After launch a new server, that was not a full install of my own, I have found that the following steps help get it to a working state with a basic level of security. This is not all inclusive and it really just a baseline. This is specific to Ubuntu, but can be easily modified for any flavor of Linux.
With a service like Digital Ocean, AWS, or any similar service you will be given a basic install with only a root user.
Change the default root password
Start by changing that root password to something that is very complex, and save it somewhere secure.
passwd
This password will only be needed if you lose the ability to login over ssh or lose your sudo password.
Update the system. This will also save time as you start to install your applications, since everything will be nice and updated.
apt-get update && apt-get upgrade
Install Fail2ban
Fail2ban monitors login attempts to a server and blocks IP’s that fail to successfully login too many times. It can be tweaked later on, but works good enough out of the box. Be careful after installing Fail2ban, since you can lock yourself out of your own server if you have more than 3 failed login attempts. If that does happen, just go grab a beer and wait for your own block to expire before logging in again.
apt-get install fail2ban
Setup a New User
Since it is never a good idea to allow root login to your server, now you need to setup a new login user. Replace ‘NewUser’ with whatever you want to use. Make sure the password you use here is complex and keep a note of it. It will be used later on for super user access.
useradd NewUser mkdir /home/NewUser mkdir /home/NewUser/.ssh chmod 700 /home/NewUser/.ssh passwd NewUser
Setup public key authentication
Passwords suck! For secure remote ssh access,public key authentication will provide a much better option. It also simplifies your login process since you don’t have to remember a long and complex password.
vim /home/NewUser/.ssh/authorized_keys
Add the contents of the id_rsa.pub to this file.
chmod 400 /home/NewUser/.ssh/authorized_keys chown NewUser:NewUser /home/NewUser -R
Test The New User and Enable Super User Access
Open a new terminal or ssh session and attempt to login with the NewUser account. It’s really important to keep the original session open to fix thing if you screw up. If the login works, then you can go back to your original terminal to enable Super User access.
visudo
Find the list of users and add NewUser to the list. This will grant Super User access when the user authenticates with their own password.
## Allow root to run any commands anywhere root ALL=(ALL) ALL NewUser ALL=(ALL) ALL
Secure SSH access
Disable root login for ssh and limit logins to a list of ip’s
vim /etc/ssh/sshd_config
Add these lines to the file, inserting the ip address from where you will be connecting from. If you access from different dynamic IP’s (home internet providers, cell phone network), you may want to skip the IP limit.
PermitRootLogin no PasswordAuthentication no AllowUsers [email protected](your-ip) [email protected](another-ip-if-any)
Restart SSH
service ssh restart