Introduction
After installation Ubuntu Server 22.04 distribution kit, you have to do some steps to configure system security and for ease of use.
Stage 1 - Authorization with a Root account
We are going to deploy a clean server in the cloud server and "root" will be only available account. When you are going to create a server, there are two options of connection:
- By SSH-key;
- By login and password.
The “root” user has more privileges than regular users. When using some commands as root, they can lead to malfunctions. Usually a change in the configuration file, restarting services, opening ports, and others. For this reason, it is necessary to create a new user and execute commands using sudo. The risk will definitely decrease. Privileges and restrictions on the user are issued from the root side, using the usermod command.
If you are connecting via SSH-key you should use instructions on this topic. During the creation of the server use the login and password, a password for the root user will be generated, this connection method is considered less secure.
The connection to the server is as follows:
ssh root@ip_addressAfter that, you need to specify either a password, or there must be a corresponding key file in the .ssh directory. We agree with the authenticity of the server. Connecting with an SSH key may require a passphrase and must be entered.
In the next step, we will create a system user for use with certain privileges and restrictions on use.
Stage 2 – Adding a new system user
When you first log in as root, you should add a new user to the system using the command:
useradd -m test_userYou can replace test_user at your discretion. The -m switch creates a folder in the home directory for the test_user user and makes the user the owner.
You must set a password for the user:
passwd test_userWe enter a new password and confirm, you must use a complex password and write it down in your notes. The password will be required when using the sudo command.
Stage 3 – Granting administrative privileges
After creating a user, you need to add it to the sudo group. We use the command:
usermod -aG sudo test_serverThe "a" key indicates the addition, the "G" key indicates the group, followed by the name of the group and the user to be added.
When creating a user, there are no access rights and privileges. At normal times, you should restart the server, make changes to the configuration file of a particular or several services.
Stage 4 – Initial Basic Firewall Setup
Ufw is a firewall utility, each installed package is added to the ufw rule. Our SSH connection also goes through the corresponding ufw rule. Checking the status of applications is done as follows:
ufw statusIn the output, we get data about open ports and about applications that have been added to ufw.
The following command allows you to list applications that are currently running continuously with ufw
ufw app list#Output
Nginx Full
Nginx HTTP
Nginx HTTPS
OpenSSHTo make sure there are no problems connecting, let's allow OpenSSH connection by running the following command:
ufw allow OpenSSHTurn on the firewall and agree:
ufw enableLet's check the status of the application and the SSH connection is still up to date:
ufw status#Output
Status: active
To Action From
__ ________ _________
OpenSSH ALLOW AnywhereNow ufw blocks all external connections except OpenSSH.
Stage 5 – Permission to connect remotely to a user
Open a command prompt and enter the command:
ssh test_server@ip_addressYou must enter a password when creating an account. Let's execute the command using sudo (see Screen 1), for example:
sudo apt install neovim
After a user has been created, the default shell is the shell. If you need to change to bash, you can run the command:
sudo chsh -s /bin/bash test_serverYou should re-authorize as user test_user and check the command interpreter:
echo $0
#Output -bashWhen connecting via SSH key to root
The .ssh directory is stored in the user's root directory, the authorized_keys file in the directory is responsible for the SSH keys, you should copy and paste the file in the user's /home/test_server/.ssh/ directory.
It is more convenient to use rsync to change the path of the directory, the owner of the file while maintaining permissions:
rsync --archive --chown=test_server:test_server ~/.ssh /home/test_serverLet's connect:
ssh test_server@ip_addresThe connection will be successful, it remains only to work in the system for your own benefit!
Conclusions
- Ufw - helper for secure connections to the server.
- The SSH key does not allow connection to the server without a unique key.
- A user with sudo rights reduces the risk of errors in the operation of the server, compared to commands executed on behalf of root.
