Wednesday, May 20, 2009

Secure VPS Day 1: Use different port for SSH

One of my commercial projects requires me to set up TRAC to manage the development phase. Hence, I need to secure the server that will host TRAC. I understand this is only basic, but it should be enough to start with.

Today, I will redirect SSH to use another port. The idea behind it is that logging in to the server needs an IP address (hostname), a port number, a username and a password. You cannot do anything about the IP address/hostname, since it is the location of the server. A barebone VPS will use default values for the port number (22) and the username (root). That leaves only the password unknown to the public. However, if we change the port number and do not permit root to log in via SSH, instead using another user, we can DELAY people getting into your server. I say DELAY because it would not be too difficult to find the port number.

Step 1: Log in to your VPS. I am using VPSFarm again. Check your email to get the password.


Step 2: Change the password to one that is easier for you to remember but harder for other people to guess.

To access official Ubuntu documentation, please visit:http://help.ubuntu.com/
root@ubuntu-pristine:~# passwd
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
root@ubuntu-pristine:~#


Step 3: Add a new user specifically for the SSH connection; I will name it "onin".

root@ubuntu-pristine:~# adduser onin
Adding user `onin' ...
Adding new group `onin' (1000) ...
Adding new user `onin' (1000) with group `onin' ...
Creating home directory `/home/onin' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
password updated successfully
Changing the user information for onin
Enter the new value, or press ENTER for the default
Full Name []: Onin
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [y/N] y
root@ubuntu-pristine:~#


Step 4: Change the SSH settings.

root@ubuntu-pristine:~# vim /etc/ssh/sshd_config

Set these values to:
Port 2987 (change to your choice; on mine it is on line #5)
PermitRootLogin no (line #26)
X11Forwarding no (line #62)
UsePAM no (line #77)
AllowUsers onin (added new on line #78)
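As an added example that is not part of the original post, here is a small shell script that audits sshd_config for the four connection-related settings above (Port, PermitRootLogin, X11Forwarding, AllowUsers) before you restart sshd. It assumes the port 2987 and the user onin from this post are passed as arguments; UsePAM is deliberately not checked.

```shell
#!/bin/sh
# Added example, not from the original post: audit /etc/ssh/sshd_config for the
# settings changed in Step 4 before restarting sshd. Usage:
#   check_sshd_config /etc/ssh/sshd_config 2987 onin
# Exit status 0 means every checked setting matches, 1 means something is off.

# Print the effective value of a keyword: sshd honours the first uncommented
# occurrence, keywords are case-insensitive, and a value may span several fields
# (AllowUsers can list more than one account).
effective_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) {
        $1 = ""; sub(/^[ \t]+/, ""); print; exit
    }' "$1"
}

# Compare one keyword against its expected value and report the result.
expect_setting() {
    actual=$(effective_value "$1" "$2")
    if [ "$actual" = "$3" ]; then
        echo "OK   $2 = $actual"
    else
        echo "FAIL $2 = '${actual:-<unset>}' (want '$3')"
        return 1
    fi
}

check_sshd_config() {
    cfg=$1; port=$2; user=$3; failures=0
    [ -r "$cfg" ] || { echo "cannot read $cfg"; return 1; }

    expect_setting "$cfg" Port "$port" || failures=$((failures + 1))
    expect_setting "$cfg" PermitRootLogin no || failures=$((failures + 1))
    expect_setting "$cfg" X11Forwarding no || failures=$((failures + 1))

    # AllowUsers must name the SSH account; the whole list is echoed so an
    # account you did not add yourself does not go unnoticed.
    allowed=$(effective_value "$cfg" AllowUsers)
    case " $allowed " in
        *" $user "*) echo "OK   AllowUsers = $allowed" ;;
        *) echo "FAIL AllowUsers = '${allowed:-<unset>}' (missing $user)"
           failures=$((failures + 1)) ;;
    esac

    # Also run 'sshd -t' as root before restarting: it validates the syntax of
    # the whole file, which this script does not do.
    [ "$failures" -eq 0 ]
}
```

Run it in the session you keep open as a backup; a FAIL line tells you which setting to fix before the restart locks you out.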


Step 5: Restart the SSH server. Do not close this session; keep it as a backup connection in case your new SSH settings do not work.

a. Try connecting to the server again using the old settings; result: does not work (as expected).
b. Log in to the server again on port 2987 as user "root": does not work (as expected).

login as: root
root@ppa16.vpsfarm.com's password:
Access denied

c. Log in to the server using port 2987 and user "onin": WORKING (hurray!).


Step 6: Now you are on the server. You have a choice:
a. sudo su
b. create another user and give this user "admin" rights (the reason: Ubuntu usually discourages working as root and prefers that we work as a user with admin rights):

root@ubuntu-pristine:~# su -l root
root@ubuntu-pristine:~# adduser cath
Adding user 'cath' ...
Adding new group 'cath' (1001) ...
Adding new user 'cath' (1001) with group `cath' ...
Creating home directory `/home/cath' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
password updated successfully
Changing the user information for cath
Enter the new value, or press ENTER for the default
Full Name []: Cath
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [y/N] y
root@ubuntu-pristine:~# visudo

The content of mine:
# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#

Defaults env_reset

# Uncomment to allow members of group sudo to not need a password

# %sudo ALL=NOPASSWD: ALL

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root ALL=(ALL) ALL
cath ALL=(ALL) ALL <-- add "cath" here!


I opt for b) for future reference. That's all for today. See you next time!
