Whenever you set up a new remote server, there are a few configuration steps you should take early on as part of the basic setup. They improve the security and usability of the server and give you a solid foundation for everything that follows. Do at least the steps listed here before installing any application.
Update your server
Do this regularly, ideally daily: updating pulls in security patches and newer versions of the software installed on your server. The apt commands must be run as root or with sudo.
apt update && apt upgrade -y && apt dist-upgrade -y
apt update refreshes the package index, apt upgrade installs the newer versions, and apt dist-upgrade (the same as apt full-upgrade) additionally installs or removes packages when dependencies have changed. This may take some time; grab a cup of coffee and let it run. On Ubuntu, the file /var/run/reboot-required appears when an update (typically a new kernel) only takes effect after a reboot.
Creating a new user
Create your new user with the command below:
adduser userN4me --force-badname
By default adduser only accepts names matching its NAME_REGEX (lower-case letters, digits, underscore and hyphen). The --force-badname option lets you use a name such as 'userN4me' or 'l337sp34k' that contains upper-case letters or other characters outside that pattern; newer adduser versions call the same option --allow-bad-names and still accept the old name. Day-to-day work on the server should happen in this account, not as root.
Sudo privileges
Give your new user sudo privileges:
usermod -a -G sudo userN4me
-a
: append the user to the supplementary groups given with -G instead of replacing them. Without -a, usermod -G removes the user from every other supplementary group.
-G group
: the supplementary group to add, here sudo.
Check the result with id userN4me. The new group membership only applies to sessions started after the change.
Change to the new user with a login shell (the dash gives you the user's own environment and home directory):
su - userN4me
Public key authentication
Make the .ssh directory in the new user's account:
mkdir ~/.ssh
chmod 700 ~/.ssh
Generate a key pair with ssh-keygen on your local computer if you don't already have one. Without options ssh-keygen creates an RSA key, as shown below; ssh-keygen -t ed25519 creates a shorter, modern key, and the remaining steps work the same with id_ed25519 in place of id_rsa.
ssh-keygen
Assume your local PC username is localuser.
ssh-keygen output
Generating public/private rsa key pair.
Enter file in which to save the key (/home/localuser/.ssh/id_rsa):
Press Enter to accept the default path (or enter a new path).
Next you'll be prompted for a key passphrase. If you leave it empty, the private key file alone is enough to log in; if you set one, someone who copies the file still needs the passphrase. Set a passphrase unless the key is used by an unattended script, and use ssh-agent to cache it so you are not prompted on every connection. Either way, key authentication is more secure than basic password authentication.
This generates id_rsa (the private key, which never leaves your computer) and id_rsa.pub in the ~/.ssh directory. You need to copy id_rsa.pub to the remote server into ~/.ssh/authorized_keys.
Print the public key and copy it:
cat ~/.ssh/id_rsa.pub
On the remote server, make sure you're logged in as the new user. Paste the key on a line of its own inside ~/.ssh/authorized_keys:
nano ~/.ssh/authorized_keys
Afterwards set the file's mode to 0600 (chmod 600 on it). sshd's StrictModes setting, which is on by default, ignores authorized_keys if the file or the ~/.ssh directory is writable by other users, and the only symptom is that you keep getting a password prompt. If your local machine has ssh-copy-id, running ssh-copy-id userN4me@server does the copy and the permissions in one step.
Restart the ssh service
sudo systemctl restart ssh
On Debian and Ubuntu the unit is named ssh (sshd is an alias); on most other distributions it is sshd, and sudo service ssh restart works on systems without systemd. sshd reads authorized_keys afresh on every login, so the restart is not strictly needed for the key to work, but it is needed after the sshd_config changes in the next section.
This is the first time the new user runs sudo, so you'll see the usual lecture about using sudo wisely.
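The key-installation steps above as an added script, not code from the original page. It does what the manual mkdir, chmod and nano steps do, plus the two checks a practitioner wants: it refuses anything that is not a public key line (pasting a private key into authorized_keys is a common slip) and it sets exactly the modes StrictModes requires. The function names, the HOME_DIR parameter and the sample key are this example's own; the sample key is a constructed placeholder, not a real key.

```bash
#!/usr/bin/env bash
# Added example, not code from the original page: installs a public key into a
# user's authorized_keys the way the manual steps above do, adding the format
# check and the file modes that sshd's StrictModes (on by default) requires.
# HOME_DIR is a parameter so you can try it on a scratch directory before ~.
set -euo pipefail

# is_valid_pubkey LINE: accept "<type> <base64-blob> [comment]" for the key
# types a current OpenSSH client generates; reject private keys and junk.
is_valid_pubkey() {
  local line="$1" type blob
  type="${line%% *}"
  case "$type" in
    ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
    *) return 1 ;;
  esac
  blob="${line#* }"
  blob="${blob%% *}"
  # base64 alphabet only, and long enough to be a real key blob
  printf '%s' "$blob" | grep -Eq '^[A-Za-z0-9+/]{40,}={0,2}$'
}

# install_authorized_key HOME_DIR PUBKEY_LINE
# Creates HOME_DIR/.ssh (0700) and authorized_keys (0600) and appends the
# key once. If either mode is looser, sshd ignores the file and falls back
# to password authentication, which is easy to mistake for a bad key.
install_authorized_key() {
  local key="$2" dir="$1/.ssh" file="$1/.ssh/authorized_keys" blob
  is_valid_pubkey "$key" || { echo "refusing: not a public key line" >&2; return 1; }
  ( umask 077; mkdir -p "$dir"; touch "$file" )   # private from the moment they exist
  chmod 700 "$dir"
  chmod 600 "$file"
  # dedupe on the key blob (field 2) so re-running the script is harmless
  blob="$(printf '%s' "$key" | awk '{ print $2 }')"
  if ! awk -v b="$blob" '$2 == b { found = 1 } END { exit !found }' "$file"; then
    printf '%s\n' "$key" >> "$file"
  fi
}

# authorized_key_count HOME_DIR: number of key lines (blank and # lines ignored)
authorized_key_count() {
  awk 'NF && $1 !~ /^#/ { n++ } END { print n + 0 }' "$1/.ssh/authorized_keys"
}

# check_key_perms HOME_DIR: succeeds only if the modes are exactly 0700 and 0600
check_key_perms() {
  [ -n "$(find "$1/.ssh" -maxdepth 0 -perm 0700)" ] &&
  [ -n "$(find "$1/.ssh/authorized_keys" -maxdepth 0 -perm 0600)" ]
}

# Constructed sample key: a placeholder blob in the right shape, not a real key.
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERplaceholderPLACEHOLDERplaceholderX localuser@laptop'

# Usage: ./install_key.sh --demo                                  (scratch directory)
#        install_authorized_key "$HOME" "$(cat ~/.ssh/id_rsa.pub)"  (the real thing, as the new user)
if [ "${1-}" = "--demo" ]; then
  scratch="$(mktemp -d)"
  install_authorized_key "$scratch" "$SAMPLE_KEY"
  install_authorized_key "$scratch" "$SAMPLE_KEY"
  echo "keys installed: $(authorized_key_count "$scratch")"   # 1, not 2
  check_key_perms "$scratch" && echo "modes OK"
  rm -rf "$scratch"
fi
```

The dedupe compares only the base64 blob, so the same key pasted with a different comment is still recognised as already installed. Because the script takes the home directory as a parameter it can be run against a scratch directory first and then against the real account; nothing in it needs root when run as the user whose key is being installed.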
Disable SSH password authentication
This disables password logins over ssh so that only the public key set up above is accepted, which is considerably more secure. Before you change anything, open a second terminal and confirm that ssh userN4me@server logs you in with the key and without a password prompt, and keep that session open until the change is verified; otherwise a typo here locks you out of the server.
sudo nano /etc/ssh/sshd_config
Find the directives below (uncomment them if they are commented out) and set them as shown:
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
Further down:
PermitRootLogin no
PubkeyAuthentication yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no
PermitRootLogin no makes sure the root account cannot log in over ssh at all. PubkeyAuthentication yes (already the default) keeps key logins working. PasswordAuthentication no and ChallengeResponseAuthentication no together stop every password-based method, including the keyboard-interactive prompts that PAM provides; OpenSSH 8.7 and later call the second option KbdInteractiveAuthentication and still accept the old name as an alias. RSAAuthentication, which some older guides list here, was an SSH protocol 1 option that OpenSSH 7.4 removed, and current versions reject it as an unknown directive, so leave it out. On Ubuntu 22.04 and later also look in /etc/ssh/sshd_config.d/: the main file starts with an Include of that directory, a drop-in such as 50-cloud-init.conf may set PasswordAuthentication yes, and sshd uses the first value it reads, so a setting in a drop-in overrides the one in the main file. Validate the configuration with sshd -t as root (it prints nothing when the file is fine), then restart the ssh service as in the previous section and, from a third terminal, check that a password login is now refused.
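The sshd_config changes above as an added script, not code from the original page, so you can run it on a copy of the file, diff the result and only then copy it into place. It handles two things a hand edit easily gets wrong: a stale "#PasswordAuthentication yes" default left behind next to the new line, and directives appended after a Match block, which sshd scopes to that block rather than to the whole server. The function names and the sample configuration are this example's own; the sample is constructed to include an obsolete RSAAuthentication line and a Match block that deliberately keeps password logins for one account.

```bash
#!/usr/bin/env bash
# Added example, not code from the original page: applies the sshd_config
# changes from the section above to a file you name (run it on a copy first).
set -euo pipefail

# _edit FILE KEY LINE: remove every global-section line that sets KEY
# (active or commented out), then put LINE before the first Match block, or
# at the end of the file if there is none. An empty LINE just removes KEY.
# Lines inside Match blocks are left untouched.
_edit() {
  local file="$1" key line="$3" tmp
  key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')"   # sshd keywords are case-insensitive
  tmp="$(mktemp)"
  awk -v key="$key" -v line="$line" '
    in_match { print; next }
    tolower($0) ~ "^[ \t]*match[ \t]" {
      if (line != "" && !done) { print line; done = 1 }
      in_match = 1; print; next
    }
    { l = tolower($0); sub(/^[ \t]*#?[ \t]*/, "", l) }
    (l ~ ("^" key "[ \t=]") || l == key) { next }
    { print }
    END { if (line != "" && !done) print line }
  ' "$file" > "$tmp"
  cat "$tmp" > "$file"   # write through the existing inode, keeping its mode and owner
  rm -f "$tmp"
}

set_opt()  { _edit "$1" "$2" "$2 $3"; }
drop_opt() { _edit "$1" "$2" ""; }

# harden_sshd_config FILE: the settings the section above asks for
harden_sshd_config() {
  local f="$1"
  set_opt "$f" PermitRootLogin no
  set_opt "$f" PasswordAuthentication no
  set_opt "$f" ChallengeResponseAuthentication no
  set_opt "$f" KbdInteractiveAuthentication no   # same setting under its OpenSSH 8.7+ name
  set_opt "$f" PermitEmptyPasswords no
  set_opt "$f" PubkeyAuthentication yes
  drop_opt "$f" RSAAuthentication                # SSH-1 only; removed in OpenSSH 7.4
}

# effective_opt FILE KEY: the value sshd uses for KEY in the global section
# (first occurrence wins; comments and Match blocks are ignored)
effective_opt() {
  local key
  key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')"
  awk -v key="$key" '
    tolower($0) ~ "^[ \t]*match[ \t]" { exit }
    { l = $0; sub(/^[ \t]*/, "", l) }
    l ~ /^#/ { next }
    tolower(l) ~ ("^" key "[ \t=]") { sub(/^[^ \t=]*[ \t=]*/, "", l); print l; exit }
  ' "$1"
}

# Constructed sample: stock commented-out defaults, an obsolete SSH-1 line,
# and a Match block that deliberately keeps passwords for one account.
make_sample_config() {
  cat > "$1" <<'EOF'
#PermitRootLogin prohibit-password
#PubkeyAuthentication yes
RSAAuthentication yes
ChallengeResponseAuthentication yes
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF
}

# Usage: ./harden_sshd.sh --demo   (scratch file)
#        cp /etc/ssh/sshd_config /tmp/sshd_config && harden_sshd_config /tmp/sshd_config
#        diff /etc/ssh/sshd_config /tmp/sshd_config && sudo sshd -t -f /tmp/sshd_config
if [ "${1-}" = "--demo" ]; then
  f="$(mktemp)"
  make_sample_config "$f"
  harden_sshd_config "$f"
  cat "$f"
  echo "PasswordAuthentication -> $(effective_opt "$f" PasswordAuthentication)"   # no
  rm -f "$f"
fi
```

Running the script twice leaves the file unchanged, so it is safe to re-run after a package upgrade has rewritten sshd_config. The Match block survives with its own PasswordAuthentication yes, which is exactly what sshd will apply to that one account; if you did not intend such an exception, that is the line to look for in the diff before copying the file into place. The sshd -t check in the usage note needs root because it loads the host keys.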
Set up firewall
I suggest ufw as the firewall; it is much easier to use than raw iptables. ufw is a front end that generates iptables rules (nftables on newer releases), so anything you could express with iptables can still be done, and iptables commands keep working alongside it without conflict, but mixing the two makes the rule set hard to reason about, so stick with ufw.
Install ufw:
sudo apt install ufw
Allow ssh first. ufw's default policy denies all incoming traffic, so enabling the firewall before this rule exists would block every new ssh connection. View the available application profiles:
sudo ufw app list
Available applications:
OpenSSH
sudo ufw allow OpenSSH
Then enable the firewall; from now on it also starts at boot:
sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
Rules added with ufw allow take effect immediately; reloading is only needed after editing the files under /etc/ufw by hand:
sudo ufw reload
Set date and timezone
Select your timezone. dpkg-reconfigure tzdata changes the zone the system clock is displayed in (/etc/localtime); it does not set or synchronise the clock itself, so also make sure an NTP client is running (on Ubuntu, systemd-timesyncd is enabled by default, and timedatectl shows the current zone and whether the clock is synchronised). timedatectl set-timezone does the same job non-interactively.
# view your current date
date
Mon Apr 2 19:20:19 +08 2018
sudo dpkg-reconfigure tzdata
date
Thu May 3 06:00:19 +08 2018