SSH Security
Securing Your Server
Now that we've created users and added the ability to connect to them via SSH keys, we can set up some additional security around server access.
We'll change some configuration of how SSH allows itself to be connected to on our web application server.
Log In
First, if you are not logged into your server, we can do so using our ssh keys:
ssh -o "IdentitiesOnly yes" -i ~/.ssh/id_series root@45.55.209.211
We're logged in as user root (for now), so we can make the following changes easily.
Check out SSHD Config on server:
We want to edit the SSHD (d for daemon) configuration file on the server. The daemon is the SSH process that allows external connections.
sudo vim /etc/ssh/sshd_config
Some interesting items you may see:
# Permit root login?
# (password auth for root disabled, but ssh keys are allowed)
PermitRootLogin without-password
# General SSH - password auth disabled, key-only in general
PasswordAuthentication no
# Note: sshd_config does not accept a trailing comment after a value on the
# same line, so keep explanatory comments on their own lines as above.
Read more about these available options using man sshd_config.
Turn off Root User login:
We don't want the root user to be able to login over SSH. Instead, we want to enforce the use of the admin user to log in, as they need a user password to run sudo commands. This provides an extra layer of security that simply logging in as the root user does not provide.
# Set to no
PermitRootLogin no
# Also, if applicable, e.g. on AWS:
# deny the user "ubuntu", "ec2-user", "centos" (and so on).
# Applicable on AWS, which creates a user who can run sudo
# commands without a password
DenyUsers ubuntu
Turn off Password-based login
Next we'll disallow logging in using a password altogether. Users will only be able to log in using SSH keys.
PasswordAuthentication no
Restart SSH
After saving the changes to the configuration file, restart the SSH daemon:
sudo service ssh restart
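Before restarting, it is worth confirming that the file really ends up with the settings above, because sshd honours the first uncommented occurrence of a keyword and silently ignores a later one. The script below is an added example, not part of the original page or of OpenSSH: it reads a keyword's effective value the way sshd resolves it and audits a config for the two settings this section changes. The file paths and the two sample configs it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original page): audit an sshd_config for the
# hardening applied in this section. Sample files and paths are constructed.

# Print the effective value of a keyword. sshd uses the FIRST uncommented
# occurrence of a keyword and matches keyword names case-insensitively; this
# mirrors that rule. Only the "Keyword value" form is handled here.
sshd_effective() {
    # $1 = path to sshd_config, $2 = keyword
    awk -v key="$2" '
        /^[ \t]*#/ { next }                 # skip comment lines
        NF == 0 { next }                    # skip blank lines
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Check that root login is off and password auth is disabled.
# Returns 0 when both hold, 1 otherwise; findings are printed to stdout.
audit_sshd_config() {
    cfg="$1"
    rc=0
    root_login=$(sshd_effective "$cfg" PermitRootLogin)
    pw_auth=$(sshd_effective "$cfg" PasswordAuthentication)
    # An unset keyword falls back to sshd's compiled-in default, which for
    # PasswordAuthentication is "yes", so an empty value is a failure too.
    if [ "$root_login" != "no" ]; then
        echo "FAIL: PermitRootLogin is '${root_login:-<unset>}', expected 'no'"
        rc=1
    fi
    if [ "$pw_auth" != "no" ]; then
        echo "FAIL: PasswordAuthentication is '${pw_auth:-<unset>}', expected 'no'"
        rc=1
    fi
    return $rc
}

# Constructed sample configs for the demonstration.
tmpdir=$(mktemp -d)

HARDENED_CFG="$tmpdir/sshd_config.hardened"
cat > "$HARDENED_CFG" <<'EOF'
# Constructed sample: the end state this section aims for
Port 22
PermitRootLogin no
DenyUsers ubuntu
PasswordAuthentication no
EOF

WEAK_CFG="$tmpdir/sshd_config.weak"
cat > "$WEAK_CFG" <<'EOF'
# Constructed sample: the hardened line sits below an earlier one and loses,
# because sshd honours the first occurrence of a keyword
permitrootlogin yes
PermitRootLogin no
# PasswordAuthentication left commented out, so the default (yes) applies
#PasswordAuthentication no
EOF

for f in "$HARDENED_CFG" "$WEAK_CFG"; do
    if audit_sshd_config "$f"; then
        echo "PASS: $f"
    fi
done
```

Run it against /etc/ssh/sshd_config after editing; the weak sample prints two FAIL lines, the hardened one passes. Pair it with `sudo sshd -t`, which parses the file and reports syntax errors without starting the daemon, and keep your current SSH session open until a second connection with the new settings has succeeded.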