This guide covers the most important tasks for running Ubuntu Server 26.04 LTS Resolute Raccoon – from first login through user management, firewall setup, SSH hardening, web servers, and databases. It is based on Canonical’s official Ubuntu Server documentation. If you are still on the download and install step, see the Ubuntu Server 26.04 download and install guide first.
Complete Administration Manual
Everything you need to set up, secure, and run a production-ready Ubuntu Server. Packages, users, firewall, SSH, web servers, databases – all in one place.
Package Management with APT
APT (Advanced Package Tool) is how you install, update, and remove software on Ubuntu Server. Every package management task starts here.
sudo apt update
This refreshes the local package database. It does not install anything. Run this before any install or upgrade.
sudo apt upgrade -y
Installs all available updates for packages already on your system. The -y flag skips the confirmation prompt.
sudo apt install package-name
Replace package-name with what you want to install. APT will resolve dependencies automatically.
sudo apt remove package-name
sudo apt purge package-name
remove uninstalls the package but keeps config files. purge removes the package and all its config files. Use purge when you want a clean slate.
sudo apt autoremove
After removing a package, its dependencies may still be installed. This cleans them up. Run it periodically to keep the system tidy.
apt search keyword
apt show package-name
apt search lists matching packages. apt show gives you the description, version, and dependencies for a specific package before you install it.
User Management
Controlling who can log in and what they can do is a core part of server security. Ubuntu Server 26.04 uses sudo-rs by default – a memory-safe Rust rewrite of sudo – but all commands work identically to classic sudo.
sudo adduser username
This creates the user, sets a password, and creates a home directory at /home/username. Home directories on Ubuntu 26.04 are private (0750 permissions) by default.
sudo usermod -aG sudo username
Adds the user to the sudo group. They will be able to run commands with elevated privileges using sudo. The change takes effect at their next login.
cat /etc/passwd | cut -d : -f 1,3 | grep -E ':[0-9]{4,}'
This filters out system accounts and shows only real human users (UID 1000 and above). The full /etc/passwd file lists every user including system accounts.
sudo deluser username
sudo deluser --remove-home username
The first command removes the account but keeps the home directory. Add --remove-home to delete it too. If you keep the folder, reassign its ownership to root to prevent future UID conflicts.
sudo chage -M 90 -m 5 -W 14 username
Sets a 90-day maximum password age, 5-day minimum, and a 14-day warning before expiry. Run sudo chage -l username to view current policy for a user.
UFW Firewall
UFW (Uncomplicated Firewall) is the default firewall tool on Ubuntu Server. It wraps iptables with a simpler command interface. Always allow SSH before enabling UFW – otherwise you will lock yourself out of a remote server.
Run sudo ufw allow OpenSSH before sudo ufw enable. Enabling UFW without allowing SSH will immediately drop your connection and lock you out.
sudo ufw allow OpenSSH
sudo ufw enable
sudo ufw status
Allow SSH first, then enable. The status command shows all active rules and whether UFW is running.
sudo ufw allow 80 # HTTP
sudo ufw allow 443 # HTTPS
sudo ufw allow 3306 # MySQL
sudo ufw allow 5432 # PostgreSQL
Open ports by number, or use named services like http and https. Only open what you actually need.
sudo ufw allow from 203.0.113.10 to any port 22
Restricts SSH access to a single IP address. Replace 203.0.113.10 with your actual IP. This is one of the most effective ways to protect SSH.
sudo ufw status numbered
sudo ufw delete 2
List rules with numbers first, then delete by number. This is safer than trying to delete by rule text.
sudo ufw --dry-run allow http
Shows exactly what iptables rules would be created without actually applying them. Useful for checking your changes before committing.
Some packages register UFW application profiles – named sets of ports for that service. To see them:
sudo ufw app list
sudo ufw allow 'Apache Full'
sudo ufw allow 'Nginx Full'
SSH Hardening
SSH is almost certainly the primary way you access your server. Securing it properly is not optional. The following steps cover the most impactful hardening measures, all from the official Ubuntu documentation.
ssh-keygen -t ed25519 -C "your-label"
Ed25519 is the recommended key type – it is faster and more secure than RSA. Run this on your local machine, not the server. It creates a public/private key pair.
ssh-copy-id username@server-ip
This adds your public key to ~/.ssh/authorized_keys on the server. After this step, you can log in without a password.
sudo nano /etc/ssh/sshd_config
Open the SSH server config file and make these changes:
| Setting | Change to | Why |
|---|---|---|
| PermitRootLogin | no | Root login is a primary attack target. Always disable it and use a regular user with sudo instead. |
| PasswordAuthentication | no | Disables password login entirely. Only SSH key login works. Set this only after your key is working. |
| PubkeyAuthentication | yes | Confirms that public key authentication is enabled. This should already be yes by default. |
| X11Forwarding | no | Disables graphical forwarding. Not needed on a headless server and reduces the attack surface. |
| AllowGroups | sshlogin | Restricts SSH login to users in the sshlogin group. Create the group and add users explicitly. |
sudo systemctl restart ssh
Do not close your current SSH session until you have confirmed login works in a new terminal window. If you lock yourself out, you will need console access to fix it.
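The settings table above can be checked mechanically before you restart SSH. The script below is an added example, not part of the original guide or of Canonical's documentation; the function names and the sample config are constructed for illustration. It shows a trap the table alone does not: sshd keeps the first value it reads for a keyword, so an earlier PasswordAuthentication yes silently beats a later no.

```shell
#!/bin/sh
# Added example: audit an sshd_config-style file against the table above.
# sshd keeps the FIRST value read per keyword; keywords are case-insensitive.
# Not handled: Include files, "Keyword=value" syntax, Match-block settings.

# effective_value FILE KEYWORD -> first global value set for KEYWORD
effective_value() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ { next }                  # comment line
        tolower($1) == "match" { exit }      # global section ends here
        tolower($1) == want { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# audit_sshd FILE -> one line per setting; status = failure count (unset fails)
audit_sshd() {
    fails=0
    while read -r key expected; do
        actual=$(effective_value "$1" "$key")
        if [ "$actual" = "$expected" ]; then
            echo "OK    $key $actual"
        else
            echo "FAIL  $key: want '$expected', found '${actual:-unset}'"
            fails=$((fails + 1))
        fi
    done <<EOF
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
X11Forwarding no
AllowGroups sshlogin
EOF
    return "$fails"
}

# write_sample -> path of a constructed config with a duplicate-keyword trap
write_sample() {
    tmp=$(mktemp) || return 1
    printf '%s\n' '# constructed sample, not from a real server' \
        'PermitRootLogin no' 'passwordauthentication yes' \
        'PubkeyAuthentication yes' 'X11Forwarding no' \
        'AllowGroups sshlogin' 'PasswordAuthentication no' >"$tmp"
    echo "$tmp"
}

sample=$(write_sample)
audit_sshd "$sample" || echo "$? setting(s) differ from the table"
rm -f "$sample"
```

On a live server, sudo sshd -t checks the configuration for syntax errors before you restart, and sudo sshd -T prints the effective configuration, including anything pulled in by Include lines.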
AppArmor
AppArmor is Ubuntu’s mandatory access control system. It limits what individual programs can do – which files they can read, which network ports they can use, and what system calls they can make. It is enabled by default on Ubuntu Server 26.04.
sudo apparmor_status
Shows all loaded profiles and whether each one is in enforce or complain mode. Enforce mode blocks violations. Complain mode logs them but allows them through.
sudo aa-complain /path/to/binary
Use complain mode to see what a program is doing without blocking it. Check dmesg or journal logs to see what would have been denied.
sudo aa-enforce /path/to/binary
Puts the profile back into enforce mode. Leave all profiles in enforce mode on production servers unless you are actively debugging something.
AppArmor profiles live in /etc/apparmor.d/. If you install a package that has a known profile, it will appear here automatically. You should not need to modify these unless you are running a custom application or a non-standard configuration.
Web Servers – Apache2 and Nginx
Ubuntu Server 26.04 fully supports both Apache2 and Nginx. They serve different purposes and you only need one for most setups. Install the one that fits your use case.
Apache2 is best for: Traditional web hosting, shared hosting setups, PHP applications (WordPress, Drupal, Laravel), and situations where .htaccess per-directory config is needed.
sudo apt install apache2
sudo systemctl enable apache2
sudo systemctl start apache2
Nginx is best for: High-traffic sites, reverse proxy setups (proxying to Node.js, Python, or Go apps), static file serving, and load balancing.
sudo apt install nginx
sudo systemctl enable nginx
sudo systemctl start nginx
Apache2 – Key Commands
sudo a2ensite your-site.conf
sudo a2dissite 000-default.conf
sudo systemctl reload apache2
sudo a2enmod rewrite ssl
sudo systemctl restart apache2
sudo apache2ctl configtest
Nginx – Key Commands
sudo ln -s /etc/nginx/sites-available/your-site /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl reload nginx
sudo nginx -t && sudo systemctl reload nginx
Databases – MySQL and PostgreSQL
Ubuntu Server 26.04 ships both MySQL and PostgreSQL in the main package archive. Both are production-ready. MySQL is more common in web stacks (WordPress, PHP). PostgreSQL is preferred for complex relational data and is stricter about SQL standards.
sudo apt install mysql-server
sudo mysql_secure_installation
sudo mysql
mysql_secure_installation sets the root password, removes the test database, and disables anonymous login. Run it immediately after install.
sudo apt install postgresql
sudo -u postgres psql
PostgreSQL creates a system user called postgres during install. Use sudo -u postgres psql to access the database shell as that user.
Common MySQL Tasks
CREATE DATABASE mydb;
CREATE USER 'myuser'@'localhost' IDENTIFIED BY 'strongpassword';
GRANT ALL PRIVILEGES ON mydb.* TO 'myuser'@'localhost';
FLUSH PRIVILEGES;
sudo systemctl status mysql
Automatic Security Updates
Ubuntu Server 26.04 includes unattended-upgrades for applying security patches automatically. This is especially important for VPS servers and any machine exposed to the internet.
sudo apt install unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades
The reconfigure step walks you through enabling automatic updates interactively. Select yes when asked.
sudo unattended-upgrades --dry-run --debug
Shows what would be updated without actually installing anything. Good for verifying the config is correct.
cat /var/log/unattended-upgrades/unattended-upgrades.log
Review this log periodically to confirm updates are being applied and to catch any that required a manual restart.
Quick Reference – Essential Commands
| Task | Command |
|---|---|
| Update + upgrade everything | sudo apt update && sudo apt upgrade -y |
| Check firewall status | sudo ufw status verbose |
| Check failed login attempts | sudo grep "Failed password" /var/log/auth.log |
| Check running services | sudo systemctl list-units --type=service --state=running |
| Check disk usage | df -h |
| Check memory usage | free -h |
| View system logs (live) | sudo journalctl -f |
| Restart a service | sudo systemctl restart service-name |
| Enable service at boot | sudo systemctl enable service-name |
| View top processes | htop (or top if htop not installed) |
Frequently Asked Questions
What is Ubuntu Server 26.04 LTS used for?
Ubuntu Server 26.04 LTS is used to run web servers, database servers, file servers, VPS instances, home labs, cloud workloads, and other backend services. It has no graphical interface and is managed entirely through the command line. It receives free security updates until April 2031, with extended coverage to 2036 through Ubuntu Pro.
How do I update all packages on Ubuntu Server 26.04?
Run two commands in sequence: first sudo apt update to refresh the package index, then sudo apt upgrade to install all available updates. You can combine them: sudo apt update && sudo apt upgrade -y. Run this immediately after a fresh install and regularly thereafter.
How do I enable the firewall on Ubuntu Server 26.04?
Ubuntu Server uses UFW. Before enabling it, always allow SSH first so you do not lock yourself out: sudo ufw allow OpenSSH. Then enable: sudo ufw enable. Check the status with sudo ufw status. Add rules for other services as needed, for example sudo ufw allow 80 for HTTP.
How do I add a new user on Ubuntu Server 26.04?
Run sudo adduser username, replacing username with the name you want. The command will prompt you for a password and optional profile details. To give the user sudo privileges, run sudo usermod -aG sudo username. The user can then run commands with elevated permissions using sudo.
How do I harden SSH on Ubuntu Server 26.04?
The most effective steps are: disable root login (PermitRootLogin no in /etc/ssh/sshd_config), disable password authentication and use SSH keys instead (PasswordAuthentication no), and optionally restrict SSH to specific users using AllowGroups. Restart SSH after changes: sudo systemctl restart ssh. Always confirm your key login works in a second terminal before closing your current session.
What web servers does Ubuntu Server 26.04 support?
Ubuntu Server 26.04 fully supports both Apache2 and Nginx. Apache2 is the most widely used and easiest to configure for beginners, especially for PHP applications. Nginx is preferred for high-traffic sites and reverse proxy setups. Both are available directly from the Ubuntu package archive via sudo apt install apache2 or sudo apt install nginx.
How do I install MySQL on Ubuntu Server 26.04?
Run sudo apt install mysql-server to install MySQL. After installation, run sudo mysql_secure_installation to set a root password, remove anonymous users, and disable remote root login. Access the MySQL shell with sudo mysql. PostgreSQL is also available via sudo apt install postgresql if you prefer that instead.
Official Resources and Community
Go deeper with these official Canonical resources and community hubs for Ubuntu Server.
The full official server guide by Canonical. Networking, storage, virtualisation, containers, and more.
What changed in Resolute Raccoon – new features, known issues, and upgrade notes direct from Canonical.
Forums, Ask Ubuntu, IRC, and mailing lists. Official hub for help from the Ubuntu community.
Canonical’s official forum. Active threads on Ubuntu Server, cloud, and LTS releases.
Active community for Ubuntu questions, tips, and news. Good for real-world troubleshooting from other server operators.
The Ubuntu Documentation Project wiki. Deep-dive articles on server config, networking, and security.
