Introduction
A few mouse clicks and several minutes are enough to get Ubuntu server in Serverspace cloud.
After server installation:
- root account is only existing;
- standard port 22 is in use for SSH server;
- no firewall in the OS;
- time zone is UTC.
It is recommended to perform several actions to increase security:
- there is no need to use root account for regular tasks because of chances to damage OS when running wrong command (either typo or some configuration misunderstanding). Instead, new regular user should be created and granted administrative permissions. Also, many attackers are searching servers in internet for opened port 22 and try to brute root password – common recommendation is disabling connection for root in SSH config and connect with regular user;
- change SSH port from 22 to unused one – it will decrease amount of connection attempts from outside;
- install UFW (Uncomplicated FireWall) to restrict unwanted connections to your server;
- set proper time zone to get correct time of events when analyzing system logs.
Creating new user and granting permissions
Connect to the server with root account:
ssh root@server_ip
Run this command to create new regular user:
useradd -m -s /bin/bash myuser
It will add user with name myuser to the system (option "-m" is used to create home directory).
Set a complex password:
passwd myuser
Characters entered will not be visible (security reason) and it must be entered twice to ensure new password is set correctly.
Using utility “sudo” is a way to provide administrative privileges for a regular user. Ubuntu has the user group named “sudo” by default and user from this group can run any command (typing sudo prior desired command). It is enough to add new user to this group:
usermod -aG sudo myuser
Disconnect from the server and connect again with new user:
ssh myuser@server_ip
Check if sudo is available:
sudo less /etc/sudoers
Content of the file /etc/sudoers should be shown on the screen. It means myuser has needed permissions. root user can be disabled – next paragraph shows modifying SSHProtocol for secure access to remote systemsLearn more server config file.
Making changes in SSH server config file
Edit file /etc/ssh/sshd_config in your preferable text editor, e.g. in nano:
sudo nano /etc/ssh/sshd_config
Find the commented string with port assignment "#Port 22":
Uncomment it and set another port number (the one which is not used in the system), e.g., 4680:
Next, in section "Authentication" find the string "PermitRootLogin prohibit-password" and replace it with "PermitRootLogin no":
Save the changes and close the file. Restart SSH server to apply changes:
systemctl restart sshd.service
Try to login with root account and port 4680:
ssh root@server_ip -p 4680
You will get error message because root is not allowed to connect anymore. Connect with myuser:
ssh myuser@server_ip -p 4680
The connection should be allowed.
Installing UFW
New installed Ubuntu server has no firewall rules by default and connections from outside are not restricted. UFW is used to create the rules, installation is simple:
sudo apt update && sudo apt install ufw
After installation UFW is not enabled:
Create new rule to allow port 4680 for SSH connections (replace with your port if differs):
sudo ufw allow 4680/tcp comment 'Allow SSH connections'
Enable UFW:
sudo ufw enable
Check the status – it will show current status and created rule also:
Other services and ports can be added in the same way, e.g., to add port 443 for NGINX:
sudo ufw allow 443/tcp comment 'Allow HTTPS'
There is additional our publication where is described how to use UFW – Common UFW commands
Setting time zone
Check current time settings:
timedatectl
Currently it is UTC. Available time zones are shown with the command:
timedatectl list-timezones
Chose desire one to set. For example, you need to set time zone for Chicago then run:
sudo timedatectl set-timezone "America/Chicago"
Check current time zone once again:
Now events in system logs have proper time registration.
