The Hotel Hero

Notes by a Sysadmin



New server setup (debian)

January 12, 2021 | Stack

Setting up a new server can be a repetitive task. The following is a LAMP stack setup (Linux, Apache(2), MySQL (could be MariaDB), PHP).

First spin up an instance/VPS/PS of your OS. If you are not very familiar with the UNIX-like world, choose a Debian based OS (such as Debian or Ubuntu) with long term support (LTS). By default, any system compliant with the POSIX standard (basically every one except Windows) is pretty secure out of the box. The insecurities usually arrive as soon as we start tinkering around with it.

On a clean server you usually get a root user account, in contrast to a desktop PC (Linux). So, by the principle of least privilege, we want to make a new user to operate from.

ssh root@<server_ip>

Type in your password and accept the server's host key fingerprint (the "certificate" prompt on first connection).

To add a new user, use the following command:

adduser <new_user>

"new_user" should be changed to your chosen username; then follow the instructions.

Add the user to the "sudo" group (the sudoers); this will allow the new user to temporarily escalate privileges to root.

usermod -aG sudo <new_user> 

Start a new session for the group change to take effect. So, log out (type "exit" in the terminal).

Now, from your local machine it is (by some) "recommended" to only access your server by SSH certificate. But, I personally don't like that idea. So, instead of denying login by password, I prefer to have both password and certificate access to servers. Instead, denying login from "root" seems like a good idea. So, in the following we will do all of that.

There are two good reasons for using OpenSSH asymmetric key certification. First, if you operate several servers, figuring out which password is for which account can be annoying (and you don't have to type a password if you use pub/priv certificates). Secondly, if you start to deploy automation into your infrastructure the certificates are almost mandatory.

cd ~/.ssh/
ssh-keygen

(~/.ssh is the default dir SSH looks in. But, you could store the key on a USB stick.)

The above will ask for a name for the key (don't use something revealing like your_domain.com).

ssh-copy-id -i ~/.ssh/<your_new_key.pub> <new_user>@<server_ip>

You will be asked to provide your "new_user" password this first time, to confirm your identity. That's it; now try "ssh <new_user>@<server_ip>" and you should go directly through.

But, IF you are like me (and have nuked the same server 30 times and started from scratch) you might see this message:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

You then need to remove the old entry for that IP from known_hosts (the tilde must not be quoted, or the shell will not expand it to your home directory):

ssh-keygen -f ~/.ssh/known_hosts -R <server_ip>

and everything should be fine. This warning is exactly what a man-in-the-middle would also look like, so only remove the entry when you know the host key changed because you reinstalled the server; if in doubt, compare the fingerprint shown with the one from the server console (ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub) before reconnecting.

Now you are able to access your server with an OpenSSH asymmetric priv/pub key pair. (It may not seem secure, but as long as you don't change permissions on anything in the ".ssh" dir and no one has access to your laptop it is pretty secure.)
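The ".ssh" permissions mentioned above are something OpenSSH actually enforces: a private key that is readable by other users is refused, and a directory that others can write to lets them plant keys. The following audit script is an added example, not part of the original post, that checks a client-side .ssh directory for exactly those two mistakes. It assumes GNU coreutils (stat -c, Linux); on BSD/macOS the stat invocation differs.

```shell
#!/bin/sh
# Added example (not from the original post): audit the permission bits of a
# ~/.ssh directory. Assumes GNU coreutils `stat -c` (Linux).

# mode PATH -> prints the last three octal permission digits, e.g. 700 or 600
mode() {
    m=$(stat -c '%a' "$1")
    case $m in
        ????) m=${m#?} ;;   # drop a leading setuid/setgid/sticky digit
    esac
    printf '%s\n' "$m"
}

# audit_ssh_dir DIR -> returns 0 when the layout is sane, 1 otherwise,
# printing one line per problem found.
audit_ssh_dir() {
    dir=$1
    rc=0
    if [ ! -d "$dir" ]; then
        echo "no such directory: $dir"
        return 1
    fi
    # The directory itself should be accessible by the owner only.
    if [ "$(mode "$dir")" != "700" ]; then
        echo "directory $dir is mode $(mode "$dir"), expected 700"
        rc=1
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        m=$(mode "$f")
        if head -n 1 "$f" 2>/dev/null | grep -q 'PRIVATE KEY'; then
            # Private keys: owner read/write (or read-only) and nothing else.
            case $m in
                600|400) ;;
                *) echo "$f is mode $m, expected 600 (or 400)"; rc=1 ;;
            esac
        else
            # Everything else (config, known_hosts, *.pub, authorized_keys)
            # may be readable, but must not be writable by group or others.
            case $m in
                ?[2367]?|??[2367]) echo "$f is mode $m, group/other writable"; rc=1 ;;
            esac
        fi
    done
    return $rc
}

# Stand-alone usage: ./audit_ssh.sh ~/.ssh
if [ $# -gt 0 ]; then
    audit_ssh_dir "$1"
fi
```

Running it against ~/.ssh on the laptop, and against /home/<new_user>/.ssh on the server after ssh-copy-id, confirms that nothing was loosened along the way.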

Disable ssh login by root user.

The reason for disabling root login is mainly that you absolutely don't want anyone to access your system with root privileges. But, secondly and probably the more "sound" reason is that 95 % (just my estimation) of all brute force attempts on SSH are against the "root" user. If you have 30000 attempts in an hour and a weak password for root, it must be considered a risk/threat. Said in another way, people tend to put all the emphasis on strong passwords, but hiding the user and the door is also part of the game.

On the server side (I use "nano" with pride):

sudo nano /etc/ssh/sshd_config

Find the PermitRootLogin line, uncomment it if needed, and set it to "no":

PermitRootLogin no

Restart ssh:

sudo service ssh restart

("service" is obsolete, but I still use it as it is faster. If you run into trouble using the "service" command, use "systemctl" instead.)
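Editing sshd_config by hand is fine for one server, but two details bite people on the tenth one: sshd uses the first PermitRootLogin directive it sees, so a leftover "PermitRootLogin yes" above your edit wins, and a typo in the file can lock you out on restart. The script below is an added example, not from the original post, that rewrites every PermitRootLogin line (commented or not) to "no", reports the effective value, and validates the config with "sshd -t" before you restart. The file path is a parameter so it can be exercised on a scratch copy; on the server it is /etc/ssh/sshd_config and needs sudo. It assumes OpenSSH 7.0 or newer, where the built-in default is "prohibit-password".

```shell
#!/bin/sh
# Added example (not from the original post): idempotently set
# "PermitRootLogin no" in an sshd_config file and show the effective value.

# disable_root_login FILE
# Rewrites every PermitRootLogin line, including commented-out ones, to
# "PermitRootLogin no"; appends the directive if the file has none.
disable_root_login() {
    f=$1
    tmp=$(mktemp) || return 1
    if grep -Eq '^[[:space:]]*#?[[:space:]]*PermitRootLogin[[:space:]]' "$f"; then
        sed -E 's/^[[:space:]]*#?[[:space:]]*PermitRootLogin[[:space:]].*$/PermitRootLogin no/' "$f" > "$tmp"
    else
        cat "$f" > "$tmp"
        printf 'PermitRootLogin no\n' >> "$tmp"
    fi
    cat "$tmp" > "$f"   # write in place so owner and mode of FILE are kept
    rm -f "$tmp"
}

# effective_permit_root_login FILE -> prints the value sshd would apply:
# the first uncommented directive, or the OpenSSH 7.0+ default if none.
effective_permit_root_login() {
    v=$(grep -E '^[[:space:]]*PermitRootLogin[[:space:]]' "$1" | head -n 1 | awk '{print $2}')
    printf '%s\n' "${v:-prohibit-password}"
}

# Stand-alone usage: sudo ./disable_root.sh /etc/ssh/sshd_config
if [ $# -gt 0 ]; then
    disable_root_login "$1"
    echo "PermitRootLogin is now: $(effective_permit_root_login "$1")"
    # Validate the whole config before restarting, so a typo cannot lock you out.
    if command -v sshd >/dev/null 2>&1; then
        if sshd -t; then
            echo "sshd config OK; now run: sudo systemctl restart ssh"
        else
            echo "sshd config has errors; fix them before restarting" >&2
            exit 1
        fi
    fi
fi
```

On recent Debian and Ubuntu, /etc/ssh/sshd_config also pulls in /etc/ssh/sshd_config.d/*.conf through an Include line near the top, and a directive in one of those files takes precedence over a later one in the main file; check that directory too, and keep the existing session open until a fresh "ssh root@<server_ip>" is refused.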

Update (patch) your system

In contrast to Windows, Linux is made for high availability. So, in many cases you do not need the final "reboot" command below unless told otherwise.

To check if any new versions are available in the "apt" package manager use the command:

sudo apt update

If you want to upgrade all the packages use:

sudo apt upgrade

And if you want to reboot your server (usually not necessary, as this is not Windows), then use:

sudo reboot

For your server to resolve its own domain names, add them to the /etc/hosts file:

sudo nano /etc/hosts

and type in the domains.

127.0.0.1    localhost
127.0.1.1    <domain1.com> <domain2.org>

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
<143.149.71.167> <domain1.com> <domain2.org>

You should also change the hostname file:

sudo nano /etc/hostname

and change it to your primary domain.

Now, you would typically install a LAMP or a LEMP stack, and afterwards implement LetsEncrypt certificate with Certbot. And finally your application!


About

I'm a Sysadmin, network manager and cyber security enthusiast. The main purpose of this public "notebook" is for referencing repetitive tasks, but it might as well come in handy to others. Windows can not be supported! But all other OSes compliant with the POSIX standard can (with minor adjustments) apply the configs on the site. That is macOS, RHEL and all the Fedora based and Debian based distros (several hundred OSes), all the BSD distros, Solaris, AIX and HP-UX.
