In this guide, we'll go over some of the best practices for creating your first secure server. We will analyze the whole process step by step, and as a result, we will get a server that is completely ready to use in production for your application. Of course, this is not a comprehensive guide. A secure server is a constant search for new resources and endless improvements. But with this material, you can start building your own infrastructure.
We'll use Amazon EC2 to run the tests, but you can also use Amazon LightSail, Digital Ocean, Vultr, or another service. They are all configurable in the same way, so choose the one you like.
Create public and private SSH keys
First, let's create a pair of keys that some hosts will need when installing the server. You can skip this and some other steps if you decide to create your own key pair when you start your server on Amazon.
We will create SSH keys using ssh-keygen.
Code:
$ ssh-keygen -t rsa -b 4096
As a result, we get two files: id_rsa and id_rsa.pub (private and public keys). Never give your private key to anyone.
You can find detailed instructions on how to create keys here.
Importing a public key to Amazon
We import the newly created public key into the Amazon platform.
- We go to the Amazon management console.
- Click AWS services → Compute → EC2
- Click on the left menu Network & Security → Key Pairs
- Click "Import Key Pair" and load the public key (id_rsa.pub)
We create our virtual machine
Let's install an Ubuntu virtual machine on Amazon EC2. The setup is described in detail here:
- We go to the Amazon management console.
- Click AWS services → Compute → EC2
- Select the instance to launch.
- We choose one of the images. In our case, it will be Ubuntu Server 16.04 LTS (HVM), with an SSD drive (but you can choose whichever suits you best).
- Select an instance type according to your needs. Click on "Review" and then "Launch".
- Open a new tab and import the created public key into Amazon.
- Here we are asked to “Select an existing key pair or create a new key pair”. Click "Choose an existing key pair" and select the key pair we imported earlier.
- Click on "Launch Instances".
- Click on the link of the virtual machine that we just created.
We connect to the new server
We are accessing the virtual machine via SSH.
We write in the terminal:
Code:
$ ssh <USER>@<IP-ADDRESS> -p 22 -i <PATH-TO-PRIVATE-KEY>
- <USER>: Linux system user. For Amazon use ubuntu, for other services use root
- <IP-ADDRESS>: The public address of the virtual machine we created. This is the "Public DNS (IPv4)" field in the "Description" tab of our server.
- <PATH-TO-PRIVATE-KEY>: full path to the previously generated private key (for example, /Users/flavio/.ssh/id_rsa).
- -i <PATH-TO-PRIVATE-KEY>: can be omitted if you added the key to your SSH agent.
Give access to a new user
Let's create a new user account named “wizard”:
Code:
$ sudo adduser wizard
Give wizard permission to run sudo. Create a drop-in file for it (visudo -f /etc/sudoers.d/wizard does the same thing but checks the syntax before saving, so a typo cannot break sudo for everyone):
Code:
$ sudo nano /etc/sudoers.d/wizard
And set the content (NOPASSWD means the SSH key alone is enough to become root; drop it if you want sudo to ask for wizard's password):
Code:
wizard ALL=(ALL) NOPASSWD:ALL
Let's create directories:
Code:
$ sudo mkdir /home/wizard/.ssh
# create the authorized_keys file and paste your public key into it
$ sudo nano /home/wizard/.ssh/authorized_keys
$ sudo chown wizard:wizard /home/wizard/.ssh
$ sudo chown wizard:wizard /home/wizard/.ssh/authorized_keys
Copy the contents of the public key file (id_rsa.pub, never the private key) and paste it into /home/wizard/.ssh/authorized_keys on the remote instance. Then set the permissions (sshd refuses keys from a directory or file that is writable by others):
Code:
$ sudo chmod 700 /home/wizard/.ssh
$ sudo chmod 600 /home/wizard/.ssh/authorized_keys
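The ownership and permission steps above are easy to get slightly wrong, and the symptom (sshd silently ignoring authorized_keys) is confusing. The following script is an added example, not part of the original guide: it audits a home directory for exactly the layout set up above (700 on .ssh, 600 on authorized_keys, both owned by the target uid, and only public-key lines in the file, so a private key pasted by mistake is caught). It assumes GNU stat (as on Ubuntu); the demo home it builds when run without arguments is constructed so the audit can be tried without root.

```shell
#!/bin/sh
# Added example (not from the original guide): audit a user's ~/.ssh layout.
# Assumes GNU stat -c (Ubuntu). The demo home built below is constructed.

# Return 0 if PATH has octal mode MODE and is owned by uid UID; explain and return 1 otherwise.
check_path() {
    path="$1"; want_mode="$2"; want_uid="$3"
    [ -e "$path" ] || { echo "missing: $path"; return 1; }
    have_mode=$(stat -c %a "$path")
    have_uid=$(stat -c %u "$path")
    [ "$have_mode" = "$want_mode" ] || { echo "$path: mode $have_mode, want $want_mode"; return 1; }
    [ "$have_uid" = "$want_uid" ] || { echo "$path: owner uid $have_uid, want $want_uid"; return 1; }
    return 0
}

# Return 0 if every non-blank, non-comment line of FILE starts like an OpenSSH public key.
check_keys_file() {
    file="$1"
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$file" | while IFS= read -r line; do
        case "$line" in
            "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-"*) ;;
            *) echo "$file: unexpected line (private key or garbage?): ${line%% *}"; exit 1 ;;
        esac
    done
}

# Audit the whole layout for the account whose home is HOME_DIR and whose uid is UID.
check_ssh_dir() {
    home_dir="$1"; uid="$2"
    check_path "$home_dir/.ssh" 700 "$uid" &&
    check_path "$home_dir/.ssh/authorized_keys" 600 "$uid" &&
    check_keys_file "$home_dir/.ssh/authorized_keys"
}

# Build a constructed demo home (placeholder key, not a real one) so the audit runs without root.
make_demo_home() {
    dir=$(mktemp -d)
    mkdir -m 700 "$dir/.ssh"
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEPLACEHOLDERKEY demo@example\n' > "$dir/.ssh/authorized_keys"
    chmod 600 "$dir/.ssh/authorized_keys"
    echo "$dir"
}

# Usage on the server: sudo sh audit_ssh.sh /home/wizard "$(id -u wizard)"
# With no arguments it audits the constructed demo home instead.
if [ $# -ge 2 ]; then
    check_ssh_dir "$1" "$2" && echo "layout ok: $1"
else
    demo=$(make_demo_home)
    check_ssh_dir "$demo" "$(id -u)" && echo "demo layout ok"
    rm -rf "$demo"
fi
```

The check runs as root on the server because /home/wizard/.ssh is mode 700; the uid argument is used rather than a name so the script also works in minimal environments where stat cannot resolve user names.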
We provide security
We update all installed packages.
Code:
$ sudo apt-get update
$ sudo apt-get upgrade
Change the SSH port from 22 to 2201 (the firewall rules below must allow the same port). Open the /etc/ssh/sshd_config file:
Code:
$ sudo nano /etc/ssh/sshd_config
and change this data:
Code:
Port 2201
PermitRootLogin no
PasswordAuthentication no
# drop sessions whose client stops answering: 3 missed keepalives, sent every 600 s
ClientAliveInterval 600
ClientAliveCountMax 3
Restart the SSH service (your current session stays connected; only new connections use the new port):
Code:
$ sudo service ssh restart
We configure the Uncomplicated Firewall (UFW) so that only incoming SSH (port 2201), HTTP (port 80) and NTP (port 123) connections are allowed.
Code:
# close all incoming ports
$ sudo ufw default deny incoming
# open all outgoing ports
$ sudo ufw default allow outgoing
# open ssh port
$ sudo ufw allow 2201/tcp
# open http port
$ sudo ufw allow 80/tcp
# open ntp port: to sync the clock of your machine
$ sudo ufw allow 123/udp
# turn on firewall
$ sudo ufw enable
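The sshd_config edits and the ufw rules above only work together if they agree on the port; a typo in either locks you out of the next login. The script below is an added example, not part of the original guide: it reads the effective value of each directive from an sshd_config (last occurrence wins, as sshd does not do, so it flags a leftover later line), verifies the three hardening settings from the guide, and confirms that the port sshd will listen on is in the firewall allow-list. The sample config and rule list it builds are constructed; on the real host point it at /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example (not from the original guide): check sshd_config and the
# firewall allow-list together before restarting sshd.
# The sample files built below are constructed stand-ins for the real ones.

# Print the value of directive KEY in FILE (case-insensitive; last match wins; commented lines ignored).
sshd_directive() {
    awk -v key="$2" 'tolower($1) == tolower(key) { v = $2 } END { print v }' "$1"
}

# Return 0 if FILE carries the three hardening settings from the guide, with Port set to WANT_PORT.
check_hardening() {
    cfg="$1"; want_port="$2"; rc=0
    [ "$(sshd_directive "$cfg" Port)" = "$want_port" ] || { echo "Port is not $want_port"; rc=1; }
    [ "$(sshd_directive "$cfg" PermitRootLogin)" = "no" ] || { echo "PermitRootLogin is not 'no'"; rc=1; }
    [ "$(sshd_directive "$cfg" PasswordAuthentication)" = "no" ] || { echo "PasswordAuthentication is not 'no'"; rc=1; }
    return $rc
}

# Return 0 if the port sshd will listen on (22 when no Port line exists) appears in
# RULES, a file with one allowed "port/proto" entry per line.
port_allowed() {
    cfg="$1"; rules="$2"
    port=$(sshd_directive "$cfg" Port)
    grep -qx "${port:-22}/tcp" "$rules"
}

# Constructed sample config mirroring the edits made in the guide.
make_sample_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
#Port 22
Port 2201
PermitRootLogin no
PasswordAuthentication no
ClientAliveInterval 600
ClientAliveCountMax 3
EOF
    echo "$f"
}

# Constructed allow-list matching the ufw rules in the guide.
make_sample_rules() {
    f=$(mktemp)
    printf '2201/tcp\n80/tcp\n123/udp\n' > "$f"
    echo "$f"
}

# Demo run on the constructed samples.
cfg=$(make_sample_config); rules=$(make_sample_rules)
if check_hardening "$cfg" 2201 && port_allowed "$cfg" "$rules"; then
    echo "sshd_config and firewall agree on port $(sshd_directive "$cfg" Port): safe to restart sshd"
fi
rm -f "$cfg" "$rules"
```

On the server, run the functions against /etc/ssh/sshd_config with sudo (the file is root-readable) and pair them with sudo sshd -t, which makes sshd parse its own configuration and report syntax errors without restarting.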
Configuring the server clock
Set the local time zone to UTC:
Code:
$ sudo dpkg-reconfigure tzdata
Select the 'None of the above' option, then UTC.
Disconnect and add our key to the SSH agent
To disconnect, enter:
Code:
$ exit
and then add the private key to your SSH agent with ssh-add, so the -i option is no longer needed.
Adding port permissions to Amazon
This must be done at Amazon. Let's set the SSH port, which we will also use on Amazon.
- We go to the Amazon management console.
- Click AWS services → Compute → EC2
- Click on the left menu Network & Security → Security Groups
- We select a security group related to our virtual machine.
- Click Actions → Edit Inbound Rules
- Click "Add Rule" and set: Type: Custom TCP, Port Range: 2201, Source: 0.0.0.0/0 and Description: SSH. A Source of 0.0.0.0/0 accepts SSH from any address; if you connect from a fixed address range, use that instead. Once the new rule is in place and the connection below works, delete the old rule for port 22.
We connect with new data
Now you can connect to the server on the new port as a new user:
Code:
$ ssh wizard@<IP-ADDRESS> -p 2201 -i <PATH-TO-PRIVATE-KEY>
You now have a server ready to serve your application.
Thanks for your attention!