When you create a new Ubuntu 16.04 server for the first time, you should take some configuration steps as part of the basic setup as early as possible. This will improve the security and availability of the server and lay a solid foundation for subsequent operations.
To log in to the server, you need to know the public IP address of the server. You will also need a password, or if you have an SSH key installed for authentication, the private key of the "root" user account.
If you are not already connected to your server, go ahead and log in as the root user using the following command (replace the highlighted word with your server's public IP address):

```
ssh root@your_server_ip
```
Complete the login process by accepting the warning about the authenticity of the host (if it appears), and then provide root authentication (password or private key). If this is the first time you use a password to log in to the server, the system will also prompt you to change the root password.
The root user is the administrative user in a Linux environment and has very broad privileges. Because of the heightened privileges of the root account, you are discouraged from using it on a regular basis: part of the inherent power of the root account is the ability to make very destructive changes, even by accident.
The next step is to set up an alternative user account with a reduced scope of influence for day-to-day work. We will show you how to gain increased privileges when you need them.
Once you are logged in as root, we are ready to add the new user account that we will use to log in from now on.
This example creates a new user called "sammy", but you should replace it with a username of your choice:

```
adduser sammy
```
You will be asked a few questions, starting with the account password.
Enter a strong password and, optionally, fill in any of the additional information. This is not required; just press ENTER to skip any field you want to leave empty.
Now we have a new user account with regular account permissions. However, we may sometimes need to perform administrative tasks.
To avoid having to log out of our normal user and log back in as the root account, we can set up what is known as "superuser" or root privileges for our normal account. This will allow our normal user to run commands with administrative privileges by putting the word `sudo` before each command.
To add these privileges to our new user, we need to add the new user to the "sudo" group. By default, on Ubuntu 16.04, users who belong to the "sudo" group are allowed to use the `sudo` command.
As root, run this command to add your new user to the sudo group (replace the highlighted word with your new user):

```
usermod -aG sudo sammy
```
Now your users can run commands with superuser privileges!
If you want to improve the security of your server, follow the remaining steps in this tutorial.
The next step in securing your server is to set up public key authentication for your new user. Setting this up will increase the security of your server by requiring a private SSH key to log in.
If you do not have an SSH key pair (including public and private keys), you need to generate a key pair. If you already have the key you want to use, please skip to the copy public key step.
To generate a new key pair, enter the following command at the terminal of your local machine (that is, your own computer):

```
ssh-keygen
```
Assuming your local user is called "localuser", you will see output that looks like the following:

```
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/localuser/.ssh/id_rsa):
```

Press ENTER to accept this file name and path (or enter a new name).
Next, you will be prompted for a passphrase to secure the key with. You may either enter a passphrase or leave the passphrase blank.
**Note:** If you leave the passphrase blank, you will be able to use the private key for authentication without entering a passphrase. If you enter a passphrase, you will need both the private key *and* the passphrase to log in. Securing your keys with a passphrase is more secure, but both methods have their uses and are more secure than basic password authentication.
This generates a private key, `id_rsa`, and a public key, `id_rsa.pub`, in the `.ssh` directory of localuser's home directory. Remember that the private key should not be shared with anyone who should not have access to your servers!
After generating the SSH key pair, you need to copy the public key to the new server. We will introduce two simple methods.
**Note:** The `ssh-copy-id` method will not work on DigitalOcean if an SSH key was selected during Droplet creation. This is because DigitalOcean disables password authentication when an SSH key is present, and `ssh-copy-id` relies on password authentication to copy the key.
If you are using DigitalOcean and selected an SSH key during Droplet creation, use Option 2 instead.
If your local machine has the `ssh-copy-id` script installed, you can use it to install your public key for any user that you have login credentials for.
Run the `ssh-copy-id` script by specifying the user and IP address of the server that you want to install the key on, like this:

```
ssh-copy-id sammy@your_server_ip
```
After providing your password at the prompt, your public key will be added to the remote user's `.ssh/authorized_keys` file. The corresponding private key can now be used to log in to the server.
Assuming you generated an SSH key pair using the previous step, use the following command at the terminal of your local machine to print your public key (`id_rsa.pub`):

```
cat ~/.ssh/id_rsa.pub
```
This should print your public SSH key, and it should resemble the following:
id_rsa.pub contentsssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBGTO0tsVejssuaYR5R3Y/i73SppJAhme1dH7W2c47d4gOqB4izP0+fRLfvbz/tnXFz4iOP/H6eCV05hqUhF+KYRxt9Y8tVMrpDZR2l75o6+xSbUOMu6xN+uVF0T9XzKcxmzTmnV7Na5up3QM3DoSRYX/EP3utr2+zAqpJIfKPLdA74w7g56oYWI9blpnpzxkEd3edVJOivUkpZ4JoenWManvIaSdMTJXMy3MtlQhva+j9CgguyVbUkdzK9KKEuah+pFZvaugtebsU+bllPTB0nlXGIJk98Ie9ZtxuY3nCKneB+KjKiXrAvXUPCI9mWkYS/1rggpFmu3HbXBnWSUdf [email protected]
Select the public key and copy it to the clipboard.
To enable the use of the SSH key to authenticate as the new remote user, you must add the public key to a special file in the user's home directory.
On the server, as the root user, enter the following command to temporarily switch to the new user (substitute your own username):

```
su - sammy
```
You will now enter the new user's home directory.
Create a new directory called `.ssh` and restrict its permissions with the following commands (note the space between the mode and the path):

```
mkdir ~/.ssh
chmod 700 ~/.ssh
```
Now open a file in `.ssh` called `authorized_keys` with a text editor. We will use `nano` to edit the file:

```
nano ~/.ssh/authorized_keys
```
Now insert the public key by pasting it into the editor (it should be in the clipboard).
Press CTRL-X to exit the file, then Y to save the changes that you made, then ENTER to confirm the file name.
Now restrict the permissions of the `authorized_keys` file with this command (again with a space between the mode and the path):

```
chmod 600 ~/.ssh/authorized_keys
```
Type this command once to return to the root user:

```
exit
```
Now that the public key is installed, you can use the SSH key to log in as a user.
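As an added example (not part of the original tutorial), the shell function below performs the manual installation from Option 2 in one idempotent step: it refuses anything that is not a single OpenSSH public-key line, creates `.ssh` with mode 700, appends the key only if it is not already present, and sets `authorized_keys` to mode 600. It takes the target home directory as an argument (an assumption made so it can be run against a scratch directory); the optional third argument is the owner to `chown` to when you run it as root instead of via `su - sammy`.

```shell
# install_authorized_key HOME_DIR PUBKEY_LINE [OWNER]
# Constructed example: installs one OpenSSH public key line into
# HOME_DIR/.ssh/authorized_keys with the 700/600 modes sshd expects.
# Returns 1 and changes nothing if PUBKEY_LINE is not a public key.
install_authorized_key() {
  home_dir="$1"
  pubkey="$2"
  owner="$3"
  ssh_dir="$home_dir/.ssh"
  auth_file="$ssh_dir/authorized_keys"

  # A public key line is "<type> <base64> [comment]". Anything else, such as
  # a pasted private key or a truncated clipboard paste, is refused.
  set -- $pubkey
  case "$1" in
    ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
    *) echo "refusing: not an OpenSSH public key line" >&2; return 1 ;;
  esac
  case "$2" in
    ''|*[!A-Za-z0-9+/=]*) echo "refusing: key material is not base64" >&2; return 1 ;;
  esac

  # Same steps as the tutorial: mkdir ~/.ssh, chmod 700, chmod 600 on the file.
  mkdir -p "$ssh_dir"
  chmod 700 "$ssh_dir"
  touch "$auth_file"
  chmod 600 "$auth_file"

  # Append only when the exact line is absent, so repeated runs add nothing.
  if ! grep -qxF "$pubkey" "$auth_file"; then
    printf '%s\n' "$pubkey" >> "$auth_file"
  fi

  # When run as root for another user, hand the files to that user; sshd
  # refuses keys in a directory the login user does not own (StrictModes).
  if [ -n "$owner" ]; then
    chown -R "$owner" "$ssh_dir"
  fi
}
```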
Next, we will show you how to improve server security by disabling password authentication.
Now that your new users can log in with SSH keys, you can increase the security of the server by disabling password-only authentication. Doing so will restrict SSH access to the server to only public key authentication. That is, the only way to log in to the server (except the console) is to have the private key paired with the installed public key.
**Note:** Only disable password authentication if you installed a public key for your user as recommended in step 4 of the previous section. Otherwise, you will lock yourself out of your server!
To disable password verification on the server, follow the steps below.
Open the SSH daemon configuration as root or as your new sudo user:

```
sudo nano /etc/ssh/sshd_config
```

Find the line that specifies `PasswordAuthentication`, uncomment it by deleting the preceding `#`, then change its value to "no". It should look like this after you have made the change:

```
PasswordAuthentication no
```
Here are two other settings that are important for key-only authentication and are set by default. If you have not modified this file before, you do not need to change these settings:

```
PubkeyAuthentication yes
ChallengeResponseAuthentication no
```
When you are finished making your changes, save and close the file using the method we went over earlier (CTRL-X, then Y, then ENTER).
Type this to reload the SSH daemon:

```
sudo systemctl reload sshd
```
Password authentication is now disabled. Your server is now only accessible with SSH key authentication.
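As an added example (not part of the original tutorial), the functions below apply the three settings from this section to an `sshd_config` file and read them back the way sshd does (the first uncommented occurrence of a keyword wins). They rewrite a commented-out `#PasswordAuthentication yes` line in place, which is what Ubuntu 16.04 ships, rather than appending a second directive after it, and append a directive only when it is absent. The config path is a parameter (an assumption) so the functions can be tried on a copy first.

```shell
# set_sshd_option CONF KEY VALUE
# Constructed example: rewrite the first line carrying KEY, whether it is
# commented out or active, as "KEY VALUE"; append it if no such line exists.
set_sshd_option() {
  conf="$1"; key="$2"; val="$3"
  awk -v k="$key" -v v="$val" '
    {
      line = $0
      sub(/^[ \t]*#?[ \t]*/, "", line)      # drop a leading "#" and whitespace
      if (!found && (line == k || index(line, k " ") == 1 || index(line, k "\t") == 1)) {
        print k " " v; found = 1; next
      }
      print
    }
    END { if (!found) print k " " v }      # directive missing: append it
  ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# sshd_option_value KEY CONF
# sshd uses the first value it sees for a keyword, so read it the same way.
sshd_option_value() {
  awk -v k="$1" '$1 == k { print $2; exit }' "$2"
}

# harden_sshd_config CONF
# Applies the three settings from this section and succeeds only if all
# three read back as intended.
harden_sshd_config() {
  conf="$1"
  set_sshd_option "$conf" PasswordAuthentication no
  set_sshd_option "$conf" PubkeyAuthentication yes
  set_sshd_option "$conf" ChallengeResponseAuthentication no
  [ "$(sshd_option_value PasswordAuthentication "$conf")" = no ] &&
  [ "$(sshd_option_value PubkeyAuthentication "$conf")" = yes ] &&
  [ "$(sshd_option_value ChallengeResponseAuthentication "$conf")" = no ]
}
```

Before `sudo systemctl reload sshd`, run `sudo sshd -t`, which exits non-zero on a syntax error in `/etc/ssh/sshd_config`; reloading with a broken file can leave the listener dead while your existing session keeps working, which is exactly what the login test in the next step is meant to catch.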
Now, before you log out of the server, you should test the new configuration. Please do not disconnect until you can successfully log in via SSH.
In a new terminal on your local machine, log in to your server using the new account that we created. To do this, use this command (substitute your username and server IP address):

```
ssh sammy@your_server_ip
```
If you added public key authentication to your user, as described in Step 4 and Step 5, your private key will be used for authentication. Otherwise, you will be prompted for your user's password.
**Note on key authentication:** If you created your key pair with a passphrase, you will be prompted to enter the passphrase for your key. Otherwise, if your key pair has no passphrase, you should be logged in to your server without a password.
Once authentication is provided to the server, you will log in as the new user.
Remember, if you need to run a command with root privileges, type "sudo" before it:

```
sudo command_to_run
```
Ubuntu 16.04 servers can use the UFW firewall to ensure that only certain services are allowed to connect. We can easily set up a basic firewall using this application.
Different applications can register their profiles with UFW upon installation. These profiles allow UFW to manage these applications by name. OpenSSH, the service that lets us connect to our server now, has a profile registered with UFW.
You can see this by typing:

```
sudo ufw app list
```

```
Available applications:
  OpenSSH
```
We need to make sure that the firewall allows SSH connections so that we can log back in next time. We can allow these connections by typing:

```
sudo ufw allow OpenSSH
```

Afterwards, we can enable the firewall by typing:

```
sudo ufw enable
```
Type "y" and press ENTER to proceed. You can see that SSH connections are still allowed by typing:

```
sudo ufw status
```

```
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
```
If you install and configure other services, you will need to adjust your firewall settings to allow acceptable traffic.
At this point, your server foundation is solid. You can now install any software you need on the server.
For more Ubuntu tutorials, please visit [Tencent Cloud + Community](https://cloud.tencent.com/developer?from=10680) to learn more.
Reference: "Initial Server Setup with Ubuntu 16.04"