Normally if you work at a small startup or have a side project you need to deploy, a dedicated sysadmin may not be at your disposal and you'll end up needing to provision servers on your own.
Most will go with Ubuntu servers, which are generally the easiest to set up: simply running "apt install ..." should pull in all the software you need.
But what about security? This is one of the major pain points for developers.
In this guide I'll cover some basic configurations you can use to make your servers reasonably secure.
Say no to passwords!
Firstly, do not use passwords to log in to your server. Set up an SSH key with a passphrase instead. In most terminals, even on Windows, you can simply run the following command to generate an SSH key pair:
ssh-keygen
Then just add the .pub key to your hosting account, so the next time you set up a server you can choose the SSH key option instead of passwords.
Set up a special user for SSH access
The first thing you should do after SSHing into your server is set up an SSH-only user.
To set up a new SSH user:
sudo adduser yourusername
Allow this user to assume root privileges when using sudo:
sudo usermod -aG sudo yourusername
Set up the SSH directory:
sudo mkdir -p /home/yourusername/.ssh
Set up an authorized_keys file to control which keys can access your server as this user:
sudo touch /home/yourusername/.ssh/authorized_keys
sudo nano /home/yourusername/.ssh/authorized_keys
Nano will open up a text editor where you should paste your .pub key so that this user can SSH using that key.
Ensure ownership and permissions are set correctly. The directory and file must belong to the new user, otherwise sshd cannot read the key when that user logs in:
sudo chown -R yourusername:yourusername /home/yourusername/.ssh
sudo chmod 600 /home/yourusername/.ssh/authorized_keys
sudo chmod 700 /home/yourusername/.ssh
Next, exit the shell and try to SSH in with this new user. If something fails, double check that the authorized_keys file has the correct permissions and contains your public key exactly as it appears in your .pub file, with no extra spaces or extra lines.
Disable password authentication and root access
Now that you have a working SSH user, you can safely turn off SSH access for the root user and disable password authentication by editing your sshd_config file:
sudo nano /etc/ssh/sshd_config
And set the following:
- PasswordAuthentication no
- AllowUsers yourusername
- PermitRootLogin no
- Port 8022
It's also a good idea to change the default SSH port from 22 to any other random port e.g. 8022.
Restart your ssh daemon to apply these changes:
sudo service ssh restart
In a new tab (don't exit your current shell), try to SSH in with this new user and port:
ssh yourusername@ip -p 8022
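To confirm the edits above actually took effect, you can check sshd's effective configuration rather than the file you edited. The following is an added example, not part of the original post: the function name audit_sshd and the sample data are made up for illustration, and it assumes input in the format printed by "sshd -T" (lowercase keyword, then value). sshd uses the first value it reads for each keyword, so a setting from an included file (for example under /etc/ssh/sshd_config.d/) can win over a line you added further down.

```bash
# Added example (not from the original post): check the *effective* sshd
# settings, as printed by `sshd -T`, against the values this guide sets.
# On a server: sudo sshd -T | audit_sshd yourusername
audit_sshd() {
  awk -v user="$1" '
    { key = tolower($1) }
    key == "passwordauthentication" { pw = tolower($2) }
    key == "permitrootlogin"        { root = tolower($2) }
    key == "port" && $2 == 22       { port22 = 1 }
    key == "allowusers" {
      has_allow = 1
      # Exact-name match only; user@host patterns and wildcards are not handled.
      for (i = 2; i <= NF; i++) if ($i == user) allowed = 1
    }
    END {
      if (pw != "no")   { print "FAIL passwordauthentication=" pw; bad++ }
      if (root != "no") { print "FAIL permitrootlogin=" root; bad++ }
      if (!has_allow)    { print "FAIL allowusers is not set"; bad++ }
      else if (!allowed) { print "FAIL " user " is not in allowusers"; bad++ }
      if (port22) print "WARN sshd still listens on port 22"
      exit (bad > 0)
    }'
}

# Constructed sample: effective settings after following this guide.
sample_hardened() {
  printf '%s\n' 'port 8022' 'permitrootlogin no' \
    'passwordauthentication no' 'allowusers yourusername'
}

# Constructed sample: the edit did not take effect because an earlier
# value for PasswordAuthentication was read first.
sample_overridden() {
  printf '%s\n' 'port 8022' 'permitrootlogin no' \
    'passwordauthentication yes' 'allowusers yourusername'
}

sample_hardened   | audit_sshd yourusername && echo "hardened: OK"
sample_overridden | audit_sshd yourusername || echo "overridden: needs fixing"
```

Run it before closing your existing session, so a FAIL on allowusers does not leave you locked out.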
Finally, install a firewall (ufw is probably already installed). Allow your SSH port before enabling it, so that new SSH connections are not blocked:
sudo apt install ufw
sudo ufw allow 8022/tcp
sudo ufw enable
You can then also enable HTTP, HTTPS and other ports as needed:
sudo ufw allow http
sudo ufw allow https
This should make your server relatively secure. I also suggest installing fail2ban and isolating SSH access to a VPN or VPC network.
You can learn more about fail2ban here