Accessing the server
Once set up, you will have the IP address of the server in dotted-quad form (203.0.113.10 is used as a placeholder below; it comes from the range reserved for documentation) and the root password. This means you will be able to log on to the server using ssh (secure shell) from your own machine, as root at that address.
The first time you connect, your ssh client has never seen this host, so you will get a message along the lines of "The authenticity of host '203.0.113.10' can't be established", showing the server's host key fingerprint and asking whether you are sure you want to continue connecting, to which you will reply yes. If your hosting provider shows the host key fingerprint in its control panel, compare the two before answering: this first connection is the one moment a man-in-the-middle could substitute their own key, and once you say yes the key is saved in ~/.ssh/known_hosts and trusted from then on. You will then get the password prompt, which is when you can enter the root password. Hopefully then you'll be logged on to the server and sitting at a root prompt.
First things first
root is the super user account on your server. You really don't want people to be able to log on to your server as root: every automated brute-force attempt on the internet is aimed at that one well-known account, and a single success hands over the whole machine. What you really need is ordinary user accounts which people log on with, and if/when required, they can get super user privileges to do whatever they need to do, leaving a record of who did what.
What we are going to do is stop root being able to secure shell straight in to the server, create a new user account to use for our admin (with upgradable privileges), and run ssh on a different port. Be clear about what the last one buys you: a scanner that walks every port will still find sshd, so it cuts the automated noise in your logs rather than keeping anyone determined out.
Change root’s password!
So you have a default root password, generated by someone else and quite possibly sent to you by email: CHANGE IT to a new, long, randomly generated one! From a root prompt, use passwd to change the password (with no user name given, passwd changes the password of the account you are logged in as).
Adding a new user
As root, run the distribution's add-user command (adduser james on Debian and Ubuntu). It will create a new user, called james, and ask for a password; you can add in extra details as you go like full name etc. Give james a strong password of his own, since this is the account that will be exposed to the internet once root logins are turned off.
Now we want to allow james a bit of privilege, not by default though, but on demand, by using the sudo command.
Aside - setting default editor to be vi
By default, for all users, you may want to use vi as your editor (ok, you may not, but I do!) so add export EDITOR=vi to /etc/profile. Tools such as crontab -e consult EDITOR, and on Debian-based systems so does visudo, so this also decides which editor opens the sudoers file below.
Giving the new user sudo privileges
You may need to install sudo if it isn't already installed on your server; on Debian and Ubuntu that is apt-get install sudo as root.
Then the application visudo is your friend. It opens /etc/sudoers in your editor, locks it against concurrent edits, and refuses to save a file with a syntax error, which matters because a broken sudoers file stops sudo working for everyone, including you. Never edit /etc/sudoers with a plain editor. When you open the file, you'll see a section headed "User privilege specification" containing the line for root, of the form root ALL=(ALL:ALL) ALL.
By adding an entry of the same form for my own user, it allows me to upgrade my user to super user privileges for all actions. You can limit the commands which users can run with this (a comma-separated list of absolute command paths in place of the final ALL), but if you are going to be the super user, you probably want to leave it as all. On Debian and Ubuntu the stock sudoers already grants the same to members of the sudo group, so usermod -aG sudo james is an equivalent route.
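The sudoers entry described above, written as a drop-in file rather than edited into /etc/sudoers by hand. This is an added example, not code from the original post: it assumes a Debian-style /etc/sudoers.d directory (which the stock /etc/sudoers pulls in through its trailing @includedir line) and a visudo that accepts -c -f, and it rehearses on a temporary directory so it can be run unprivileged first. The user james is the post's; the directory and the restricted "backup" entry are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds the sudoers entry for
# the new admin user and installs it as a drop-in file under a directory of
# your choice (the real one is /etc/sudoers.d). Rehearsed here on a temporary
# directory; nothing below touches /etc.

# sudoers_entry USER [COMMAND_LIST]
# Prints one sudoers line. Without a command list the user may run any command
# as any user, the "all actions" form the post describes; a comma-separated
# list of absolute paths restricts sudo to exactly those commands.
sudoers_entry() {
  printf '%s ALL=(ALL:ALL) %s\n' "$1" "${2:-ALL}"
}

# install_sudoers_dropin DIR USER [COMMAND_LIST]
# Writes DIR/USER with the 0440 mode sudo requires (it refuses group- or
# world-writable sudoers files). The file is staged under another name and
# moved into place so sudo never reads a half-written file.
install_sudoers_dropin() {
  dir=$1; user=$2; cmds=${3:-ALL}
  target="$dir/$user"
  (umask 077 && sudoers_entry "$user" "$cmds" > "$target.tmp") || return 1
  chmod 0440 "$target.tmp" || return 1
  mv "$target.tmp" "$target"
}

# check_sudoers_file FILE
# Asks visudo to parse FILE without touching /etc/sudoers. Run this as root on
# the real drop-in before relying on it: a syntax error in any included file
# makes sudo refuse to run at all, the very lockout visudo exists to prevent.
check_sudoers_file() {
  visudo -c -f "$1"
}

# Rehearsal on a constructed temporary directory (assumed values).
demo_dir=$(mktemp -d)
install_sudoers_dropin "$demo_dir" james
install_sudoers_dropin "$demo_dir" backup "/usr/bin/systemctl restart apache2"
echo "Generated drop-ins in $demo_dir:"
for f in "$demo_dir"/*; do
  printf '  %s: %s\n' "$(basename "$f")" "$(cat "$f")"
done
if command -v visudo >/dev/null 2>&1; then
  check_sudoers_file "$demo_dir/james" && echo "visudo accepted the james entry"
fi
```

On the real server run install_sudoers_dropin /etc/sudoers.d james as root, then check_sudoers_file /etc/sudoers.d/james, and confirm with sudo -l -U james that the grant is what you meant before logging out of the root session.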
Sorting out access
Let's stop people attempting to log on to the server as root via ssh, and also run ssh on a different port than the default. Both are settings in /etc/ssh/sshd_config, which you edit as root (or with sudo). There is a lot of good advice on hardening this file elsewhere; what follows is the minimum.
Amend port
The default port is 22. Change the Port directive to something else which isn't being used by anything else on the server (ss -ltn lists what is already listening). Remember that the new port has to be let through any firewall you set up later, and that fail2ban needs to be told about it too.
Stop root login
Now stop people logging in as root: set PermitRootLogin to no. Newer OpenSSH releases default this to prohibit-password, which still lets root in with a key; no means no.
Some other bits
Give the maximum number of log in attempts per connection as 3 with MaxAuthTries 3, and only allow james to log in with AllowUsers james. AllowUsers is a whitelist: once it is present, every account not listed, root included, is refused, so get the name right and list every user who needs access, separated by spaces.
Restart sshd
As root (or with sudo), first have sshd check the file, since a typo will leave the service unable to start and you with no way back in: sshd -t prints nothing when the configuration is fine. Then restart the service (systemctl restart ssh on Debian and Ubuntu; on distributions that call the service sshd, use that name).
Now try logging in remotely from a different shell (i.e. keep the one you've just restarted sshd on open in case you have any problems!): ssh -p <port> james@<address>, with the port obviously set to the one you chose earlier. Only once that works, and sudo works from the new session, should you close the original one.
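The sshd_config changes above (Port, PermitRootLogin, MaxAuthTries, AllowUsers) applied by a script rather than by hand. This is an added example, not code from the original post. It edits a file you name, so you can rehearse on a copy and only then point it at /etc/ssh/sshd_config; port 2222, the user james and the sample config are assumptions. It also handles two things a hand edit easily gets wrong: sshd honours only the first occurrence of a keyword, and anything after a Match block applies only inside that block.

```shell
#!/bin/sh
# Added example, not code from the original post. Makes the sshd_config
# changes idempotently on a file you name. Rehearsed below on a constructed
# sample; run check_sshd_config on the real file before restarting sshd.

# set_sshd_option FILE KEY VALUE
# Replaces the first occurrence of KEY, active or commented out (sshd matches
# keywords case-insensitively), drops any later duplicates (sshd uses the first
# occurrence only, so a stale second "Port 22" would silently win), and appends
# the directive if it was absent. A new directive is inserted above the first
# Match block rather than after it, where it would apply to that block only.
set_sshd_option() {
  file=$1; key=$2; value=$3
  tmp=$(mktemp) || return 1
  awk -v k="$key" -v v="$value" '
    BEGIN { re = "^[ \t]*#?[ \t]*" tolower(k) "([ \t]|$)" }
    tolower($0) ~ re { if (!done) { print k " " v; done = 1 }; next }
    tolower($0) ~ "^[ \t]*match([ \t]|$)" && !done { print k " " v; done = 1 }
    { print }
    END { if (!done) print k " " v }
  ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
  # cat rather than mv: keeps the original file's owner, mode and inode
  cat "$tmp" > "$file"
  rm -f "$tmp"
}

# get_sshd_option FILE KEY
# Prints the value sshd would use: the first active occurrence, or nothing.
get_sshd_option() {
  awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# harden_sshd FILE PORT USER: the four settings from the post, in one go.
harden_sshd() {
  set_sshd_option "$1" Port "$2" &&
  set_sshd_option "$1" PermitRootLogin no &&
  set_sshd_option "$1" MaxAuthTries 3 &&
  set_sshd_option "$1" AllowUsers "$3"
}

# check_sshd_config FILE
# sshd -t parses the file and is silent on success. Run it as root on the real
# file before restarting: a typo means the restart leaves you locked out.
check_sshd_config() {
  sshd -t -f "$1"
}

# Rehearsal on a constructed sample (not a real server's config).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample sshd_config
#Port 22
PermitRootLogin yes
MaxAuthTries 6
Match User backup
    PasswordAuthentication no
EOF
harden_sshd "$sample" 2222 james
echo "Hardened config:"
cat "$sample"
echo "sshd would listen on port $(get_sshd_option "$sample" Port)"
```

To use it for real: cp /etc/ssh/sshd_config /root/sshd_config.bak, then harden_sshd /etc/ssh/sshd_config 2222 james, then check_sshd_config /etc/ssh/sshd_config, and only then restart the service and test the new login from a second terminal as described above.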
Stop chancers getting in
It's also a good idea to stop people hammering your server with common passwords, usernames etc. A good way to do this is to install fail2ban (apt-get install fail2ban on Debian and Ubuntu), which watches the authentication log and temporarily bans addresses that keep failing, going some way to stopping people brute forcing their way in to your server. Default settings are pretty good here, with one catch if you moved ssh off port 22: the sshd jail's default port is ssh, which resolves to 22, and a ban only blocks the ports listed for the jail, so set port = <your port> under [sshd] in /etc/fail2ban/jail.local (jail.conf is replaced on upgrades, so local overrides live in jail.local).
Firewall configuration
UFW or Uncomplicated Firewall is a good first port of call for securing your shiny new server. You can install it as root with apt-get install ufw on Debian and Ubuntu.
Now, unlike fail2ban, ufw is installed switched off. You need to configure a few things before getting it up and running and providing that extra security. Once it is on, by default ALL incoming ports are shut (outgoing traffic is allowed), so make sure you've opened up the ones you need before switching the firewall on, otherwise enabling it from an ssh session cuts that session off!
For example, if you've set up your ssh to run on port 60, then you need to run ufw allow 60/tcp. If you're going to be running apache on port 80 (the usual), ufw allow 80/tcp.
A few notes. Don't forget to run ufw enable when you are ready! It warns that it may disrupt existing ssh connections, which is fine as long as your ssh rule is already in. ufw status tells you what is set up, and ufw status numbered numbers each rule so you can remove one with ufw delete.
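The firewall and fail2ban steps above, done in a way that cannot leave sshd, ufw and fail2ban disagreeing about the port: the port is read once from sshd_config and fed to both. This is an added example, not code from the original post. The ufw and fail2ban commands and settings are the real ones; the config path, the fail2ban directory and port 2222 are assumptions, and privileged commands are printed rather than run unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not code from the original post. Reads the ssh port from an
# sshd_config, then opens it in ufw before enabling the firewall and writes the
# matching fail2ban override. Rehearsed below on constructed files.

DRY_RUN=${DRY_RUN:-1}

# run COMMAND...: execute, or in dry-run mode print what would be executed
run() {
  if [ "$DRY_RUN" = 1 ]; then echo "$@"; else "$@"; fi
}

# ssh_port_from_config FILE
# The first active Port directive, or 22 if there is none (sshd's default).
ssh_port_from_config() {
  p=$(awk 'tolower($1) == "port" { print $2; exit }' "$1")
  printf '%s\n' "${p:-22}"
}

# configure_firewall SSH_PORT [EXTRA_PORT...]
# Order matters: the rules, ssh first, must exist before enable. ufw's defaults
# are deny incoming / allow outgoing; they are set explicitly so the script
# does not depend on them. --force skips the interactive "may disrupt existing
# ssh connections" prompt, which is only safe because the ssh rule is in place.
configure_firewall() {
  ssh_port=$1; shift
  run ufw default deny incoming
  run ufw default allow outgoing
  run ufw allow "$ssh_port/tcp"
  for extra in "$@"; do run ufw allow "$extra/tcp"; done
  run ufw --force enable
  run ufw status numbered
}

# write_jail_local DIR SSH_PORT
# fail2ban's sshd jail defaults to port "ssh", i.e. 22, and a ban only blocks
# the jail's listed ports; after moving sshd this override is what makes the
# ban bite. It goes in jail.local, since jail.conf is replaced on upgrade.
write_jail_local() {
  cat > "$1/jail.local" <<EOF
[sshd]
enabled = true
port = $2
EOF
}

# Rehearsal with a constructed sshd_config and a temporary fail2ban directory.
cfg=$(mktemp); f2b=$(mktemp -d)
printf '%s\n' '#Port 22' 'Port 2222' 'PermitRootLogin no' > "$cfg"
port=$(ssh_port_from_config "$cfg")
echo "ssh port from config: $port"
configure_firewall "$port" 80
write_jail_local "$f2b" "$port"
echo "--- $f2b/jail.local"
cat "$f2b/jail.local"
```

For real use, as root: port=$(ssh_port_from_config /etc/ssh/sshd_config), DRY_RUN=0 configure_firewall "$port" 80, write_jail_local /etc/fail2ban "$port", then systemctl restart fail2ban and check fail2ban-client status sshd reports the new port.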