In this guide we will look at some best practices for setting up your first
secure server. We will go through the whole process step by step, and at the end we will have a server that is ready to run
your application in production. This is not an exhaustive guide: keeping a server secure is a constant search for new material and endless small improvements. But with this material you can start building your own infrastructure.
To run the tests, we will use Amazon EC2, but you can take Amazon LightSail, Digital Ocean, Vultr, or another service. All of them are configured the same, so choose the one that you like.

Create public and private SSH keys
First, create a key pair; some hosting providers ask for it when you create the server. You can skip this and a few of the following steps if you let Amazon generate a key pair for you when launching the instance.
We will create SSH keys using ssh-keygen.
$ ssh-keygen -t rsa -b 4096
As a result we get two files: id_rsa (the private key) and id_rsa.pub (the public key). Set a passphrase when ssh-keygen asks for one; it protects the private key at rest if your laptop is lost or copied.
Never give your private key to anyone: only the .pub file is ever pasted into a server or uploaded to a provider.
Importing a public key into Amazon
We import the newly created public key into the Amazon platform.
- Go to the management console Amazon .
- Click AWS services → Compute → EC2
- Click on the left menu Network & Security → Key Pairs
- Click “Import Key Pair” and load the public key (id_rsa.pub)
Create your virtual machine
Launch a virtual machine running Ubuntu in Amazon EC2:
- Go to the management console Amazon .
- Click AWS services → Compute → EC2
- Select the instance to run.
- Choose one of the images. In our case it will be Ubuntu Server 16.04 LTS (HVM) with an SSD volume (you can choose what suits you best; 16.04 is no longer supported by Canonical, so for a new server pick the current LTS image).
- Choose a virtual machine (according to your needs). Click “Review” and “Launch”.
- If you have not imported your public key yet, open a new tab and do it now (see the previous section).
- You will be asked to "choose an existing key pair or create a new key pair". Choose "Select an existing key pair" and pick the key you imported.
- Click “Launch Instances”.
- Click on the link of the virtual machine that we just created.
Note: some of the following steps (the firewall rules, for example) can also be done from the EC2 console when launching the instance. Since this is a general guide that applies to other providers too, we do everything on the server itself and only touch the Amazon-specific parts where unavoidable.
Connect to the new server
We connect to the virtual machine over SSH. In the terminal:
$ ssh <USER>@<IP-ADDRESS> -p 22 -i <PATH-TO-PRIVATE-KEY>
<USER>: the Linux user. On Amazon's Ubuntu images it is ubuntu; on most other providers it is root.
<IP-ADDRESS>: the public address of the virtual machine we created. It is shown as "Public DNS (IPv4)" (or "IPv4 Public IP") on the "Description" tab of the instance.
<PATH-TO-PRIVATE-KEY>: the full path to the private key generated earlier (for example, /Users/flavio/.ssh/id_rsa).
-i <PATH-TO-PRIVATE-KEY>: can be omitted if the key is already loaded in your SSH agent.
On the first connection ssh shows the server's host key fingerprint and asks whether to trust it. On EC2 you can compare it with the fingerprints the instance printed to its console output at first boot (Get System Log in the instance's Actions menu); accepting it blindly means a man-in-the-middle on that first connection would go unnoticed.
Create a new user and give it access
Create a new user account named "wizard":
$ sudo adduser wizard
Give "wizard" permission to run sudo. Create a drop-in file:
$ sudo nano /etc/sudoers.d/wizard
with this content:
wizard ALL=(ALL) NOPASSWD:ALL
NOPASSWD means that anyone holding the wizard key is root without any further check; if you would rather be asked for the account password, leave NOPASSWD: out. The file must be owned by root with mode 0440, and sudo skips drop-in names that contain a dot or ~. Check the syntax with visudo -cf before you log out, because a broken file in /etc/sudoers.d disables sudo for everyone on the host.
Create the .ssh directory and the authorized_keys file for the new user (as ubuntu you need sudo for this, since /home/wizard belongs to wizard):
$ sudo mkdir /home/wizard/.ssh
$ sudo nano /home/wizard/.ssh/authorized_keys
Paste the contents of your public key (id_rsa.pub, a single line) into /home/wizard/.ssh/authorized_keys on the server. Then fix ownership and permissions; with its default StrictModes setting sshd ignores an authorized_keys file, or .ssh directory, that is writable by anyone other than its owner:
$ sudo chown -R wizard:wizard /home/wizard/.ssh
$ sudo chmod 700 /home/wizard/.ssh
$ sudo chmod 600 /home/wizard/.ssh/authorized_keys
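The same procedure as one script, added here as an example and not part of the original guide: it creates the user, installs the sudo drop-in only after visudo has accepted it, and refuses to install anything into authorized_keys that is not an OpenSSH public key line (pasting the private key by mistake is the classic accident). It assumes Debian/Ubuntu tools (adduser, visudo, GNU install) and that the whole script runs as root; only install_authorized_key can be run unprivileged against a directory you own, which is how it can be tested. The user name, paths and the key material in the comments are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example, not part of the original guide: provision the deploy user
# ("wizard" in the text) as one script, with the checks the hand-typed
# version lacks.  Assumes Debian/Ubuntu (adduser, visudo); run as root.
set -e

# install_authorized_key HOME OWNER PUBKEY_FILE
# Appends the first line of PUBKEY_FILE to HOME/.ssh/authorized_keys (once),
# after refusing anything that is not an OpenSSH public key line.  sshd
# silently ignores a key file with loose permissions, so they are fixed here.
install_authorized_key() {
    home=$1; owner=$2; pub=$3
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "refusing $pub: this is a private key, use the .pub file" >&2
        return 1
    fi
    key=$(head -n 1 "$pub")
    printf '%s\n' "$key" |
        grep -Eq '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( |$)' \
        || { echo "refusing $pub: no OpenSSH public key line found" >&2; return 1; }
    mkdir -p "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    # -x -F: the whole line must match literally, so the same key is never added twice
    grep -qxF "$key" "$home/.ssh/authorized_keys" \
        || printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
    chmod 700 "$home/.ssh"
    chmod 600 "$home/.ssh/authorized_keys"
    chown "$owner:" "$home/.ssh" "$home/.ssh/authorized_keys"   # "owner:" = owner's login group
}

# grant_sudo USER
# Writes the NOPASSWD drop-in from the text, but validates it with visudo
# first: a syntax error in /etc/sudoers.d breaks sudo for everyone on the host.
# Drop-in names must not contain '.' or '~', or sudo skips them.
grant_sudo() {
    u=$1; tmp=$(mktemp)
    printf '%s ALL=(ALL) NOPASSWD:ALL\n' "$u" > "$tmp"
    visudo -cf "$tmp"
    install -m 0440 -o root -g root "$tmp" "/etc/sudoers.d/$u"
    rm -f "$tmp"
    sudo -n -u "$u" sudo -n true     # prove the grant works before relying on it
}

# create_deploy_user USER: no password is set, so only the key can log in
create_deploy_user() {
    u=$1
    id "$u" >/dev/null 2>&1 || adduser --disabled-password --gecos '' "$u"
}

# Usage (as root): ./provision.sh wizard /path/to/id_rsa.pub
if [ "$#" -eq 2 ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root (sudo)" >&2; exit 1; }
    create_deploy_user "$1"
    grant_sudo "$1"
    install_authorized_key "/home/$1" "$1" "$2"
    echo "user $1 provisioned; test a login in a second terminal before closing this one"
fi
```

Copy the .pub file to the server first (scp works over the ubuntu login you already have), then run the script with sudo. Keep your existing session open until a login as the new user succeeds from another terminal.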
Hardening
Update all installed packages:
$ sudo apt-get update
$ sudo apt-get upgrade
Now change the SSH port from 22 to 2201, forbid root logins and disable password authentication. This is done in the SSH daemon's configuration, /etc/ssh/sshd_config (the firewall comes next):
$ sudo nano /etc/ssh/sshd_config
Set these values (edit the existing lines, which may be commented out with #, rather than adding duplicates: sshd uses the first occurrence of a keyword):
Port 2201
PermitRootLogin no
PasswordAuthentication no
# drop a client after 3 missed keep-alives (30 minutes idle) instead of leaving dead sessions and their sshd processes around
ClientAliveInterval 600
ClientAliveCountMax 3
A non-standard port does not stop a determined attacker (a port scan finds it in seconds); it only cuts down the background noise of automated login attempts on 22. The protection that matters is PasswordAuthentication no.
Restart the SSH service:
$ sudo service ssh restart
Your current session survives the restart. Do not close it until you have confirmed, from a second terminal, that a login as wizard on port 2201 works: as long as this session is open you can still fix sshd_config, otherwise the only way back in is the provider's console.
Configure Uncomplicated Firewall (UFW) so that only incoming SSH (port 2201), HTTP (port 80) and NTP (port 123) connections are accepted:
# deny all incoming connections by default
$ sudo ufw default deny incoming
# allow all outgoing connections
$ sudo ufw default allow outgoing
# open the ssh port
$ sudo ufw allow 2201/tcp
# open the http port
$ sudo ufw allow 80/tcp
# open the ntp port, to sync the clock of the machine
$ sudo ufw allow 123/udp
# turn on the firewall
$ sudo ufw enable
The NTP rule is only needed if this machine serves time to other hosts: an NTP client's replies are already let through by the stateful "allow outgoing" rule, so for a plain application server you can leave 123/udp closed. Port 22 is now closed as well; nothing listens there any more, and UFW would reject the connection anyway.
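The sshd_config edit above is the step where people lock themselves out, usually by adding a second Port line below the commented default or by putting a directive after a Match block, where it only applies conditionally. The script below is an added example, not part of the original guide: it applies the six settings from the text idempotently (rewriting the first global occurrence, dropping later duplicates, inserting before any Match block), reads back what sshd will actually use, and keeps a backup to restore from the console. It goes one step beyond the text by also setting ChallengeResponseAuthentication no, since with PAM a keyboard-interactive prompt can still accept a password. It assumes a Debian/Ubuntu layout (/etc/ssh/sshd_config, service ssh restart), the user name wizard and port 2201 from the guide; the file names and host in the usage lines are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not part of the original guide: apply the sshd_config
# settings from the text with an idempotent editor instead of hand edits,
# then check what sshd will actually use.  Run as root on Debian/Ubuntu.
set -e

# set_sshd_option FILE KEY VALUE
# Rewrites the first global "KEY ..." or "#KEY ..." line to "KEY VALUE", drops
# later global duplicates (sshd takes the first occurrence, so a stray
# duplicate would silently win), and otherwise inserts the directive before
# the first "Match" block, since anything after "Match" is conditional.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp.$$"
    awk -v key="$key" -v value="$value" '
        !in_match && $0 ~ "^[ \t]*Match([ \t]|$)" {
            if (!done) { print key " " value; done = 1 }
            in_match = 1
        }
        !in_match && $0 ~ ("^[ \t]*#?[ \t]*" key "([ \t]|$)") {
            if (!done) { print key " " value; done = 1 }
            next
        }
        { print }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp"
    mv "$tmp" "$file"
}

# sshd_option FILE KEY: the value sshd will use (first global occurrence)
sshd_option() {
    awk -v key="$2" '
        $0 ~ "^[ \t]*Match([ \t]|$)" { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# check_sshd_hardening FILE: non-zero, with a message, for every setting that
# is not in effect.  Run it again after the restart against the live file.
check_sshd_hardening() {
    f=$1; rc=0
    for pair in Port=2201 PermitRootLogin=no PasswordAuthentication=no \
                ChallengeResponseAuthentication=no \
                ClientAliveInterval=600 ClientAliveCountMax=3; do
        k=${pair%%=*}; want=${pair#*=}
        got=$(sshd_option "$f" "$k")
        [ "$got" = "$want" ] || { echo "$k is '$got', want '$want'" >&2; rc=1; }
    done
    return $rc
}

# harden_sshd FILE: the settings from the guide, plus a backup to roll back
# from the provider's console if the new login does not work.
harden_sshd() {
    f=$1
    cp "$f" "$f.bak.$(date +%Y%m%d%H%M%S)"
    set_sshd_option "$f" Port 2201
    set_sshd_option "$f" PermitRootLogin no
    set_sshd_option "$f" PasswordAuthentication no
    # not in the guide: keyboard-interactive auth can still take a password via PAM
    set_sshd_option "$f" ChallengeResponseAuthentication no
    set_sshd_option "$f" ClientAliveInterval 600
    set_sshd_option "$f" ClientAliveCountMax 3
    check_sshd_hardening "$f"
}

# verify_new_login HOST KEY: run from a SECOND terminal while the old session
# stays open.  BatchMode fails fast instead of falling back to a prompt.
verify_new_login() {
    ssh -o BatchMode=yes -o ConnectTimeout=10 -p 2201 -i "$2" "wizard@$1" \
        'sudo -n true && echo login-and-sudo-ok'
}

# Usage (as root): ./harden_sshd.sh /etc/ssh/sshd_config
if [ "$#" -eq 1 ]; then
    harden_sshd "$1"
    sshd -t -f "$1"    # syntax check: with a broken config sshd does not come back
    echo "config ok: run 'service ssh restart', open 2201 in ufw and the security group,"
    echo "then verify_new_login from a second terminal before closing this session"
fi
```

The awk editor never touches lines inside a Match block, so a provider-supplied "Match User backup" section keeps its own settings; only the global defaults are changed. The ssh -o BatchMode=yes check is the one to run before typing exit in the old session.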
Configuring the server clock
Set the local time zone to UTC. Keeping every machine on UTC makes log timestamps comparable across servers, which matters the day you have to reconstruct an incident:
$ sudo dpkg-reconfigure tzdata
Select the option 'None of the above' and then UTC.
Disconnect and add the key to the SSH agent
Before disconnecting, open the new port in Amazon (next section) and confirm from a second terminal that the new user can log in on port 2201. Only then end this session:
$ exit
and add the private key to your SSH agent with ssh-add, so that the -i option is no longer needed.
Opening the port in Amazon
On Amazon the instance's security group filters traffic before it reaches the server, so the new SSH port has to be opened there as well:
- Go to the Amazon management console.
- Click AWS services → Compute → EC2
- Click on the left menu Network & Security → Security Groups
- Choose the security group attached to our virtual machine.
- Click Actions → Edit Inbound Rules
- Click "Add Rule" and set: Type: Custom TCP, Port Range: 2201, Source: 0.0.0.0/0, Description: SSH
Source 0.0.0.0/0 allows SSH from the whole internet; with key-only authentication that is workable, but if you always connect from a fixed address, put that address (for example 203.0.113.5/32, an assumed value) in Source instead. Once the login on port 2201 works, delete the rule for port 22.
Connect with the new credentials
Now you can connect to the server on the new port as the new user:
$ ssh wizard@<IP-ADDRESS> -p 2201 -i <PATH-TO-PRIVATE-KEY>
Once in, run a harmless command through sudo to confirm that the sudoers drop-in works. You now have a server ready to serve your application.