How to set up ubuntu secure ssh login (AWS & Digital Ocean)

Ubuntu Initial Setup: set up secure SSH login on a DigitalOcean droplet or an Amazon Web Services EC2 instance


This post is a “cut to the chase”, “gitter dun” list of things to do for the initial setup of an Ubuntu server. To gain a deeper understanding of the process of securing your new Ubuntu server, consult the well-written article posted by Ubuntu on the subject.

When starting up a new Ubuntu server it is best to immediately secure access to the server with the following steps.

As root, connect via ssh.

local $> ssh root@45.55.28.82   ( you might need -i ~/.ssh/<private key> ; -i takes the private key, not the .pub file )

As root, make a new user.

remote $> adduser <user>

As root, make the new user have sudo privileges.

remote $> gpasswd -a <user> sudo

Make an SSH RSA keypair for the new user (run on your local machine; the -f name is what the copy commands below refer to).

local $> ssh-keygen -t rsa -b 4096 -f ~/.ssh/digitalocean_rsa

Copy the local RSA public key to the remote authorized_keys file.

Digital Ocean (you can still log in as root over SSH here, so append the key as <user> directly):

local $> cat ~/.ssh/digitalocean_rsa.pub | ssh <user>@45.55.28.82 "mkdir -p ~/.ssh; cat >> ~/.ssh/authorized_keys"

AWS (root login is disabled; you connect as the default ubuntu user with the instance .pem key and use sudo to write into the new user's home):

local $> cat ~/.ssh/id_rsa.pub | ssh -i ~/AWS_pems/<key>.pem ubuntu@54.67.13.73 "sudo mkdir -p /home/<user>/.ssh && sudo chmod -R 777 /home/<user>/.ssh && cat >> /home/<user>/.ssh/authorized_keys && sudo chmod -R 700 /home/<user>/.ssh && sudo chown -R <user>:<user> /home/<user>/.ssh && sudo chmod -R 600 /home/<user>/.ssh/authorized_keys"

What this does on the AWS Ubuntu server, step by step:

cat ~/.ssh/id_rsa.pub | ssh -i ~/AWS_pems/<key>.pem ubuntu@54.67.13.73   # pipe the public key into a remote shell
sudo mkdir -p /home/<user>/.ssh                                           # create the new user's .ssh directory
sudo chmod -R 777 /home/<user>/.ssh                                       # temporarily open it so the ubuntu user can write the file
cat >> /home/<user>/.ssh/authorized_keys                                  # append the piped key
sudo chmod -R 700 /home/<user>/.ssh                                       # close the directory again (sshd refuses group/world-accessible .ssh)
sudo chown -R <user>:<user> /home/<user>/.ssh                             # hand ownership to the new user
sudo chmod -R 600 /home/<user>/.ssh/authorized_keys                       # owner-only access to the key file

As root, make sure /home/<user>/.ssh/authorized_keys has restricted access (sshd ignores the file if it is group- or world-writable).

remote $> chmod 600 /home/<user>/.ssh/authorized_keys
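The AWS one-liner above works, but it briefly leaves /home/<user>/.ssh world-writable (777) before locking it back down. The following script is an added example, not part of the original post, that does the same job without that window: it creates the directory with a restrictive umask from the start, appends the key only if it is not already present, and fixes ownership in one place. The function names install_authorized_key and count_keys are this example's own; it assumes POSIX sh with coreutils and grep, and that you run it with sudo when the target home belongs to another user (it also assumes, as Ubuntu's adduser does, that the user's primary group has the same name as the user).

```shell
#!/bin/sh
# Added example (not from the original post): install an OpenSSH public key
# into a user's authorized_keys with correct permissions and no 777 window.
# Assumptions: POSIX sh + coreutils/grep; run as root/sudo for other users'
# homes; the owner's primary group is named like the owner (adduser default).

# install_authorized_key <home_dir> <pubkey_file> [owner]
#   Ensures <home_dir>/.ssh is 0700 and authorized_keys is 0600, appends the
#   key only if that exact line is not already present (idempotent), and
#   chowns the tree to <owner> when one is given.
#   Returns 0 on success, 1 if <pubkey_file> does not look like a public key.
install_authorized_key() {
    home_dir=$1
    pubkey_file=$2
    owner=${3:-}
    ssh_dir="$home_dir/.ssh"
    auth_keys="$ssh_dir/authorized_keys"

    # Refuse anything that is not an OpenSSH public key line, so a stray
    # private key or random file cannot end up in authorized_keys.
    if ! grep -Eq '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*' "$pubkey_file"; then
        echo "install_authorized_key: $pubkey_file is not an OpenSSH public key" >&2
        return 1
    fi

    # Create directory and file with owner-only mode from the first moment;
    # the subshell keeps the umask change local to these two commands.
    (umask 077 && mkdir -p "$ssh_dir" && touch "$auth_keys")
    chmod 700 "$ssh_dir"
    chmod 600 "$auth_keys"

    # Append only if this exact key line is not already authorized.
    if ! grep -qxF -f "$pubkey_file" "$auth_keys"; then
        cat "$pubkey_file" >> "$auth_keys"
    fi

    # Hand the whole .ssh tree to the target user (needs root).
    if [ -n "$owner" ]; then
        chown -R "$owner:$owner" "$ssh_dir"
    fi
    return 0
}

# count_keys <home_dir>: number of non-comment, non-blank authorized key lines.
count_keys() {
    grep -c '^[^#[:space:]]' "$1/.ssh/authorized_keys" || true
}

# Usage on the server (placeholders as in the post), after copying the .pub
# file up with scp or a heredoc:
#   sudo sh -c '. ./install_key.sh; install_authorized_key /home/<user> /tmp/id_rsa.pub <user>'
```

Running the function twice with the same key leaves one entry, which is what you want when a cheat-sheet step gets re-run; the permissions checks matter because sshd silently ignores an authorized_keys file whose directory or file is group- or world-accessible, which shows up as a baffling "Permission denied (publickey)".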

Passwordless Authentication: Configure the ssh daemon

Edit the sshd_config file to ensure that users can only connect with their SSH key.

remote $> nano /etc/ssh/sshd_config

Make the following edits to the file. Search for the following settings and set them to the values shown below.

[ inside file ]   PermitRootLogin without-password
...
[ inside file ]   RSAAuthentication yes
...
[ inside file ]   PubkeyAuthentication yes
...
[ inside file ]   AuthorizedKeysFile      .ssh/authorized_keys
...
[ inside file ]   PasswordAuthentication no  <-- (default is yes)

Then restart the ssh service.

remote $> service ssh restart

IMPORTANT: Before you log out, TEST.
Open a NEW TERMINAL and log in as the new user, keeping the root session open until the key login works.
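Hand-editing sshd_config with nano is fine once, but a typo there locks you out of the box. The script below is an added example, not part of the original post, that applies the five settings above idempotently (replacing any active or commented-out copy of each directive rather than adding a duplicate), keeps a timestamped backup, and restarts sshd only after the daemon's own syntax check (`sshd -t`) passes. The function names set_sshd_option, get_sshd_option, apply_ssh_hardening and validate_and_restart are this example's own; it assumes POSIX sh with GNU grep/coreutils and the Ubuntu default path /etc/ssh/sshd_config. One caveat worth knowing: RSAAuthentication only ever applied to SSH protocol 1, so OpenSSH 7.4 and later ignore it with a warning; it is harmless to set but PubkeyAuthentication is the directive that actually matters.

```shell
#!/bin/sh
# Added example (not from the original post): apply the sshd_config settings
# from the cheat sheet idempotently, back the file up, and only restart sshd
# after `sshd -t` accepts the new configuration.
# Assumptions: POSIX sh, GNU grep/coreutils, config at /etc/ssh/sshd_config.

# set_sshd_option <config_file> <Directive> <value>
#   Removes every existing line for <Directive>, active or commented out
#   (matched case-insensitively, as sshd parses directives; this includes
#   copies inside Match blocks), and places a single "<Directive> <value>"
#   line at the top so it is the effective global value.
set_sshd_option() {
    cfg=$1; key=$2; val=$3
    tmp="$cfg.tmp.$$"
    {
        printf '%s %s\n' "$key" "$val"
        grep -E -i -v "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|\$)" "$cfg" || true
    } > "$tmp"
    # Copy contents back instead of mv so the real file keeps its mode/owner.
    cat "$tmp" > "$cfg" && rm -f "$tmp"
}

# get_sshd_option <config_file> <Directive>
#   Prints the value of the first active <Directive> line, which is the one
#   sshd uses when a directive appears more than once.
get_sshd_option() {
    grep -E -i -m 1 "^[[:space:]]*$2[[:space:]]+" "$1" | awk '{print $2}'
}

# apply_ssh_hardening [config_file]
#   Backs the file up and applies the five settings from the post.
apply_ssh_hardening() {
    cfg=${1:-/etc/ssh/sshd_config}
    cp -p "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)"
    set_sshd_option "$cfg" PermitRootLogin without-password
    # Protocol-1-only directive; OpenSSH 7.4+ warns and ignores it.
    set_sshd_option "$cfg" RSAAuthentication yes
    set_sshd_option "$cfg" PubkeyAuthentication yes
    set_sshd_option "$cfg" AuthorizedKeysFile .ssh/authorized_keys
    set_sshd_option "$cfg" PasswordAuthentication no
}

# validate_and_restart [config_file]
#   Syntax-checks the file with the daemon itself and restarts only on
#   success, so a broken file never replaces the running configuration.
validate_and_restart() {
    cfg=${1:-/etc/ssh/sshd_config}
    if /usr/sbin/sshd -t -f "$cfg"; then
        service ssh restart
    else
        echo "sshd_config failed validation; NOT restarting sshd" >&2
        return 1
    fi
}

# Usage on the server:
#   sudo sh -c '. ./harden_sshd.sh; apply_ssh_hardening && validate_and_restart'
```

Keep the root session from the earlier steps open while you do this: even with the syntax check, the only proof that key-only login works is a fresh connection as the new user from a second terminal.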
