Ubuntu Initial Setup: setup ubuntu secure ssh login on digitalocean or Amazon Web Services EC2 instance
Download PDF: Download Secure Login Cheat Sheet PDF
This post is a “cut to the chase”, “gitter dun” list of things to do for initial setup of an ubuntu server. To gain a deeper understanding of the process of securing your new ubuntu server, consult this well written article posted by ubuntu on the subject.
When starting up a new ubuntu server it is best to immediately take steps to secure the access to the server with the following steps.
As root, connect via ssh.
local $> ssh email@example.com ( you might need -i ~/<some rsa.pub> )
As root, make a new user .
remote $> adduser <user>
As root, make the new user have sudo privileges.
remote $> gpasswd -a <user> sudo
Make ssh rsa keypair for the new user.
local $> ssh-ketgen
Copy local RSA key to remote authorized_keys
local $> cat ~/.ssh/digitalocean_rsa.pub | ssh @ "mkdir -p ~/.ssh; cat >> ~/.ssh/authorized_keys"
local $> cat ~/.ssh/id_rsa.pub | ssh -i ~/AWS_pems/.pem firstname.lastname@example.org "sudo mkdir -p /home//.ssh && sudo chmod -R 777 /home//.ssh && cat >> /home//.ssh/authorized_keys && sudo chmod -R 700 /home//.ssh && sudo chown -R : /home//.ssh && sudo chmod -R 600 /home//.ssh/authorized_keys"
What this does on AWS ubuntu server:
cat ~/.ssh/id_rsa.pub | ssh -i ~/AWS_pems/.pem email@example.com sudo mkdir -p /home//.ssh sudo chmod -R 777 /home//.ssh cat >> /home//.ssh/authorized_keys sudo chmod -R 700 /home//.ssh sudo chown -R : /home//.ssh sudo chmod -R 600 /home//.ssh/authorized_keys
As root, make /home/.ssh/authorized_keys have restricted access.
remote $> chmod 600 .ssh/authorized_keys
Passwordless Authentication: Configure ssh daemon
Edit sshd_config file to ensure that users can only connect with their SSH key
remote $>nano /etc/ssh/sshd_config
Make the following edits to the file. Search for the following settings and set them to the values shown below.
[ inside file ] PermitRootLogin without-password ... [ inside file ] RSAAuthentication yes ... [ inside file ] PubkeyAuthentication yes ... [ inside file ] AuthorizedKeysFile .ssh/authorized_keys ... [ inside file ] PasswordAuthentication no <-- (default is yes)
Then restart the ssh service
remote $>service ssh restart
IMPORTANT: Before you log out, TEST.
Open a NEW TERMINAL use the new user to login.