1. Initial server login and hardening as root user
The first thing you should do on a server is harden it. This means securing it so that it’s less vulnerable to attacks.
To log in to your server, you need the server’s IP address. You should have gotten it at the end of the [previous tutorial](https://isabelcastillo.com/deploy-vultr). If not, you can find it in your Vultr account dashboard. Click on the name of your server to see the server information page. The IP address is listed there. Copy the IP Address (not IPv6 Address).
To log in to your server, open a terminal window (or Git Bash) and type the following command, but replace `IP` with your server’s IP address:
ssh root@IP
You’ll be asked to confirm the connection with a message like this:
Are you sure you want to continue connecting (yes/no/[fingerprint])?
Type `yes` and press Enter.
2. Change root User’s Password
The first time you log in to your server as the root user, you should change the password.
Enter the command to change root user’s password:
passwd
Enter your new password, then press Enter.
You will not see anything as you type the password. This is normal.
You’ll be asked to confirm your new password. Enter it again, then press Enter.
Important: Please keep a secure record of this password for your server’s root user. Back on the Vultr page for this server, the server information page on Vultr shows the initial password for the server. When you change the password (as you just did), the server information page on Vultr will not reflect the change. So you must keep a secure record of the new password you just set.
3. Add New User
Add a new non-root user, but with the ability to invoke root user privileges.
cd /home
In this example, my new user name is `isa`. You can use any name you like, but it’s best to keep it short and simple.
(keep usernames lowercase)
adduser isa
You’ll be asked to enter a New password for this new user. Enter your desired password. Be sure to make a note of it somewhere.
Then press Enter to accept the default values for each of the next 5 prompts.
Then type `y` and press Enter.
Add the new user to the `www-data` group (replace `isa` with your new username):
```bash
sudo usermod -aG www-data isa
```
To verify that you’ve been added to the group, you can use the `groups` command followed by your username:
```bash
groups isa
```
In the list of groups that is displayed, you should see `www-data`.
**Next:**
Delete the default ‘ubuntu’ user, adding the `--remove-home` option to also remove the home directory:
deluser ubuntu --remove-home
For Future Reference: To delete a user: `deluser isa`
For Future Reference: To change the password of a user, use the `passwd` command and the name of the user, like this: `passwd isa`
Otherwise, if you just type `passwd`, it will change the password of the current user.
4. Set nano as Default Editor
Ensure that nano is set as the default editor:
update-alternatives --config editor
In the results, the default text editor has an asterisk next to it.
If nano is not the default, type the Selection number of nano, and press Enter.
5. Give New User Root Privileges
Give the new user root privileges:
visudo
Scroll down to:
```
# User privilege specification
root	ALL=(ALL:ALL) ALL
```
Add a line underneath that with your user name, then a tab, then the 4 “ALL”s, entered exactly as in the line above (replace `isa` with your username). The section should look like this after you enter your user line:
```
# User privilege specification
root	ALL=(ALL:ALL) ALL
isa	ALL=(ALL:ALL) ALL
```
Save your changes to the file: CTRL + o, then Enter
Exit nano: CTRL + x
6. Prevent Root Login
This is a safety measure to prevent unauthorized access to your server. You’ll still be able to log in as the new user you created. And you can still do anything the root user can do by using the `sudo` command.
To prevent root login, you must edit the `sshd_config` file.
First, make a backup copy of the file.
cd /etc/ssh/
Back up `sshd_config`:
cp sshd_config sshd_config.bak
Open the `sshd_config` file for editing in the “nano” text editor:
nano sshd_config
Change this line: `PermitRootLogin yes` to `PermitRootLogin no`
Save your changes to the file: CTRL + o, then Enter
Exit nano: CTRL + x
To enable the changes you just made to `sshd_config`, you must restart the SSH service:
systemctl restart ssh
Exit from the server as root user. You’ll no longer be able to log in as the `root` user.
exit
7. Initial server hardening as non-root user
The next time you log in to your server, you’ll log in as the new user you created. We will continue hardening and securing the server as the new user.
Be sure you have exited from the server as root user.
8. Upload your Public SSH Key
Upload your public SSH key. In the following command, change `user` to your username (the user you created above), and change `IP` to your server’s IP address.
ssh-copy-id -i .ssh/id_rsa.pub user@IP
(If that doesn’t work, you can do it instead in a more manual way like this.)
Then, try to log in to make sure it worked (replace `user` with your username and `IP` with your server’s IP address):
ssh user@IP
You should be able to log in without being asked for a password. If you are asked for a password, type CTRL + c to cancel. Then try it this way instead, in which the `-i` option gives the path to your private SSH key:
ssh -i .ssh/id_rsa user@IP
If you are still asked for a password, then the public key wasn’t uploaded correctly. You can try again or try the manual method in the link above.
9. Optional: Shortcut for SSH Login – Alias
To make it easier to log in to your server, you can create a shortcut in your local `~/.ssh/config` file.
An alias is just a short word that you designate for logging in to a server. You can use any word you like. In this example, I’ll use `dev` as the alias.
This works like a shortcut that allows you to log in to the server by simply typing `ssh` followed by the alias:
ssh dev
…instead of typing the full `ssh` command with the username and IP address.
To create the alias, make sure you’re NOT logged in to the server. If unsure, you can log out by typing `exit` and pressing Enter.
Create a local config file in your local `.ssh` directory:
nano ~/.ssh/config
Add the following lines to the file, replacing `username` with your username and `IP` with your server’s IP address. And of course, replace `alias` with your desired alias:
```
Host alias
    HostName IP
    User username
    IdentityFile ~/.ssh/id_rsa
    ServerAliveInterval 60
    ServerAliveCountMax 120
```
After you paste the lines into the file, save your changes to the file:
CTRL + o, then Enter.
Exit from nano: CTRL + x
Logging in to Server With an Alias
Now you can log in to the server using the alias that you designated.
To test that it works, log in to the server like this (change `alias` to the alias that you set):
ssh alias
Note – Multiple aliases
You can add more servers to this config file; just skip a line between servers, for example:
```
Host server1
    HostName ip_address
    User username
    IdentityFile path/2/private_key_file
    ServerAliveInterval 60
    ServerAliveCountMax 120

Host server2
    HostName ip_address
    User username
    IdentityFile path/2/private_key_file
    ServerAliveInterval 60
    ServerAliveCountMax 120
```
Give each server its own alias on the `Host` line. In this example, the aliases are `server1` and `server2`.
10. Enable Public Key Authentication and Disable Password Authentication
To further secure your server, you should disable password authentication and enable public key authentication.
Be sure you’re logged in to the server as your new user.
Open the `sshd_config` file for editing:
sudo nano /etc/ssh/sshd_config
Scroll down to the section: `# Authentication:`.
Remove the `#` to enable this line:
#PubkeyAuthentication yes
Under that, remove the `#` to enable this line:
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
Search for: `PasswordAuth`, then use Alt + w until you find this line:
#PasswordAuthentication yes
Change the `yes` to `no` and remove the `#` to enable the line. Result:
PasswordAuthentication no
Save your changes to the file: CTRL + o, then Enter.
Exit nano: CTRL + x
Restart the SSH service to enable the changes you just made:
sudo systemctl restart ssh
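One way to confirm that the edits from steps 6 and 10 are what sshd actually applies, as an added example that is not part of the original tutorial: `sshd -T` prints the effective configuration, and the script checks it for the three values set above. The function names, the sample outputs and the `/etc/ssh/sshd_config.d` drop-in directory layout are assumptions of this example.

```bash
# Added example. Real use on the server:  sudo sshd -T | audit_sshd
# `sshd -T` prints the settings sshd will actually apply, keywords in lowercase.

# Values expected once steps 6 and 10 of this tutorial are done.
EXPECTED="permitrootlogin=no passwordauthentication=no pubkeyauthentication=yes"

# Reads `sshd -T` output on stdin; returns 0 only if every expected value matches.
audit_sshd() {
    local dump pair key want got rc=0
    dump=$(cat)
    for pair in $EXPECTED; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(printf '%s\n' "$dump" | awk -v k="$key" '$1 == k { print $2; exit }')
        if [ "$got" = "$want" ]; then
            echo "OK    $key $got"
        else
            echo "FAIL  $key is '${got:-unset}', expected '$want'"
            rc=1
        fi
    done
    return "$rc"
}

# Lists every uncommented line that sets KEYWORD in sshd_config and in the
# sshd_config.d drop-in directory (assumed layout), to trace a FAIL to its file.
find_setters() {
    local keyword=$1 dir=${2:-/etc/ssh}
    grep -riHnE "^[[:space:]]*${keyword}[[:space:]]" \
        "$dir/sshd_config" "$dir/sshd_config.d" 2>/dev/null
}

# Constructed sample (not captured from a real server): the step 10 edit did
# not take effect, so password logins are still accepted.
SAMPLE_BAD='port 22
permitrootlogin no
pubkeyauthentication yes
passwordauthentication yes'

# Constructed sample of the state the tutorial is aiming for.
SAMPLE_GOOD='port 22
permitrootlogin no
pubkeyauthentication yes
passwordauthentication no'

printf '%s\n' "$SAMPLE_BAD" | audit_sshd || echo "=> fix the FAIL lines, then re-check"
```

Run `sudo sshd -T | audit_sshd` from a session that is still logged in, so a FAIL can be corrected before that session is closed.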
11. Backup your SSH Key
To prevent losing access to your server, you should back up your private SSH key.
Your private SSH key should be on your local computer, in the `.ssh` directory of your user account. It’s just a file named `id_rsa`.
Use the 3-2-1 Backup Rule:
The 3-2-1 backup rule is an easy-to-remember acronym for a common approach to keeping your data safe in almost any failure scenario. The rule is:
- Keep at least three (3) copies of your data,
- and store two (2) of the copies on different types of storage media,
- with one (1) of them located offsite.
So, you should keep your private SSH key in at least 3 places:
- On your local computer
- On a USB drive or external hard drive at your home or office
- On a USB drive or external hard drive at a different location, such as a family member’s house. (I’m not sure if this is a good idea, just a thought.)
12. Update the Server
Before you do anything else, you should update the server. This will update the package list and install any available updates.
Update the server:
sudo apt update
Then upgrade the server (this can take a while, like 10 minutes, so go have a cup of tea or coffee after you run this command):
sudo apt upgrade
– If you get a question asking, “Which services should be restarted?” Leave options as is, hit tab to go to “Enter” and tap Enter.
– If asked to choose “install package” or “Keep your currently installed”, choose to keep the currently installed one.
When it’s finished, run this command to clean up any unused packages:
sudo apt autoremove
After some high-level updates, you must reboot the server. Do:
sudo reboot
That will log you out of the server. Wait a few minutes for the server to reboot, then log in again with your new user (or with the alias you set up).
With the user and IP address you used above, do this (but change `user` and `IP` to your username and server’s IP address):
ssh user@IP
Or with the alias you set up, do this (but change `alias` to your alias):
ssh alias
13. Firewall Setup
cd
sudo ufw status verbose
We want it to be inactive. So ONLY if it is active, do:
sudo ufw --force disable
sudo ufw --force reset
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https
sudo ufw enable
If asked “Command may disrupt existing ssh connections. Proceed with operation (y|n)?”, answer `y`.
Confirm that ports 22, 80, and 443 are open:
sudo ufw status verbose
sudo reboot
Wait a few minutes for the server to reboot, then log back in to the server and confirm that our rules persisted after the reboot:
Confirm that ports 22, 80, and 443 are still open:
sudo ufw status verbose
14. Install Fail2Ban
Fail2Ban is a security tool that monitors your server’s logs for suspicious activity and bans the IP addresses of attackers.
Install Fail2Ban:
sudo apt install fail2ban
cd /etc/fail2ban
sudo cp jail.conf jail.local
sudo nano jail.local
Use CTRL + w to search for `bantime`. Keep using Alt + w until you find the first one that’s not commented out:
```
# "bantime" is the number of seconds that a host is banned.
bantime = 10m
```
Change these 3 consecutive lines:
- Change `bantime` from `10m` to `604800s`
- Change `findtime` from `10m` to `10800s` (3 hours)
- Change `maxretry` from `5` to `3`
Next, search for `[sshd]` (in brackets). In that section, find the `#mode` line and remove the `#` to enable it:
mode = normal
And in the same `mode` line, change `normal` to `aggressive`:
mode = aggressive
Then, under the last line in that section (`backend = %(sshd_backend)s`), add this line:
enabled = true
Save your changes to the file: CTRL + o, then Enter.
Exit nano: CTRL + x
Restart the Fail2Ban service:
sudo systemctl restart fail2ban
Ensure it persists after reboot:
sudo systemctl enable fail2ban
Check the status of Fail2Ban:
sudo systemctl status fail2ban
It should be “active”.
Reboot the server:
sudo reboot
After waiting a few minutes for the server to reboot, log back in to your server and check that fail2ban is still running:
sudo systemctl status fail2ban
You want to see something like: “Active: active (running)”
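What the three values changed in `jail.local` do, as an added example that is not part of the original tutorial and not fail2ban's own code: a simplified sliding-window model of the ban decision, run over a constructed failure list with the `jail.conf` defaults and with this page's values. The function names and the input format are assumptions made for the example.

```bash
# Added example: simplified model of the ban decision (not fail2ban's code).
# An address is banned once MAXRETRY failures fall within FINDTIME seconds,
# and stays banned for BANTIME seconds.
#
# usage:  would_ban MAXRETRY FINDTIME BANTIME < failures
# stdin:  "<epoch-seconds> <ip>" per failed attempt, oldest first
# stdout: "<ip> banned_at=<epoch> unban_at=<epoch>" per ban
would_ban() {
    awk -v maxretry="$1" -v findtime="$2" -v bantime="$3" '
    {
        ts = $1; ip = $2
        # A banned address is dropped by the firewall, so it logs no failures.
        if ((ip in unban) && ts < unban[ip]) next
        n[ip]++
        seen[ip, n[ip]] = ts
        # Count the failures from this address that fall inside the window.
        hits = 0
        for (i = n[ip]; i >= 1 && ts - seen[ip, i] < findtime; i--) hits++
        if (hits >= maxretry) {
            unban[ip] = ts + bantime
            printf "%s banned_at=%d unban_at=%d\n", ip, ts, unban[ip]
            n[ip] = 0
        }
    }'
}

# Constructed failure list (documentation-range addresses, made-up times).
# 203.0.113.7 fails three times within two hours; 198.51.100.9 fails only
# occasionally, hours apart, as a user mistyping a login might.
SAMPLE_FAILURES='1700000000 203.0.113.7
1700000060 203.0.113.7
1700003600 198.51.100.9
1700007200 203.0.113.7
1700020000 198.51.100.9
1700040000 198.51.100.9'

# jail.conf defaults (maxretry 5, findtime 10m, bantime 10m) versus the
# values this tutorial sets (maxretry 3, findtime 10800s, bantime 604800s).
with_defaults() { printf '%s\n' "$SAMPLE_FAILURES" | would_ban 5 600 600; }
with_tutorial() { printf '%s\n' "$SAMPLE_FAILURES" | would_ban 3 10800 604800; }

echo "defaults: $(with_defaults)"
echo "tutorial: $(with_tutorial)"
```

With the defaults nothing in the sample is banned; with the tutorial's values the repeated failures from one address trigger a 7-day ban while the occasional failures do not.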
Coming up next
In the next tutorial, we’ll install the software needed to run a website on your server. This includes the rest of the LAMP stack. You already have Linux (Ubuntu). Next we’ll install and secure Apache, MariaDB, and PHP. After that, we’ll install WordPress and secure it.