Whenever you set up a remote server, there are a few configuration steps that you should take early on as part of the basic setup. This will increase the security and usability of your server and will give you a solid foundation for subsequent actions. You should do (at least) the things listed here to get ready for any application you install.
Update your server
This should be done on a daily basis. Updating the server is very important, as it pulls in security updates and newer versions of the software on your server.
apt operations must be run as root or with sudo.
$ sudo apt update && sudo apt upgrade -y && sudo apt dist-upgrade -y
This may take some time. You can have a cup of coffee while the update runs.
Creating new user
Create your new user by issuing the command below:
$ adduser userN4me --force-badname
You can add your 'username' in form of 'l337sp34k' with the option
Give your new user
$ usermod -a -G sudo userN4me
-a : Appends the user to the new group
-G group : Add the user to group
Change to new user:
$ su userN4me
Public key authentication
ssh directory in new user account.
$ mkdir ~/.ssh
$ chmod 700 ~/.ssh
ssh-keygen in local computer if you don't have ssh keys.
Assume your local PC username is localuser
ssh-keygen output:
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/localuser/.ssh/id_rsa):
Press enter to accept the default path (or enter your new path).
Next you'll be prompted to enter a key passphrase; leave it empty. If you set a passphrase, you'll be prompted for it every time you want to connect over ssh.
Note: If you leave the passphrase blank, you will be able to use the private key for authentication without entering a passphrase. If you enter a passphrase, you will need both the private key and the passphrase to log in. Securing your keys with passphrases is more secure, but both methods have their uses and are more secure than basic password authentication.
This will generate
~/.ssh directory. You will need to copy
id_rsa.pub to remote server in
Go copy the key somewhere:
local$ cat ~/.ssh/id_rsa.pub
In your remote server, make sure you're in the new user account. Paste the key inside
$ nano ~/.ssh/authorized_keys
Restart ssh service
$ sudo service sshd restart
This is your first time entering the 'sudo' command as the new user. It will prompt you to use 'sudo' wisely.
Disable SSH password authentication
This will disable password authentication when ssh-ing to your remote server. Logins will use the public key that we generated above. This method is more secure.
$ sudo nano /etc/ssh/sshd_config
Uncomment below and set to 'no':
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
Find somewhere below:
PermitRootLogin no
RSAAuthentication yes
PubkeyAuthentication yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no
Set PermitRootLogin to no to make sure the root user cannot log in through ssh. Set PubkeyAuthentication to yes so that you can log in over ssh without a password, using the key that we set up earlier.
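An added example, not part of the original tutorial: a small POSIX shell check that reads an sshd_config file and reports the value sshd will actually use for each directive set above. The function names effective_value and audit_sshd_config are hypothetical, and the sample configuration is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit the sshd_config directives set in this section.
# sshd keeps the FIRST value it reads for each keyword, so a later
# "PasswordAuthentication no" does not override an earlier "yes".

# effective_value FILE KEYWORD (hypothetical helper name)
# Prints the first uncommented global value of KEYWORD, lower-cased.
effective_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                  # skip comment lines
        { sub(/=/, " ") }                    # accept "Keyword=value" too
        tolower($1) == "match" { exit }      # global scope only
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# audit_sshd_config FILE (hypothetical name)
# Prints OK/FAIL per directive; exit status is the number of failures.
# An unset keyword counts as a failure so every setting is explicit.
audit_sshd_config() {
    audit_fails=0
    while read -r audit_key audit_want; do
        audit_got=$(effective_value "$1" "$audit_key")
        if [ "$audit_got" = "$audit_want" ]; then
            echo "OK    $audit_key $audit_got"
        else
            echo "FAIL  $audit_key is '${audit_got:-unset}', expected '$audit_want'"
            audit_fails=$((audit_fails + 1))
        fi
    done <<'EOF'
PermitRootLogin no
PubkeyAuthentication yes
PermitEmptyPasswords no
PasswordAuthentication no
ChallengeResponseAuthentication no
EOF
    return "$audit_fails"
}

# Constructed sample: password logins are enabled before the hardened lines.
sample=$(mktemp)
printf '%s\n' 'PasswordAuthentication yes' 'PermitRootLogin no' \
    'PubkeyAuthentication yes' 'PermitEmptyPasswords no' \
    'ChallengeResponseAuthentication no' 'PasswordAuthentication no' > "$sample"
audit_sshd_config "$sample" || echo "$? directive(s) need attention"
rm -f "$sample"
```

Run it against /etc/ssh/sshd_config before restarting sshd, since the new settings only take effect after the restart. It does not follow Include files, so `sudo sshd -T` remains the authoritative view of the effective configuration.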
Set up firewall
I suggest using 'ufw' as the firewall. It is easy compared to iptables. However, you can still use the iptables command without conflicting with ufw. But again, I suggest you use ufw. Whatever iptables commands can do, ufw can do. Ufw is a simpler form of iptables.
Install ufw firewall.
$ sudo apt install ufw
Enable ufw firewall on system startup.
$ sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
Allow ssh in ufw. View available applications:
$ sudo ufw app list
Available applications:
  OpenSSH
$ sudo ufw allow OpenSSH
$ sudo ufw reload
Set date and timezone
Select your timezone. This will automatically update your server date and time based on the chosen timezone.
# view your current date
$ date
Wed April 2 19:20:19 +08 2018
$ sudo dpkg-reconfigure tzdata
$ date
Thu May 3 06:00:19 +08 2018