The commands, tricks and cautions used here have been tested only on an Ubuntu 12.04 VPS. Most of them should work on other Unix-like systems without change.
In this lesson we will see how a newly launched server should be configured for basic security and proper access. When you open a new cloud/VPS server with Rackspace, DigitalOcean or a similar provider, you usually receive an IP address and a root password for logging in as root.
1. Connecting to the remote system using SSH:
SSH (Secure Shell) is the protocol used to log in securely to a remote system, and ssh is also the name of the Linux client program that connects to a remote server over that protocol.
The first time you connect, the client does not yet know the server's host key, so the terminal shows the key's fingerprint and prompts:
.... Are you sure you want to continue connecting (yes/no)?
Answering yes stores that host key in ~/.ssh/known_hosts and every later connection is checked against it, so this first answer is the one moment an attacker on the network path could substitute a server of their own. If your provider shows the host key fingerprint in its control panel, compare it before typing yes. Type yes, press Enter, and at the next prompt enter the root password the provider gave you when the VPS was created. We are now logged in to the remote system as root.
2. Change the root password:
The root password used so far was generated by the provider and delivered to you by e-mail or through a control panel, so it must be treated as exposed; changing it is the first task. Enter the following command on the terminal.
It first asks for the current root password and then for the new password, twice for confirmation. Choose a long random password and keep it in a password manager: even after we disable root logins over SSH later in this lesson, this password is still what the provider's rescue console asks for.
3. Create a new user:
We are logged in as root and have changed its password. Doing day-to-day work as root on a VPS is discouraged (every typo runs with full privileges, and nothing in the logs records which person did what), so we will create a new user named "nuhil" and grant that user root-equivalent privileges through sudo. Type the following command on the terminal and press Enter.
It first asks for the new user's password (twice) and then for some optional details about the user; after the password you can skip the remaining prompts by pressing Enter.
4. Give root privileges to the new user nuhil:
So far only root has administrative capabilities. Once nuhil is listed in the sudo configuration, the user runs a privileged command by prefixing it with sudo (and is asked for nuhil's own password, not root's). Let's edit the sudo configuration. Type the following and press Enter. One caution matters here: a syntax error in /etc/sudoers disables sudo for every user, and with root SSH logins turned off later in this lesson that can lock you out of administration entirely, so the safer way to edit the file is the visudo command, which checks the syntax before it saves.
Find the commented line called “User privilege specification”. Under that line there should be,
root ALL=(ALL:ALL) ALL
Under this line add the following line,
nuhil ALL=(ALL:ALL) ALL
Press Ctrl+X, then Y, then Enter to save the file and exit the editor.
5. A little bit of security:
We can configure the SSH server by editing its configuration file, /etc/ssh/sshd_config:
Find the line that sets the listening port,
and change it to something like,
Any number between 1025 and 65535 that no other service on the machine uses will do; 3456 is the port used in the rest of this lesson. Be clear about what this buys you: a port scan finds the new port in seconds, so it does not stop a targeted attacker, but it removes nearly all of the automated password-guessing noise that hits port 22 from your logs. (Important: if your provider enforces a firewall or security group, for example on an Amazon EC2 instance, add a rule allowing the new port there before you reload SSH, or you will lock yourself out.) Now change the PermitRootLogin line so that root can no longer log in over SSH at all; from now on administration goes through nuhil and sudo:
Add the following two lines at the bottom of the file (if the file contains a Match block, put them above it, because options written after a Match line apply only inside that block),
UseDNS no
AllowUsers nuhil
UseDNS no stops sshd from doing a reverse DNS lookup on every connecting client, which otherwise makes logins hang when DNS is slow or broken. AllowUsers limits SSH login to the users listed on that line; everyone else, root included, is rejected even with a correct password. Save the file and exit. Let's reload the SSH server,
Now test the new configuration by logging in from a new terminal window. Keep the existing root session open: if the new configuration causes an unexpected problem you can still fix it from there, whereas closing it would leave you with only the provider's console. Type the following command,
ssh -p 3456 nuhil@your_server_ip
Give nuhil's password when asked and you are logged in! Now log out by typing,
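The edits of steps 4 and 5 written as a script, as an added example that is not part of the original tutorial. It rewrites a copy of sshd_config idempotently (running it twice does not duplicate lines), keeps every new setting in the global section above any Match block (sshd applies options written after a Match line only inside that block, which is why "add at the bottom" is not always safe), and puts the sudo grant for nuhil in a drop-in file that visudo syntax-checks before it is trusted. Port 3456 and the user nuhil are the tutorial's; the function names, the constructed sample configuration and the use of /etc/sudoers.d (which Ubuntu's default /etc/sudoers includes with an #includedir line) are this example's assumptions. The PasswordAuthentication change from the optional section is a separate function, because it must only be applied once a key login has been verified.

```bash
#!/bin/bash
# Added example, not part of the tutorial: the sshd_config edits of step 5
# and the sudo grant of step 4 as idempotent functions. File paths are
# parameters so the functions can be tried on a copy before touching /etc.

# set_sshd_option FILE KEYWORD VALUE
# Rewrites FILE so the global section contains exactly one "KEYWORD VALUE"
# line: the first existing copy (commented out or not) is replaced in place
# and any later copies are dropped. Lines from the first "Match" block
# onward are left untouched, because options there apply only inside that
# block. An absent keyword is inserted at the top, which is always global.
set_sshd_option() {
    local file=$1 key=$2 value=$3 tmp status=0
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v value="$value" '
        BEGIN { pat = "^[ \t]*#?[ \t]*" key "([ \t]|$)" }
        /^[ \t]*Match([ \t]|$)/ { in_match = 1 }
        !in_match && $0 ~ pat {
            if (!done) { print key " " value; done = 1 }
            next
        }
        { print }
        END { if (!done) exit 3 }
    ' "$file" > "$tmp" || status=$?
    case $status in
        0) ;;
        3) { printf '%s %s\n' "$key" "$value"; cat "$file"; } > "$tmp" ;;
        *) rm -f "$tmp"; return "$status" ;;
    esac
    mv "$tmp" "$file"
}

# sshd_option_value FILE KEYWORD: prints the effective global value
sshd_option_value() {
    awk -v key="$2" '
        /^[ \t]*Match([ \t]|$)/ { exit }
        $1 == key { print $2; exit }
    ' "$1"
}

# harden_sshd_config FILE PORT USER: the four settings from step 5
harden_sshd_config() {
    local file=$1 port=$2 user=$3
    set_sshd_option "$file" Port "$port"
    set_sshd_option "$file" PermitRootLogin no
    set_sshd_option "$file" UseDNS no
    set_sshd_option "$file" AllowUsers "$user"
}

# disable_password_auth FILE: the change from the optional key-only section;
# apply it only after a key login has been verified to work
disable_password_auth() {
    set_sshd_option "$1" PasswordAuthentication no
}

# write_sudoers_dropin DIR USER: step 4 as the drop-in file DIR/USER instead
# of editing /etc/sudoers itself (on the server DIR is /etc/sudoers.d).
# visudo -c validates the file first: a broken sudoers file disables sudo
# for everyone. The check is skipped where visudo is not installed.
write_sudoers_dropin() {
    local dir=$1 user=$2 f="$1/$2"
    printf '%s ALL=(ALL:ALL) ALL\n' "$user" > "$f"
    chmod 0440 "$f"
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$f" >/dev/null
    fi
}

# sample_sshd_config FILE: a small constructed stand-in for the real file
# (not Ubuntu's actual default), with a Match block the edits must not touch
sample_sshd_config() {
cat > "$1" <<'EOF'
# constructed sample, not a real sshd_config
Port 22
#PermitRootLogin yes
PermitRootLogin yes
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF
}

demo() {
    local d
    d=$(mktemp -d)
    sample_sshd_config "$d/sshd_config"
    harden_sshd_config "$d/sshd_config" 3456 nuhil
    disable_password_auth "$d/sshd_config"
    write_sudoers_dropin "$d" nuhil
    cat "$d/sshd_config" "$d/nuhil"
    rm -rf "$d"
}
if [ "${BASH_SOURCE[0]}" = "$0" ]; then demo; fi
```

On the server, run the functions against /etc/ssh/sshd_config and /etc/sudoers.d as root, then validate with sudo sshd -t before sudo reload ssh (on releases that use systemd instead of Upstart the reload is sudo systemctl reload ssh), keeping the existing root session open until a fresh login as nuhil has succeeded.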
Optional: turning off password authentication and logging in with a key only:
Key-based authentication works with a pair of keys: a private key and a public key. The private key lives on the client machine and must be kept secret; the public key can be given to anyone or placed on any server you want to access. The server challenges the client to prove possession of the private key, so a password guessed or leaked elsewhere is no longer enough to get in.
Check whether you already have such a pair on your local machine: go to the ".ssh" folder and list it,
cd ~/.ssh
ls -l
If id_rsa and id_rsa.pub are already there, go to the "Copy" step; otherwise create them with the following command in your local machine's terminal. Accept the default file name, and when ssh-keygen asks for a passphrase, set one: it encrypts the private key on disk, so a copy of the file stolen from your laptop is useless on its own.
ssh-keygen -t rsa
Now copy the public key to the remote server with this command,
scp -P 3456 ~/.ssh/id_rsa.pub nuhil@your_server_ip:/home/nuhil/
It asks for nuhil's password and then copies your public key into nuhil's home directory. Only id_rsa.pub is copied; the private key never leaves your machine.
Now log in to your cloud server as nuhil, create a directory called ".ssh" in nuhil's home and move the public key into it under the name authorized_keys. (On a fresh server there is no authorized_keys yet; if one already existed, for example because the provider installed a key for you, you would append the new key to it rather than replace the file.)
ssh -p 3456 nuhil@your_server_ip
mkdir /home/nuhil/.ssh
mv /home/nuhil/id_rsa.pub /home/nuhil/.ssh/authorized_keys
Set the permissions exactly as follows. sshd, with StrictModes enabled as it is by default, silently ignores authorized_keys if the file, the .ssh directory or the home directory is writable by anyone other than the owner, and the symptom is a confusing fall-back to password login rather than an error message,
chown -R nuhil:nuhil /home/nuhil/.ssh
chmod 700 /home/nuhil/.ssh
chmod 600 /home/nuhil/.ssh/authorized_keys
Earlier we set PermitRootLogin to no; now we will also disable password authentication, so that possession of nuhil's private key becomes the only way in over SSH. Before doing this, open a second terminal and repeat the ssh login above: it must log you in without asking for nuhil's account password. If it still asks, the key was not installed correctly, and disabling passwords now would lock you out. Once the key login works, edit the config file by typing,
sudo nano /etc/ssh/sshd_config
Find the PasswordAuthentication line, uncomment it if it is commented out, and set it to no, like the following,
Reload the SSH server again by,
sudo reload ssh
Finally, let's log out,
Now type the following in your terminal again,
ssh -p 3456 nuhil@your_server_ip
and it logs you in without asking for nuhil's password. (If you set a passphrase on the key, ssh asks for that instead; the passphrase unlocks the key file locally and is never sent to the server.) From here on, SSH access to this server requires nuhil's private key; the root password and nuhil's password only matter at the provider's console.
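The key installation from this optional section, as an added example that is not from the original post. The tutorial's mv replaces whatever authorized_keys already exists, so this version appends the key only if that exact line is not already present, refuses input that is not an OpenSSH public key line (pasting the private key by mistake is a classic), sets the permissions StrictModes requires, and offers a check for them. The home directory is a parameter so the functions can be run against a scratch directory; on the server you would pass /home/nuhil. The sample key lines are constructed and are not real keys; the function names are this example's own.

```bash
#!/bin/bash
# Added example, not part of the tutorial: install a public key into a
# user's authorized_keys without clobbering keys already there, set the
# permissions sshd's StrictModes requires, and verify them.

# install_authorized_key HOME PUBKEY_FILE
install_authorized_key() {
    local home=$1 pubkey_file=$2 key
    local dir="$home/.ssh" auth="$home/.ssh/authorized_keys"
    key=$(head -n 1 "$pubkey_file") || return 1
    # Accept only OpenSSH public key lines (ed25519 needs a newer OpenSSH
    # than Ubuntu 12.04 ships, but the check is harmless there).
    case $key in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "not an OpenSSH public key line: $pubkey_file" >&2; return 1 ;;
    esac
    mkdir -p "$dir"
    touch "$auth"
    # Append only if this exact line is absent, so re-running is harmless
    # and keys installed earlier (e.g. by the provider) are kept.
    grep -qxF -- "$key" "$auth" || printf '%s\n' "$key" >> "$auth"
    chmod 700 "$dir"
    chmod 600 "$auth"
}

# authorized_key_count HOME: number of key lines in authorized_keys
authorized_key_count() {
    local auth="$1/.ssh/authorized_keys"
    [ -f "$auth" ] || { echo 0; return; }
    grep -cE '^(ssh-|ecdsa-)' "$auth" || true
}

# check_ssh_perms HOME: succeeds only if .ssh is mode 0700 and
# authorized_keys is mode 0600; with StrictModes (the default) sshd
# ignores the file, and falls back to password login, when they are looser.
check_ssh_perms() {
    local dir="$1/.ssh" auth="$1/.ssh/authorized_keys"
    [ -n "$(find "$dir" -maxdepth 0 -perm 700 2>/dev/null)" ] &&
    [ -n "$(find "$auth" -maxdepth 0 -perm 600 2>/dev/null)" ]
}

# Constructed sample public key lines for the demo; the base64 blobs are
# placeholders, not real keys.
SAMPLE_KEY_1='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructedExampleNotARealKey nuhil@laptop'
SAMPLE_KEY_2='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructedExampleNotARealKey nuhil@desktop'

demo() {
    local home
    home=$(mktemp -d)
    printf '%s\n' "$SAMPLE_KEY_1" > "$home/id_rsa.pub"
    install_authorized_key "$home" "$home/id_rsa.pub"
    install_authorized_key "$home" "$home/id_rsa.pub"   # second run: no duplicate
    printf '%s\n' "$SAMPLE_KEY_2" > "$home/other.pub"
    install_authorized_key "$home" "$home/other.pub"    # a second key is appended
    echo "keys installed: $(authorized_key_count "$home")"
    check_ssh_perms "$home" && echo "permissions OK"
    rm -rf "$home"
}
if [ "${BASH_SOURCE[0]}" = "$0" ]; then demo; fi
```

The ssh-copy-id program that ships with OpenSSH does the same job in one step from the client side; the functions here show what it has to get right, and check_ssh_perms is the first thing to run when a key login unexpectedly falls back to asking for a password.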