Secure Linode Ubuntu Server

December 18, 2018

After you set up your server on Linode, the default SSH access is password authentication as the root account:

ssh root@SERVER_IP

NOTE: DigitalOcean offers the option to add an SSH key-pair when the server is created.

Create User

Create a new user; use this user instead of root from now on.

adduser ln-user

Add the user to the sudo group for admin privileges.

adduser ln-user sudo

Setup SSH Key-pair for login authentication

Most documentation recommends ssh-keygen -b 4096, which writes the key-pair to ~/.ssh/id_rsa (private key) and ~/.ssh/id_rsa.pub (public key) by default. Ed25519 keys (ssh-keygen -t ed25519) are the modern alternative and need no -b.

I have multiple servers and prefer a different key-pair for each one, so I create each key-pair in a specific local directory and back those files up.

Run the following command on your local machine (not on the server). Set a passphrase when prompted; it protects the private key if the file is ever copied.

NOTE: If your local machine is Windows and has no ssh-keygen, you can technically run it on the Ubuntu server and download the files to your local machine. If you do, delete the private key from the server afterwards: the private key should only ever live on the client.

ssh-keygen -b 4096 -f KEY_FILE_NAME

Install public key with ssh-copy-id

Install the public key on the server.

NOTE: Run this on your local machine.

ssh-copy-id -i KEY_FILE_NAME ln-user@SERVER_IP

Install public key manually

If you don't have access to ssh-copy-id, you can install the key manually. Print the content of the public key:

cat KEY_FILE_NAME.pub

NOTE: The content should look like ssh-rsa AAAAB3... followed by a comment (usually user@host), all on one line.

SSH to the server and create the ~/.ssh directory (if it does not already exist).

ssh ln-user@SERVER_IP

mkdir -p ~/.ssh
chmod 0700 ~/.ssh

Paste the content of the public key into ~/.ssh/authorized_keys (one key per line).

nano ~/.ssh/authorized_keys

Restrict the permissions. sshd ignores the file if it is writable by anyone other than the owner (StrictModes).

chmod 0600 ~/.ssh/authorized_keys
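The manual steps above (create ~/.ssh, append the key, fix permissions) as one script, added here as an example and not part of the original post. It does what ssh-copy-id does but idempotently: the umask is set before anything is created so the file is never briefly readable by others, a key already present (matched on type and key blob, ignoring the comment) is not appended twice, and lines that do not look like OpenSSH public keys are skipped. The key file name and the script name are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: install public keys into a user's
# authorized_keys with the permissions sshd's StrictModes check requires
# (0700 directory, 0600 file), without creating duplicates.
set -eu

# is_public_key LINE -> 0 if LINE looks like an OpenSSH public key entry
is_public_key() {
    case "$1" in
        "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-nistp256 "*|"ecdsa-sha2-nistp384 "*|"ecdsa-sha2-nistp521 "*) ;;
        *) return 1 ;;
    esac
    # the second field is the base64 key blob
    printf '%s\n' "$1" | awk '{ exit ($2 ~ /^[A-Za-z0-9+\/=]+$/) ? 0 : 1 }'
}

# install_authorized_key HOME_DIR PUBKEY_FILE
# Create HOME_DIR/.ssh if needed, append each key from PUBKEY_FILE that is not
# already present, enforce permissions, and print the number of keys added.
install_authorized_key() {
    sshdir="$1/.ssh"; authkeys="$sshdir/authorized_keys"; added=0
    # umask first, so neither the directory nor the file is ever created
    # readable by group or others
    (umask 077; mkdir -p "$sshdir"; touch "$authkeys")
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        is_public_key "$line" || { echo "skipping malformed key line" >&2; continue; }
        # compare on type + blob only, so a different comment is not a new key
        blob=$(printf '%s\n' "$line" | awk '{ print $1 " " $2 }')
        if ! awk -v want="$blob" '($1 " " $2) == want { found = 1 } END { exit found ? 0 : 1 }' "$authkeys"; then
            printf '%s\n' "$line" >> "$authkeys"
            added=$((added + 1))
        fi
    done < "$2"
    chmod 0700 "$sshdir"
    chmod 0600 "$authkeys"
    echo "$added"
}

# Usage on the server (hypothetical script and key file names, as in the post):
#   ./install-key.sh "$HOME" KEY_FILE_NAME.pub
if [ "$#" -eq 2 ] && [ -f "$2" ]; then
    n=$(install_authorized_key "$1" "$2")
    echo "added $n key(s) to $1/.ssh/authorized_keys"
fi
```

Running it a second time with the same key (even with a changed comment) adds nothing, so it is safe to re-run as part of provisioning.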

Edit SSH Configuration

Edit /etc/ssh/sshd_config (on the server). sshd uses the first occurrence of each directive, so change the existing (possibly commented-out) line rather than appending a second copy at the end of the file.

sudo nano /etc/ssh/sshd_config

Disable root login over SSH.

PermitRootLogin no

Disable SSH password authentication.

PasswordAuthentication no

Allow ln-user only.

AllowUsers ln-user

Reload the SSH service.

sudo systemctl reload sshd

NOTE: A misconfiguration here can lock you out of the server permanently. Keep your current session open, test a new login from a second terminal before closing it, and remember that Linode's Lish console gives you out-of-band access if SSH breaks.

Test login using the SSH key-pair.

ssh -i KEY_FILE_NAME ln-user@SERVER_IP
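The whole sshd step as one script, added here as an example and not part of the original post. It rewrites the three directives in place (respecting sshd's first-occurrence rule instead of appending), validates the file with sshd -t before reloading, and then reads back the effective values with sshd -T. It assumes Ubuntu (service name ssh, aliased as sshd) and the user name ln-user from the post; the ChallengeResponseAuthentication line is an addition beyond the post's three settings, and the script name is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): set the sshd_config directives
# from the steps above in place, validate the result with `sshd -t`, and only
# then reload.  Assumes Ubuntu (service "ssh", aliased as "sshd") and the
# user name ln-user used throughout the post.
set -eu

# set_sshd_option FILE KEY VALUE
# Rewrite the first "KEY ..." line (commented out or not) as "KEY VALUE", or
# append it if none exists.  sshd honours the first occurrence of a directive,
# so rewriting the first match is what makes the setting take effect.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    awk -v key="$key" -v value="$value" '
        BEGIN { done = 0; re = "^[ \t]*#?[ \t]*" tolower(key) "([ \t]|$)" }
        !done && tolower($0) ~ re { print key " " value; done = 1; next }
        { print }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"      # copy contents back so ownership and mode are kept
    rm -f "$tmp"
}

# get_sshd_option FILE KEY -> the effective (first uncommented) value, if any
get_sshd_option() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# harden_sshd_config FILE USER -- the three settings from the post, plus
# ChallengeResponseAuthentication no so PAM keyboard-interactive cannot act
# as a password login in disguise (an addition beyond the post).
harden_sshd_config() {
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" PasswordAuthentication no
    set_sshd_option "$1" ChallengeResponseAuthentication no
    set_sshd_option "$1" AllowUsers "$2"
}

# Apply to the live config (run as root): ./harden-sshd.sh --apply ln-user
if [ "${1:-}" = "--apply" ]; then
    cfg=/etc/ssh/sshd_config
    cp -p "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)"
    harden_sshd_config "$cfg" "${2:-ln-user}"
    sshd -t                                  # syntax check; a failure aborts here (set -e)
    systemctl reload ssh
    # confirm the effective values, including anything pulled in via Include files
    sshd -T | grep -Ei '^(permitrootlogin|passwordauthentication|allowusers) '
fi
```

Newer Ubuntu releases add an Include /etc/ssh/sshd_config.d/*.conf line at the top of the file, and a directive in one of those files wins over the main file; the final sshd -T line is what confirms which value sshd actually uses.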

Setup Firewall

List the applications that have a ufw profile (e.g. OpenSSH, Nginx Full, etc.), usually installed applications that need to listen on certain ports.

sudo ufw app list

Allow SSH access first, so that enabling the firewall cannot lock you out.

sudo ufw allow OpenSSH

Enable the firewall. Ubuntu's ufw defaults deny incoming and allow outgoing traffic, so after this only the ports you explicitly allow are reachable.

sudo ufw enable

Check the status.

sudo ufw status
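A guarded version of the firewall step, added here as an example and not part of the original post: it refuses to enable ufw unless an allow rule for OpenSSH (or 22/tcp) is already in the added rules, so the order mistake that locks you out cannot happen. The rule check is a small parser over the text printed by ufw show added (before enabling) or ufw status (after); the sample inputs in the usage note are constructed, and the script name is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post: enable ufw only after an SSH
# allow rule is in place, so the firewall cannot cut off your own access.
set -eu

# ssh_rule_present TEXT -> 0 if TEXT (output of `ufw show added`, or of
# `ufw status` once enabled) contains an allow rule for OpenSSH or port 22/tcp.
# The port match requires 22 to stand alone, so "2222/tcp" or "10.0.0.22"
# do not count.
ssh_rule_present() {
    printf '%s\n' "$1" | awk '
        tolower($0) ~ /allow/ && (tolower($0) ~ /openssh/ || $0 ~ /(^|[ \t])22(\/tcp)?([ \t]|$)/) { found = 1 }
        END { exit found ? 0 : 1 }'
}

# enable_firewall_safely [PROFILE] -- runs the real ufw commands; needs root.
enable_firewall_safely() {
    profile=${1:-OpenSSH}
    ufw allow "$profile"
    added=$(ufw show added)
    if ! ssh_rule_present "$added"; then
        echo "refusing to enable ufw: no SSH allow rule found" >&2
        return 1
    fi
    ufw --force enable        # --force skips the interactive "may disrupt ssh" prompt
    ufw status verbose
}

# Usage on the server (hypothetical script name): sudo ./enable-ufw.sh --apply OpenSSH
if [ "${1:-}" = "--apply" ]; then
    enable_firewall_safely "${2:-OpenSSH}"
fi
```

Fed the constructed text "ufw allow OpenSSH" or a ufw status line such as "22/tcp  ALLOW  Anywhere", ssh_rule_present succeeds; fed only "ufw allow 80/tcp" or "ufw allow 2222/tcp" it fails, and enable_firewall_safely stops before touching the firewall.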

Update Ubuntu

sudo apt-get update && sudo apt-get upgrade

NOTE: You might need to run sudo apt-get dist-upgrade as well; refer to the Ubuntu documentation on installing updates.

NOTE: You could look into automatic updates (the unattended-upgrades package) as well.


This work is licensed under a
Creative Commons Attribution-NonCommercial 4.0 International License.