SSH Login
You should set up your server with SSH keys and log in via SSH.
ssh -i [FILENAME].pem root@[SERVER_IP_OR_DOMAIN_NAME]
Alternatively, you can follow this tutorial, which stores the SSH keys in the default .ssh directory, and connect to the server via ssh root@[SERVER_IP_OR_DOMAIN_NAME].
If you are using DigitalOcean and didn't set up SSH keys, follow this tutorial.
Create password for root
If your root user doesn't have a password yet (e.g. you log in via SSH key), create a password for root.
passwd
Create new user
It is best practice not to log in and perform tasks as the root user, so we are encouraged to create a new user. Remember to enter a password for this user.
adduser do-user
Since we need to do administrative tasks, we assign superuser/root privileges to our new user account by adding it to the sudo group, which enables the use of the sudo command.
usermod -aG sudo do-user
Setup SSH Keys for new user
Assuming SSH keys are already set up for the root user, execute the following commands to enable login by SSH keys for the new user (by copying the SSH keys from root).
su do-user
mkdir ~/.ssh
chmod 0700 ~/.ssh
sudo cat /root/.ssh/authorized_keys >> ~/.ssh/authorized_keys
chmod 0600 ~/.ssh/authorized_keys
Now you can test logging in to the server as the new user.
ssh -i [FILENAME].pem do-user@[SERVER_IP_OR_DOMAIN_NAME]
Assuming you don't have any SSH keys set up on the server yet, create SSH keys on your local Ubuntu machine (not the server). Copy the content of the .pub file into ~/.ssh/authorized_keys on the server. Or you can follow this tutorial.
Disable password login
Since our new user (do-user) can log in via SSH keys, we need to disable password login as good security practice (this prevents an attacker from brute-forcing the login by guessing our password).
sudo nano /etc/ssh/sshd_config
This will disable login by password.
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no
This will disable login by root user (since we will be using do-user from now on).
PermitRootLogin no
This will only allow do-user to log in.
AllowUsers do-user
Make sure the following settings are correct.
PubkeyAuthentication yes
ChallengeResponseAuthentication no
Save the file. For those not familiar with nano, Ctrl-X to exit, then ENTER to save.
Reload ssh for the changes to take effect.
sudo systemctl reload sshd
From now on, only do-user can log in to this server (and root can't).
ssh -i [FILENAME].pem do-user@[SERVER_IP_OR_DOMAIN_NAME]
Setup firewall
UFW is a firewall configuration tool for iptables (a firewall).
sudo ufw allow OpenSSH
sudo ufw enable
sudo ufw status
I guess it won't hurt to enable ssh port.
sudo ufw allow ssh