Server creation

Mutt

In this guide, we'll go over some of the best practices for creating your first secure server. We will walk through the whole process step by step, and as a result we will get a server that is ready to run your application in production. Of course, this is not a comprehensive guide: securing a server is a continuous process of learning and improvement. But with this material, you can start building your own infrastructure.

We'll use Amazon EC2 to run the tests, but you can also use Amazon LightSail, Digital Ocean, Vultr, or another service. They are all configurable in the same way, so choose the one you like.

Create public and private SSH keys
First, let's create a key pair, which some hosting providers ask for when you create the server. You can skip this and some of the following steps if you decide to create your own key pair when you launch your server on Amazon.

We will create SSH keys using ssh-keygen.
Code:
$ ssh-keygen -t rsa -b 4096

As a result, we get two files: id_rsa and id_rsa.pub (private and public keys). Never give your private key to anyone.

You can find detailed instructions on how to create keys here.

Importing a public key to Amazon
We import the newly created public key into the Amazon platform.
  1. We go to the Amazon management console.
  2. Click AWS services → Compute → EC2
  3. Click on the left menu Network & Security → Key Pairs
  4. Click "Import Key Pair" and load the public key (id_rsa.pub)

We create our virtual machine
Let's install an Ubuntu virtual machine on Amazon EC2. The setting is described in detail here:
  1. We go to the Amazon management console.
  2. Click AWS services → Compute → EC2
  3. Select the instance to launch.
  4. We choose one of the images. In our case, it will be Ubuntu Server 16.04 LTS (HVM), with an SSD drive (but you can choose whichever suits you best).
  5. We select a virtual machine (according to your needs). Click on "Review" and "Launch".
  6. Open a new tab and import the created public key into Amazon.
  7. Here we are asked to “Select an existing key pair or create a new key pair”. Click "Choose an existing key pair" and select the key imported in the previous step.
  8. Click on "Launch Instances".
  9. Click on the link of the virtual machine that we just created.
Note: Some of the following steps can be configured from the Amazon home screen. But since this is a general guide that can be used for other services, let's talk about the default configurations.

We connect to the new server
We connect to the virtual machine over SSH.

We write in the terminal:
Code:
$ ssh <USER>@<IP-ADDRESS> -p 22 -i <PATH-TO-PRIVATE-KEY>
  • <USER>: Linux system user. For Amazon use ubuntu, for other services use root
  • <IP-ADDRESS>: The IP address of the virtual machine we created. This is the "Public DNS (IPv4)" field in the "Description" tab of our server.
  • <PATH-TO-PRIVATE-KEY>: full path to the previously generated private key (for example, /Users/flavio/.ssh/id_rsa).
  • -i <PATH-TO-PRIVATE-KEY>: This can be skipped if you added the key to your SSH agent.

Give access to a new user
Let's create a new user account named “wizard”:
Code:
$ sudo adduser wizard

Give wizard permission to execute sudo. Let's open the file:
Code:
$ sudo nano /etc/sudoers.d/wizard

And let's set the content:
Code:
wizard ALL = (ALL) NOPASSWD: ALL

Let's create the SSH directory for the new user (we are still logged in as the default user, so these commands need sudo, and the files must end up owned by wizard):
Code:
$ sudo mkdir /home/wizard/.ssh
# create the authorized_keys file and paste your public key into it
$ sudo nano /home/wizard/.ssh/authorized_keys
$ sudo chown wizard:wizard /home/wizard/.ssh
$ sudo chown wizard:wizard /home/wizard/.ssh/authorized_keys

Copy the contents of the public key (PATH-TO-PUBLIC-KEY) and paste them into /home/wizard/.ssh/authorized_keys on the remote instance. Then restrict the permissions (sshd refuses keys whose directory or file is accessible to other users):
Code:
$ sudo chmod 700 /home/wizard/.ssh
$ sudo chmod 600 /home/wizard/.ssh/authorized_keys

Securing the server
We update all installed packages.
Code:
$ sudo apt-get update
$ sudo apt-get upgrade

Change the SSH port from 22 to 2201 (we will open this port in the firewall, ufw, below). Open the /etc/ssh/sshd_config file:
Code:
$ sudo nano /etc/ssh/sshd_config

and set these directives:
Code:
Port 2201
PermitRootLogin no
PasswordAuthentication no
# drop clients that miss 3 keepalive probes (30 minutes), so dead sessions
# do not leave stale sshd processes behind
ClientAliveInterval 600
ClientAliveCountMax 3

Restart the SSH service:
Code:
$ sudo service ssh restart
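Before you close the current session, it is worth verifying that the configuration is what sshd will actually read and that the key permissions set above are in place. The following POSIX shell audit helper is an added example, not code from the original post: it resolves sshd_config directives the way sshd does (first occurrence wins, comments skipped, keywords case-insensitive, anything under a Match block ignored, OpenSSH 7.x defaults when a keyword is absent) and checks the 700/600 modes on the wizard user's .ssh directory. The script name check_server.sh is an assumption.

```shell
#!/bin/sh
# Added audit helper (not part of the original guide): verify that sshd_config and a
# user's .ssh directory match the hardening applied above (port 2201, no root or
# password logins, keepalive settings, 700/600 permissions on the key material).

# sshd_value FILE KEYWORD: effective value of KEYWORD as sshd resolves it: comments and
# blank lines skipped, case-insensitive keyword, FIRST occurrence wins, and everything
# below a "Match" block is conditional and therefore ignored. Prints nothing if absent.
sshd_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match"               { exit }
        tolower($1) == tolower(key)          { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# check_sshd_hardening FILE: one "FAIL:" line per deviation; status 0 only when clean.
# Each spec is "Keyword wanted default"; default is what sshd (OpenSSH 7.x, as shipped
# with Ubuntu 16.04) uses when the keyword is missing from the file.
check_sshd_hardening() {
    cfg="$1"; rc=0
    for spec in "Port 2201 22" "PermitRootLogin no prohibit-password" \
                "PasswordAuthentication no yes" "ClientAliveInterval 600 0" \
                "ClientAliveCountMax 3 3"; do
        set -- $spec
        got="$(sshd_value "$cfg" "$1")"
        [ -n "$got" ] || got="$3"
        if [ "$got" != "$2" ]; then
            echo "FAIL: $1 is '$got' (want '$2')"; rc=1
        fi
    done
    return $rc
}

# check_key_perms DIR: DIR must be mode 700 and DIR/authorized_keys mode 600, the values
# set with chmod above. sshd with StrictModes (the default) rejects the key file when it
# or its directory is writable by other users. ls -l output is used for portability.
check_key_perms() {
    rc=0
    [ "$(ls -ld "$1" | cut -c1-10)" = "drwx------" ] || { echo "FAIL: $1 is not mode 700"; rc=1; }
    [ "$(ls -l "$1/authorized_keys" | cut -c1-10)" = "-rw-------" ] || { echo "FAIL: $1/authorized_keys is not mode 600"; rc=1; }
    return $rc
}

# Usage on the server: sh check_server.sh /etc/ssh/sshd_config /home/wizard/.ssh
if [ $# -eq 2 ]; then
    check_sshd_hardening "$1"; a=$?; check_key_perms "$2"; b=$?
    [ "$a$b" = "00" ] && echo "OK: all checks passed"
fi
```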

We configure the Uncomplicated Firewall (UFW) so that only incoming SSH (port 2201), HTTP (port 80) and NTP (port 123) connections are allowed.
Code:
# close all incoming ports
$ sudo ufw default deny incoming
# open all outgoing ports
$ sudo ufw default allow outgoing
# open ssh port
$ sudo ufw allow 2201/tcp
# open http port
$ sudo ufw allow 80/tcp
# open ntp port: to sync the clock of your machine
$ sudo ufw allow 123/udp
# turn on firewall
$ sudo ufw enable

Configuring the server clock
Set UTC as the local time zone:
Code:
$ sudo dpkg-reconfigure tzdata

Select the 'None of the Above' option and UTC again.

Disconnect and add our key to the SSH agent
To disconnect, enter:
Code:
$ exit

and then add the private key to your local SSH agent (with ssh-add), so that the -i option is no longer needed.

Adding port permissions to Amazon
This is done in the Amazon console: the new SSH port must also be opened in the security group of our virtual machine.
  1. We go to the Amazon management console.
  2. Click AWS services → Compute → EC2
  3. Click on the left menu Network & Security → Security Groups
  4. We select a security group related to our virtual machine.
  5. Click Action → Edit Inbound Rules
  6. Click "Add Rule" and set: Type: Custom TCP, Port Range: 2201, Source: 0.0.0.0/0 and Description: SSH
Note: a Source of 0.0.0.0/0 allows SSH connections from any address; if you always connect from a fixed address range, use that range as the Source instead.

We connect with the new settings
Now you can connect to the server on the new port as a new user:
Code:
$ ssh wizard@<IP-ADDRESS> -p 2201 -i <PATH-TO-PRIVATE-KEY>

You now have a server ready to serve your application.

Thanks for your attention!