This article outlines the basic things to do when you build a server to host your websites. Simply put, these are the common practices for an initial server setup. You can skip these steps and your server will still work as usual. Nevertheless, doing the initial server setup gives your server some basic security measures.
This article should work on either Ubuntu or CentOS operating systems (and on other operating systems with a similar architecture).
1. Change The Default Root Password
Normally, when you’ve just created (purchased) a VPS, a Cloud VM, or an instance, you’ll get a default password to log in to your VPS as root.
Depending on your provider, the login details might be sent to you over an unsecured connection. Furthermore, it is a good practice to change the default password.
How can you do that? Simply log in to your server as root using the given password. Next, issue this command:
Type your new password, hit Enter, then type the new password again to confirm. You won’t see the typed password on screen for security reasons.
Make sure you use a strong password combination. Also, make sure you have noted it down somewhere. An easy password will be easy to guess. A strong password will be hard to crack but may also be hard to remember.
2. Create A New User
The “root” user is the default user with administrator privilege. It is a superuser with full access to your server. Although you can change its password, you cannot change its default username.
However, you can add a new user with superuser privilege and then disable root login. This practice prevents abuse and brute-force attempts against your server using the root user.
Use this command to add a new user. You can repeat it to add more:
adduser john
Replace “john” with a username of your choice. You’ll be asked to define a password and to answer some questions. You can leave all of them blank except the password and full name.
# adduser john
Adding user `john' ...
Adding new group `john' (1000) ...
Adding new user `john' (1000) with group `john' ...
Creating home directory `/home/john' ...
Copying files from `/etc/skel' ...
New password:
Retype new password:
passwd: password updated successfully
Changing the user information for john
Enter the new value, or press ENTER for the default
Full Name : John Gowes
Room Number :
Work Phone :
Home Phone :
Other :
Is the information correct? [Y/n] y
3. Assign Root Privilege to The New User
Now you have added a new user. The next step to do is adding a superuser privilege to that user. Issue this command:
usermod -aG sudo john
From now on, when logged in as your regular user (e.g. john), you can type sudo before any command to perform actions with superuser privileges.
4. Change The Default SSH Port
Most providers create new servers with port 22 as the default SSH port. Abusers and hackers can easily guess this port. It is a good practice to change that default port from 22 to another custom port.
You can use any number between 1025 and 65536 as the replacement SSH port. Again, make sure you note this port as part of the server login details. Otherwise, you won’t be able to reach your server even if you remember the password.
Edit the sshd_config using Nano editor:
Locate #Port 22, delete the # symbol and change 22 to the port number of your choice.
Press Control+O on the keyboard to save, then press Control+X to exit the editor.
5. Disable Root Login
For an even more secure setup, we recommend disabling login as the root user.
Warning: Stay logged in as root until you have confirmed that you can log in as the new user with root privilege (sudo). That way, if you have problems, you can easily troubleshoot and make any necessary changes as root.
Use Nano editor again to edit the SSH config file:
Find the line with “PermitRootLogin” and change its value from Yes to No.
Next, scroll down to the very bottom and add the following line:
Again, replace john with your own username.
Press Control+O to save, then Control+X to exit.
Finally, reload the SSH service:
service ssh reload
Give it a try. Do not close the current SSH session. Open another SSH session and log in using the newly created username and password. In other words, open another PuTTY window to log in.
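A quick way to check the edits from steps 4 and 5 before you reload SSH, as an added example that is not part of the original article. The function names are made up for this example, and it assumes plain "Keyword value" lines, ignoring Include and Match blocks.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the changes made in steps 4 and 5.
# Assumption: plain "Keyword value" lines only; Include and Match are ignored.

# Print every active (uncommented) value of KEYWORD, one per line.
sshd_values() {  # usage: sshd_values FILE KEYWORD
    awk -v key="$2" '
        /^[ \t]*(#|$)/ { next }                     # skip comments and blank lines
        tolower($1) == tolower(key) { print $2 }    # keywords are case-insensitive
    ' "$1"
}

# Print one finding per line: OK, WARN or FAIL followed by the reason.
audit_sshd_config() {  # usage: audit_sshd_config FILE
    ports=$(sshd_values "$1" Port)
    [ -n "$ports" ] || ports=22      # sshd listens on 22 when no Port line is active
    for p in $ports; do              # sshd accepts several Port lines
        case $p in
            *[!0-9]*) echo "FAIL Port $p is not a number" ;;
            *)  if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
                    echo "FAIL Port $p is outside 1-65535"   # 65535 is the highest TCP port
                elif [ "$p" -eq 22 ]; then
                    echo "WARN Port 22 is still the listening port"
                else
                    echo "OK Port $p"
                fi ;;
        esac
    done
    # For PermitRootLogin sshd keeps the first value it reads.
    root=$(sshd_values "$1" PermitRootLogin | head -n 1 | tr 'A-Z' 'a-z')
    case $root in
        no) echo "OK PermitRootLogin no" ;;
        '') echo "FAIL PermitRootLogin is not set, the built-in default applies" ;;
        *)  echo "FAIL PermitRootLogin $root" ;;
    esac
}

# Constructed sample: the '#' was left in front of Port, so the edit has no effect.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#Port 2222
PermitRootLogin yes
EOF
audit_sshd_config "$sample"
rm -f "$sample"
```

On the server itself, point the function at /etc/ssh/sshd_config and also run sshd -t, which checks the file for syntax errors before you reload.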
That’s all. These steps are the most basic things to do to protect your server against unexpected attacks.
Wanna bring it a step further? Install a firewall. Depending on which OS you have, the steps will be slightly different.
Ubuntu and Debian users can go with UFW (Uncomplicated Firewall) while CentOS and Fedora users can go with FirewallD.
We don’t include the steps of installing it for two reasons. First, installing a webserver stack or Control Panel usually also installs a firewall. Hence, the process will be easier and automatic. Second, it is better to have a specific article talking about the firewall installation process separately.