Thursday, September 24, 2015

12 Things do to after just started your DigitalOcean VPS

Recently I helped one of my client to setup a VPS on DigitalOcean (DO). The price is very competitive (the cheapest plan is $5 per month) and they offer SSD as the storage. I highly recommend to give a try if someone is looking for a virtual hosting.

Actually a VPS is just a server running on other location. Once you subscribe a plan and start to OS, it's your responsibility to maintain the system.

The steps below are to enhance the security once the server is deployed ( we are using Ubuntu 14.04 in this case). The objective is to harden the server so that it can only be accessed from a client with ssh

1. Setup ssh keyfrom a linux server at home or office. Assumed you have a linux client with a user "user1"

$ ssh-keygen  -b 2048 -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user1/.ssh/id_rsa):
Created directory '/home/user1/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user1/.ssh/id_rsa.
Your public key has been saved in /home/user1/.ssh/
The key fingerprint is:
SHA256:LM1rjFVAjo5Q/8kMkcBxH8UcXdH23n5RijI8EQcH45Q user1@client1
The key's randomart image is:
+---[RSA 2048]----+
|   .+ooo++B*..oo |
|   ..o.= =Eoo   o|
|  .   + o oo   ..|
|   . o O o.     o|
|    . o S. . . oo|
|       = .= . ..o|
|      . +  +   ..|
|       .        o|
|                .|

2.  Login the Digital Ocean and open the console and login as root.
3. Create a user "user1" on the server
useradd -m user1
4. copy and paste the file /home/user1/.ssh/ generated at step1 to /home/user1/.ssh/authorized_keys.
5. chmod 700 /home/user1/.ssh; chmod 640 /home/user1/.ssh/authorized_keys
6. Now, you should be able to ssh from the client. But port 22 is a well known service port for SSH. We are going make ssh more secure by change the service port
7. Edit /etc/ssh/sshd_config . Change the service port to another number (eg 2222)
#Port 22
Port 2222
8. setup sudo. Grant user1 to run sudo
Run visudo and the line
# User privilege specification
root    ALL=(ALL:ALL) ALL
9. Test sudo for user1
passwd user1
su - user1
sudo su -

if we can run sudo then disable root login
passwd -l root
10. Install ufw (uncomplicated firewall)
# apt-get install ufw
11. setup firewall
ufw enable
# Default deny all incoming connection
ufw default deny incoming
# Then allow ssh at port 2222
ufw allow 2222/tcp
# If it is a web server then open port 80
ufw allow 80/tcp
# Check the status
ufw status
Status: active

To                         Action      From
--                         ------      ----
2222/tcp                   ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
2222/tcp (v6)              ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)

12. Test ssh from client
ssh user1@server -p 2222


No comments: