When I was writing the guide about setting up Classicpress/Wordpress on Ubuntu, I discovered there should be a proper initial configuration for your new Ubuntu Image, which not only help in tightening your server security but also help in increasing the reliability of the server.
Prerequisite
You need to be able to access the terminal via SSH. If you are coming from the guide I linked to above, you don't have to do anything, just follow on, and if otherwise, please go to the section in Creating a Droplet on DigitalOcean/Creating an SSH in this guide:
How To Setup Classicpress on Ubuntu 16.04 Using VestaCP at Digital Ocean
Let's get started...
Step 1: Login as Root
To login as root, You will need to know your server's public IP address and your password.
If you are using an SSH key for authentication, you will need the private key, and the passkey for the SSH Key, which is covered in Connecting Your Droplet With Putty on Windows, If you are on Mac or GNU/Linux, follow this guide instead: How to Connect to your Droplet with OpenSSH
Putty prompting for passkey of user root ↑
Successfully logged in as root ↑
The root user is the default administrative user in a GNU/Linux environment system that has the most superior privileges. The best practice is to disallow root to log in over SSH or password and create a new user that would act in place of the root, you will still be able to perform the root privileges with some steps in place.
The main reason why you shouldn't use root is that there are lots of bots that try to take advantage of the root, they try guessing if you are using the root user and then they enter some guessed password. I see this in my logs every time.
Let's create a new user...
Tips: Don't use a generic username like "admin" "administration", "mum", "dad", "love", etc, choose something unique
Step 2: Create a new user With Sudo Privileges
First, log in as root, which we've done above.
Add a new user, I will be using "nothingcomeseasy20"
adduser nothingcomeseasy20
You will be prompted to create a new Unix Password for the new user, use Password generator to generate a complex password:
You will be asked to retype the passkey for verification
Add your details, the only thing I fill is my name, I keep entering enter for the other fields, when you are done, enter Y to verify your details:
fill your name
Once your new user is created, let's add sudo privileges, this way we can perform administrative tasks with the sudo command, this is also known as a superuser or root privileges for the new user account.
Give it a superuser privileges by running the following command:
usermod -aG sudo nothingcomeseasy20
Remember to replace nothingcomeseasy20 user with your own user.
You should only log into your ubuntu server using this new user.
Before we do, let's create a new ssh key for the new user
Step 3: Create a New SSh Key for The New User (Recommended)
It is highly recommended you set up a public ssh key for your new user, this would make your server secure.
I am on windows, so, I will be using Putty.
Search for PuTTYgen or locate it inside this folder: C:\Program Files\PuTTYand open puttygen.exe
Go to this folder on a 32-bit system: C:\Program Files (x86)\PuTTY
Click Generate and move your mouse randomly over the blank area. This is called the entropy of mouse motion, bring in thousands of users, and no one would ever predict your mouse movement, this means no one can reproduce your keys. If you are curious you can read this StackExchange answer .
Your key looks like this, once it is generated:
The good thing is that you can also password protect your ssh key, by filling the Key passphrase field, this way, when someone gains access to your computer, they will need to provide a passphrase to access it and on top of that, you must provide this passphrase every time you use this key.
Note: Don't use a simple password or password you've used elsewhere, use something stronger, you can generate one here: Password generator
Once generated, store the password inside a private book at home, No, don't keep it on your PC.
Save your Private Keys in a folder in your local computer:
We are getting there!
Copy the Public Key and follow the next step:
There are different way to copy the public key to your server, let's go with a simpler method:
login as root, and switch to the newly created user. In my case, it is nothingcomeseasy20
su - nothingcomeseasy20
You should see something like this if you successfully switched to the new user:
You can see the new user as replaced root ↑
Now, create a new directory called .ssh and restrict its permissions using the following command:
mkdir ~/.ssh chmod 700 ~/.ssh
mkdir - this means, make a new directory called .ssh
~/ - This means the home directory
chmod 700 - the new user nothingcomeseasy20 can read, write and execute
The next step is to copy the public key we generated from putty into file authorized_key in the .ssh directory.
Go into .ssh directory using:
cd .ssh
create .authorized_keys & open authorized_keys file: (Note: You don't have to create a new file, using the below command would automatically do it for you)
nano ~/.ssh/authorized_keys
Paste the public key you generated from putty in the file: (Make sure you copy everything from Top to down in the Public Key box below)
Use Ctrl + X to exit, then press Y to save and lastly press the enter key to confirm.
Now, restrict the authorize_keys permission with the following command:
chmod 600 authorized_keys
You might get directory not found if you copy and paste the command above, type the above command by hand instead.
Return to the root user by typing the exit command:
Now, let's create a new session with the new key in Putty, close the current terminal and open Putty:
-
- Open PuTTy: Locate it inside this folder: C:\Program Files\PuTTY and open putty.exe, if you are on a 32-bit system, goto this folder C:\Program Files (x86)\PuTTY and open putty.exe
Open Putty.exe ↑
Putty window ↑
- Copy The Droplets IP: Copy your droplet IP address in the control panel, and paste it in the putty IP field:
Copy droplet IP in Digitalocean control panel ↑
Paste it in the field Hostname ↑
- Add SSH Key: Add the private ssh key we generated in putty
Add ssh authentication ↑
select private key we generated from putty the other time ↑
- Add New User: Let's add the new user to the Auto-login username field
Type in your new username ↑
- Lastly: Save your session for recurrent login
- Open PuTTy: Locate it inside this folder: C:\Program Files\PuTTY and open putty.exe, if you are on a 32-bit system, goto this folder C:\Program Files (x86)\PuTTY and open putty.exe
Once you are done with the above steps, you can open up putty and select your new session to access your server.
Let's try to connect the new session:
Open putty and open the new session: Mine is nothingcomeseasy session:
The reason why you would likely see this error is that the .ssh directly is still owned by the root administrator,
login as root and switch the user to your new user using:
su - nothingcomeseasy20
let change the new owner to our new user: using the following command:
chown nothingcomeseasy20:nothingcomeseasy20 ~/.ssh/authorized_keys -R
or
sudo chown -R nothingcomeseasy20:nothingcomeseasy20 ~/.ssh
You might get directory not found if you copy and paste the command above, type the above command by hand instead.
Now, try logging in again with the new user session
Enter the new user passkey ↑
Step 4: Disable Password Authentication
Since we can now login our new user with an ssh key, there is no point using a password, let's disable it.
Login to your server with the new user and open the sshd_config
sudo nano /etc/ssh/sshd_config
You might be prompted to verify the user, enter your passkey and you should be presented with the below image:
SSHD_CONFIG ↑
Press Ctrl + W and paste in PasswordAuthentication to find the line:
Change it's value to no, most times, it is changed by default, but it doesn't hurt to cross-check:
Use Ctrl + X to exit, then press Y to save and lastly press the enter key to confirm.
Restart sshd:
sudo systemctl reload sshd
Step 5: Disable root login with SSH
As said above, it is a best practice to disable root:
Open sshd_config using:
sudo nano /etc/ssh/sshd_config
Find this line: PermitRootLogin yes
and change it to: PermitRootLogin no
Restart the SSH daemon with: sudo service ssh restart
Lastly, let's finally set up a basic firewall to further secure our server:
Step 6: Setup The Ufw firewall in Ubuntu
By setting up a firewall, we would be able to control incoming and outgoing connections made to our server. By default, Ubuntu comes preloaded with an app that helps in configuring the firewall, it is known as ufw (uncomplicated firewall).
OpenSSH is the service that allows us to connect to our server, let us tell the firewall to allow SSH connections, so we won't be locked out of our server:
sudo ufw allow OpenSSH
If you get "-bash: ufw: command not found" it means ufw isn't installed, install it using the following command: sudo apt-get install ufw and then you retry the above command.
You can see the Rule as been Updated ↑
Now, enable the ufw firewall using sudo ufw enableand enter y to proceed:
Check the ufw status, and see the server allow to run:
sudo ufw status
ufw status ↑
Congratulation, you are finally done with the initial server setup, you can go on to install other services, control panel, and anything related in setting up your website/app.