Accessing the server
Once set up, you will have the IP address, in the form 123.456.789.012, and the root password. This means you will be able to log on to the server using ssh (secure shell), i.e.
You will get a message along the lines of
to which you will reply
and you will then get
which is when you can enter your password. Hopefully then you’ll be logged on to the server.
First things first
Root is the super user for your server. You really don’t want people to be able to log on to your server as root. What you really need is user accounts which people can use to log on, and if/when required, they can get super user privileges to do whatever they need to do.
What we are going to do is to stop root being able to secure shell straight in to the server, create a new user account to use for our admin (with upgradable privileges) and run ssh on a different port to deter basic attacks.
Change root’s password!
So you have a default root password - CHANGE IT to a new one! From a root prompt, use passwd to change the password.
Adding a new user
Will create a new user, called James - you can add in extra details as you go like full name etc.
Now we want to allow james a bit of privilege, not by default though, but by using the sudo command.
Aside - setting default editor to be vi
By default, for all users, you may want to use vi as your editor (ok, you may not, but I do!) so add the following to
Giving the new user sudo privileges
You may need to install sudo if it isn’t already installed on your server. It’s a simple case of
Then, the application visudo is your friend. You edit the config file using visudo and then sudo does the rest. When you open the file, you’ll see a section with:
By adding my own entry, it allows me to upgrade my user to super user privileges for all actions. You can limit the commands which users can run if you like using this, but if you are going to be the super user, you probably want to leave it as all.
Sorting out access
The default port is 22. Change this to something else which isn’t being used by anything else.
Stop root login
Now stop people logging in as root
Some other bits
Set the maximum number of login attempts to 3, and only allow james to log in.
As root (or sudo)
Now try logging in remotely from a different shell (i.e. keep the one you’ve just restarted sshd on open in case you have any problems!)
obviously set the p to be the port you set earlier.
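To check the result before you close that spare shell, here is an added example (not part of the original post) that audits an sshd_config file for the four changes described above. It assumes they are made with the standard OpenSSH directives Port, PermitRootLogin, MaxAuthTries and AllowUsers; the function names sshd_values and audit_sshd and the sample configs are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config file for
# the four settings described above. Ignores Include files and Match blocks.

# Print every value set for a directive, one per line. Keywords are
# case-insensitive; lines starting with '#' are comments.
sshd_values() {
    awk -v key="$2" '
        $1 ~ /^#/ { next }
        tolower($1) == tolower(key) { $1 = ""; sub(/^ +/, ""); print }
    ' "$1"
}

# audit_sshd FILE USER: prints one FAIL line per finding, returns the count.
audit_sshd() {
    cfg=$1 user=$2 fails=0
    ports=$(sshd_values "$cfg" Port)
    # No Port line means sshd listens on its default, 22.
    if [ -z "$ports" ] || printf '%s\n' "$ports" | grep -qx 22; then
        echo "FAIL Port: sshd still listens on 22"; fails=$((fails + 1))
    fi
    root=$(sshd_values "$cfg" PermitRootLogin | head -n 1)
    if [ "$root" != no ]; then
        echo "FAIL PermitRootLogin: '${root:-unset}', want 'no'"; fails=$((fails + 1))
    fi
    tries=$(sshd_values "$cfg" MaxAuthTries | head -n 1)
    case $tries in
        [1-3]) ;;
        *) echo "FAIL MaxAuthTries: '${tries:-unset}', want 3 or fewer"; fails=$((fails + 1)) ;;
    esac
    users=$(sshd_values "$cfg" AllowUsers | xargs)
    if [ "$users" != "$user" ]; then
        echo "FAIL AllowUsers: '${users:-unset}', want only '$user'"; fails=$((fails + 1))
    fi
    return "$fails"
}

# Constructed sample configs (not taken from a real server).
demo=$(mktemp -d)
printf '%s\n' '#Port 22' 'PermitRootLogin yes' > "$demo/weak"
printf '%s\n' 'Port 60' 'PermitRootLogin no' 'MaxAuthTries 3' \
    'AllowUsers james' > "$demo/hardened"
audit_sshd "$demo/weak" james || echo "weak: $? finding(s)"
audit_sshd "$demo/hardened" james && echo "hardened: ok"
rm -rf "$demo"
```

On a real server, point audit_sshd at the sshd_config file you edited and pass the one username you intend to allow.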
Stop chancers getting in
It’s also a good idea to stop people attempting to log on to your server using common passwords, usernames etc. A good way to do this is to install fail2ban, which goes some way to banning people trying to brute force their way in to your server.
Default settings are pretty good here.
UFW or Uncomplicated Firewall is a good first port of call for securing your shiny new server. You can install it as root with
Now, unlike fail2ban, ufw is installed switched off. You need to configure a few things before getting it up and running and providing that extra security. By default ALL ports are shut, so make sure you’ve opened up the ones you need before switching the firewall on!
For example, if you’ve set up your ssh to run on port 60, then you need to run
If you’re going to be running apache on port 80 (the usual)
Here are a few notes
Don’t forget to run ufw enable when you are ready!
ufw status tells you what is set up.