Use these steps to lock down your cloud instance of code server by only allowing whitelisted users to have SSH access and limit Safari to only HTTPS traffic.
If you don't specify root, you'll use the current user on your machine.
ssh root@<ip_address>
Change the root password.
passwd
Add a new user and assign to the sudo group.
adduser <user>
usermod -aG sudo <user>
TIP: As an alternative to adding users to the sudo group, you can copy the root permissions in visudo
for the new user. This locks the file so no other user or session can mess with the root or sudo
permissions.
Open a new terminal and be certain this newly created account has sudo permissions.
sudo ls -lash /root
If the list of files in the /root
folder displays, it is okay to logout or exit out of the terminal window that is currently logged in as root.
It is preferred that you use a public key to login to the host. Here's how to copy your local public key to the server using secure file copy (SCP).
scp ~/.ssh/id_rsa.pub <user>@<ip_address>:/home/<user>/
Create a ssh directory and apply user’s permissions.
mkdir /home/<user>/.ssh
mv /home/<user>/id_rsa.pub /home/<user>/.ssh/authorized_keys
chown -R <user>:<user> /home/<user>/.ssh
chmod 700 /home/<user>/.ssh
chmod 600 /home/<user>/.ssh/authorized_keys
If you do not have a public key, then here's how to create one on the server.
mkdir ~/.ssh
chmod 700 ~/.ssh
cd ~/.ssh
ssh-keygen -t rsa -b 4096 -C "[email protected]"
If you used the default, then you would have created an id_rsa
and id_rsa.pub
file. Next we need to add the key to the ssh agent. In order to see the status of the ssh agent, run the following command:
eval "$(ssh-agent -s)"
The output should look something like the following if it is running.
> Agent pid 59566
If you're on a recent version of Mac OSX, you'll need to add the key to the SSH config file config
.
Host *
AddKeysToAgent yes
UseKeychain yes
IdentityFile ~/.ssh/id_rsa
Finally add the key to the SSH agent
ssh-add -K ~/.ssh/id_rsa
Only perform this step if you have copied in a SSH key and plan to use it for authentication. This will lock you out of your server and will have no way of connecting.
Edit the config file.
vi /etc/ssh/sshd_config
Edit the following lines.
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
UseDNS no
AllowUsers <user>
AllowUsers: This is a whitelist of allowed users. Add the name of our newly created account here. If you need to allow remote logins for more than one user, add the additional users to the AllowUsers setting separated by spaces.
Restart the SSH server and passwords will no longer be allowed.
sudo systemctl reload sshd
Allow access to SSH client (port 22) and HTTPS (port 443).
sudo ufw allow OpenSSH
sudo ufw allow https
Enable the firewall and make sure the above apps are added.
sudo ufw enable
sudo ufw status
Set the timezone
timedatectl set-timezone America/Los_Angeles
Install NTP (network time protocol) server.
sudo apt-get update
sudo apt-get install ntp
Start or restart the time server
sudo service ntp restart
Verify the time and timezone
timedatectl
May need to add this for using zsh:
chsh -s $(which zsh)