Difference between revisions of "Creating And Configuring A Remote Server"

From Nick's Personal Wiki
Line 10: Line 10:
  
 
Where A.B.C.D is the IPv4 address of your server and E is the port number (if available).</nowiki>
 
Where A.B.C.D is the IPv4 address of your server and E is the port number (if available).</nowiki>
 +
  
  
Line 20: Line 21:
 
==== CentOS/RHEL/Fedora ====
 
==== CentOS/RHEL/Fedora ====
 
  <nowiki> dnf upgrade</nowiki>
 
  <nowiki> dnf upgrade</nowiki>
 +
  
  
Line 33: Line 35:
 
Verify timezone has been set:
 
Verify timezone has been set:
 
  <nowiki> date</nowiki>  
 
  <nowiki> date</nowiki>  
 +
  
  
Line 52: Line 55:
 
You can also use the 'hostname' command to see the currently configured hostname without logging out and back in.
 
You can also use the 'hostname' command to see the currently configured hostname without logging out and back in.
 
  <nowiki>hostname</nowiki>
 
  <nowiki>hostname</nowiki>
 +
 +
  
 
== Creating Non-Root Users ==
 
== Creating Non-Root Users ==
 
It's not advisable to use the unlimited access of the root account at all times, and the root account should not be permitted to access the server remotely. Create a limited-user account for the day-to-day tasks that will be performed instead using the below:
 
It's not advisable to use the unlimited access of the root account at all times, and the root account should not be permitted to access the server remotely. Create a limited-user account for the day-to-day tasks that will be performed instead using the below:
 
  
 
==== Ubuntu/Debian ====
 
==== Ubuntu/Debian ====
Line 70: Line 74:
 
Grant the user sudo privileges:
 
Grant the user sudo privileges:
 
  <nowiki>usermod -aG wheel EXAMPLE_USER</nowiki>
 
  <nowiki>usermod -aG wheel EXAMPLE_USER</nowiki>
 
  
 
=== Logging In As The New User ===
 
=== Logging In As The New User ===
Line 76: Line 79:
 
  <nowiki>ssh EXAMPLE_USER@A.B.C.D:E</nowiki>  
 
  <nowiki>ssh EXAMPLE_USER@A.B.C.D:E</nowiki>  
 
Followed by entering the password set for this user.
 
Followed by entering the password set for this user.
 +
  
  
 
== Securing SSH Access ==
 
== Securing SSH Access ==
 
  
 
=== Password-less Authentication Using An SSH Key===
 
=== Password-less Authentication Using An SSH Key===
Line 90: Line 93:
  
 
The default names will be id_rsa & id_rsa.pub.
 
The default names will be id_rsa & id_rsa.pub.
 
  
 
==== Creating An SSH Key Pair ====
 
==== Creating An SSH Key Pair ====
Line 100: Line 102:
 
More advanced key creation with selectable encryption choice and comment for ease of identification later:
 
More advanced key creation with selectable encryption choice and comment for ease of identification later:
 
  <nowiki>ssh-keygen -t [ENCRYPTION_OPTION] -C "IDENTIFYING NAME/EMAIL"</nowiki>
 
  <nowiki>ssh-keygen -t [ENCRYPTION_OPTION] -C "IDENTIFYING NAME/EMAIL"</nowiki>
 
  
 
==== Uploading SSH Key To Remote Server ====
 
==== Uploading SSH Key To Remote Server ====
Line 107: Line 108:
  
 
Log into the server and there should be no prompt for a password if done correctly, unless there was a passphrase configured for the SSH key pair when being created.  
 
Log into the server and there should be no prompt for a password if done correctly, unless there was a passphrase configured for the SSH key pair when being created.  
 
  
 
===== Proper SSH File Permissions =====
 
===== Proper SSH File Permissions =====
Line 117: Line 117:
  
 
  <nowiki> sudo chmod -R 700 /home/EXAMPLE_USER/.ssh && chmod 600 /home/EXAMPLE_USER/.ssh/authorized_keys</nowiki>
 
  <nowiki> sudo chmod -R 700 /home/EXAMPLE_USER/.ssh && chmod 600 /home/EXAMPLE_USER/.ssh/authorized_keys</nowiki>
 
  
 
==== SSH Config File Edits ====
 
==== SSH Config File Edits ====
Line 149: Line 148:
 
Use the below command to restart the SSH service for the changes to take effect:
 
Use the below command to restart the SSH service for the changes to take effect:
 
  <nowiki>sudo systemctl restart sshd</nowiki>
 
  <nowiki>sudo systemctl restart sshd</nowiki>
 +
  
  
 
== Next Steps ==
 
== Next Steps ==
 
Next steps for configuring this server would be configuring a firewall to control network traffic or configuring Fail2Ban.
 
Next steps for configuring this server would be configuring a firewall to control network traffic or configuring Fail2Ban.

Revision as of 07:20, 19 December 2023

This page should assist with connecting to the server remotely for the first time, initial configuration, and basic hardening of the server to secure it well enough for basic remote use. The actual process of creating a remote instance varies based on the cloud provider being used and is not covered here, but it is generally pretty simple to do following the documentation of the provider chosen.


Connecting To A Created Server

Using SSH

Connect to the server via SSH using the below standard format, port number (if available), and the root credentials that were created when the server was created (if available):

ssh -p E root@A.B.C.D

Where A.B.C.D is the IPv4 address of your server and E is the port number (if available).


Perform Any Available System Updates

There are likely several updates that need to be performed to bring the system up to date upon creation. Use the below:

Ubuntu/Debian

apt update && apt upgrade

CentOS/RHEL/Fedora

 dnf upgrade


Setting Timezone

New servers are set to UTC by default. Use the below to change the timezone to local time if desired.

List the available timezones:

timedatectl list-timezones

Set the desired timezone:

timedatectl set-timezone 'TIMEZONE_NAME_FROM_LIST'

Verify timezone has been set:

 date 


Setting A Custom Hostname

Setting a hostname can be done using the below:

hostnamectl set-hostname CUSTOM_HOSTNAME

Try to create something specific, relevant, and memorable.

e.g.

web-01-prod

wiki-01-staging


The terminal may not update right away, and you may need to log out and back in to see the changes reflected.

You can also use the 'hostname' command to see the currently configured hostname without logging out and back in.

hostname


Creating Non-Root Users

It's not advisable to use the unlimited access of the root account at all times, and the root account should not be permitted to access the server remotely. Create a limited-user account for the day-to-day tasks that will be performed instead using the below:

Ubuntu/Debian

Create the user:

adduser EXAMPLE_USERNAME

Grant the user sudo privileges:

adduser EXAMPLE_USERNAME sudo

CentOS/RHEL/Fedora

Create the user and set a password for that user:

useradd EXAMPLE_USER && passwd EXAMPLE_USER

Grant the user sudo privileges:

usermod -aG wheel EXAMPLE_USER

Logging In As The New User

Use the exit command to log out of the server, and repeat the steps from 'Connecting To A Created Server' using the credentials for the new user:

ssh -p E EXAMPLE_USER@A.B.C.D

Followed by entering the password set for this user.


Securing SSH Access

Password-less Authentication Using An SSH Key

Existing SSH Key

Within the SSH directory on the local machine, not the remote server machine, locate the existing SSH public key. Typically this is located in:

/home/EXAMPLE_USER/.ssh/

SSH keys are created in pairs: the public key will have the '.pub' extension and the private key will have no extension.

The default names will be id_rsa & id_rsa.pub.

Creating An SSH Key Pair

Use one of the below commands to create a new SSH key pair for use with the server:

Basic key creation with no additional options, press 'enter' at each prompt to use the default options:

ssh-keygen

More advanced key creation with selectable encryption choice and comment for ease of identification later:

ssh-keygen -t [ENCRYPTION_OPTION] -C "IDENTIFYING NAME/EMAIL"

Uploading SSH Key To Remote Server

Use the below command to 'push' the public key to the server:

ssh-copy-id -p E EXAMPLE_USER@A.B.C.D

Log into the server and there should be no prompt for a password if done correctly, unless there was a passphrase configured for the SSH key pair when being created.

Proper SSH File Permissions

Use the below command to restrict permissions on the /home/EXAMPLE_USER/.ssh/ directory and the /home/EXAMPLE_USER/.ssh/authorized_keys file, so that only the owning user can read or modify them:

sudo chmod -R 700 /home/EXAMPLE_USER/.ssh && sudo chmod 600 /home/EXAMPLE_USER/.ssh/authorized_keys

SSH Config File Edits

The below will disable root login from remote computers, globally disable password authentication when accessed remotely, and make other SSH config file changes:

sudo nano /etc/ssh/sshd_config

Locate and set 'PermitRootLogin' to 'no' to disable remote root access.
Locate and set 'PasswordAuthentication' to 'no' to prevent remote password authentication on all users.
Locate and set 'AddressFamily' to 'inet' (IPv4), 'inet6' (IPv6), or comment it out with # for both.
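
A check for the edits above, added here as an example and not part of the original page: sshd uses the first value it obtains for a keyword, so if sshd_config begins with an Include line for a drop-in directory (as some distributions ship it), a drop-in file can override the 'no' set in the main file. The helper names, the drop-in file name and the sample files are constructed for illustration; the caller lists the files in the order sshd reads them.

```shell
#!/bin/sh
# effective_value KEYWORD FILE...   (hypothetical helper, not an OpenSSH tool)
# Prints the first global value found for KEYWORD across FILEs, in order.
# Keywords are case-insensitive; lines after a "Match" line are conditional
# and are skipped. Prints nothing if the keyword is never set.
effective_value() {
    key=$1; shift
    awk -v kw="$key" '
        BEGIN { kw = tolower(kw) }
        FNR == 1 { in_match = 0 }
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { in_match = 1; next }
        !in_match && tolower($1) == kw { print tolower($2); exit }
    ' "$@"
}

# audit_sshd FILE...: check the two hardening settings from this page.
# Returns the number of settings that do not have the wanted value.
audit_sshd() {
    fails=0
    for want in permitrootlogin=no passwordauthentication=no; do
        name=${want%%=*}
        got=$(effective_value "$name" "$@")
        if [ "$got" = "${want#*=}" ]; then
            echo "OK   $name $got"
        else
            echo "FAIL $name is '${got:-unset}', want '${want#*=}'"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# Constructed sample files (not taken from a real host).
demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
printf '%s\n' 'Include /etc/ssh/sshd_config.d/*.conf' \
    'PermitRootLogin no' 'PasswordAuthentication no' \
    'AddressFamily inet' > "$demo/sshd_config"
printf '%s\n' 'PasswordAuthentication yes' > "$demo/50-example.conf"

echo "main file only:";     audit_sshd "$demo/sshd_config" || true
echo "drop-in read first:"; audit_sshd "$demo/50-example.conf" "$demo/sshd_config" || true
# On a real server, 'sudo sshd -t' checks the syntax before the restart and
# 'sudo sshd -T' prints the settings sshd will actually use.
```

Keep the current SSH session open while testing a new login in a second terminal, so a mistake in the file does not lock you out.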

Additionally, the below changes (performed on the LOCAL machine) can be used to make connecting to the remote host simpler:

sudo nano /home/EXAMPLE_USER/.ssh/config
(This file can be created if it does not yet exist)

Host    SERVER_ALIAS
        HostName A.B.C.D
        User EXAMPLE_USER
        Port E
        # Path to the PRIVATE SSH key, probably /home/EXAMPLE_USER/.ssh/id_rsa
        IdentityFile /PATH/TO/PRIVATE/SSH/KEY

Repeat for any additional remote servers that need to be accessed this way.

Then the below command can be used to access the remote host more easily:

ssh SERVER_ALIAS

instead of:

ssh -p E EXAMPLE_USER@A.B.C.D

On the server, use the below command to restart the SSH service for the sshd_config changes to take effect:

sudo systemctl restart sshd


Next Steps

Next steps for configuring this server would be configuring a firewall to control network traffic or configuring Fail2Ban.