After you create a new server, there are some configuration tweaks that you should make to harden the security of your server.
Create a new user
As the root user, you have privileges to do anything that you want with the server – no restrictions. Because of this, it is better to avoid using the root user account for every task on your server. Let’s start by making a new user. Replace username with the desired user name:
adduser username
Choose a new secure password and respond to the questions accordingly (or just hit ENTER to use the default value).
Giving user root privileges
New user accounts don’t have privileges outside of their home folder and cannot run commands that will alter the server (like install, update, or upgrade). To avoid the use of the root account, we will give the user root privileges. There are two ways of doing this:
Adding user to sudo group
The easy way is to add the user to the sudo group. Replace username with the desired user name:
adduser username sudo
This will add the user to the group sudo. This group has the privilege of running the commands with sudo access.
Modifying sudoers file
The other way is to put your user in the sudoers file. If your server has multiple users with root privileges, then this approach is somewhat better because if someone messes with the sudo group, you will be still able to run commands with root privileges to work on the server.
First, run this command:
visudo
This will open the sudoers file. This file contains the definitions of groups and users who can run commands with root privileges.
root ALL=(ALL:ALL) ALL
After this line, write your user name and grant it full root privileges. Replace username accordingly:
username ALL=(ALL:ALL) ALL
Save and close the file (Ctrl + O and Ctrl + X in nano).
Testing your new user
To login to your new user account without logout and login, simply call:
su username
Test sudo permissions using this command:
sudo apt-get update
The shell will ask for your password. If sudo was configured properly, then your repositories should be updated. Otherwise, review the previous steps.
Now, logout from the new user:
exit
Sudo setup is complete.
Securing SSH
The next part of this guide involves securing the ssh login to the server. First, change the root password:
passwd root
Choose something hard to guess, but that you can remember.
SSH key
SSH keys are a safer way to login. If you are not interested in SSH keys, skip to the next part of the tutorial.
Use the following AKLWEB Host Doc to make an SSH key: How Do I Generate SSH Keys?
After you get your public key, login with your new user again.
su username
Now make the .ssh directory and the authorized_keys file in the home directory of that user account.
cd ~
mkdir .ssh
chmod 700 .ssh
touch .ssh/authorized_keys
Add the public key that you generated from the other tutorial to the authorized_keys file.
nano .ssh/authorized_keys
Save the file, then change the permissions of that file.
chmod 600 .ssh/authorized_keys
Return to the root user.
exit
SSH configuration
Now we will make the SSH daemon more secure. Let’s start with the config file:
nano /etc/ssh/sshd_config
Change SSH inbound port
This step will change the port used to access the server, it is entirely optional but recommended.
Find the line with the Port config, should look like this:
Port 22
Now change this port to any port that you want. It must be greater than 1024.
Port 4422
Disable root ssh login
This step will disable root login through SSH, it is entirely optional but highly recommended.
Find this line:
PermitRootLogin yes
… and change it to:
PermitRootLogin no
This will make the server more secure against bots that try brute force and/or common passwords with user root and port 22.
Disable X11 forward
This step will disable X11 forwarding, don’t do this if you use some remote desktop program to access to your server.
Find the X11 line:
X11Forwarding yes
… and it change to:
X11Forwarding no
Restart SSH daemon
Now that we made the changes to secure the SSH Login, restart the SSH service:
service ssh restart
This will restart and reload the server settings.
Testing changes
Without disconnecting your current ssh session, open a new terminal or PuTTY window and test another SSH login.
ssh -p 4422 username@SERVER_IP_OR_DOMAIN
If everything checks out, we have successfully hardened the security of your server. Enjoy!