One of the most important tasks when setting up any new public facing server is ensuring that it’s secure!
Before proceeding I want to point out that I’m fully aware of SSH keys and their purpose. In fact I use SSH keys over this method but I know some people don't require or prefer keys over passwords.
For the purpose of this guide I’ve chosen a Nanode VPS from Linode in their London, UK data centre which includes:
The first thing I do whenever I’m provisioning a new server for any purpose is secure access to it. To do this, I’m going to create a new user account called ‘admin’ with sudo privileges which will always be used for accessing the server and running commands. Remote root access will be disabled.
Run the adduser command then follow the on-screen prompts to set your password and other information if necessary.
sudo adduser admin
Now that we’ve setup the ‘admin’ user it’s time to give it sudo privileges.
sudo usermod -aG sudo admin
You’ve now created a new user called ‘admin’ with sudo privileges which will allow you to access your server via SSH.
Note: I would recommend testing the new user before proceeding any further by opening a new SSH session to your server.
It’s likely that soon (if not already) someone will capture your servers IP address and attempt to brute force port 22. So, we’re going to change the listening port for SSH from port 22 to 22334.
sudo nano /etc/ssh/sshd_config
As you make your way down the config you’ll see that the line for the port number is commented out. Simply uncomment, change the port number and save the file.
Now that we’ve changed the port number to something different lets disable remote root access before opening a new session with the new port as we’re currently connected on port 22.
It goes without saying but you really do not want anyone getting unauthorised and unwanted access to your server, especially root access so, lets prevent that from happening.
To do this we’re going to edit the ‘sshd_config’ file again.
sudo nano /etc/ssh/sshd_config
This time we’re looking for the line that reads
PermitRootLogin yes and we’re simply going to change it to
These changes will not take effect until you restart the sshd service.
sudo service sshd restart
Now we can test the new port number and login with the ‘admin’ user.
ssh -p 22334 [email protected]
Ubuntu ships with ufw pre-installed, however, if for some reason you don’t have the package installed you can install it using apt-get.
sudo apt-get install ufw
Now lets set the default inbound rule to deny traffic unless explicitly allowed.
sudo ufw default deny incoming
If at this stage you enable the firewall it will block all connections inbound including SSH (22), FTP (21), etc so hold on until we’ve created some more rules.
Lets enable your newly configured port (22334) for inbound access.
sudo ufw allow 22334
Finally we need to enable the firewall.
sudo ufw enable
That’s it. You now have a server that can only be accessed using a custom port and a non-root user.
I’ll likely add in some other measures of security in the future. This guide is just an entry overview for securing your server at a basic level.