Kernic

Just my thoughts.

Securing a Root Server #1: Users and SSH

The first part of my series on securing a root server. Here, I show how to set up users correctly and configure SSH securely. Basic but important steps for anyone running their own server.

Although I’ve been officially renting a root server for many years, I’ve had very little idea about how to properly set up and secure one. In the past, a friend of mine, with whom I share the server, took care of it. Thanks to a Black Friday deal from my host, Netcup, we were able to get a much better server for the same monthly price. The downside: you have to migrate everything from A to B. And guess who didn’t have time… Since I wanted to start this blog on the new server, I decided to sit down and do it myself.

🗨️ As the title suggests, I’ll be publishing a short series on securing a root server. If you don’t have any experience yet, be sure to read the entire series once it’s fully published.

I’m just going to assume that you already have Linux installed on your server. We’re using a minimal Debian 11, so completely without a graphical interface. This and the following guides are therefore based on Debian, but should also work on Ubuntu.

After a server is set up by the provider, few programs are pre-installed and most configurations are at their default values. For access credentials, you usually receive an IP and/or domain as well as a password for the root user. The root user is the administrator of the Linux system and can do anything and everything on a system. Your first task should therefore be to secure this user as much as possible.

Setting Up Users

sudo instead of root

The first step is to connect to your server via SSH. If you’re using Linux or macOS, you’re in luck: SSH is already pre-installed on both systems. Starting with Windows 10, Microsoft also includes SSH with its operating system. So, open the Terminal (Linux, macOS) or PowerShell or the Command Prompt (Windows). You can connect to your server with the following command:

ssh root@domain.tld

Replace domain.tld with your own domain or the IP address you were given. After pressing the ENTER key, you will be asked on the first connection if the server’s fingerprint is correct. Confirm the prompt by typing yes and pressing ENTER. Next, you need to enter the password your host sent you. Welcome to your server.

❗First things first, you should update your system to the latest version! On Debian, you can do this with:

apt-get update && apt-get upgrade

The root user is the system administrator and has all permissions on the system. Therefore, you should never log in as root on your system again. On the contrary, we will later even prevent logging in as root. But to do that, you first need to create an alternative - a new user.

Replace USERNAME with a username of your choice. You will then need to set a password and confirm it. The subsequent questions are optional, so you can leave them blank. With that, you have created a user with limited privileges. This will be the only user you use to connect to your server.

Since the user has limited rights, you need to create a way to execute commands and actions that require administrator privileges. Linux has long provided a simple tool for this, which allows you to execute a command with root privileges: sudo. However, to prevent just anyone from using sudo, a user must be assigned to the sudo user group. You do this with the following command:
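As an added example (not from the original post), the user-setup steps above written as one script for Debian, to be run as root. `adduser` and `usermod -aG sudo` are the standard Debian tools for these steps but are an assumption about what the post used, and `run`, `valid_username`, `provision_admin`, `in_sudo_group` and the user `alice` are hypothetical names.

```shell
#!/bin/sh
# Added example (not from the post): user setup as one script, run as root.
# DRY_RUN=1 prints each command instead of running it.

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# Conservative name check (an assumption of this example); never "root".
valid_username() {
    case "$1" in
        root|''|[!a-z]*|*[!a-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

provision_admin() {
    user=$1
    valid_username "$user" || { echo "refusing username '$user'" >&2; return 2; }
    run apt-get update && run apt-get upgrade || return 1
    run apt-get install sudo || return 1   # minimal images may ship without sudo
    if id "$user" >/dev/null 2>&1; then
        echo "user $user already exists, skipping adduser"
    else
        run adduser "$user" || return 1    # asks for the password interactively
    fi
    run usermod -aG sudo "$user"           # -a appends; -G alone replaces the group list
}

# True if the user is a member of the sudo group.
in_sudo_group() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx sudo
}

# Print the plan for a placeholder user without changing anything.
( DRY_RUN=1; provision_admin alice )
```

Group membership only applies to new sessions, so `in_sudo_group` can report success while an already open login of that user still lacks sudo rights.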

Summary:

  • You have connected to your server for the first time.
  • Your system is now up to date.
  • A user with limited privileges has been created.
  • The user has been assigned to the sudo user group and is therefore able to use sudo to elevate their privileges.

SSH Configuration

Disabling root and adjusting SSH configuration

Disconnect from the server by typing exit, and then reconnect, this time not as root but with your username.

ssh USERNAME@domain.tld

SSH is the only direct connection to your server. It is the front door to your system and should be secured accordingly. This means disabling old, insecure features, prohibiting root login, and preventing you from staying logged in permanently.

To edit the SSH configuration, open the configuration file with administrator rights. This will be your first time using sudo. You will therefore need to confirm the execution of the command with your password again.

I use the text editor nano, but of course, you can use any other. If you use nano, you can delete entire lines with CTRL+K, and save and close the file with CTRL+X. The commands at the bottom of the screen are invoked with CTRL+Letter. So ^X means CTRL+X.

You have now changed and saved the configuration. However, this does not make it active automatically. SSH reads the configuration at startup. Since SSH is already running, the configuration will not be re-read. You must therefore restart SSH for your settings to take effect - depending on the Linux distribution, the service is called either ssh or sshd.

sudo systemctl restart ssh	# Debian/Ubuntu
sudo systemctl restart sshd 	# CentOS / RHEL / Fedora / Redhat Linux

❗Never disconnect your SSH connection after a configuration change without first checking your access!

Now, make absolutely sure you haven’t locked yourself out. You won’t notice this in your current connection, as it won’t be interrupted by a configuration change. Nevertheless, you could have locked yourself out. Therefore, open a new, additional terminal or PuTTY window and connect to your server again. If this works, you haven’t locked yourself out and can close the old connection.

You’ve done it. Your server is now a whole lot more secure. Only current protocols are used for the connection, and login as the administrator is disabled.
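An added check, not part of the original post: a small script that reads an sshd_config-style file and reports whether root login is disabled and client-alive probing is on. `PermitRootLogin` and `ClientAliveInterval` are real OpenSSH options but an assumption about which settings the post changed; `sshd_value` and `audit_sshd` are hypothetical names and the sample file is constructed.

```shell
#!/bin/sh
# Added example: check the global section of an sshd_config-style file.
# sshd keeps the FIRST value it reads for a keyword; later duplicates are ignored.

# Print the effective global value of keyword $2 in file $1 (lowercased).
sshd_value() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }                    # comment line
        { sub(/[ \t]*=[ \t]*/, " ") }          # "Keyword=value" form
        tolower($1) == "match" { exit }        # Match blocks are conditional
        tolower($1) == want { print tolower($2); exit }
    ' "$1"
}

# Return 0 only if root login is off and client-alive probing is on.
audit_sshd() {
    rc=0
    root=$(sshd_value "$1" PermitRootLogin)
    idle=$(sshd_value "$1" ClientAliveInterval)
    # Unset is not "no": the OpenSSH default still lets root in with a key.
    if [ "$root" = "no" ]; then echo "ok    PermitRootLogin no"
    else echo "FAIL  PermitRootLogin is '${root:-unset}', want 'no'"; rc=1; fi
    # Unset or 0 means the server never probes idle clients.
    if [ -n "$idle" ] && [ "$idle" != "0" ]; then echo "ok    ClientAliveInterval $idle"
    else echo "FAIL  ClientAliveInterval is '${idle:-unset}', want > 0"; rc=1; fi
    return "$rc"
}

# Constructed sample: the commented line and the later duplicate have no effect.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#PermitRootLogin yes
PermitRootLogin no
ClientAliveInterval 300
PermitRootLogin yes
EOF
audit_sshd "$sample" || true
rm -f "$sample"
# On the server itself: `sudo sshd -t` validates the files before a restart,
# and `sudo sshd -T` prints the configuration sshd actually uses (Includes too).
```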

Additions

Further Tips and Explanations

Changing the SSH Port

Many guides also recommend changing the SSH port. By default, this is set to port 22. The idea behind this is that a potential attacker will first try their attack on port 22. Changing the port is supposed to make an attack more difficult. This might have made sense in the past when every connection was cumbersome. Nowadays, it takes less than 20 milliseconds to find the actual port. In return, you would have to specify with every connection that it’s not using the standard port. So, a loss of convenience for you, with no real security gain.

Keyfile instead of Password

In the configuration mentioned above, we allowed login with a password. This is the easiest option for beginners with the lowest risk of locking themselves out. However, it is better to log in with a keyfile and disallow passwords. Then no one can guess the password, and without a keyfile, you can’t get onto the server. The risk: if you lose the keyfile, you lose access to your server.

Because of the risk and because creating keyfiles works differently depending on the operating system, there will be a separate guide on this in this series.

Look beyond the horizon

This guide was written so that you can secure your server even without prior knowledge. That’s good for getting started, but it’s also important that you understand what you’re doing and why. Be sure to read the documentation for the programs and commands mentioned here. You can get a brief description by appending --help to the command. You can find more details by searching for the command in a search engine or by typing the following:

man COMMAND

Try to understand what you are doing and why you are doing it. Only then can you assess whether my guide is correct, up-to-date, and suitable for you!