Recommended installs
sudo apt update -yq && sudo apt upgrade -y && sudo apt install nginx fail2ban htop supervisor screen iptables-persistent mc -y- nginx – reverse proxy
- fail2ban – scans logs, bans failed password attempts
- htop – pretty process viewer
- supervisor– monitors and controls applications
- screen – manage persistent virtual terminals on server
- iptables-persistent – Persistent iptables take care of automatic loading of saved firewall rules from /etc/iptables/rules.v4 for IPv4 and /etc/iptables/rules.v6 for IPv6. Reload iptables rules with
netfilter-persistent reload. Tryiptables -L, and you should see your rules in output.
Disable root login
- Login to server as root
ssh root@hostname - Add new user
adduser foobar - Add root access for your user
visudoBelow # User privilege specification add line:
foobar ALL=(ALL:ALL) ALLSave file and exit.
- Configure ssh
Edit/etc/ssh/sshd_config. Add following lines at the end of file.PermitRootLogin no # disables root login UseDNS no AllowUsers foobar - Save file and exit, reload ssh
service ssh reload
Now you should be able to login with foobar, and not with root.
Change SSH port
Not necessary, but preferable as a security measure. Keeps your /var/log/auth.log less crowded with strange login attempts.
- Edit
/etc/ssh/sshd_configagain.nano /etc/ssh/sshd_config - Locate line
# Port 22
Remove # and change 22 to another port - Save file and exit, reload ssh
service ssh reload - Login to your server
ssh root@hostname -p <your_new_ssh_port>
Configure passwordless login
- Create ssh key on your local machine
ssh-keygen -t rsa - Create .ssh/authorized_keys on your server
ssh foobar@hostname 'mkdir .ssh | touch .ssh/authorized_keys' - Copy your ssh key directly to your server
cat ~/.ssh/id_rsa.pub | ssh foobar@hostname 'cat >> .ssh/authorized_keys' - Try to login again. Server shouldn’t require a password.