Let’s say you have a couple of Docker containers that run your favorite applications. You’d like to deploy these to some random server on the interwebs, so you lock down your Ubuntu server using the default UFW firewall, launch your containers and start using your applications.

You run ufw status to make sure that everything’s locked down the way it should be. Good to go! Or?

Not necessarily. You may be exposing your Docker applications to the whole world without even knowing it. There’s a long-running issue on Github explaining why. Here’s the short version: Docker is manipulating the iptables rules behind the scenes, while UFW tells you everything’s fine. Luckily, the solution is simple. Add this snippet to the file /etc/docker/daemon.json and restart Docker:

For a Docker or DevOps expert, this is probably common knowledge. For many developers and hobby server maintainers, it’s probably not. Have this in mind when deploying Docker applications to a server that is accessible to the world.

Don’t expose your Docker ports

This short guide is basically just a reminder to myself, where most of the content is based on Digital Ocean’s Initial Server Setup with Ubuntu 16.04 and my own memory.

Disclaimer: This short guide is basically just a reminder to myself, where most of the content is based on Digital Ocean’s Initial Server Setup with Ubuntu 16.04 and my own memory. There are some important steps that aren’t included in this guide. If you’re new to Linux or Ubuntu, I suggest that you read Digital Ocean’s guide instead.

All commands in this guide (unless otherwise stated) assume you are currently logged in as root.

We don’t want to use the root user when logging in to our server, so we need to create a new user.

If you’re only using keys to log in to your server (which you should), you can choose to not create a password for the new user using the --disabled-password option. Please note that you’ll be unable to use sudo with this user unless you also perform the steps in this post.

Our newly created user will typically need root privileges:

Now, if you want this user to be able to use sudo without the need for a password, here’s how to accomplish this.

At this point we’re ready to copy the public keys to the newly created user’s .ssh folder. I won’t cover all the details of this process in this guide. Please refer to the previously mentioned Digital Ocean guide if you’re uncertain of how to do this.

We will need to set the correct permissions:

Note: These commands assume you are logged in as your newly created user.

chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

Also make sure that these files are owned by the user we just created.

On new Digital Ocean droplets, this step is usually already done when creating the droplet. Just to make sure, we’ll check to see if the file /etc/ssh/sshd_config contains the following lines and that none of them are commented out:

PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no

If you did any changes, reload the SSH daemon:

Note: Try connecting to your server in a separate tab/window before disconnecting.

We need to make sure that our server doesn’t expose unnecessary ports and protocols, so lets configure UFW in the most basic way possible:

Note: At this point you should once more verify that you’re able to log in to your server.

This concludes this short guide on how to perform the initial steps when creating a new Ubuntu (16.04) server.

Basic server setup (Ubuntu)

Disabling the password needed for sudo for a specific user is very easy in Ubuntu. This method applies to Ubuntu 16.04, but probably also other versions of Ubuntu and maybe even other distros.

Note: If this is the first time you’re running this command, you’ll most likely be presented with a list of editors to choose from. Choose the one you’re most comfortable with.

Then enter the following line at the end of the file:

Make sure to replace user with the username of the user you want to allow using sudo without entering a password.

Disabling password for sudo in Ubuntu

Occasionally I write something. It'll end up here.