Recommended installs
sudo apt update -yq && sudo apt upgrade -y && sudo apt install nginx fail2ban htop supervisor screen iptables-persistent mc -y
- nginx – reverse proxy
- fail2ban – scans logs, bans failed password attempts
- htop – pretty process viewer
- supervisor – monitors and controls applications
- screen – manage persistent virtual terminals on server
- iptables-persistent – automatically loads saved firewall rules from /etc/iptables/rules.v4 for IPv4 and /etc/iptables/rules.v6 for IPv6. Reload iptables rules with
netfilter-persistent reload
Try
iptables -L
and you should see your rules in the output.
Disable root login
- Log in to the server as root
ssh root@hostname
- Add new user
adduser foobar
- Add root access for your user
visudo
Below # User privilege specification add line:
foobar ALL=(ALL:ALL) ALL
Save file and exit.
- Configure ssh
Edit /etc/ssh/sshd_config. Add the following lines at the end of the file.
# disables root login
PermitRootLogin no
UseDNS no
AllowUsers foobar
- Save file and exit, reload ssh
service ssh reload
Now you should be able to log in as foobar, and not as root.
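The step above appends settings at the end of sshd_config, but for keywords such as PermitRootLogin sshd uses the first value it reads, so an earlier uncommented line wins over the appended one. The script below is an added example, not part of the original page, that reports the effective value; the function names and the sample file are constructed, and it assumes plain "Keyword value" lines without following Include files or Match blocks.

```shell
#!/bin/sh
# Added example (not from the original page).
# effective_sshd_value FILE KEYWORD
#   Prints the value sshd would take for a single-valued KEYWORD such as
#   PermitRootLogin or UseDNS: the first uncommented occurrence wins.
#   Assumptions: "Keyword value" syntax only; Include files are not
#   followed; scanning stops at the first Match block.
effective_sshd_value() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ || /^[ \t]*$/ { next }    # comment or blank line
        tolower($1) == "match" { exit }      # end of the global section
        tolower($1) == want {
            sub(/^[ \t]*[^ \t]+[ \t]+/, "")  # drop keyword, keep argument
            sub(/[ \t]+#.*$/, "")            # drop a trailing comment
            print
            exit
        }
    ' "$1"
}

# check_root_login_disabled FILE: returns 0 only if the effective value is "no".
check_root_login_disabled() {
    val=$(effective_sshd_value "$1" PermitRootLogin | tr 'A-Z' 'a-z')
    case "$val" in
        no) echo "OK: root login disabled"; return 0 ;;
        "") echo "WARN: PermitRootLogin not set, built-in default applies"; return 1 ;;
        *)  echo "FAIL: effective PermitRootLogin is '$val'"; return 1 ;;
    esac
}

# Constructed sample: a stock "yes" near the top, the page's lines appended.
sample=$(mktemp)
printf '%s\n' 'Port 22' 'PermitRootLogin yes' '' \
    '# appended at the end of the file' \
    'PermitRootLogin no' 'UseDNS no' 'AllowUsers foobar' > "$sample"
check_root_login_disabled "$sample" ||
    echo "Edit the earlier PermitRootLogin line instead of appending a second one"
rm -f "$sample"
```

On the server itself, sudo sshd -t checks the file for errors before the reload, and sudo sshd -T prints the settings sshd will actually use.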
Change SSH port
Not necessary, but preferable as a security measure. Keeps your /var/log/auth.log less crowded with strange login attempts.
- Edit /etc/ssh/sshd_config again.
nano /etc/ssh/sshd_config
- Locate line
# Port 22
Remove # and change 22 to another port
- Save file and exit, reload ssh
service ssh reload
- Log in to your server
ssh foobar@hostname -p <your_new_ssh_port>
Configure passwordless login
- Create ssh key on your local machine
ssh-keygen -t rsa
- Create .ssh/authorized_keys on your server
ssh foobar@hostname 'mkdir -p .ssh && chmod 700 .ssh && touch .ssh/authorized_keys && chmod 600 .ssh/authorized_keys'
- Copy your ssh key directly to your server
cat ~/.ssh/id_rsa.pub | ssh foobar@hostname 'cat >> .ssh/authorized_keys'
- Try to log in again. The server shouldn’t require a password.