally disabling root login via SSH adds another layer of protection against automated intrusion attempts.

These initial setup steps are recommended for any production server and form a reliable baseline for deploying software stacks like LAMP, Docker, or Kubernetes. With this groundwork in place, your Ubuntu server is now secure, maintainable, and ready for future deployment tasks.