Creating And Configuring A Remote Server

From Nick's Personal Wiki
Jump to navigation Jump to search

This page should assist with connecting to the server remotely for the first time, initial configuration, and basic hardening of the server to secure it well enough for basic remote use. The actual process of creating a remote instance varies based on the cloud provider being used and is not covered here, but it is generally pretty simple to do following the documentation of the provider chosen.


Connecting To A Created Server

Using SSH

Connect to the server via SSH using the below standard format, port number (if available), and the root credentials that were created when the server was created (if available): 

ssh root@A.B.C.D:E

Where A.B.C.D is the IPv4 address of your server and E is the port number (if available).


Perform Any Available System Updates

There are likely several updates that need to be performed to bring the system up to date upon creation, use the below:

Ubuntu/Debian

apt update && upgrade

CentOS/RHEL/Fedora

 dnf upgrade


Setting Timezone

New servers are set to UTC by default, use the below to change the timezone to local time if desired.

List the available timezones: 

timedatectl list-timezones

Set the desired timezone: 

timedatectl set-timezone 'TIMEZONE_NAME_FROM_LIST'

Verify timezone has been set: 

 date


Setting A Custom Hostname

Setting a hostname can be done using the below: 

hostnamectl set-hostname CUSTOM_HOSTNAME

Try to create something specific, relevant, and memorable.

i.e.

web-01-prod

wiki-01-staging


The terminal may not update right away, and you may need to log out and back in to see the changes reflected.

You can also use the 'hostname' command to see the currently configured hostname without logging out and back in. 

hostname


Creating Non-Root Users

It's not advisable to use the unlimited access of the root account at all times, and the root account should not be permitted to access the server remotely. Create a limited-user account for the day-to-day tasks that will be performed instead using the below:


Ubuntu/Debian

Create the user: 

adduser EXAMPLE_USERNAME

Grant the user sudo privileges: 

adduser EXAMPLE_USERNAME sudo

CentOS/RHEL/Fedora

Create the user and set a password for that user: 

useradd EXAMPLE_USER && passwd EXAMPLE_USER

Grant the user sudo privileges: 

usermod -aG wheel EXAMPLE_USER


Logging In As The New User

Use the exit command to log out of the server, and repeat the steps from 'Connecting To A Created Server' using the credentials for the new user: 

ssh EXAMPLE_USER@A.B.C.D:E

Followed by entering the password set for this user.


Securing SSH Access

Password-less Authentication Using An SSH Key

Existing SSH Key

Within the SSH directory on the local machine, not the remote server machine, locate the existing SSH public key. Typically this is located in: 

/home/EXAMPLE_USER/.ssh/

SSH Keys are created in pairs, the public key will have the '.pub' extension and the private key will have no extension.

The default names will be id_rsa & id_rsa.pub.


Creating An SSH Key Pair

Use one of the below commands to create a new SSH key pair for use with the server:

Basic key creation with no additional options, press 'enter' at each prompt to use the default options: 

ssh-keygen

More advanced key creation with selectable encryption choice and comment for ease of identification later: 

ssh-keygen -t [ENCRYPTION_OPTION] -C "IDENTIFYING NAME/EMAIL"

My recommended encryption algorithm is the EdDSA for best security for length of the key: 

ssh-keygen -t ed25519 -C "IDENTIFYING NAME/EMAIL"

Uploading SSH Key To Remote Server

Use the below command to 'push' the public key to the server: 

ssh-copy-id EXAMPLE_USER@A.B.C.D:E

Log into the server and there should be no prompt for a password if done correctly, unless there was a passphrase configured for the SSH key pair when being created.


Proper SSH File Permissions

Use the below command on the remote server to set custom permissions on the below directory/file, restricting access for editing and modifying those files. 

/home/EXAMPLE_USER/.ssh/ directory 
and 
/home/EXAMPLE_USER/.ssh/authorized_keys file

 sudo chmod -R 700 /home/EXAMPLE_USER/.ssh && chmod 600 /home/EXAMPLE_USER/.ssh/authorized_keys

SSH Config File Edits

The below will disable root login from remote computers, globally disable password authentication when accessed remotely, and other SSH config file changes: 

sudo nano /etc/ssh/sshd_config

Locate and set 'PermitRootLogin' to 'no' to disable remote root access.
Locate and set 'PasswordAuthentication' to 'no' to prevent remote password authentication on all users.
Locate and set 'AddressFamily' to 'inet'(IPv4), 'inet6'(IPv6), or comment it out with # for both.

Additionally, the below changes (performed on the LOCAL machine) can be used to make connecting to the remote host simpler: 

sudo nano /home/EXAMPLE_USER/.ssh/config
(This file can be created if it does not yet exist)

Host    SERVER_ALIAS
        HostName A.B.D.C
        User EXAMPLE_USER
        Port E
        IdentityFile /PATH/TO/'''PRIVATE'''/SSH/KEY, probably /home/EXAMPLE_USER/.ssh/id_rsa

Repeat for any additional remote servers that need to be accessed this way.

Then the below command can be used to access the remote host more easily: 

ssh SERVER_ALIAS

instead of: 

ssh EXAMPLE_USER@A.B.C.D:E

Use the below command to restart the SSH service for the changes to take effect: 

sudo systemctl restart sshd


Add Required Repositories

For RHEL systems, install the EPEL (Extra Packages for Enterprise Linux) repository: 

sudo dnf update
sudo dnf install epel-release

This includes helpful packages like tldr and vim that will now be available to install.


Configuring Automatic Updates

CentOS/RHEL/Fedora

This can be achieved via the 'dnf-automatic' package: 

sudo dnf install dnf-automatic

In the 'etc/dnf/automatic.conf' file, upgrade_type can be set to either 'default' or 'security' for all upgrades or strictly security upgrades. 

upgrade_type = security

In the same '/etc/dnf/automatic.conf' file, set the following options to download updates and apply updates as soon as they're available: 

download_updates = yes
apply_updates = yes

Start and enable the service: 

sudo systemctl enable --now dnf-automatic.timer

Check the status and timers of dnf-automatic: 

sudo systemctl list-timers *dnf-*

The timer can be edited by making changes to the file located: 

/etc/systemd/system/timers.target.wants/dnf-automatic.timer

Next Steps

Next steps for configuring this server might be some of the following:

Retrieved from "https://nlear.xyz/wiki/index.php?title=Creating_And_Configuring_A_Remote_Server&oldid=226"