Securing an Ubuntu Server – First Steps
Welcome to my first blog post! I’m writing this as it’s time for me to set up my trillionth server, and I figured that my setup steps could be a useful guide for beginners!
Disclaimer!
Step 1 – Backup your Data
This guide is primarily targeted towards users who are setting up a new Ubuntu server. If your server already has valuable files and data on it, make sure to create a backup before you begin, and proceed at your own risk.
Step 2 – Disabling the Root Account
The Issue
When you set up a new Ubuntu server you’ll initially have just one user, the “root” user. The root user has essentially unlimited permissions and can view, modify and delete pretty much anything anywhere on your system. Whilst the root user is great for setting up your server due to its access and permissions, it’s also a high-value target for hackers for the same reasons. Furthermore, the “root” account is extremely vulnerable because it is the default username on almost every distribution of Linux, making it a great first target for hackers.
The Solution
We disable SSH access to the root account! Disabling SSH access to the root account means that when a hacker finds your server and tries to brute force the password for your root account, they’ll be met with a “Permission denied” even if they guess the password right! But hold on, not too fast! If the correct password doesn’t work, how do we log in to the server!? We create a new user, one with a username that isn’t extremely common or obvious.
To create a new user
sudo useradd newuser -m
This will create a new user with the username “newuser”. The -m flag creates a home directory for the user (where they land when they log in), which will be in the home folder by default (/home/newuser). If you want to change the name or location of the created home directory, add the -d flag followed by the path you want for the home directory. If you want to make the user’s home directory an existing directory, remove the -m flag and add the -d flag followed by the path to that directory.
Next, we’ll create a password for our new user. To do this:
sudo passwd newuser
Now we can give our new user administrative privileges (since we’re replacing the root account). In future if you’re not replacing the root account, you’ll want to limit new users to only the permissions they need. We can give our user administrative privileges by adding it to the sudo group like so:
sudo usermod -aG sudo newuser
At this point we should be able to log in as our new user! You can switch user using the switch user command (su) like so:
su newuser
However, I’d recommend closing your SSH connection and opening a new one, logging in as your new user instead of root, to ensure the new user is functioning correctly.
If you type whoami it should return the name of your new user! You can also try running sudo whoami to test if your admin privileges are working. It should ask you for your password and then return root, since sudo is shorthand for “superuser do”, which essentially executes a command as root.
Now we can finally disable SSH to the root account! We can do this by editing the file /etc/ssh/sshd_config. I’m going to use nano because it’s easy, but feel free to use any text editor.
sudo nano /etc/ssh/sshd_config
Use the arrow keys to navigate to PermitRootLogin and change yes to no. Also make sure that there isn’t a # at the start of the PermitRootLogin line, as this comments it out. Use CTRL+S to save and CTRL+X to close.
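An added example, not part of the original post: a small shell check of the two points above, that the PermitRootLogin line is uncommented and that the first value in the file is the one sshd uses. The function names and sample configs are constructed for illustration, and it assumes a single config file with no Include drop-ins.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes a single-file config:
# Include drop-ins and "Keyword=value" syntax are not handled.

# Print the PermitRootLogin value set in the global part of an sshd_config file.
# sshd keeps the FIRST value it sees for a keyword, keywords are
# case-insensitive, and a line starting with '#' is a comment.
permit_root_login_value() {
    awk '
        /^[ \t]*(#|$)/ { next }                 # comment or blank line
        tolower($1) == "match" { exit }         # later settings are conditional
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }       # unset: sshd uses its built-in default
    ' "$1"
}

# Succeed only when root login over SSH is explicitly switched off.
root_login_disabled() {
    [ "$(permit_root_login_value "$1")" = "no" ]
}

# Constructed sample configs showing the common mistakes.
demo() {
    dir=$(mktemp -d)
    printf '#PermitRootLogin no\n' > "$dir/still_commented"
    printf 'Port 22\n  permitrootlogin No\n' > "$dir/disabled"
    printf 'PermitRootLogin yes\nPermitRootLogin no\n' > "$dir/first_value_wins"
    for f in still_commented disabled first_value_wins; do
        if root_login_disabled "$dir/$f"; then state="root login disabled"
        else state="root login NOT disabled"; fi
        printf '%-17s %-7s %s\n' "$f" "$(permit_root_login_value "$dir/$f")" "$state"
    done
    rm -rf "$dir"
}
demo
```

On the server, sudo sshd -T | grep -i permitrootlogin prints the value sshd actually resolves, including any Include files. The edit only takes effect once the service is restarted (sudo systemctl restart ssh on Ubuntu).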
Step 3 – Adding an SSH Key
The Issue
Passwords get cracked / brute forced all the time. In the age of password dictionaries, data leaks and people posting their whole life online, it’s easier than ever for an attacker to guess or get a hold of your password.
The Solution
SSH keys! SSH keys are a public/private key pair (this is public key cryptography). This isn’t a guide on public key cryptography, but in summary, public keys are made publicly available and only the private key can decrypt data that was encrypted using the public key. For instance, if you put your public key on the server and try to log in, the server could send you a challenge encrypted with your public key. Since you are in fact yourself and you have your private key, you could decrypt the challenge, solve it and send back the answer. Since only you have your private key and only the private key can decrypt the challenge, the server will know it’s you. If you want to learn more about public key cryptography, you can find that here.
There are many methods of adding SSH keys, and they vary depending on which operating system and which SSH client you’re using (PuTTY has its own method). I’m going to show how to do it on Windows the default way and the PuTTY way.
Generating the SSH Key – Windows
Firstly, we want to check the OpenSSH Client is installed. You can make sure OpenSSH Client is installed by going to the Windows search bar, searching for “Optional features” and, once you’re in optional features, searching for “OpenSSH Client” and making sure it’s enabled/installed.
Next, we want to generate an SSH Key (you can skip this stage if you already have one). To generate an SSH Key, open your Windows command prompt (search for cmd) and run the command ssh-keygen. You should get a message asking you where you’d like to save the key. I recommend leaving this as default by simply leaving it blank and pressing enter, as long as you don’t have any existing keys that it could overwrite. If it prompts you for a password (ssh-keygen calls it a passphrase) I recommend creating one, however this will add a layer of inconvenience. If someone else has access to your computer then definitely use a password.
Great work! You just (potentially) generated your first SSH Key!
Navigate to where you saved the file in File Explorer. Once you find the folder there should be a file called id_rsa.pub. This is your public key, which is safe to share (DO NOT share id_rsa without the .pub extension, as this is the private key and it shouldn’t leave your PC). Open id_rsa.pub with your favourite text editor. The text in this file is your public key, which we will add to the server, so keep it handy. If you’re not adding a PuTTY key as well you can skip to the section titled “Installing the SSH Key(s)”.
Generating the SSH Key – PuTTY
When you installed PuTTY you should have also installed a program called PuTTYgen. Search for it in the Windows search bar to verify it’s installed; if not, reinstall the latest version of PuTTY.
Open PuTTYgen and click the Generate button to generate your SSH public/private key pair. Make sure to follow the instructions on screen. Once the key is generated, click Save Private Key and save the key wherever you like, but make sure it’s not somewhere you’ll delete it. If you share your PC with someone else or are willing to accept a little inconvenience for more security, you can create a password for the key. The text in the box at the top of the screen labelled “Public key for pasting into OpenSSH authorized_keys file” is your public key, which we will add to the server, so keep it handy.
Installing the SSH Key(s) – Windows & PuTTY
SSH into your server using the new user we created earlier. Navigate to your home folder (cd ~/) and run ls -A, which will show you all files and directories, including hidden ones that you wouldn’t see with the regular ls command. If there’s a .ssh directory then cd into it; otherwise create the directory with mkdir .ssh && cd .ssh. Next run nano authorized_keys to open/create the authorized_keys file. Neither command needs sudo: run as your new user, the directory and file stay owned by that user rather than by root. Paste the key(s) you got from PuTTY and/or Windows into the file, making sure each key takes exactly one line and has no spaces before or after. Use CTRL+S to save and CTRL+X to close.
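An added example, not part of the original post: the same install step as a shell function that rejects a wrapped or space-padded key, skips duplicates, and sets owner-only permissions that satisfy sshd’s default StrictModes check. install_pubkey, valid_pubkey_line and the key shown are constructed for illustration; run it as the new user, without sudo.

```shell
#!/bin/sh
# Added example, not from the original post. Run as the new user, without sudo.

# Accept one line of the form "type base64 [comment]" with no surrounding spaces.
valid_pubkey_line() {
    [ "$(printf '%s\n' "$1" | wc -l)" -eq 1 ] || return 1   # wrapped paste
    printf '%s\n' "$1" | grep -Eq \
        '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*[^ ])?$'
}

# install_pubkey HOME_DIR KEY_LINE -> prints added | exists | invalid
install_pubkey() {
    ssh_dir=$1/.ssh
    auth=$ssh_dir/authorized_keys
    if ! valid_pubkey_line "$2"; then echo invalid; return 2; fi
    mkdir -p "$ssh_dir" && touch "$auth" || return 1
    chmod 700 "$ssh_dir"      # only the owner may enter the directory
    chmod 600 "$auth"         # only the owner may read or change the key list
    if grep -qxF -- "$2" "$auth"; then echo exists; return 0; fi
    # If the last line has no trailing newline, end it first so the new key
    # is not glued onto the previous one.
    if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then echo >> "$auth"; fi
    printf '%s\n' "$2" >> "$auth"
    echo added
}

# Constructed placeholder key (not a real key) installed into a scratch directory.
demo() {
    home=$(mktemp -d)
    key='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedPlaceholderKeyNotReal newuser@laptop'
    install_pubkey "$home" "$key"          # added
    install_pubkey "$home" "$key"          # exists
    install_pubkey "$home" " $key" || true # invalid: leading space
    ls -ld "$home/.ssh" "$home/.ssh/authorized_keys"
    rm -rf "$home"
}
demo
```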
Using the SSH Key – Windows
If you created an SSH Key for Windows you should simply be able to SSH into your server by running the following in a command prompt:
ssh newuser@127.0.0.1
Replace newuser with the username you created and 127.0.0.1 with your server’s IP address. If we were successful, you shouldn’t be prompted for a password.
Using the SSH Key – PuTTY
Open PuTTY and use the navigation down the left to navigate to Connection > SSH > Auth > Credentials, then select the file you saved from PuTTYgen as “Private key file for authentication”. Now you should be able to SSH into your server with PuTTY like you normally would, without having to enter a password.
Thank You!
Thanks for reading my first post! I hope it was informative and I was able to teach you something. Feel free to comment any updates/improvements/feedback! 🙂