Create a new user
The root user has a lot of power on your server. It has the power to read, write, and execute any file on the server. It’s not advisable to use root for day-to-day server tasks. For those tasks, use a user account with normal permissions.
Add a new user:
adduser <your username>
Add the user to the sudo group:
usermod -a -G sudo <your username>
This allows you to perform actions that require root privilege by simply prepending the word sudo to the command. You may need to type your password to confirm your intentions.
Log in with the new user:
exit
ssh <your username>@<your server ip>
Set up SSH keys
SSH keys allow you to log in to your server without a password. For this reason, you’ll want to set this up on your primary computer (definitely not a public or shared computer!). SSH keys are very convenient and don’t make your server any less secure.
If you’ve already generated SSH keys before (maybe for your GitHub account?), then you can skip the next step.
Generate SSH keys
Generate SSH keys with the following command:
(NOTE: Be sure to run this on your local computer — not your server!)
ssh-keygen -t rsa -C "<your email address>"
When prompted, just accept the default locations for the keyfiles. Also, you’ll want to choose a nice, strong password for your key. If you’re on Mac, you can save the password in your keychain so you won’t have to type it in repeatedly.
Now you should have two keyfiles, one public and one private, in the ~/.ssh folder.
If you want more information about SSH keys, GitHub has a great guide.
Copy the public key to server
Now, copy your public key to the server. This tells the server that it should allow anyone with your private key to access the server. This is why we set a password on the private key earlier.
From your local machine, run:
scp ~/.ssh/id_rsa.pub <your username>@<your server ip>:
On your Linode, run:
mkdir .ssh
mv id_rsa.pub .ssh/authorized_keys
chown -R <your username>:<your username> .ssh
chmod 700 .ssh
chmod 600 .ssh/authorized_keys
Disable remote root login and change the SSH port
Since all Ubuntu servers have a root user and most servers run SSH on port 22 (the default), criminals often try to guess the root password using automated attacks that try many thousands of passwords in a very short time. This is a common attack that nearly all servers will face.
We can make things substantially more difficult for automated attackers by preventing the root user from logging in over SSH and changing our SSH port to something less obvious. This will prevent the vast majority of automatic attacks.
Disable remote root login and change SSH port:
sudo nano /etc/ssh/sshd_config
Set “Port” to “44444” and “PermitRootLogin” to “no”. Save the file and restart the SSH service:
sudo service ssh restart
In this example, we changed the port to 44444. So, now to connect to the server, we need to run:
ssh <your username>@future.<your domain>.net -p 44444
Update: Someone posted this useful note about choosing an SSH port on Hacker News:
Make sure your SSH port is below 1024 (but still not 22). Reason being if your Linode is ever compromised a bad user may be able to crash sshd and run their own rogue sshd as a non root user since your original port is configured >1024. (More info here)
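The settings from this section (a Port other than 22, PermitRootLogin set to no, and the note above about ports below 1024) can be checked against a config file before restarting SSH. The script below is an added example, not part of the original guide; audit_sshd_config is a hypothetical helper name, not an OpenSSH tool.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the settings this guide changes.
# audit_sshd_config is a hypothetical helper, not an OpenSSH tool.
# Limits: Include files are not followed and quoted values are not unquoted.
# Exit status: 0 = ok, 1 = warnings only, 2 = at least one failure.
audit_sshd_config() {
    awk '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        { sub(/=/, " "); key = tolower($1); val = tolower($2) }  # accept key=value
        key == "match" { inmatch = 1; next }
        inmatch {                                # Match blocks can override globals
            if (key == "permitrootlogin" && val != "no") {
                print "WARN Match block sets PermitRootLogin " val; warn++
            }
            next
        }
        key == "port" { ports[++n] = val }       # sshd listens on every Port line
        key == "permitrootlogin" && !seen { root = val; seen = 1 }  # first value wins
        END {
            if (n == 0) ports[++n] = "22"        # sshd default when Port is unset
            for (i = 1; i <= n; i++) {
                if (ports[i] == "22") {
                    print "FAIL Port 22 is the default that automated scans target"; bad++
                } else if (ports[i] + 0 >= 1024) {
                    print "WARN Port " ports[i] " is unprivileged (1024 or above)"; warn++
                } else print "OK   Port " ports[i]
            }
            if (!seen) {
                print "FAIL PermitRootLogin unset, build default applies"; bad++
            } else if (root != "no") {
                print "FAIL PermitRootLogin " root; bad++
            } else print "OK   PermitRootLogin no"
            exit (bad ? 2 : (warn ? 1 : 0))
        }
    ' "$1"
}

# Run against a file when one is given, e.g.: sh audit.sh /etc/ssh/sshd_config
if [ -n "${1:-}" ]; then audit_sshd_config "$1"; fi
```

Run on the configuration from this guide, the script passes PermitRootLogin and prints a warning for port 44444, which is the case the Hacker News note describes.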