After my server on DigitalOcean was attacked a few times, I thought I should write an article about it. I hope it is useful to you.
Step One — Root Login
$ ssh root@your_server_ip
Step Two — Create a New User
# adduser van
Step Three — Root Privileges
Give the new user root (sudo) privileges.
# usermod -aG sudo van
Step Four — Add Public Key Authentication (Recommended)
Generate a Key Pair
You need to generate a key pair on your local machine before putting it on the server.
$ ssh-keygen
ssh-keygen output
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/localuser/.ssh/id_rsa):
You will be asked a few questions. It is recommended to leave the passphrase blank.
Copy the Public Key manually
On your local machine, the command below prints your public key in the terminal.
$ cat ~/.ssh/id_rsa.pub
Now copy it to the clipboard.
id_rsa.pub contents
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBGTO0tsVejssuaYR5R3Y/i73SppJAhme1dH7W2c47d4gOqB4izP0+fRLfvbz/tnXFz4iOP/H6eCV05hqUhF+KYRxt9Y8tVMrpDZR2l75o6+xSbUOMu6xN+uVF0T9XzKcxmzTmnV7Na5up3QM3DoSRYX/EP3utr2+zAqpJIfKPLdA74w7g56oYWI9blpnpzxkEd3edVJOivUkpZ4JoenWManvIaSdMTJXMy3MtlQhva+j9CgguyVbUkdzK9KKEuah+pFZvaugtebsU+bllPTB0nlXGIJk98Ie9ZtxuY3nCKneB+KjKiXrAvXUPCI9mWkYS/1rggpFmu3HbXBnWSUdf localuser@machine.local
Next, connect to your server as the root user, then switch to your sudo user.
# su - van
Create the .ssh folder.
$ mkdir ~/.ssh
$ chmod 700 ~/.ssh
Create the authorized_keys file.
$ nano ~/.ssh/authorized_keys
When the authorized_keys file opens, paste your public key into it. Then press Ctrl-o to save the file and Ctrl-x to close it.
Restrict the permissions on this file so only its owner can read or write it.
$ chmod 600 ~/.ssh/authorized_keys
Exit the sudo user's shell.
$ exit
Step Five — Disable Password Authentication (Recommended)
Let’s open the sshd_config file.
$ sudo nano /etc/ssh/sshd_config
To disable password authentication, set the PasswordAuthentication directive to no.
PasswordAuthentication no
Then make sure these settings are present and correct (they are the defaults).
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
ChallengeResponseAuthentication no
Reload sshd to apply the updated sshd_config.
$ sudo systemctl reload sshd
Step Six — Test Log In
It’s time to check if everything is working nicely. Let’s connect to your server with the new sudo user.
$ ssh van@your_server_ip
$ sudo command_to_run
Step Seven — Set Up a Basic Firewall
Allow SSH before enabling the firewall, so new SSH connections are not blocked once it is active.
$ sudo ufw allow OpenSSH
$ sudo ufw enable
$ sudo ufw status
Output
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Step Eight — Disable Root Login (Recommended)
To make the server harder to attack, it’s recommended to disable root login over SSH.
$ sudo nano /etc/ssh/sshd_config
To disable root login, set the PermitRootLogin directive to no, then reload sshd as in Step Five so the change takes effect.
PermitRootLogin no
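As an added check (example code, not from the original post or DigitalOcean's guides): a small POSIX shell audit that reads an sshd_config file the way sshd does and flags any of the directives from Steps Five and Eight that are not at their hardened value. The sample config it runs on is constructed, and the plain "Keyword value" syntax is assumed.

```shell
# Added example: audit an sshd_config file for the directives this guide changes.
# Assumes the plain "Keyword value" syntax (no "Keyword=value" form).

# effective_value FILE KEYWORD
# Prints the value sshd would use for KEYWORD: keywords are case-insensitive,
# the first occurrence in the global section wins, and everything after the
# first "Match" block is conditional and therefore ignored here.
# Prints "(unset)" when the keyword does not appear in the global section.
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blank lines
        tolower($1) == "match" { exit }                   # conditional blocks start here
        tolower($1) == key { print $2; found = 1; exit }
        END { if (!found) print "(unset)" }
    ' "$1"
}

# audit_sshd_config FILE
# Prints one "WEAK:" line per directive that is not at its hardened value and
# returns 0 if every directive passes, 1 otherwise. A directive that is not set
# explicitly is flagged too, so the hardened value is always on record.
audit_sshd_config() {
    cfg="$1"
    rc=0
    for pair in PasswordAuthentication=no PermitRootLogin=no \
                PubkeyAuthentication=yes ChallengeResponseAuthentication=no; do
        keyword=${pair%%=*}
        wanted=${pair#*=}
        got=$(effective_value "$cfg" "$keyword")
        if [ "$got" != "$wanted" ]; then
            echo "WEAK: $keyword is '$got', expected '$wanted'"
            rc=1
        fi
    done
    return "$rc"
}

# Demo on a constructed config (not a real server's file): root login is still
# allowed, and password auth is only disabled inside a Match block.
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
ChallengeResponseAuthentication no
Match User van
    PasswordAuthentication no
EOF
audit_sshd_config "$demo_cfg" || echo "sshd_config still needs hardening"
rm -f "$demo_cfg"
```

On a live server, `sshd -T` prints the effective configuration and is the authoritative view; this script is for reviewing a config file before you reload sshd.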
What Next
These steps are the foundation of server setup. Now you can install any software you need on your new server.
To keep your server more secure, you could have a look at fail2ban or change your SSH port. At the moment, I have just changed my SSH port. It works for now.
Happy coding!