Initial Server Setup on Ubuntu 26.04
A fresh Ubuntu 26.04 server ships with root SSH access, no regular user, and no firewall rules. That works for the first login, but it is not a safe state to leave running on a public VPS.
This guide walks through the first tasks to perform on a new Ubuntu 26.04 server: creating a sudo user, enabling SSH key authentication, locking down SSH, configuring UFW, setting the hostname and timezone, and applying package updates.
Quick Reference
| Task | Command or file |
|---|---|
| Log in as root | ssh root@server_ip_address |
| Create a user | adduser username |
| Grant sudo access | usermod -aG sudo username |
| Copy root SSH keys | rsync --archive --chown=username:username /root/.ssh /home/username |
| Add a local key | ssh-copy-id username@server_ip_address |
| SSH hardening file | /etc/ssh/sshd_config.d/99-hardening.conf |
| Test SSH config | sudo sshd -t |
| Allow SSH in UFW | sudo ufw allow OpenSSH |
| Set hostname | sudo hostnamectl set-hostname server-name |
| Set timezone | sudo timedatectl set-timezone Europe/Berlin |
Prerequisites
Before starting, make sure you have:
- A new Ubuntu 26.04 server with a public IP address.
- Root access over SSH, either with a password or a provider-supplied key.
- A local SSH key pair on your workstation. If you do not have one yet, see how to generate SSH keys on Linux .
- Access to the provider web console as a backup path in case SSH access stops working.
Keep your original root SSH session open until you have tested the new user login and the hardened SSH configuration.
Log In as Root
Open a terminal on your local machine and connect to the server using the public IP address from your hosting provider:
ssh root@server_ip_addressAccept the host key when prompted and enter the root password if password authentication is still enabled. If your provider created the server with an SSH key, the connection should use that key automatically.
Create a New Sudo User
Working as root for daily administration is risky because every command runs with full privileges. Create a regular user account and give it administrative access through the sudo group.
Replace username with the account name you want to use:
adduser usernameThe command prompts for a password and optional user details. Enter a strong password, then press Enter to skip any fields you do not need.
Add the new user to the sudo group:
usermod -aG sudo usernameThe account can now run administrative commands with sudo.
Set Up SSH Key Authentication
SSH keys are safer than password logins and are easier to use once configured. The exact command depends on where your public key is currently stored.
If your public key is already present under the root account, copy the root SSH directory to the new user:
rsync --archive --chown=username:username /root/.ssh /home/usernameIf you need to copy a key from your local workstation, run this command from the local machine:
ssh-copy-id username@server_ip_addressOpen a new terminal window and test the login before changing the SSH server configuration:
ssh username@server_ip_addressThe connection should succeed as the new user. Keep both the root session and the new user session open while you continue.
Disable Root Login and Password Authentication
After key-based login works, configure OpenSSH to reject direct root logins and password authentication. Ubuntu includes files from /etc/ssh/sshd_config.d/, which keeps local changes separate from the main SSH configuration file.
Create a hardening snippet:
sudo nano /etc/ssh/sshd_config.d/99-hardening.confAdd the following lines:
PermitRootLogin no
PasswordAuthentication noSave the file and test the SSH configuration syntax:
sudo sshd -tIf the command prints no output, the configuration is valid. Reload SSH to apply the change:
sudo systemctl reload sshOpen another terminal and confirm that you can still log in as the regular user:
ssh username@server_ip_addressDo not close your existing sessions until this test succeeds.
Set Up the Firewall with UFW
Ubuntu uses UFW (Uncomplicated Firewall) as a simple front-end for managing host firewall rules. Start by allowing SSH so the firewall does not block your current access:
sudo ufw allow OpenSSHEnable the firewall:
sudo ufw enableConfirm the prompt with y, then check the active rules:
sudo ufw statusThe output should show that OpenSSH is allowed:
Status: active
To Action From
-- ------ ----
OpenSSH ALLOW Anywhere
OpenSSH (v6) ALLOW Anywhere (v6)When you install services such as Nginx or Apache, open their profiles before expecting traffic to reach them. For example, an Nginx server that should accept HTTP and HTTPS traffic needs:
sudo ufw allow 'Nginx Full'For more examples, see how to set up a firewall with UFW .
Set the Hostname
A descriptive hostname makes logs, shell prompts, monitoring alerts, and dashboards easier to read. Set the hostname with hostnamectl:
sudo hostnamectl set-hostname server-nameReplace server-name with a short name that matches the server role, such as web-01 or db-01.
Check the result:
hostnamectlYou can update DNS records or your local SSH config separately if you want to connect by name instead of IP address.
Set the Timezone
Set the server timezone so logs, cron jobs, and timestamps match the region you use for operations:
sudo timedatectl set-timezone Europe/BerlinList available zones if you are unsure of the exact name:
timedatectl list-timezonesSee how to set or change the timezone on Ubuntu for a deeper explanation.
Update the System
Refresh the package index and install pending updates:
sudo apt update
sudo apt upgradeIf the upgrade installed a new kernel or core system libraries, reboot the server:
sudo rebootAfter the reboot, reconnect as the regular sudo user:
ssh username@server_ip_addressTroubleshooting
Locked out after disabling password authentication
Use your provider web console or recovery mode to log in. Edit /etc/ssh/sshd_config.d/99-hardening.conf, temporarily set PasswordAuthentication yes, run sudo sshd -t, reload SSH, and test key login again before disabling passwords.
usermod: group 'sudo' does not exist
Some minimal images may not include the sudo package. Install it with apt install sudo, then rerun usermod -aG sudo username.
sshd -t reports an error
Read the line number in the error message, fix the snippet in /etc/ssh/sshd_config.d/99-hardening.conf, and run sudo sshd -t again. Do not reload SSH until the syntax test passes.
UFW blocks an expected service
Check the active rules with sudo ufw status. Allow the needed service profile or port, such as sudo ufw allow 'Nginx Full' for Nginx web traffic, then test the connection again.
Conclusion
You now have an Ubuntu 26.04 server with a sudo user, key-based SSH access, direct root logins disabled, a basic firewall, and current packages. A good next step is to enable automatic security updates before installing the rest of your stack.
Linuxize Weekly Newsletter
A quick weekly roundup of new tutorials, news, and tips.
About the authors
Dejan Panovski
Dejan Panovski is the founder of Linuxize, an RHCSA-certified Linux system administrator and DevOps engineer based in Skopje, Macedonia. Author of 800+ Linux tutorials with 20+ years of experience turning complex Linux tasks into clear, reliable guides.
View author page