command line, linux

How to secure server

After accessing your brand new server it is highly recommended to change a few things to increase security.

Firstly, change the root password

# passwd root

Secondly, we do not want to use root directly, so create new user:

# adduser user

Add user to sudo group, allowing him to execute commands with root privileges

# usermod -aG sudo user 

In CentOS add to wheel group

# usermod -aG wheel user 

On your local machine create ssh key (if do not have one)

$ ssh-keygen -t rsa -b 4096 -C "[email protected]"

It should have created a new key pair in ~/.ssh

Copy PUBLIC key to your server

$ ssh-copy-id -i ~/.ssh/id_rsa.pub [email protected]

Then you can login using it (now use private key)

$ ssh -i ~/.ssh.id_rsa [email protected]

To increase security, create sshgroup and add user to it

$ sudo groupadd sshgroup
$ sudo gpasswd -a user sshgroup

Then allow only users which belongs to this group to login via ssh. Edit the file /etc/ssh/sshd_config and set

AllowGroups sshgroup

Add some more options

PermitRootLogin        no 
PasswordAuthentication no 
PermitEmptyPasswords   no
UsePAM                 no

Then restart sshd service and you should be ready to go

$ sudo systemctl restart sshd

What has been done:

  • changed root password
  • disabled root login
  • created new user with sudo privileges
  • allowed only users from sshgroup to login via ssh
  • not allowed to login via ssh using password