In our previous articles we have been using root user, which is the first and only user created when the server is created. Now we will create a non-root user and lock down the server. The root user has gloabl access of the server and everything in the server. Root is often too powerful for standard operations, therefore we will create a non-root user. Besides creating a non-root user we will add our ssh keys to the server and modify the config files. As of right now if you followed this guide from the begining, our root user has a ssh key set-up if you added it when you created the server in Rackspace. (anchorlink to section) However, this will become ineffective once you lockdown server.
Part 1 - Adding a New User
To add a new user use the adduser command.
This will add a new user and group and directory with your new user name. It will ask for your password, password confimation and a few questions.
As root we will add the new user to the group sudo with the code below.
gpasswd -a 'newusername' sudo
Now your new user has super-user privileges.
Part 2 - SSH Authentication
Next, we will send our ssh key to the server. Exit server and type command below.
This will create your ssh folder on the server and will add your keys to the authorized_keys file. To test this ssh key use:
And you will see you are immediatly logged in without a password needed. With ssh access for our new user and super privileges we can now lockdown ssh.
Part 3 - Port Security
Ssh runs on port 22, however, this port is considered insecure for production use. We can change the port number to anytihng from port 1025 to port 65536. We will pick a four digit port. To change the port modify the the ssh_config file.
And we will change the port number in the line below. Or you can rem out the line below and add a new line with the new port number.
# What ports, IPs and protocols we listen for -> # What ports, IPs and protocols we listen for
Port 22 #Port 22
We will also disable remote or ssh root access. Please note this will make your root user access ineffect. To do this change the line below from yes to no.
Save and exit and restart ssh.
service ssh restart
From now on to ssh into the server using a non-standard port you must add the port into your ssh command. Otherwise you must add this port into your own local config file in your .ssh folder. Add the new lines below:
Part 4 - Disabling Passwords on Server
Since we are using ssh keys we no longer need passwords, making our server even more secure. To disable passwords edit the sshd_config files once again.
Will change the line below from yes to no. Once this is complete restart ssh.
Now your new server is more secure.