One of the most important tasks when setting up any new public-facing server is making sure it is secure.
Before proceeding, I want to point out that I'm fully aware of SSH keys and their purpose; however, this guide is a basic, low-level set of steps to secure your server. I choose to adopt this method over keys as a matter of preference because, just like everything else, SSH keys versus passwords have pros and cons.
Pre-requisites for this guide
- A server running Ubuntu 16 or above (Linode)
- Root access
For the purpose of this guide I’ve chosen a Nanode VPS from Linode in their London, UK data centre which includes:
- 1GB RAM
- 1 vCPU
- 1TB bandwidth
- Ubuntu 18.04
Step 1: Create a new user with sudo privileges
The first thing I do whenever I'm provisioning a new server for any purpose is secure access to it. To do this, I'm going to create a new user account called 'admin' with sudo privileges, which will be the only account used for logging in and running commands. Remote root login will then be disabled.
Run the adduser command, then follow the on-screen prompts to set a strong password (it is the only thing protecting this account, since we are not using keys) and any other information if necessary.
sudo adduser admin
Now that we've set up the 'admin' user, it's time to give it sudo privileges by adding it to the 'sudo' group.
sudo usermod -aG sudo admin
You've now created a new user called 'admin' with sudo privileges, which you will use for SSH access from now on.
Note: test the new user before proceeding any further by opening a second SSH session to your server and running a command with sudo. Keep your original session open until that works; the rest of this guide changes how you log in, and an open session is your way back in if something goes wrong.
Step 2: Change default SSH port
It's likely that soon (if not already) automated scanners will find your server's IP address and start brute-forcing SSH on port 22. So, we're going to change the listening port for SSH from port 22 to 22334. Note that this does not stop a targeted attacker, as a port scan finds the new port in seconds; what it does is cut the volume of automated login attempts hitting your server and filling your logs.
sudo nano /etc/ssh/sshd_config
As you make your way down the config you'll see that the line for the port number is commented out (#Port 22). Simply uncomment it, change the port number to 22334 and save the file. If you have an unprivileged port in mind instead, avoid anything another service on the box already listens on.
Now that the port number has been changed, let's disable remote root access before opening a new session on the new port, as we're currently connected on port 22.
Step 3: Disable remote root access
It goes without saying, but you really do not want anyone getting unauthorised access to your server, especially root access. Root is the one username every attacker already knows exists, so refusing remote root logins outright removes the most obvious target; let's prevent that from happening.
To do this we’re going to edit the 'sshd_config' file again.
sudo nano /etc/ssh/sshd_config
This time we're looking for the line that reads
PermitRootLogin yes
and we're simply going to change it to
PermitRootLogin no
These changes will not take effect until you restart the sshd service. Restarting does not drop your existing session, so you keep your way back in while you test.
sudo service sshd restart
Now we can test the new port number and log in with the 'admin' user from a new session. Only close the original session once this works; if the new login fails, fix the config from the session you still have.
- If using PuTTY on Windows: enter port 22334 in the port field.
- If using the terminal on Mac or Linux (replace <server-ip> with your server's IP address):
ssh -p 22334 admin@<server-ip>
Step 4: Configure the Linux firewall (ufw)
Ubuntu ships with ufw pre-installed; however, if for some reason you don't have the package, you can install it using apt-get.
sudo apt-get install ufw
Now let's set the default inbound policy to deny traffic unless it is explicitly allowed. (Outbound traffic is allowed by default, which is what you want for package updates.)
sudo ufw default deny incoming
If you enabled the firewall at this stage it would block every inbound connection, including SSH on your new port, so hold on until we've added the rule for it.
Let's allow inbound access to your newly configured port (22334). SSH only uses TCP, so you can tighten the rule by appending /tcp to the port; ufw also has a 'limit' action that blocks an IP after repeated connection attempts in a short window, which is worth using on the SSH port since we are still relying on passwords.
sudo ufw allow 22334
Finally we need to enable the firewall. ufw will warn that this may disrupt existing SSH connections; that is fine as long as the rule for port 22334 is in place. Confirm the active rules afterwards with ufw's status output.
sudo ufw enable
That's it. You now have a server that can only be accessed on a custom port, as a non-root user, through a firewall that denies everything else inbound. Bear in mind that password authentication is still enabled, so brute-force attempts remain possible against port 22334 and the strength of the 'admin' password is what you are relying on.
I'll likely add other security measures in the future. This guide is just an entry-level overview for securing your server at a basic level.
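For readers who would rather apply Steps 1 to 4 in one repeatable go, here is an added example script (my own, not from the original post). It assumes the guide's names ('admin', port 22334) as overridable defaults, uses the hypothetical function names set_sshd_option, effective_setting and valid_port, and adds three checks the manual steps lack: it backs up sshd_config, refuses to restart sshd if the edited config fails sshd's own syntax check, and opens the new port in ufw (TCP only, rate-limited with ufw limit) before sshd moves to it. It also places each new setting at the top of sshd_config rather than at the end, because sshd takes the first value it sees and a line appended after a Match block would apply only to matched connections.

```bash
#!/usr/bin/env bash
# harden-ssh.sh: Steps 1 to 4 of the guide as one script (added example; assumed names).
# Run as root from an existing SSH session and keep that session open until a NEW login works:
#   sudo ADMIN_USER=admin SSH_PORT=22334 bash harden-ssh.sh --apply
set -euo pipefail

ADMIN_USER="${ADMIN_USER:-admin}"                      # assumed default, matches the guide
SSH_PORT="${SSH_PORT:-22334}"                          # assumed default, matches the guide
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"

# True if $1 is an integer in 1..65535.
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Set KEY to VALUE in an sshd_config-style file so exactly one active line defines it.
# Active lines for KEY are removed (commented ones stay as documentation) and the new line
# goes at the top: sshd uses the first value it sees, and a line appended at the end could
# land inside a Match block and apply only to matched connections.
set_sshd_option() {
  local cfg="$1" key="$2" value="$3" tmp
  tmp="$(mktemp)"
  {
    printf '%s %s\n' "$key" "$value"
    grep -Eiv "^[[:space:]]*${key}[[:space:]]" "$cfg" || true
  } >"$tmp"
  cat "$tmp" >"$cfg"     # overwrite in place, preserving the file's owner and mode
  rm -f "$tmp"
}

# Print the global value sshd would use for KEY: first active match, stopping at any Match block.
effective_setting() {
  local cfg="$1" key="$2"
  awk -v k="$key" '
    tolower($1) == "match"    { exit }
    tolower($1) == tolower(k) { print $2; exit }
  ' "$cfg"
}

apply_hardening() {
  [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
  valid_port "$SSH_PORT" || { echo "invalid port: $SSH_PORT" >&2; return 1; }

  # Step 1: sudo-capable admin user (adduser prompts for a password if the user is new).
  id "$ADMIN_USER" >/dev/null 2>&1 || adduser --gecos "" "$ADMIN_USER"
  usermod -aG sudo "$ADMIN_USER"

  # Step 4, rules only (firewall not yet enabled): deny inbound by default, allow the new
  # SSH port on TCP only, rate-limited (ufw limit blocks an IP making 6+ attempts in 30 s).
  ufw default deny incoming
  ufw default allow outgoing
  ufw limit "${SSH_PORT}/tcp"

  # Steps 2 and 3: move the port and disable root login, with a backup and a syntax check.
  cp -a "$SSHD_CONFIG" "${SSHD_CONFIG}.bak.$(date +%Y%m%d%H%M%S)"
  set_sshd_option "$SSHD_CONFIG" Port "$SSH_PORT"
  set_sshd_option "$SSHD_CONFIG" PermitRootLogin no
  sshd -t -f "$SSHD_CONFIG"    # a broken config must never reach restart: that is how you get locked out
  systemctl restart ssh        # the current session survives; test a NEW one before closing it

  # Enable the firewall last, once the port it allows is the one sshd actually listens on.
  ufw --force enable
  ufw status verbose
}

# Only act when explicitly asked; running or sourcing without --apply just defines the functions.
if [ "${1:-}" = "--apply" ]; then
  apply_hardening
fi
```

The helpers work on any file path, so you can dry-run the config rewrite against a copy of sshd_config and inspect the result with effective_setting before touching the real one. Note that ufw's limit action is stricter than the plain ufw allow in Step 4 and will lock out a legitimate user who mistypes their password several times in quick succession; use allow instead if that is a problem for you.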