Untitled

a guest
Jun 23rd, 2017
A general checklist for setup. If you are not familiar with the terminal and characters like **#** and **$** put the fear in you, then you've made poor life choices and are here by mistake. Immediately submit your letter of resignation and rage quit. Please note: no one is going with you.

# 1. Don't be a groot

> With great power comes great responsibility.

> -- someone said this

SSH into the server as root and create a new, general purpose user.
1. `# ssh root@server_ip`. Complete the login process by accepting the warning about host authenticity, if it appears, then providing your root authentication (password or private key). If it is your first time logging into the server with a password, you will also be prompted to change the root password.
2. `# adduser <username>` where <username> is your username **without** the <>. Supply a password and follow the prompts.

> **PROTIP**: I like to use my client system username so when I SSH back in I may do so by simply supplying the hostname or IP (e.g. `$ ssh <hostname_or_ip>` instead of `$ ssh <username>@<hostname_or_ip>`).

3. Establish superuser privileges for your user: `# usermod -aG sudo <username>`.

# 2. Public Key Authentication
Setting this up will increase the security of your server by requiring a private SSH key to log in.

## Generate/Obtain Key
This is done on the client machine, **YOUR COMPUTER**. Do you already have a public key?
* Yes: `$ cat ~/.ssh/id_rsa.pub | pbcopy`. Copies your existing public key to the clipboard. (`pbcopy` is OSX only.)
* No (shame on you!): `$ ssh-keygen` - you can skip this in the future now and say yes (above).

_ssh-keygen output_
```
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/<username>/.ssh/id_rsa):
```

> Hit return to accept this file name and path (or enter a new name).

> Next, you will be prompted for a passphrase to secure the key with. You may either enter a passphrase or leave the passphrase blank.

> **Note**: If you leave the passphrase blank, you will be able to use the private key for authentication without entering a passphrase. If you enter a passphrase, you will need both the private key and the passphrase to log in. Securing your keys with passphrases is more secure, but both methods have their uses and are more secure than basic password authentication.

## Manually install the key **ON THE SERVER**.
You'll need to be logged into your server for this.
1. `# su - <username>`
2. Create and set permissions for the **.ssh** directory: `$ mkdir ~/.ssh && chmod 700 $_`.
3. Install the key:
   * `$ vim ~/.ssh/authorized_keys`
     + `i` key to enter edit mode in _vim_ and **CMD+V/CTRL+V** to paste.
     + `ESC` key to enter visual mode.
     + `:wq!` to save and exit _vim_.
4. Restrict the permissions of _authorized_keys_: `$ chmod 600 ~/.ssh/authorized_keys`
5. `$ exit` to exit back to the **root** user.
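The same install as a script instead of a vim session, so it can be re-run without clobbering keys that are already there. This is an added example and not part of the original paste; it assumes a POSIX shell, runs as the target user (after `su - <username>`) or is followed by a `chown`, and the key line in `demo` is made up for the demonstration:

```shell
#!/bin/sh
# Added example (not from the original paste): install a public key for a user
# non-interactively, with the permissions sshd's StrictModes checks.
# Run as the target user (after `su - <username>`), or chown the result afterwards.
set -eu

# Rough format check of one authorized_keys line: a known key type, a base64 blob,
# and an optional comment. Not a cryptographic check; `ssh-keygen -lf` does that.
looks_like_pubkey() {
  printf '%s\n' "$1" |
    grep -Eq '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com) [A-Za-z0-9+/]+=*( .*)?$'
}

# install_authorized_key HOME_DIR "type base64 comment"
install_authorized_key() {
  home=$1
  key=$2
  looks_like_pubkey "$key" || { echo "refusing to install: not a public key line" >&2; return 1; }
  mkdir -p "$home/.ssh"
  chmod 700 "$home/.ssh"
  touch "$home/.ssh/authorized_keys"
  chmod 600 "$home/.ssh/authorized_keys"
  # Append only if the exact line is absent: re-running is harmless and
  # keys that are already installed are kept.
  grep -qxF "$key" "$home/.ssh/authorized_keys" ||
    printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
}

# First ten characters of `ls -l`, e.g. "drwx------"; portable across Linux and macOS.
mode_string() { ls -ld "$1" | cut -c1-10; }

# check_key_perms HOME_DIR: true if the modes match what the checklist asks for.
check_key_perms() {
  [ "$(mode_string "$1/.ssh")" = 'drwx------' ] &&
    [ "$(mode_string "$1/.ssh/authorized_keys")" = '-rw-------' ]
}

# count_keys HOME_DIR: number of key lines installed.
count_keys() { grep -c '' "$1/.ssh/authorized_keys"; }

# Constructed demo: a throwaway home directory and a made-up ed25519 key line.
demo() {
  d=$(mktemp -d)
  k='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMadeUpKeyMaterialForThisDemoOnly0000 you@laptop'
  install_authorized_key "$d" "$k"
  install_authorized_key "$d" "$k"      # second run is a no-op
  check_key_perms "$d" && echo "permissions ok, $(count_keys "$d") key(s) installed"
  rm -rf "$d"
}

demo
```

If you run it as root on behalf of another user, finish with `chown -R <username>: /home/<username>/.ssh`; sshd refuses keys in a directory the user does not own, so wrong ownership looks exactly like the "not logged in" failure described below.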

Let's test it.
+ `# logout` to log out of the server.
+ Now, from your client terminal (your computer) let's log in:
  * If you used the nifty protip previously then your local username is the same as your username on the server and you may `$ ssh <hostname_or_ip>`
  * If you prefer the harder life you didn't follow the protip and you will `$ ssh <username>@<hostname_or_ip>`

> If all this crap worked then you logged into your server **without** a password unless you specified a _passphrase_ when setting up your key.

> If you're not logged in then you **do not** follow directions well and you should feel bad, or your system is borked and you should probably consider updating your resume.

# 2.5 Disable Password Authentication (Extra Credit! But not really, you should totally do this.)

> **Please don't be an asshat!** Only disable password authentication if you installed a public key to your user as recommended in the previous step. Otherwise, you will lock yourself out of your server! **No one will save you if you eff this up.** Thank you.

1. `$ sudo vim /etc/ssh/sshd_config`
2. Locate and uncomment the following and update the value to _no_.

_from this_
```bash
# PasswordAuthentication yes
```

_to this!_
```bash
PasswordAuthentication no
```

While you're in _/etc/ssh/sshd_config_ verify the following values are represented:

```bash
PubkeyAuthentication yes
ChallengeResponseAuthentication no
```

> PROTIP: VIM is amazing. If you don't know how to use VIM then you're not amazing but, that's okay. If you're not amazing you'll have to use the arrow keys to navigate around. Delete the hash to uncomment the line by positioning the cursor over the **#** character and **smacking `d`** (the key on your keyboard - don't get confused here). Use the arrows again to position the cursor over the attribute value `yes` and hit the `i` key to enter "interactive" mode. From here you may use the DELETE and BACKSPACE functionality to replace **yes** with **no**. Hit the `ESC` key to exit interactive mode (you're now in visual mode) and then `:wq!` to save and exit.

3. Reload your SSH daemon: `$ sudo systemctl reload sshd`.
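For people who would rather script the edit than fight vim, here is an added example (not from the original paste) that sets a directive in an sshd_config whether it is commented out, set to the wrong value, or missing, and reads back the value sshd would take. It assumes POSIX sh, awk and mktemp, and runs against a constructed sample config rather than the real file:

```shell
#!/bin/sh
# Added example (not from the original paste): edit sshd_config directives from a
# script instead of by hand, and read back what sshd would use.
set -eu

# set_sshd_option FILE KEY VALUE
# Rewrites the first line that sets KEY, live or commented out
# ("#PasswordAuthentication yes"), to "KEY VALUE"; appends if none exists.
# sshd honours the first occurrence of a directive, so replacing the first
# one is what changes the effective setting.
set_sshd_option() {
  file=$1
  key=$2
  value=$3
  tmp=$(mktemp)
  awk -v key="$key" -v value="$value" '
    BEGIN { re = "^[ \t]*#?[ \t]*" tolower(key) "([ \t=]|$)"; done = 0 }
    !done && tolower($0) ~ re { print key " " value; done = 1; next }
    { print }
    END { if (!done) print key " " value }
  ' "$file" > "$tmp"
  # Write back through the original inode so its owner and mode are kept.
  cat "$tmp" > "$file"
  rm -f "$tmp"
}

# get_sshd_option FILE KEY: the value of the first live (uncommented) KEY line,
# matched case-insensitively like sshd does. Empty if unset.
get_sshd_option() {
  awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Constructed sample config: one directive commented out, one set to the wrong
# value, one missing entirely.
demo() {
  f=$(mktemp)
  printf '%s\n' 'Port 22' '#PasswordAuthentication yes' 'ChallengeResponseAuthentication yes' > "$f"
  set_sshd_option "$f" PasswordAuthentication no
  set_sshd_option "$f" ChallengeResponseAuthentication no
  set_sshd_option "$f" PubkeyAuthentication yes
  cat "$f"
  echo "effective PasswordAuthentication: $(get_sshd_option "$f" PasswordAuthentication)"
  rm -f "$f"
}

demo
```

On a real box, point `set_sshd_option` at `/etc/ssh/sshd_config` as root, then run `sudo sshd -t` to syntax-check and `sudo sshd -T | grep -i passwordauthentication` to see the effective value before the reload in step 3. The function does not understand `Match` blocks or `Include` drop-ins (newer Debian and Ubuntu ship an `Include /etc/ssh/sshd_config.d/*.conf` line at the top, and a drop-in there wins over what you edited), which is exactly why `sshd -T` is the check worth doing.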

# 3. Set Up a Basic Firewall
Step three is also performed on the server. Not gonna explain all of what's happening here. Just do it.
1. `$ sudo ufw allow OpenSSH && sudo ufw enable`. Proceed with the operation when prompted.


---
**_Thank you for playing sysadmin today. Go forth, build cool shit and do good at it._**