Introduction
In this tutorial, we will go through a few important tasks for the initial setup and basic hardening of a server. These steps increase both the security and the usability of your server. We will create a new sudo user, update packages, set the timezone, secure the SSH server, and more.
Prerequisites
- Cloud VPS or Dedicated Server with Debian 10 installed.
Step 1: Log in via SSH
When your server is created, Snel sends you an email with the default username, password, and server IP address. For the first login, you need to use those credentials to log in to your server.
If you’re not familiar with how to connect please have a look at our “How to connect to your server with SSH” article.
Step 2: Change Logged in User Password
Upon the first login, it is very important to change the password of the current user. Use the following command to do so.
passwd
It will ask you to provide your existing password unless you are logged in as the root user.
Step 3: Create a New Sudo User
If you are logged in as the root user, it is recommended to create a sudo user. If you are logged in as a sudo user with a username in the format client_xxxxxx_x, which Snel already created for you, it is still a best practice to create a new sudo user.
A Sudo user is a user having superuser privileges. In simple terms, this user can perform administrative commands and tasks as the root user.
To create a new user, run the following command. You can replace the example username happysnel with anything you like.
sudo adduser happysnel
Note: You can omit the sudo command if you are logged in as the root user. Provide the required information such as your name and password and a user will be created for you.
client_xxxxx_x@vps:~$ sudo adduser happysnel
Adding user `happysnel' ...
Adding new group `happysnel' (1001) ...
Adding new user `happysnel' (1001) with group `happysnel' ...
Creating home directory `/home/happysnel' ...
Copying files from `/etc/skel' ...
New password:
Retype new password:
passwd: password updated successfully
Changing the user information for happysnel
Enter the new value, or press ENTER for the default
	Full Name []: Happy Snel
	Room Number []:
	Work Phone []:
	Home Phone []:
	Other []:
Is the information correct? [Y/n] y
Add your newly created user to the sudo group. In Debian 10, users in the sudo group are sudo users.
sudo usermod -aG sudo happysnel
Step 4: Logging in as the Newly Created User
Exit from the current terminal session by running the logout command and log in again using ssh as the new user.
ssh happysnel@192.168.0.1
192.168.0.1 is an example IP address.
Step 5: Disable Root Login via SSH
Find the current setting for root login via SSH by running the following command.
sudo cat /etc/ssh/sshd_config | grep PermitRootLogin
You might see the following output.
[happysnel@vps ~]$ sudo cat /etc/ssh/sshd_config | grep PermitRootLogin
PermitRootLogin without-password
# the setting of "PermitRootLogin without-password".
As the output above shows, it is set to without-password. This means that password authentication is disabled for root, but public-key authentication is still enabled, which is fine in most cases. Make sure the line is not commented out and is not set to yes.
To completely disable root login, edit the file by running the following command.
sudo nano /etc/ssh/sshd_config
And change the line to the following.
PermitRootLogin no
Save the file and restart the SSH server by running the following command.
sudo systemctl restart sshd
Now, if you try to log in as the root user, the server will not let you in.
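The grep above also prints commented-out lines, and sshd uses the first value it reads for each keyword. The following added example (not part of the original tutorial) reports the effective global value from a config file; the function names and the sample file are constructed for illustration, and it assumes the OpenSSH default of prohibit-password when the keyword is unset.

```sh
#!/bin/sh
# Added example: report the PermitRootLogin value sshd will use globally.
# sshd keeps the FIRST value it reads for a keyword, ignores lines starting
# with '#', and matches keywords case-insensitively. Settings after a "Match"
# line are conditional, so the global scan stops there.

sshd_effective() {  # usage: sshd_effective <config-file> <keyword>
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # comment or blank line
        tolower($1) == "match"   { exit }       # conditional section begins
        tolower($1) == key       { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

root_login_verdict() {  # usage: root_login_verdict <config-file>
    value=$(sshd_effective "$1" PermitRootLogin)
    case "$value" in
        no)                                 echo "ok: root login disabled" ;;
        prohibit-password|without-password) echo "warn: root login allowed with keys" ;;
        forced-commands-only)               echo "warn: root login allowed for forced commands" ;;
        yes)                                echo "fail: root password login allowed" ;;
        unset)                              echo "warn: unset, sshd default prohibit-password applies" ;;
        *)                                  echo "fail: unrecognised value '$value'" ;;
    esac
}

# Constructed sample: the commented "yes" is ignored, the first live line
# wins, the later "yes" is never used, and the Match block is conditional.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
#PermitRootLogin yes
Port 2200
permitrootlogin no
PermitRootLogin yes
Match User backup
    PermitRootLogin forced-commands-only
EOF
root_login_verdict "$sample"
```

On a real server the call is root_login_verdict /etc/ssh/sshd_config, and running sudo sshd -t before the restart checks the edited file for syntax errors.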
Step 6: Update Your Server
It is important to install the latest security patches and updates to your server. Run the following command to update the local package lists.
sudo apt-get update
Now, update the packages.
sudo apt-get -y upgrade
Note: If you get a prompt saying that an updated package or file is available but the installed version is modified, choose the keep the local version currently installed option.
Step 7: Setting timezone
You may want your server in the same timezone as you. Run the following command to get a list of available timezones.
timedatectl list-timezones
The list of available timezones is also available here.
Once you have identified your timezone, set it using the following command.
sudo timedatectl set-timezone Europe/Amsterdam
You can confirm the timezone by running the following command.
timedatectl
Step 8: Set Hostname
Check your existing hostname by running the following command.
hostnamectl
You should see a similar output.
happysnel@vps:~$ hostnamectl
   Static hostname: vps.snelexample.site
         Icon name: computer-vm
           Chassis: vm
        Machine ID: cfc70e29ed8440108dfa33dd59160dc9
           Boot ID: 3ccca50362244cf7a001d1c45d41223f
    Virtualization: kvm
  Operating System: Debian GNU/Linux 10 (buster)
            Kernel: Linux 4.19.0-5-amd64
      Architecture: x86-64
To set a hostname, run the following command.
sudo hostnamectl set-hostname host.snelexample.site
Replace host.snelexample.site with your actual hostname. Preferably, it should be an FQDN (Fully Qualified Domain Name). If you are not sure whether you want to use an FQDN, a label that identifies the server also works.
To resolve the hostname on the server itself, you will need to add it to the /etc/hosts file. Edit the hosts file by running the following command.
sudo nano /etc/hosts
Append your hostname at the end of the line that starts with 127.0.0.1. For example:
127.0.0.1 localhost host.snelexample.site
Step 9: Configure a Firewall
Debian 10 does not come with a default firewall installed. You can install UFW (Uncomplicated Firewall) by running the following command.
sudo apt-get -y install ufw
First, deny access to all incoming traffic by running the command.
sudo ufw default deny incoming
Also, allow access to all outgoing traffic by running the command.
sudo ufw default allow outgoing
Now that our default policy is created, let’s allow the default SSH port 22 through the firewall. Run the command.
sudo ufw allow 22
You can also run:
sudo ufw allow ssh
UFW knows that the default port for SSH is 22.
Now that all our rules are in place, start the UFW firewall by running:
sudo ufw enable
It will ask you for confirmation, as enabling UFW may disrupt the existing SSH connection. You can go ahead and press y as we already opened port 22 through the firewall. You will get a similar output.
happysnel@host:~$ sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
You can view the status of the firewall by running the command.
sudo ufw status
You should see a similar output.
happysnel@host:~$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
22/tcp                     ALLOW       Anywhere
22 (v6)                    ALLOW       Anywhere (v6)
22/tcp (v6)                ALLOW       Anywhere (v6)
Step 10: SSH Port Change (Optional)
Malicious bots on the internet continuously target the default SSH port 22. You can change it to any other port so that your server is not a victim of continuous bot attacks on port 22. To change the SSH port, open the SSH configuration file again by running the following command.
sudo nano /etc/ssh/sshd_config
Find the line which says
#Port 22
Uncomment it and change it to any port you like between 1024 and 65535.
For example:
Port 2200
Save the file and exit from the editor.
Open port 2200 in the firewall by running the command.
sudo ufw allow 2200
Since we no longer need port 22 open, block it using the commands.
sudo ufw delete allow 22
sudo ufw delete allow ssh
Now, restart the SSH server by running the following command.
sudo systemctl restart sshd
Also, reload the UFW firewall rules by running the command.
sudo ufw reload
Now, if you try to log in from another terminal without specifying a port, the server will not let you in. Modify the SSH login command to include the port number.
ssh -p 2200 happysnel@192.168.0.1
192.168.0.1 is an example IP address.
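Before sshd is restarted on the new port, it is worth confirming that the firewall really admits that port. The following added example (not part of the original tutorial) reads ufw status output and reports whether a port is open; the function names and the sample listing are constructed for illustration, and only IPv4 rules open to Anywhere are considered.

```sh
#!/bin/sh
# Added example: read `ufw status` output on stdin and say whether incoming
# IPv4 TCP connections to a port are admitted from anywhere. ufw applies the
# first matching rule, so a DENY listed above an ALLOW wins.

ufw_port_verdict() {  # usage: sudo ufw status | ufw_port_verdict <port>
    awk -v port="$1" '
        /^Status:/ { active = ($2 == "active") }
        /^--/      { body = 1; next }            # rule rows follow the dashes
        body && !seen && ($1 == port || $1 == (port "/tcp")) {
            if ($3 != "Anywhere") next           # v6, outgoing or source-limited row
            seen = 1
            allow = ($2 == "ALLOW" || $2 == "LIMIT")
        }
        END {
            if (!active)    print "inactive"     # firewall is not filtering
            else if (allow) print "open"
            else            print "blocked"      # no allow rule: default deny (Step 9)
        }
    '
}

ssh_port_precheck() {  # usage: ssh_port_precheck <port> <ufw-status-text>
    case "$1" in ''|*[!0-9]*) echo "invalid port"; return 2 ;; esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ] ||
        { echo "port outside 1024-65535"; return 2; }
    verdict=$(printf '%s\n' "$2" | ufw_port_verdict "$1")
    echo "port $1: $verdict"
    [ "$verdict" != "blocked" ]
}

# Constructed listing: the state after `ufw allow 2200` and both
# `ufw delete allow` commands from this step.
after_change='Status: active

To                         Action      From
--                         ------      ----
2200                       ALLOW       Anywhere
2200 (v6)                  ALLOW       Anywhere (v6)'

ssh_port_precheck 2200 "$after_change"          # the new SSH port is open
ssh_port_precheck 2222 "$after_change" || true  # a port nobody opened
```

Keep the current SSH session open until a second terminal has logged in on the new port.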
Step 11: Reboot
Now that we have gone through updating the packages and configuring the server, give the server a reboot so that any pending changes are applied.
sudo reboot
Conclusion
In this tutorial, we have learned how to set up a sudo user on newly created Debian 10 instances. We configured hostname, time zone and updated the packages. We also secured our SSH server from basic break-ins.
B0risz says
Now I can't connect from my Webmin to the VPS… Any solution?
Ahmet Bas says
Unfortunately, we do not have Webmin support.
Ahmet Bas says
Unfortunately, we do not support Webmin, and we also do not have an article which I can refer you to.