Difference between revisions of "Creating And Configuring A Remote Server"
m (→Using SSH) |
(→Creating An SSH Key Pair: -- adding blurb about ed25519 encryption for ssh-keygen) |
||
| (31 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
| + | This page should assist with connecting to the server remotely for the first time, initial configuration, and basic hardening of the server to secure it well enough for basic remote use. '''The actual process of creating a remote instance varies based on the cloud provider being used and is not covered here, but it is generally pretty simple to do following the documentation of the provider chosen.''' | ||
| + | |||
| + | |||
== Connecting To A Created Server == | == Connecting To A Created Server == | ||
| Line 7: | Line 10: | ||
Where A.B.C.D is the IPv4 address of your server and E is the port number (if available).</nowiki> | Where A.B.C.D is the IPv4 address of your server and E is the port number (if available).</nowiki> | ||
| + | |||
| + | |||
== Perform Any Available System Updates == | == Perform Any Available System Updates == | ||
There are likely several updates that need to be performed to bring the system up to date upon creation, use the below: | There are likely several updates that need to be performed to bring the system up to date upon creation, use the below: | ||
| − | === Ubuntu/Debian === | + | ==== Ubuntu/Debian ==== |
<nowiki>apt update && upgrade</nowiki> | <nowiki>apt update && upgrade</nowiki> | ||
| − | === CentOS/RHEL/Fedora === | + | ==== CentOS/RHEL/Fedora ==== |
<nowiki> dnf upgrade</nowiki> | <nowiki> dnf upgrade</nowiki> | ||
| + | |||
| Line 31: | Line 37: | ||
| − | == Custom Hostname == | + | |
| + | == Setting A Custom Hostname == | ||
Setting a hostname can be done using the below: | Setting a hostname can be done using the below: | ||
<nowiki>hostnamectl set-hostname CUSTOM_HOSTNAME</nowiki> | <nowiki>hostnamectl set-hostname CUSTOM_HOSTNAME</nowiki> | ||
Try to create something specific, relevant, and memorable. | Try to create something specific, relevant, and memorable. | ||
| + | |||
i.e. | i.e. | ||
| + | |||
web-01-prod | web-01-prod | ||
| + | |||
wiki-01-staging | wiki-01-staging | ||
| + | |||
The terminal may not update right away, and you may need to log out and back in to see the changes reflected. | The terminal may not update right away, and you may need to log out and back in to see the changes reflected. | ||
| − | + | ||
| + | You can also use the 'hostname' command to see the currently configured hostname without logging out and back in. | ||
| + | <nowiki>hostname</nowiki> | ||
| + | |||
| + | |||
== Creating Non-Root Users == | == Creating Non-Root Users == | ||
It's not advisable to use the unlimited access of the root account at all times, and the root account should not be permitted to access the server remotely. Create a limited-user account for the day-to-day tasks that will be performed instead using the below: | It's not advisable to use the unlimited access of the root account at all times, and the root account should not be permitted to access the server remotely. Create a limited-user account for the day-to-day tasks that will be performed instead using the below: | ||
| − | === Ubuntu/Debian === | + | |
| + | ==== Ubuntu/Debian ==== | ||
Create the user: | Create the user: | ||
<nowiki>adduser EXAMPLE_USERNAME</nowiki> | <nowiki>adduser EXAMPLE_USERNAME</nowiki> | ||
| Line 53: | Line 69: | ||
<nowiki>adduser EXAMPLE_USERNAME sudo</nowiki> | <nowiki>adduser EXAMPLE_USERNAME sudo</nowiki> | ||
| − | === CentOS/RHEL/Fedora === | + | ==== CentOS/RHEL/Fedora ==== |
Create the user and set a password for that user: | Create the user and set a password for that user: | ||
<nowiki>useradd EXAMPLE_USER && passwd EXAMPLE_USER</nowiki> | <nowiki>useradd EXAMPLE_USER && passwd EXAMPLE_USER</nowiki> | ||
| Line 59: | Line 75: | ||
Grant the user sudo privileges: | Grant the user sudo privileges: | ||
<nowiki>usermod -aG wheel EXAMPLE_USER</nowiki> | <nowiki>usermod -aG wheel EXAMPLE_USER</nowiki> | ||
| + | |||
=== Logging In As The New User === | === Logging In As The New User === | ||
| Line 64: | Line 81: | ||
<nowiki>ssh EXAMPLE_USER@A.B.C.D:E</nowiki> | <nowiki>ssh EXAMPLE_USER@A.B.C.D:E</nowiki> | ||
Followed by entering the password set for this user. | Followed by entering the password set for this user. | ||
| + | |||
| + | |||
| + | |||
| + | == Securing SSH Access == | ||
| + | |||
| + | |||
| + | === Password-less Authentication Using An SSH Key=== | ||
| + | |||
| + | |||
| + | ==== Existing SSH Key ==== | ||
| + | Within the SSH directory on the local machine, not the remote server machine, locate the existing SSH public key. Typically this is located in: | ||
| + | <nowiki>/home/EXAMPLE_USER/.ssh/</nowiki> | ||
| + | |||
| + | SSH Keys are created in pairs, the public key will have the '.pub' extension and the private key will have no extension. | ||
| + | |||
| + | The default names will be id_rsa & id_rsa.pub. | ||
| + | |||
| + | |||
| + | ==== Creating An SSH Key Pair ==== | ||
| + | Use one of the below commands to create a new SSH key pair for use with the server: | ||
| + | |||
| + | Basic key creation with no additional options, press 'enter' at each prompt to use the default options: | ||
| + | <nowiki>ssh-keygen</nowiki> | ||
| + | |||
| + | More advanced key creation with selectable encryption choice and comment for ease of identification later: | ||
| + | <nowiki>ssh-keygen -t [ENCRYPTION_OPTION] -C "IDENTIFYING NAME/EMAIL"</nowiki> | ||
| + | |||
| + | My recommended encryption algorithm is the EdDSA for best security for length of the key: | ||
| + | <nowiki>ssh-keygen -t ed25519 -C "IDENTIFYING NAME/EMAIL"</nowiki> | ||
| + | |||
| + | ==== Uploading SSH Key To Remote Server ==== | ||
| + | Use the below command to 'push' the public key to the server: | ||
| + | <nowiki>ssh-copy-id EXAMPLE_USER@A.B.C.D:E</nowiki> | ||
| + | |||
| + | Log into the server and there should be no prompt for a password if done correctly, unless there was a passphrase configured for the SSH key pair when being created. | ||
| + | |||
| + | |||
| + | ===== Proper SSH File Permissions ===== | ||
| + | Use the below command on the remote server to set custom permissions on the below directory/file, restricting access for editing and modifying those files. | ||
| + | |||
| + | <nowiki>/home/EXAMPLE_USER/.ssh/ directory | ||
| + | and | ||
| + | /home/EXAMPLE_USER/.ssh/authorized_keys file</nowiki> | ||
| + | |||
| + | <nowiki> sudo chmod -R 700 /home/EXAMPLE_USER/.ssh && chmod 600 /home/EXAMPLE_USER/.ssh/authorized_keys</nowiki> | ||
| + | |||
| + | === SSH Config File Edits === | ||
| + | The below will disable root login from remote computers, globally disable password authentication when accessed remotely, and other SSH config file changes: | ||
| + | |||
| + | <nowiki>sudo nano /etc/ssh/sshd_config | ||
| + | |||
| + | Locate and set 'PermitRootLogin' to 'no' to disable remote root access. | ||
| + | Locate and set 'PasswordAuthentication' to 'no' to prevent remote password authentication on all users. | ||
| + | Locate and set 'AddressFamily' to 'inet'(IPv4), 'inet6'(IPv6), or comment it out with # for both.</nowiki> | ||
| + | |||
| + | Additionally, the below changes (performed on the LOCAL machine) can be used to make connecting to the remote host simpler: | ||
| + | |||
| + | <nowiki>sudo nano /home/EXAMPLE_USER/.ssh/config | ||
| + | (This file can be created if it does not yet exist) | ||
| + | |||
| + | Host SERVER_ALIAS | ||
| + | HostName A.B.D.C | ||
| + | User EXAMPLE_USER | ||
| + | Port E | ||
| + | IdentityFile /PATH/TO/'''PRIVATE'''/SSH/KEY, probably /home/EXAMPLE_USER/.ssh/id_rsa</nowiki> | ||
| + | |||
| + | Repeat for any additional remote servers that need to be accessed this way. | ||
| + | |||
| + | Then the below command can be used to access the remote host more easily: | ||
| + | <nowiki>ssh SERVER_ALIAS</nowiki> | ||
| + | |||
| + | instead of: | ||
| + | <nowiki>ssh EXAMPLE_USER@A.B.C.D:E</nowiki> | ||
| + | |||
| + | Use the below command to restart the SSH service for the changes to take effect: | ||
| + | <nowiki>sudo systemctl restart sshd</nowiki> | ||
| + | |||
| + | |||
| + | |||
| + | == Add Required Repositories == | ||
| + | For RHEL systems, install the ''EPEL (Extra Packages for Enterprise Linux)'' repository: | ||
| + | |||
| + | <nowiki>sudo dnf update | ||
| + | sudo dnf install epel-release </nowiki> | ||
| + | |||
| + | This includes helpful packages like tldr and vim that will now be available to install. | ||
| + | |||
| + | |||
| + | == Configuring Automatic Updates == | ||
| + | ==== CentOS/RHEL/Fedora ==== | ||
| + | This can be achieved via the 'dnf-automatic' package: | ||
| + | <nowiki>sudo dnf install dnf-automatic</nowiki> | ||
| + | |||
| + | In the 'etc/dnf/automatic.conf' file, upgrade_type can be set to either 'default' or 'security' for all upgrades or strictly security upgrades. | ||
| + | <nowiki>upgrade_type = security</nowiki> | ||
| + | |||
| + | In the same '/etc/dnf/automatic.conf' file, set the following options to download updates and apply updates as soon as they're available: | ||
| + | <nowiki>download_updates = yes | ||
| + | apply_updates = yes</nowiki> | ||
| + | |||
| + | Start and enable the service: | ||
| + | <nowiki>sudo systemctl enable --now dnf-automatic.timer</nowiki> | ||
| + | |||
| + | Check the status and timers of dnf-automatic: | ||
| + | <nowiki>sudo systemctl list-timers *dnf-*</nowiki> | ||
| + | |||
| + | The timer can be edited by making changes to the file located: | ||
| + | <nowiki>/etc/systemd/system/timers.target.wants/dnf-automatic.timer</nowiki> | ||
| + | |||
| + | == Next Steps == | ||
| + | Next steps for configuring this server might be some of the following: | ||
| + | |||
| + | * Configuring a [[Firewalld|firewall (Firewalld)]] to control network traffic | ||
| + | * [[Ansible Basics|Ansible]] to automate configuration of additional hosts/services | ||
| + | * [[Fail2Ban]] to prevent spam/malicious activity | ||
| + | * Hosting your own [[Creating_And_Configuring_MediaWiki|Wiki Project]] | ||
| + | * Hosting a cloud storage solution with [[Creating_And_Configuring_OwnCloud_(Self-hosted_Cloud_Storage)|OwnCloud]] | ||
| + | * Donating your host to the Tor Project with a [[Creating_And_Configuring_TOR_Nodes|Tor Node]] | ||
| + | * Creating a [[Git_Fundamentals|Git Repo]] to publish your projects from | ||
| + | * Creating a [[Reverse_Proxy_(Nginx)|Reverse Proxy]] for future hosts to stand behind | ||
Latest revision as of 12:54, 27 March 2026
This page should assist with connecting to the server remotely for the first time, initial configuration, and basic hardening of the server to secure it well enough for basic remote use. The actual process of creating a remote instance varies based on the cloud provider being used and is not covered here, but it is generally pretty simple to do following the documentation of the provider chosen.
Connecting To A Created Server
Using SSH
Connect to the server via SSH using the below standard format, port number (if available), and the root credentials that were created when the server was created (if available):
ssh root@A.B.C.D:E Where A.B.C.D is the IPv4 address of your server and E is the port number (if available).
Perform Any Available System Updates
There are likely several updates that need to be performed to bring the system up to date upon creation, use the below:
Ubuntu/Debian
apt update && upgrade
CentOS/RHEL/Fedora
dnf upgrade
Setting Timezone
New servers are set to UTC by default, use the below to change the timezone to local time if desired.
List the available timezones:
timedatectl list-timezones
Set the desired timezone:
timedatectl set-timezone 'TIMEZONE_NAME_FROM_LIST'
Verify timezone has been set:
date
Setting A Custom Hostname
Setting a hostname can be done using the below:
hostnamectl set-hostname CUSTOM_HOSTNAME
Try to create something specific, relevant, and memorable.
i.e.
web-01-prod
wiki-01-staging
The terminal may not update right away, and you may need to log out and back in to see the changes reflected.
You can also use the 'hostname' command to see the currently configured hostname without logging out and back in.
hostname
Creating Non-Root Users
It's not advisable to use the unlimited access of the root account at all times, and the root account should not be permitted to access the server remotely. Create a limited-user account for the day-to-day tasks that will be performed instead using the below:
Ubuntu/Debian
Create the user:
adduser EXAMPLE_USERNAME
Grant the user sudo privileges:
adduser EXAMPLE_USERNAME sudo
CentOS/RHEL/Fedora
Create the user and set a password for that user:
useradd EXAMPLE_USER && passwd EXAMPLE_USER
Grant the user sudo privileges:
usermod -aG wheel EXAMPLE_USER
Logging In As The New User
Use the exit command to log out of the server, and repeat the steps from 'Connecting To A Created Server' using the credentials for the new user:
ssh EXAMPLE_USER@A.B.C.D:E
Followed by entering the password set for this user.
Securing SSH Access
Password-less Authentication Using An SSH Key
Existing SSH Key
Within the SSH directory on the local machine, not the remote server machine, locate the existing SSH public key. Typically this is located in:
/home/EXAMPLE_USER/.ssh/
SSH Keys are created in pairs, the public key will have the '.pub' extension and the private key will have no extension.
The default names will be id_rsa & id_rsa.pub.
Creating An SSH Key Pair
Use one of the below commands to create a new SSH key pair for use with the server:
Basic key creation with no additional options, press 'enter' at each prompt to use the default options:
ssh-keygen
More advanced key creation with selectable encryption choice and comment for ease of identification later:
ssh-keygen -t [ENCRYPTION_OPTION] -C "IDENTIFYING NAME/EMAIL"
My recommended encryption algorithm is the EdDSA for best security for length of the key:
ssh-keygen -t ed25519 -C "IDENTIFYING NAME/EMAIL"
Uploading SSH Key To Remote Server
Use the below command to 'push' the public key to the server:
ssh-copy-id EXAMPLE_USER@A.B.C.D:E
Log into the server and there should be no prompt for a password if done correctly, unless there was a passphrase configured for the SSH key pair when being created.
Proper SSH File Permissions
Use the below command on the remote server to set custom permissions on the below directory/file, restricting access for editing and modifying those files.
/home/EXAMPLE_USER/.ssh/ directory and /home/EXAMPLE_USER/.ssh/authorized_keys file
sudo chmod -R 700 /home/EXAMPLE_USER/.ssh && chmod 600 /home/EXAMPLE_USER/.ssh/authorized_keys
SSH Config File Edits
The below will disable root login from remote computers, globally disable password authentication when accessed remotely, and other SSH config file changes:
sudo nano /etc/ssh/sshd_config Locate and set 'PermitRootLogin' to 'no' to disable remote root access. Locate and set 'PasswordAuthentication' to 'no' to prevent remote password authentication on all users. Locate and set 'AddressFamily' to 'inet'(IPv4), 'inet6'(IPv6), or comment it out with # for both.
Additionally, the below changes (performed on the LOCAL machine) can be used to make connecting to the remote host simpler:
sudo nano /home/EXAMPLE_USER/.ssh/config
(This file can be created if it does not yet exist)
Host SERVER_ALIAS
HostName A.B.D.C
User EXAMPLE_USER
Port E
IdentityFile /PATH/TO/'''PRIVATE'''/SSH/KEY, probably /home/EXAMPLE_USER/.ssh/id_rsa
Repeat for any additional remote servers that need to be accessed this way.
Then the below command can be used to access the remote host more easily:
ssh SERVER_ALIAS
instead of:
ssh EXAMPLE_USER@A.B.C.D:E
Use the below command to restart the SSH service for the changes to take effect:
sudo systemctl restart sshd
Add Required Repositories
For RHEL systems, install the EPEL (Extra Packages for Enterprise Linux) repository:
sudo dnf update sudo dnf install epel-release
This includes helpful packages like tldr and vim that will now be available to install.
Configuring Automatic Updates
CentOS/RHEL/Fedora
This can be achieved via the 'dnf-automatic' package:
sudo dnf install dnf-automatic
In the 'etc/dnf/automatic.conf' file, upgrade_type can be set to either 'default' or 'security' for all upgrades or strictly security upgrades.
upgrade_type = security
In the same '/etc/dnf/automatic.conf' file, set the following options to download updates and apply updates as soon as they're available:
download_updates = yes apply_updates = yes
Start and enable the service:
sudo systemctl enable --now dnf-automatic.timer
Check the status and timers of dnf-automatic:
sudo systemctl list-timers *dnf-*
The timer can be edited by making changes to the file located:
/etc/systemd/system/timers.target.wants/dnf-automatic.timer
Next Steps
Next steps for configuring this server might be some of the following:
- Configuring a firewall (Firewalld) to control network traffic
- Ansible to automate configuration of additional hosts/services
- Fail2Ban to prevent spam/malicious activity
- Hosting your own Wiki Project
- Hosting a cloud storage solution with OwnCloud
- Donating your host to the Tor Project with a Tor Node
- Creating a Git Repo to publish your projects from
- Creating a Reverse Proxy for future hosts to stand behind