Securing your Ubuntu VPS and Creating Users – Ubuntu VPS Setup # Part1

This entry is part 1 of 6 in the series Ubuntu VPS Setup

Bought a VPS and wondering how to manage it? Well, you’ve just come to the right place. In this series (which succeeds our Network Admin in SSH series), we are going to talk about everything that you need to know for a successful VPS setup on Ubuntu. We will be using Ubuntu Server (11.04 onwards) to install and activate our web server.

Before you start, though, make sure the following assumptions hold:

  1. You know the basics of Network Admin commands. If not, check our guide here.
  2. You have an unmanaged VPS to which you are able to log in using SSH. Check this guide if you are not sure how.

At the end of this series, you will be familiar with the following concepts:

  • Creating a secure system on Ubuntu Server with your own user (instead of Root).
  • Creating different users for different websites.
  • Using Apache Virtual Host Concept to host different sites from the same VPS.
  • Properly installing LAMP stack on Ubuntu.
  • Further securing your PHP scripts using suPHP (and a few tricks to get suPHP running on Ubuntu).
  • Installing PHPMyAdmin and securing it to have easier access to databases.
  • Install your very first WordPress website on your awesome VPS.

In this part #1 of the series Ubuntu VPS Setup, we are going to discuss two topics:

  1. Creating a secure system on Ubuntu Server with your own user (instead of Root).
  2. Creating different users for different websites.

So let us start.

#1: Creating your own user for secure SSH:

Logging in over SSH as the root user is not at all a good idea on an Ubuntu server. Ubuntu gives you the sudo command and a sudoers configuration, so that another user can execute privileged commands through sudo when needed. This saves you from accidentally running something as superuser and leaving your system in a comatose state. Let us see how.

#1.1: Log in as root first:

You should have received at least three things while buying the VPS:

  1. Your server IP address. (say it is, 8.8.8.8)
  2. Root user password.

The SSH port is 22 by default (for VPS) so we do not need to worry about that. Fire up a terminal and log in as root first (using SSH of course).

ssh root@8.8.8.8

This will show you a first time warning:

The authenticity of host '8.8.8.8 (8.8.8.8)' can't be established.
RSA key fingerprint is SOMETHINGHERE.
Are you sure you want to continue connecting (yes/no)?

Enter yes and it will prompt for your password. Put your password and you will be logged in.

#1.2: Add a new user:

As root we are going to create a new user. Use any username you want. For this, we are going to use mike. Run the following command:

adduser --shell "/bin/bash" mike

This will prompt for a few things and a password. Enter them (you can leave everything except the password blank if you wish) and you are done.

#1.3: Add the new user to sudoer group:

We will give admin (and thereby sudo) privilege to the user mike. To do this, we are going to edit the sudoers file. Execute the following command:

visudo

This will open the sudoers file with your default text editor; in the case of Ubuntu it is nano. Find the line which says:

root    ALL=(ALL:ALL) ALL

Below it add:

mike ALL=(ALL:ALL) ALL

Press Ctrl + X, followed by Y and then press Enter. This will save the file.

#1.4: Add new user to the SSH list:

Now, edit the /etc/ssh/sshd_config file.

nano /etc/ssh/sshd_config

At the end of it, add

# replace mike with your username
AllowUsers mike

And save the file (Ctrl +X, Y, Enter). Now restart the SSH server.

service ssh restart

Now we should test if the new user is able to log in through SSH.

Open up another terminal (Ctrl + Alt + T) and execute the following command:

ssh mike@8.8.8.8

It should prompt you for your password and let you pass. If not, comment below and we shall see the problem.

#1.5: Block root SSH:

As root, again open the /etc/ssh/sshd_config file

sudo nano /etc/ssh/sshd_config

Find the line which says

PermitRootLogin yes

And change it to

PermitRootLogin no

Restart the SSH server

sudo service ssh restart

And done. You will no longer be able to log in as root.

#1.6: Changing the SSH port:

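The default port is 22, which you should change in order to avoid the automated attacks from the outside world that target the default port. To do this, again edit the /etc/ssh/sshd_config file (the server configuration; /etc/ssh/ssh_config only configures the SSH client)

sudo nano /etc/ssh/sshd_config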

And then find the line which says

Port 22

And change it to

Port 25000

Use any port number you like between 1024 and 65536. You need to remember the port number.

Now restart the SSH server.

sudo service ssh restart

And log in like this:

ssh -p 25000 mike@8.8.8.8

Now your SSH access is secured.
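The settings from steps 1.4 to 1.6 can be checked before you close the root session. The script below is an added example, not part of the original article; the function names sshd_values and audit_sshd_config are hypothetical helpers, and the sample file is constructed.

```shell
#!/bin/sh
# Added example, not from the original article: checks the sshd_config
# settings made in steps 1.4 to 1.6.

# Print every value of keyword $2 in file $1, in file order. Keywords are
# case-insensitive; parsing stops at the first Match block (simplification).
sshd_values() {
    awk -v want="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(want) { $1 = ""; sub(/^[ \t]+/, ""); print }
    ' "$1"
}

# Audit file $1: print one finding per line, return 1 if there are any.
audit_sshd_config() {
    cfg=$1; rc=0
    # sshd uses the first PermitRootLogin it reads. Port may be given more
    # than once, so every Port and AllowUsers line is inspected.
    root=$(sshd_values "$cfg" PermitRootLogin | head -n 1)
    ports=$(sshd_values "$cfg" Port)
    users=$(sshd_values "$cfg" AllowUsers | tr '\n' ' ')

    if [ "$root" != "no" ]; then
        echo "PermitRootLogin is '${root:-unset}', expected 'no'"; rc=1
    fi
    for p in ${ports:-22}; do
        if [ "$p" = "22" ]; then echo "sshd still listens on port 22"; rc=1; fi
    done
    if [ -z "$users" ]; then
        echo "AllowUsers is not set"; rc=1
    fi
    case " $users " in *" root "*)
        echo "AllowUsers lists root"; rc=1 ;;
    esac
    case "$users" in *"#"*)
        echo "AllowUsers line carries a trailing comment"; rc=1 ;;
    esac
    return "$rc"
}

# Constructed sample: the file as the article's edits would leave it.
sample=$(mktemp)
printf '%s\n' 'Port 25000' 'PermitRootLogin no' \
    '# replace mike with your username' 'AllowUsers mike' > "$sample"
audit_sshd_config "$sample" && echo "sample config passes"
rm -f "$sample"
```

On the server, call audit_sshd_config /etc/ssh/sshd_config as root and run sshd -t (configuration test mode) before restarting the service. Keep the existing root session open until a login as the new user on the new port has worked.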

#2: Creating Users for your WebSites:

So, the very reason why you bought the VPS is perhaps to host your websites. Now, if you are planning to host multiple sites, then you probably wouldn’t want the scripts of one website to destroy those of the others. To prevent this, we will be creating different users for different sites. We are assuming we will be hosting three sites:

  • The default site, referred to as localhost, which would show up if opened through the IP address of the VPS.
  • A WordPress site, referred to as wordpress, which is hosted at mywordpress.com.
  • A PHPMySQL site, referred to as phpmysql, which is hosted at IP_ADDR/phpmysql and is strictly protected.

We will be using the lower-level useradd command to create users. We could also have used adduser, but since it is supported only in Debian, we are going to use commands which are distro independent.

#2.1: Create the first localhost user and default directory skeleton:

Use the commands below to add the user (as root).

useradd -m localhost
passwd localhost

Create the default directories. Execute the commands as root.

cd /home/localhost
mkdir public_html
mkdir backups
mkdir log
chown -Rv localhost:localhost /home/localhost

Now, we also need to set umask to 0022 in order to make suPHP work (in future). Edit the ~/.bashrc

sudo nano /home/localhost/.bashrc

and add the following at the end of the file

#umask set to 0022 for default Web Server Configuration
umask 0022

Save and you are done.

#2.2: Create Other users:

Execute the following commands as root.

useradd -m -k "/home/localhost" wordpress
passwd wordpress
useradd -m -k "/home/localhost" phpmyadmin
passwd phpmyadmin

This will make sure that the rest of the users, i.e., wordpress and phpmyadmin, will have the default directory structure. Why do we need these directories? You will understand in the upcoming posts where we actually put things to work. Also make sure that these users have umask set to 0022, else it will create problems in future.
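To confirm that each site user ended up with the directory skeleton and the umask described above, a check like the following can be run. It is an added example, not part of the original article; check_site_home is a hypothetical helper, and the demo at the end uses a constructed throwaway directory.

```shell
#!/bin/sh
# Added example, not from the original article: verifies the per-site
# account layout from section 2.

# check_site_home USER HOME: print one finding per line, return 1 on any.
check_site_home() {
    user=$1; home=$2; rc=0
    for d in public_html backups log; do
        if [ ! -d "$home/$d" ]; then
            echo "$user: $home/$d is missing"; rc=1
        elif [ -z "$(find "$home/$d" -prune -user "$user" 2>/dev/null)" ]; then
            echo "$user: $home/$d is not owned by $user"; rc=1
        fi
    done
    # Several umask lines may exist; the last one in .bashrc wins.
    mask=""
    if [ -f "$home/.bashrc" ]; then
        mask=$(awk '$1 == "umask" { m = $2 } END { print m }' "$home/.bashrc")
    fi
    case "$mask" in
        0022|022) ;;
        *) echo "$user: umask in .bashrc is '${mask:-unset}', expected 0022"; rc=1 ;;
    esac
    return "$rc"
}

# Constructed sample: a throwaway directory standing in for /home/localhost,
# owned by whoever runs the script.
demo=$(mktemp -d)
mkdir "$demo/public_html" "$demo/backups" "$demo/log"
printf '%s\n' '#umask set to 0022 for default Web Server Configuration' \
    'umask 0022' > "$demo/.bashrc"
check_site_home "$(id -un)" "$demo" && echo "layout ok"
rm -rf "$demo"
```

On the server, run it as root once per site user, for example check_site_home wordpress /home/wordpress.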

#3: Remove everything first:

At this point our user setup is ready. Next we will have to install the LAMP stack. But before we proceed, we shall purge everything that is already installed by executing the command below as root. If you are on a fresh installation and have not installed anything, then you can skip this.

apt-get purge apache2 apache2-mpm-prefork apache2-utils apache2.2-common libapache2-mod-php5 libapr1 libaprutil1 libdbd-mysql-perl libdbi-perl libnet-daemon-perl libplrpc-perl libpq5 mysql-client-5.5 mysql-common mysql-server mysql-server-5.5 php5-common php5-mysql libapache2-mod-suphp

So that’s it for this part of the series. Coming up next, we shall see how to install Apache2 and use the Virtual Host concept of apache2 to host your sites using the same VPS.

Some Notes:

  1. If you are not able to use nano, then do
    sudo apt-get update
    sudo apt-get install nano

    And it will install the nano editor.

  2. If you are doing all this on your local computer, then I would recommend adding system users, by appending the -r option to the useradd command. This will keep your login screen free of clutter.
  3. If you want to know in more detail what the useradd and passwd commands do, I recommend reading this article.

Conclusion:

That is it for the first part. Coming next is the installation of the Apache server with the virtual host concept (so that you can host more than one site on your single VPS). If you have any queries about anything discussed here, feel free to ask through comments.
