
@melvinpetix
Created January 17, 2021 07:26
1. Update the server:
apt-get update
apt-get upgrade
apt full-upgrade
2. Add SSH key:
mkdir ~/.ssh && touch ~/.ssh/authorized_keys
chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys
Open the authorized_keys file (in /root/.ssh/), paste your public key into it and save.
Now open sshd_config in /etc/ssh/.
Uncomment or change PubkeyAuthentication to yes, uncomment AuthorizedKeysFile, and set PasswordAuthentication to no.
Also change the SSH Port to 2222 (or any other port you want).
Restart SSH service:
service sshd restart
3. Setup UFW Firewall
UFW is often installed by default on Ubuntu; you can check with this command:
ufw status
Next, make UFW allow all outgoing connections and deny all incoming connections by default (these are UFW's built-in defaults). Then allow only the connections you need and turn the firewall on.
If your SSH port is the default 22:
ufw allow ssh
If your SSH port has been changed (2222, for example):
ufw allow 2222
ufw allow 80/tcp
ufw allow 443/tcp
ufw logging on
Now enable the firewall:
echo "y" | ufw enable
You can re-check the firewall rules with:
ufw status verbose
4. Install fail2ban
Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show malicious signs — too many password failures, probing for exploits, etc. Generally, Fail2ban is then used to update firewall rules to reject those IP addresses for a specified amount of time, although any other action (e.g. sending an email) can also be configured. Out of the box, Fail2ban comes with filters for various services (apache, courier, ssh, etc.).
The default fail2ban options are good enough; no further configuration is needed. If you want other features, read this tutorial by DigitalOcean.
Install fail2ban:
apt-get install fail2ban
5. Install Google Authenticator
Install Google Authenticator on Ubuntu:
apt-get install libpam-google-authenticator
google-authenticator
Answer any prompts within the script.
Now open /etc/pam.d/sshd and add this line at the end:
auth required pam_google_authenticator.so
Open sshd_config in /etc/ssh/ and change ChallengeResponseAuthentication to yes.
Add this line at the end:
AuthenticationMethods publickey,password publickey,keyboard-interactive
Back in /etc/pam.d/sshd, comment out the @include common-auth line by prefixing it with # (so it reads #@include common-auth).
Restart ssh service:
service ssh restart
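As an added example (not part of the gist), the script below applies the sshd_config edits from steps 2 and 5 to whatever file you name and then checks the effective values, so you can rehearse on a copy and run sshd -t before restarting the real service from a session you keep open. The AuthorizedKeysFile value and the 2222 port default are assumptions.

```shell
#!/bin/sh
# Added example: idempotently set sshd_config directives and verify them.

# Rewrite the first "Key ..." or "#Key ..." line as "Key value", drop later
# duplicates, append if absent. Directives placed after a "Match" block
# would be scoped to it, which is why we edit in place rather than append.
set_directive() {
    awk -v k="$2" -v v="$3" '
        $0 ~ ("^[# \t]*" k "([ \t]|$)") { if (!done) { print k " " v; done = 1 }; next }
        { print }
        END { if (!done) print k " " v }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Print the effective value of a directive: last uncommented line before any Match block.
get_directive() {
    awk -v k="$1" 'tolower($1) == "match" { exit }
        tolower($1) == tolower(k) { v = $0; sub(/^[ \t]*[^ \t]+[ \t]+/, "", v) }
        END { print v }' "$2"
}

# Apply the gist's settings (steps 2 and 5). Port and AuthorizedKeysFile values are assumptions.
harden_sshd_config() {
    set_directive "$1" Port "${2:-2222}"
    set_directive "$1" PubkeyAuthentication yes
    set_directive "$1" AuthorizedKeysFile .ssh/authorized_keys
    set_directive "$1" PasswordAuthentication no
    set_directive "$1" ChallengeResponseAuthentication yes
    set_directive "$1" AuthenticationMethods "publickey,password publickey,keyboard-interactive"
}

# Return 0 only if every hardening directive has its intended effective value.
check_sshd_config() {
    rc=0
    for pair in "Port=${2:-2222}" PubkeyAuthentication=yes PasswordAuthentication=no \
                ChallengeResponseAuthentication=yes; do
        got=$(get_directive "${pair%%=*}" "$1")
        [ "$got" = "${pair#*=}" ] || { echo "MISMATCH: ${pair%%=*}='${got:-unset}'" >&2; rc=1; }
    done
    return $rc
}

# On the real host, keep your current session open and validate before restarting:
#   cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
#   harden_sshd_config /etc/ssh/sshd_config 2222 && sshd -t && service ssh restart
```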
6. Change Timezone:
dpkg-reconfigure tzdata
Choose the correct timezone, then turn NTP on:
timedatectl set-ntp on
Re-check with this command:
timedatectl
7. Automatically back up the server with EasyEngine v4
I will create a cron job for Rclone to automatically back up my server, including files and the database.
First, install Rclone. This is for 64-bit Linux:
cd /root/
wget https://downloads.rclone.org/v1.42/rclone-v1.42-linux-amd64.zip
unzip rclone-v*.zip
\cp rclone-v*-linux-amd64/rclone /usr/sbin/
rm -rf rclone-*
Now type in the console:
rclone config
Choose n to create a new remote and enter remote as its name.
Choose 11 for Google Drive.
Leave Client ID and Client Secret blank.
Choose 1 for the scope that rclone should use when requesting access to Drive.
Leave the ID of the root folder and the Service Account Credentials JSON file path blank.
Answer n to Use auto config?