Basic setup
Time to log in!
(replace IP with your server's IP or FQDN)
Confirm the authenticity of the fingerprint, type the password, and here you are: a shell as root.
First things first:
Using a separate account
If you know a bit about GNU/Linux, you know that root is the "full access" account, the one that can do everything on the system. With so much power, you can guess that many bots and other intrusion attempts try to log in as root. So we are going to create a "normal" user account, give it sudo power, and then deactivate root login in OpenSSH.
(replace "hermes" with the user name of your choice, and try to avoid "server", "admin" and other common account names)
When asked for the password, choose a good password: at least 6 characters long, mixing upper and lower case, with numbers and special characters. "I am the Master of the Universe!" is a good one; your birth date or pet's name isn't.
Of course you have to remember the password; don't write it anywhere. Leave the rest blank (full name, room number, ...).
This adds your user account to the "sudo" group, which will allow it to execute administrative commands.
Log out from server.
Login as the created user account.
This lists the root folder, just to make sure the account can use "sudo" commands.
Deactivating remote root login
Once you're sure you can run "sudo" commands, it's time to prevent root login on OpenSSH. To do this we will use VIM: a console text editor.
To activate the "insertion" mode, press the "i" key. To exit the mode, press the "Esc" key. To write to disk (save), enter ":w" and press Enter. To exit VIM, enter ":q" and press Enter. Get it?
Now look for this line with the arrow keys:
Activate insertion mode, change "yes" into "no", exit the mode, save, exit VIM. On the keyboard: "i del del del 'no' Esc :w Enter :q Enter". Take your time.
Upgrading the system
To make sure your server is running the newest software, upgrade it.
sudo apt-get update && sudo apt-get dist-upgrade -y
Reinforcing server security
Ubuntu provides fairly recent and safe software, but the server has to stay up to date and should be able to block floods of login attempts. Let's prepare it for the next step too (PPA).
sudo apt-get install unattended-upgrades fail2ban software-properties-common
Now, let's configure the unattended-upgrades.
sudo dpkg-reconfigure -plow unattended-upgrades
Select "yes" for updating stable packages.
sudo vim /etc/apt/apt.conf.d/50unattended-upgrades
Look for this line:
// "${distro_id}:${distro_codename}-updates";
Change it like this (just remove the // ):
"${distro_id}:${distro_codename}-updates";
You can set autoreboot to true if you want to, but I don't recommend it, since it can make the server reboot at a moment when it is very much needed. Most of the time a reboot is required for kernel updates, but this happens only once in 2-4 months anyway.
By default fail2ban denies connections for 10 minutes after 6 wrong login attempts. Together with a non-standard username and a good password, getting into your server would take... at least a few centuries, I guess.
If you want to set it even stronger, edit "/etc/fail2ban/jail.conf".
So you have installed "software-properties-common": this brings in "python-software-properties", and these 2 are needed to run the next command:
sudo add-apt-repository ppa:cherokee-webserver/ppa
Confirm the repository addition. Let's finish this step with this:
and a little reboot:
In the next post, we are going to install and configure the web server: Cherokee!
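The two configuration edits from "Deactivating remote root login" and "Reinforcing server security" can be verified with a short script; this is an added example, not part of the original post. It assumes the line edited in the OpenSSH configuration is the PermitRootLogin keyword in /etc/ssh/sshd_config (the post does not show it), and the function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the original post): check the two config edits.

# Print the global PermitRootLogin value from an sshd_config file.
# sshd honours the FIRST occurrence of a keyword and treats keywords
# case-insensitively; lines after "Match" are conditional, so stop there.
root_login_setting() {
    awk '
        $1 ~ /^#/ || NF == 0             { next }
        tolower($1) == "match"           { exit }
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Succeed only if the "-updates" origin line exists and is not "//"-commented.
updates_origin_enabled() {
    grep -v '^[[:space:]]*//' "$1" |
        grep -Fq '"${distro_id}:${distro_codename}-updates";'
}

# Report both checks; a non-zero return means at least one edit is missing.
audit() {
    rc=0
    val=$(root_login_setting "$1")
    if [ "$val" = no ]; then echo "OK   root login over SSH is disabled"
    else echo "FAIL PermitRootLogin is '$val' in $1"; rc=1; fi
    if updates_origin_enabled "$2"; then echo "OK   -updates origin is enabled"
    else echo "FAIL -updates origin is still commented out in $2"; rc=1; fi
    return $rc
}

# Constructed sample files so the script runs anywhere; on the server call
#   audit /etc/ssh/sshd_config /etc/apt/apt.conf.d/50unattended-upgrades
demo=$(mktemp -d)
printf '%s\n' '#PermitRootLogin yes' 'Port 22' 'permitrootlogin no' \
    'PermitRootLogin yes' > "$demo/sshd_config"
printf '%s\n' 'Unattended-Upgrade::Allowed-Origins {' \
    '//  "${distro_id}:${distro_codename}-updates";' '};' > "$demo/50unattended"
audit "$demo/sshd_config" "$demo/50unattended" || echo "audit failed (expected here)"
rm -rf "$demo"
```

The parser reads a single file and does not follow Include directives; on a live server, `sudo sshd -T` prints the effective configuration that the daemon will actually use.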