Sunday, October 5, 2014

Initial Server Setup for Linux Server

This was made on Ubuntu 14.04 LTS.

It's my personal list. I'll probably update this once in a while when I see a good practice for an initial server setup.

Your goals basically are:
1) to add a user and use it instead of root
2) to change the ssh port, which adds protection against random hackers attacking the default ssh port

SSH into the server:
$ ssh root@<server ip address>

Change your password.
$ passwd

Add a user.
$ adduser <sample user: bujo>

Add root privileges to bujo via the "sudo" command.
$ visudo
This opens up a file using the 'nano' editor.
Find the lines with the following notes

#User privilege specification
root ALL=(ALL:ALL) ALL

Add in 'bujo'. Copy the line with the 'root' and 'ALL...' value, paste it on the next line, and replace 'root' with 'bujo' on the copied line.

bujo ALL=(ALL:ALL) ALL

Save.

Next, configure your ssh.
$ vim /etc/ssh/sshd_config

Change ssh port.
Look at the line with:
Port 22

Just replace 22 with any number between 1025 and 65536.

Next you can disable root login. Just change the value of the
PermitRootLogin yes
to 'no'.

But I don't recommend that. If you have a difficult password for the root user and it is securely stored, for example in a key manager such as keepassx, you can leave root login enabled on your server. That admin power may one day be needed, and you might need it fast.

Now it's time to permit the user/s you defined. Add this to your sshd_config:
AllowUsers bujo root

AllowUsers is a directive. 'bujo' and 'root' are the users allowed to log in to your system.
Save.

Restart your ssh.
$ service ssh restart

You're done with the configs. Next, TEST the config. :)
Remember, DO NOT EXIT FROM YOUR CURRENT TERMINAL SESSION.
Sometimes you make mistakes in your config changes and put your server out of reach of anyone, even yourself. For example, you have put "PermitRootLogin no" and added "AllowUsers" with no value after it, or misspelled your new user name. Mistakes like these can only be corrected from the session you currently have open on your server. So don't log out of that session until you have finished testing your changes from another terminal.

Open a new terminal. Try logging in using your old 'root'. Remember, ssh is now assigned to a new port on your server, so the login command has to specify it.
$ ssh -p <new port assignment> root@<server ip>
Then exit and try to log in again using 'bujo'. If there seems to be a problem, you can check and change the config, and restart ssh from the original terminal session you still have.
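
The lockout mistakes described above (an AllowUsers with no value, a misspelled user name, root left as the only allowed user while PermitRootLogin is 'no') can be caught before ssh is restarted. The script below is an added example, not part of the original post; the function names, the sample port 2222 and the temporary files are assumptions made for the illustration.

```shell
# Added example: check an edited sshd_config for the lockout mistakes above.
# Print each argument of a keyword from the global section (before any Match).
sshd_values() {  # $1 = config file, $2 = keyword in lower case
    awk -v key="$2" '
        tolower($1) == "match" { exit }
        tolower($1) == key { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# Succeed if account name $2 exists in the passwd-format file $1.
account_exists() {
    awk -F: -v name="$2" '$1 == name { found = 1 } END { exit !found }' "$1"
}

# Return 0 if no lockout risk was found, 1 otherwise; findings go to stdout.
check_sshd_lockout() {  # $1 = sshd_config, $2 = passwd file
    findings=0; usable=0
    if grep -Eiq '^[[:space:]]*allowusers[[:space:]]*$' "$1"; then
        echo "AllowUsers has no value"; findings=$((findings + 1))
    fi
    # sshd keeps the first PermitRootLogin it reads; "no" blocks root entirely.
    root_login=$(sshd_values "$1" permitrootlogin | head -n 1 | tr 'A-Z' 'a-z')
    allowed=$(sshd_values "$1" allowusers)
    while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        name=${entry%%@*}                      # entries may be user@host
        case $name in *[*?!]*) usable=1; continue ;; esac  # patterns not checked
        if ! account_exists "$2" "$name"; then
            echo "AllowUsers names '$name', which is not an account"
            findings=$((findings + 1))
        elif [ "$name" = root ] && [ "$root_login" = no ]; then
            echo "root is in AllowUsers but PermitRootLogin is no"
        else
            usable=1
        fi
    done <<EOF
$allowed
EOF
    if [ -n "$allowed" ] && [ "$usable" -eq 0 ]; then
        echo "no account in AllowUsers can log in"; findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample: a misspelled user name, checked on temporary copies.
tmp=$(mktemp -d)
printf 'root:x:0:0::/root:/bin/sh\nbujo:x:1000:1000::/home/bujo:/bin/sh\n' > "$tmp/passwd"
printf 'Port 2222\nPermitRootLogin no\nAllowUsers bujjo root\n' > "$tmp/sshd_config"
check_sshd_lockout "$tmp/sshd_config" "$tmp/passwd" || echo "fix before restarting ssh"
rm -rf "$tmp"
```

On the server, the same function can be pointed at /etc/ssh/sshd_config and /etc/passwd from the session you kept open; `sshd -t` additionally checks the file's syntax.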

And when you are done logging in, you now have a solid setup to install your applications on your server. You can now leave the 'root' user behind and use it only when you need speed (not needing to do 'sudo') on very important server setups that are safe and that you are comfortable doing.
