After you have created a new Debian 8 server, you will have to perform a couple of configuration steps early on as part of the basic setup. These steps should improve the security and the usability of your server and provide you with a solid foundation for subsequent actions.
To log into your server, you are going to need to know your server’s public IP address and the password for the ‘root’ user’s account.
In case you haven’t already connected to your server, go ahead and login as the root user with the following command, replacing the highlighted word with your server’s public IP address.
local$ ssh [email protected]_IP_ADDRESS
Finish the login procedure by confirming the warning about host authenticity. If it shows up, provide it with your root authentication (password or private key).
If this is your first-time logging into the server using a password, you should be prompted to replace the root password with something better.
The root user is the administrative user in a Linux environment which will have a broad amount of privileges. This is because the heightened privileges of the root account. It’s discouraged to use this on a regular basis since one of the power inherent with the root account is the ability to cause quite destructive changes, especially by accident.
Next you will want to set up an alternative user account with a reduced scope of influence for day-to-day work. You will demonstrate how you may gain increased privileges in the times of needing them.
Create a New User
After you have logged in as root, you should be ready to add the new user account which you will use to login from now on.
In the following example you’ll show you how to create a new user, just make sure you replace the example user name ‘demo’ with whatever you would like:
You will be prompted to answer a couple of questions, beginning with the account password.
Provide a strong password and, optionally, fill in any of the additional information; this step is needed so you may just hit ‘ENTER’ in any field you wish to skip.
Now, there’s a brand-new account with regular account privileges but you might still have to do some administrative tasks.
There’s a way to avoid needing to log out of your normal user and log back in as the root; setup a user known as ‘super user’ or root privileges for our normal account. This should grant our normal user the ability to run commands using administrative privileges by using the word ‘sudo’ before every command.
Debian 8 does not come with sudo installed, so you’ll have to install it with apt-get.
To begin, update the apt package index.
Afterwards, use this command to install sudo
apt-get install sudo
You should now be able to use the ‘sudo’ and ‘visudo’ commands
Grant Sudo Privileges
To append those privileges to your new user, add the new user to the ‘sudo’ group. By default, on Debian 8, users who belong to the ‘sudo’ group will have the permission to use the ‘sudo’ command.
As root, use this command to add your new user to the sudo group, replacing the highlighted word below with your new user.
usermod –a –G sudo demo
Now your user should be able to use commands with super user privileges.
Add Public Key Authentication (Recommended)
In this step, you will demonstrate how you can secure your server by setting up public key authentication for your new user.
Setting this up will increase the security of your server by requiring a private SSH key to log in.
Generate a Key Pair
In case you didn’t already get a SSH key pair, which consists of a public and private key, you will have to generate one.
If you already have hold of a key that you would like to use, then you can skip to the ‘Copy the Public Key’ step.
To be able to generate a new key pair, simply use the following command at the terminal of your local machine (ie. Your computer).
If your local user is called ‘localuser’, you should see an output which looks like the following below.
ssh-keygen output Generating public/private rsa key pair. Enter file in which to save the key (/Users/localuser/.ssh/id_rsa):
Hit ‘Enter’ to accept this file name and path unless you would like a new name.
You should be prompted for a passphrase to secure the key with; you could either type a passphrase or just leave it empty.
If you leave the passphrase blank, you will be able to use the private key for authentication without having to enter a passphrase. If you enter a passphrase, you’ll require both the private key and the passphrase to log in.
Securing your keys with passphrases is quite secure but both methods have their uses, more than just a basic password authentication.
This is going to generate a private key,’ id_rsa’, and a public key, ‘id_rsa.pub’, in the ‘.ssh’ directory of the ‘localuser’s’ home directory.
Remember that the private key is not something which should be shared with anybody who does not need the access to your servers.
Copy the Public Key
Once you have generated an SSH key pair, copy your public key to your new server. There are two easy ways to do this
Option 1: Use ssh-copy-id
If your local machine has the ‘ssh-copy-id’ script installed, you may use it to install your public key on any user which you would like to have the login credentials for.
Run the ‘ssh-copy-id’ script by entering the user and IP address of the server that you would like to install the key on, as shown below.
local$ ssh-copy-id [email protected]_IP_ADDRESS
Once you have given your password at the prompt, your public key will be added to the remote user’s ‘.ssh/authorized_keys’ file. The corresponding private key may now be used to log into the server.
Option 2: Manually Install the Key
Once you have generated an SSH key pair, you may use the following command at the terminal of your local machine to print your public key (id_rsa.pub).
local$ cat ~/.ssh/id_rsa.pub
This will print out your public SSH key and will look like the following.
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBGTO0tsVejssuaYR5R3Y/i73SppJAhme1dH7W2c47d4gOqB4izP0+fRLfvbz/tnXFz4iOP/H6eCV05hqUhF+KYRxt9Y8tVMrpDZR2l75o6+xSbUOMu6xN+uVF0T9XzKcxmzTmnV7Na5up3QM3DoSRYX/EP3utr2+zAqpJIfKPLdA74w7g56oYWI9blpnpzxkEd3edVJOivUkpZ4JoenWManvIaSdMTJXMy3MtlQhva+j9CgguyVbUkdzK9KKEuah+pFZvaugtebsU+bllPTB0nlXGIJk98Ie9ZtxuY3nCKneB+KjKiXrAvXUPCI9mWkYS/1rggpFmu3HbXBnWSUdf [email protected]
Copy the public key to your clipboard.
Add Public Key to New Remote User
To be able to enable the use of a SSH key to authenticate it as the new remote user, you will have to add the public key to a special file in the user’s home directory.
On the server, as the root user, type in the following command to change to the new user replacing ‘demo’ with your own user name.
su - demo
You should now be in your new user’s home directory.
Make a new directory named ‘.ssh’ and limit its permissions using the following commands.
mkdir .ssh chmod 700 .ssh
Open a file in ‘.ssh’ named ‘authorized_keys’ using a text editor. You will need nano to modify the file.
Now put in your public key, which should still be in your clipboard, by pasting it into the editor.
Hit CTRL-X to quit the file, then ‘Y’ to save the changes that you have made and hit ‘enter’ to verify the file’s name.
Now limit the permissions of the ‘authorized_keys’ file using the following command shown below.
chmod 600 .ssh/authorized_keys
Enter this command once to go back to the root user.
You can now SSH login with your new user using the private key as authentication.
Since you now have a new account, you may secure your server a bit more by editing its SSH daemon configuration, the program which allows us to enter remotely, to disable remote SSH access to the root account.
Start by entering the configuration file using your text editor as root.
In here, you will get the option to disable root login from SSH; this is a more secure setting because you have accessed our server using your normal user account and can escalate privileges when required.
To disallow remote root logins, you must look for the line which looks like the following.
You may edit this line to ’no’ if you would like to disable root login:
Disabling the remote root login is highly suggested for every server.
After you have finished editing, you may save and exit the file with the method you discussed previously (CTRL-X, then Y, then ENTER).
Since you have done changes, you have to restart the SSH service so that it uses the new configuration.
Enter the following command to restart SSH:
systemctl restart ssh
Before you log out of the server, you will need to test our new configuration to make sure it’s all working. You won’t want to disconnect until you’ve verified that the new connections are established successfully.
Open a new terminal window and once you’re in the new window, you have to start a new connection to our server. This time, you will not use the root account, you’ll want to use the new account that you’ve made.
local$ ssh [email protected]_IP_ADDRESS
You will now be prompted for the new user’s password which you configured. Once that’s done, you should be logged in as the new user.
Reminder that if you’d like to run a command with root privileges, type sudo before, as shown in the following.
If everything is okay, you may exit your session by simply entering the following.
You should now have a solid foundation for your Debian 8 server, you may install any of the software you require.