Ubuntu Server Setup With Basic Security

December 7, 2017

SSH Login

You should set up your server with SSH keys and log in via SSH.

ssh -i [FILENAME].pem root@[SERVER_IP_OR_DOMAIN_NAME]

Alternatively, you can follow this tutorial, which stores the SSH keys in the default .ssh directory so that you can connect to the server via ssh root@[SERVER_IP_OR_DOMAIN_NAME].

If you are using DigitalOcean and didn’t set up SSH keys, follow this tutorial.

Create password for root

If your root user doesn’t have a password yet (e.g. you log in via SSH key), create a password for root.

passwd

Create new user

It is best practice not to log in and perform tasks as the root user, so we create a new user. Remember to enter a password for this user.

adduser do-user

Since we need to do administrative tasks, we assign superuser/root privileges to our new user account by adding it to the sudo group, which enables the use of the sudo command.

usermod -aG sudo do-user

Setup SSH Keys for new user

Assuming SSH keys are already set up for the root user, execute the following commands to enable login by SSH key for the new user (by copying the SSH keys from root).

su do-user
mkdir ~/.ssh
chmod 0700 ~/.ssh
sudo cat /root/.ssh/authorized_keys >> ~/.ssh/authorized_keys
chmod 0600 ~/.ssh/authorized_keys

Now you can test logging in to the server as the new user.

ssh -i [FILENAME].pem do-user@[SERVER_IP_OR_DOMAIN_NAME]

If you don’t have any SSH keys set up on the server yet, create SSH keys on your local Ubuntu machine (not the server). Copy the content of the .pub file into ~/.ssh/authorized_keys. Or you can follow this tutorial.

Disable password login

Since our new user (do-user) can log in via SSH keys, we should disable password login as good security practice (it prevents an attacker from brute-forcing the login by guessing our password).

sudo nano /etc/ssh/sshd_config

This will disable login by password.

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no

This will disable login by the root user (since we will be using do-user from now on).

PermitRootLogin no

This will allow only do-user to log in.

AllowUsers do-user

Make sure the following settings are correct.

PubkeyAuthentication yes
ChallengeResponseAuthentication no

Save the file. For those not familiar with nano, Ctrl-X to exit, then ENTER to save.

Reload ssh for the changes to take effect.

sudo systemctl reload sshd

From now on, only do-user can log in to this server (and root can’t).

ssh -i [FILENAME].pem do-user@[SERVER_IP_OR_DOMAIN_NAME]
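A check worth running on the edited file before the reload step above, given here as an added example and not part of the original post: sshd uses the first value it finds for each keyword, so a directive left commented out or overridden by an earlier line silently leaves password login enabled. The function names and the sample file content are constructed for illustration.

```shell
# Added example, not from the original post. Sample content is constructed.
# first_value FILE KEYWORD: value sshd would use for a single-value keyword.
# Keywords are case-insensitive, comment lines are ignored, first occurrence wins.
# Assumption: only the global section (before any "Match" line) is read.
first_value() {
    awk -v key="$2" '
        /^[ \t]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# AllowUsers is a list option: names from every AllowUsers line accumulate.
allowed_users() {
    awk '
        /^[ \t]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == "allowusers" { for (i = 2; i <= NF; i++) printf "%s ", $i }
    ' "$1" | sed 's/ $//'
}

# audit_sshd_config FILE [USER]: returns 0 only if every check passes.
# Strict: a missing keyword is reported even where the default would match.
audit_sshd_config() {
    file=$1 user=${2:-do-user} rc=0
    for want in passwordauthentication=no permitrootlogin=no \
                pubkeyauthentication=yes challengeresponseauthentication=no; do
        key=${want%%=*} exp=${want#*=}
        got=$(first_value "$file" "$key")
        if [ "$got" != "$exp" ]; then
            echo "FAIL $key: effective '${got:-unset}', expected '$exp'"
            rc=1
        fi
    done
    users=$(allowed_users "$file")
    if [ "$users" != "$user" ]; then
        echo "FAIL allowusers: '$users', expected '$user'"
        rc=1
    fi
    return $rc
}

# Constructed sample: the intended line is still commented out and the first
# live PasswordAuthentication line says yes, so the later "no" has no effect.
sample=$(mktemp)
printf '%s\n' '#PasswordAuthentication no' 'PermitRootLogin no' \
    'PasswordAuthentication yes' 'PasswordAuthentication no' \
    'PubkeyAuthentication yes' 'ChallengeResponseAuthentication no' \
    'AllowUsers do-user' > "$sample"
audit_sshd_config "$sample" || echo "fix the FAIL lines before reloading sshd"
rm -f "$sample"
```

On the server itself, `sudo sshd -t` checks the file's syntax and `sudo sshd -T` prints the effective configuration as sshd parses it.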

Setup firewall

UFW is a firewall configuration tool for iptables (a firewall).

sudo ufw allow OpenSSH
sudo ufw enable
sudo ufw status

I guess it won’t hurt to enable the ssh port.

sudo ufw allow ssh

This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.