Initial Server Setup
When your new server boots, you should immediately take steps to secure user logons before installing any apps or services. If you already know the basics and want to perform these steps in an automated way, you can jump to Security Automation with Ansible.
Create new non-root user
1. Connect to Server
From the terminal on your local machine, connect to your server using Secure Shell (SSH).
2. Update OS (Debian-based systems)
3. Create new sudo user
Use the adduser command to create a new non-root user. This is the user through which you will manage the server.
Enter and confirm a new password for this user. It's highly recommended to create a long random string with a password generator and store it in your password manager. A long random password will help defend against brute force attacks. Add the user to the sudo group with the usermod command.
Confirm the new user was created and belongs to the sudo group.
Secure logins with SSH keys
The following steps will enable logging in with cryptographic keys and remove the ability to log in with a password. This helps prevent brute force password attacks by bad actors.
4. Create a new SSH key
From your local machine run this command to generate a new SSH key with the ed25519 algorithm, which provides a great balance of speed and strength compared to its key length.
Reference: https://www.ssh.com/academy/ssh/keygen
It's recommended to enter a passphrase for the SSH key. This will help protect the key if the key file is compromised.
5. Copy the SSH key to your new server
Method 1: Using ssh-copy-id
You can easily copy the key to the server with the ssh-copy-id command. From your local machine, run:
Method 2: Copy the key manually
To manually copy the SSH key to your new server, run the following commands on the new server.
Switch to the new user, create a .ssh directory in that user's home directory with owner-only permissions, and create the authorized_keys file, also owner-only. Because every command runs as the new user (no sudo), the directory and file are already owned by that user; sshd refuses keys in a directory or file that anyone else can write.
su - <admin_username>                  # "-" gives a full login shell in the new user's home
mkdir -p ~/.ssh && chmod 700 ~/.ssh    # only the owner may read or write the directory
nano ~/.ssh/authorized_keys            # paste the public key here (next paragraph)
chmod 600 ~/.ssh/authorized_keys       # only the owner may read or write the key file
Open the SSH public key file in a text editor (it should be located at ~/.ssh/id_ed25519_<server_name>.pub, or XXX on Windows). Paste the content of the public key into the authorized_keys file on the new server. Type Ctrl+O to save and Ctrl+X to exit.
Reference: https://www.digitalocean.com/community/tutorials/how-to-set-up-ssh-keys-on-ubuntu-22-04
6. Disable Password and Root Login
Edit the sshd_config file on the new server. R
Find the following lines in the file. Delete any preceding hash marks (#) to uncomment the lines, and change yes to no.
7. Restart the SSH service.
Reference: https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu#step-5-allowing-other-connections
8. Test the SSH login
From your local machine, try logging in via password authentication.
This login attempt should fail. If you are still able to log in this way, there may be another configuration file that is allowing this access.
Ubuntu/Debian distributions have the non-standard entry Include /etc/ssh/sshd_config.d/*.conf at the beginning of the distribution sshd_config. The purpose of this is to allow users to customize their sshd configuration without modifying the core sshd_config file, which can minimize conflicts or unexpected configuration changes on apt update of OpenSSH. Because the first encountered configuration line is the one applied, any password commands in a custom configuration file in /etc/ssh/sshd_config.d/*.conf will pre-empt the PasswordAuthentication no line in the primary configuration. Ensure that all configuration is as you expect.
Source: https://unix.stackexchange.com/questions/727492/passwordauthentication-no-but-i-can-still-login-by-password
Once you confirm that password authentication fails, try to log in with the SSH key.
When you are finally able to log in with your SSH key and only with your SSH key, you are ready to move forward.
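The drop-in override described in step 8 can be checked before you restart sshd. The following script is an added example, not part of the original guide: it applies sshd's first-value-wins rule across the Include'd sshd_config.d drop-ins and the main file, reports which file decides PasswordAuthentication and PermitRootLogin, and demonstrates on constructed sample files (the file names, the demo function and the "|" output format are this example's own assumptions).

```shell
#!/bin/sh
# Added example, not from the original guide: apply sshd's "first value wins"
# rule across the Include'd drop-ins to see which file really decides
# PasswordAuthentication and PermitRootLogin. Assumptions: the Include line
# is first in sshd_config (Debian/Ubuntu default), so drop-ins are read before
# the main file; Match blocks are skipped; keywords are case-insensitive.
# effective_setting KEYWORD SSHD_CONFIG: prints "value|file" for the first
# definition sshd would apply, or "default|-" when no file sets the keyword.
effective_setting() {
    kw=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); cfg=$2
    dropins=$(dirname "$cfg")/sshd_config.d
    for f in "$dropins"/*.conf "$cfg"; do      # glob order matches sshd's
        [ -f "$f" ] || continue
        val=$(awk -v kw="$kw" '
            tolower($1) == "match" { exit }     # per-host rules: out of scope
            tolower($1) == kw      { print tolower($2); exit }' "$f")
        if [ -n "$val" ]; then
            printf '%s|%s\n' "$val" "$f"
            return 0
        fi
    done
    printf 'default|-\n'
}

# audit_logins SSHD_CONFIG: returns 0 only when both keywords resolve to "no";
# otherwise prints the file that overrides the hardened setting and returns 1.
audit_logins() {
    rc=0
    for kw in PasswordAuthentication PermitRootLogin; do
        line=$(effective_setting "$kw" "$1")
        val=${line%%|*}; src=${line#*|}
        if [ "$val" != "no" ]; then
            echo "WEAK: $kw=$val (set in $src)"
            rc=1
        fi
    done
    return $rc
}

# Demo on constructed files in a temp dir that mirrors the Ubuntu layout:
# the main file is hardened, but a drop-in silently re-enables passwords.
demo() {
    tmp=$(mktemp -d); mkdir "$tmp/sshd_config.d"
    printf 'Include %s/sshd_config.d/*.conf\nPasswordAuthentication no\nPermitRootLogin no\n' "$tmp" > "$tmp/sshd_config"
    printf 'PasswordAuthentication yes\n' > "$tmp/sshd_config.d/50-sample.conf"
    audit_logins "$tmp/sshd_config" || echo "fix the drop-in, then restart sshd"
    rm -rf "$tmp"
}
demo
```

On a real server, point audit_logins at /etc/ssh/sshd_config; `sshd -T` prints the same effective values but not which file set them.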