Image courtesy of Lifehacker
In the previous post of this series, we learned how to connect using PuTTY and how to update our server. In this post we will take some steps to secure our server.
Before we begin, AKA Disclaimer: This is by no means the best way to secure your server. It's just a precaution against the "lazy hackers". Server security requires a lot of investment, fine tuning and time. Please do not come to this post and tell me "I followed your tutorial and I got hacked". If you have sensitive information that needs protection, you should consult a security professional.
User types and adding a standard user
We have 2 types of users: Administrators and Standard users. Administrators have limitless access to everything on the server. Standard users are restricted in what they can do. For example, a standard user cannot use apt-get, the command we used in the first part of the series to update our server.
There are many ways to run restricted commands. The most common is using the sudo command. Another way is to use the su command. Before we get started with adding our standard user, let me explain the difference.
sudo stands for Super User DO. It asks for your user password, requires you to be added to the sudo list, and you only gain administrator privileges for that single command. If you need to run 3-4 commands with admin privileges, you have to start each command with sudo.
su stands for Substitute User. Basically, it's like logging into another user's account. By typing su root, you log in to the root account (as long as it's not disabled), and every command you run until you type exit is run as the user "root". Downside: you need the root user's password. If it's a shared server, good luck getting that! :P
I prefer using sudo, but the final choice is yours. Finally, you can invoke sudo su to gain permanent administrator privileges (again, until you type exit). Basically this is the same as typing su root, but you need your own user's password, not the root user's password.
Enough with the technical jargon, let's create our user. Substitute username with your own username. You should be logged in as the root user.
adduser username
The server starts adduser and this is the reply:
root@servername:~# adduser username
Adding user `username' ...
Adding new group `username' (1001) ...
Adding new user `username' (1001) with group `username' ...
Creating home directory `/home/username' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for username
Enter the new value, or press ENTER for the default
Full Name []:
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n] Y
root@servername:~#
The first thing you are asked for is a password. Type it in (remember, in most Linux terminal software that cares about you, you see no feedback while typing a password) and then retype it.
You'll get asked for your name, room number, work & home phone and other details. You can skip them. Finally you get a chance to review what you typed in. Confirm by typing "Y" and pressing Enter.
Next order of business...
Add username to the sudo group.
If sudo is not available, install it first:
apt-get install sudo
It will take a couple of seconds to install sudo and then you are ready to run the command that will add our user to the sudo group.
apt-get install packagename will install the package with the name "packagename"; you will be using it a lot when setting up your servers. In the future, I will be adding a post about more of these commands, so feel free not to memorize it.
sudo usermod -aG sudo username
Remember to substitute username with your username.
Now exit your SSH session and start it again (preferably without looking at the first part of the series :D ), only this time you will log in with the newly created user!
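The same user-creation steps as a script, added here as an example and not part of the original post: it runs adduser without the chfn prompts, appends the sudo group, and checks the membership in the group file before you drop the root session, so a mistyped name cannot lock you out of administration. It assumes Debian/Ubuntu tools (adduser, usermod, getent) and uses the post's "username" placeholder; the group file at the end is a constructed sample, not the live /etc/group.

```shell
#!/bin/sh
# Added example, not from the original post: create the standard user and add it
# to the sudo group non-interactively, then confirm the membership BEFORE closing
# the root session, so a mistyped name cannot lock you out of administration.
# Assumes Debian/Ubuntu tools (adduser, usermod, getent); "username" is the
# placeholder the post uses.

# in_group_file GROUP USER FILE: succeed if USER is listed as a member of GROUP
# in an /etc/group-style file (name:password:gid:member1,member2,...).
# Members are compared whole, so "ali" does not match "alice".
in_group_file() {
    awk -F: -v g="$1" -v u="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit !found }' "$3"
}

# add_admin_user USER: the post's adduser + usermod steps. -a matters: plain
# "usermod -G sudo" would REPLACE the user's supplementary groups, not add one.
add_admin_user() {
    adduser --disabled-password --gecos "" "$1"    # skips the Full Name/Room prompts
    passwd "$1"                                    # set the password interactively
    getent group sudo >/dev/null || apt-get install -y sudo
    usermod -aG sudo "$1"
    in_group_file sudo "$1" /etc/group             # verify against the live group file
}

# Constructed sample group database, used here instead of the live /etc/group.
SAMPLE=$(mktemp)
printf 'root:x:0:\nsudo:x:27:alice,bob\nusername:x:1001:\n' > "$SAMPLE"
for u in alice username; do
    if in_group_file sudo "$u" "$SAMPLE"; then
        echo "$u: in sudo group, safe to close the root session"
    else
        echo "$u: NOT in sudo group, keep the root session open"
    fi
done
rm -f "$SAMPLE"
```

Run add_admin_user as root on the server; the sample loop at the bottom only exercises the membership check.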
Changing the SSH port and disabling root logins
Changing the SSH port is completely optional, but it adds an extra layer of security (some argue it's security through obscurity, so not really security. I won't argue about this; we are here to learn a couple of things).
However, disabling root logins is 100% recommended and in fact required as a first step to a more secure server.
Now, we need a program named nano. It is the "notepad" equivalent on Linux servers. Other alternatives are vim and pico (although I think the pico project is dead).
We will edit the sshd_config file, which is the configuration file for the SSH server.
Type sudo nano /etc/ssh/sshd_config and press Enter. You will be asked for your password; type it in. nano should now be open.
If you read "nano: not found" or something like that, run sudo apt-get install nano, wait for it to finish and type sudo nano /etc/ssh/sshd_config again.
You will be looking at something like this:
Locate the line that reads Port 22, and change 22 to a port of your liking, preferably something large (such as 30912). The maximum port number you can use is 65535.
Then, locate the line #PermitRootLogin yes and change it to PermitRootLogin no (notice, I removed the # as well).
Close nano by saving the changes (Control+X, then press Y, and Enter), and then restart the SSH service by typing "sudo service ssh restart".
Then, start another SSH session WITHOUT closing the current one, to make sure that everything went smoothly. This time, next to the hostname field in PuTTY, change the port from 22 to the port number you used on sshd_config.
If everything went fine, you will get a prompt asking you to login. Login, and then go ahead and exit the old SSH session.
If not, redo the change-port process and choose another number, as some other service probably uses that port.
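The same two sshd_config edits done with a script instead of nano, added here as an example that is not part of the original post. It adds the check a careful admin wants between "save" and "restart": sshd -t must accept the file, otherwise the service is left untouched, because restarting sshd on a broken config is a reliable way to lock yourself out. It assumes Debian/Ubuntu paths and the stock file's "KEY value" / "#KEY value" line style; the port 30912 is the post's example value and the demo file at the end is a constructed fragment, not the live config.

```shell
#!/bin/sh
# Added example, not from the original post: make the two sshd_config edits the
# post describes with a script instead of nano, and refuse to restart sshd unless
# `sshd -t` accepts the file, since a broken config plus a restart locks you out.
# Assumes Debian/Ubuntu paths and "KEY value" / "#KEY value" lines (the stock
# file's style); the port 30912 is the post's example value.

# valid_port N: digits only, 1..65535 (the maximum the post mentions).
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# set_sshd_option FILE KEY VALUE: rewrite the first "KEY ..." or "#KEY ..." line
# as "KEY VALUE" (uncommenting it, as the post does for PermitRootLogin), or
# append the line if the key is absent. Writing through cat keeps the file's
# owner and mode, which a mv of the temp file would not.
set_sshd_option() {
    _file=$1; _key=$2; _value=$3; _tmp=$(mktemp)
    awk -v k="$_key" -v v="$_value" '
        !hit && $1 ~ ("^#?" k "$") { print k " " v; hit = 1; next }
        { print }
        END { if (!hit) print k " " v }' "$_file" > "$_tmp" && cat "$_tmp" > "$_file"
    rm -f "$_tmp"
}

# harden_sshd_config FILE PORT: the post's two changes, with the port checked.
harden_sshd_config() {
    valid_port "$2" || { echo "invalid port: $2" >&2; return 1; }
    set_sshd_option "$1" Port "$2"
    set_sshd_option "$1" PermitRootLogin no
}

# apply_live PORT: back up, edit, test, restart (run as root / via sudo). Keep the
# current session open and log in on PORT in a second one before closing it.
apply_live() {
    cp /etc/ssh/sshd_config "/etc/ssh/sshd_config.bak.$(date +%s)"
    harden_sshd_config /etc/ssh/sshd_config "$1" || return 1
    sshd -t && service ssh restart      # no restart if the config fails to parse
}

# Demo on a constructed copy of the relevant lines, not the live file.
DEMO=$(mktemp)
printf '#Port 22\n#AddressFamily any\nPermitRootLogin yes\n' > "$DEMO"
harden_sshd_config "$DEMO" 30912
cat "$DEMO"        # shows: Port 30912 / #AddressFamily any / PermitRootLogin no
rm -f "$DEMO"
```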
Click here for the next part of the series, Basic Server Security Part 2
Next time we will go ahead and configure a firewall, a failed-login monitor, and we will setup key authentication, to login without passwords.
Thank you for reading. If you liked my small tutorial, or have any questions, feel free to leave a comment.
If you need a place to host your servers consider Vultr, Digital Ocean and BuyVM.
These are affiliate links. If you sign up through them, you support me and I will have more free time to write more content like this.
Also, if you sign up for Digital Ocean through my affiliate link, you will get $10 to try them out. Note: to battle abusers of this offer, you'll have to make a $5 deposit via Paypal or add your credit/debit card, so they can confirm that you are a new user. I did a deposit via Paypal to test them out, and then I added my credit card so I won't have to deposit money manually every now and then.
good
You do a good post, congratulations.
Post updated to clarify a little bit more what to change, in order to change the SSH port number, added maximum port number.
Congratulations! This post has been upvoted from the communal account, @minnowsupport, by dimitrisp from the Minnow Support Project. It's a witness project run by aggroed, ausbitbank, teamsteem, theprophet0, and someguy123. The goal is to help Steemit grow by supporting Minnows and creating a social network. Please find us in the Peace, Abundance, and Liberty Network (PALnet) Discord Channel. It's a completely public and open space to all members of the Steemit community who voluntarily choose to be there.
If you like what we're doing please upvote this comment so we can continue to build the community account that's supporting all members.