After you create a new Debian 8 server, there are a few configuration steps that you should take early on as part of the basic setup. They improve the security and usability of your server and give you a solid foundation for subsequent actions.
To log into your server, you are going to need to know your server’s public IP address and the password for the “root” user’s account.
If you haven’t already connected to your server, go ahead and log in as the root user with the following command (replace the highlighted word with your server’s public IP address):
local$ ssh root@SERVER_IP_ADDRESS
Finish the login procedure by accepting the warning about host authenticity, if it shows up, and then providing your root authentication (password or private key). If it’s your first time logging into the server using a password, you are going to be prompted to replace the root password with something better.
The root user is the administrative user in a Linux environment and has very broad privileges. Because of these heightened privileges, using the root account on a regular basis is discouraged: part of the power inherent in the root account is the ability to make quite destructive changes, even by accident.
What we’ll want to do next is to set up an alternative user account with a reduced scope of influence for day-to-day work. We’ll also demonstrate how to gain increased privileges when you need them.
Create a New User
After you’ve logged in as root, we are ready to add the new user account which we’ll use to log in from now on.
The following example shows how to create a new user. Just make sure you replace the example user name “demo” with whatever you’d like:
You’ll be prompted to answer a couple of questions, beginning with the account password.
Provide a strong password and, optionally, fill in any of the additional information. It’s not needed, and you may just hit “ENTER” in any field you’d like to skip.
Now we’ve got ourselves a brand new account with regular account privileges. However, we might sometimes have to do administrative tasks.
To avoid having to log out of our normal user and log back in as root, we can set up what is known as “super user” or root privileges for our normal account. This grants our normal user the ability to run commands with administrative privileges by putting the word sudo before each command.
Debian 8 does not come with sudo installed, so we’ll have to install it with apt-get.
To begin, update the apt package index:
Afterwards, use this command to install sudo:
apt-get install sudo
You’ll now be able to use the sudo and visudo commands.
Grant Sudo Privileges
To grant those privileges to our new user, we have to add the new user to the “sudo” group. By default, on Debian 8, users who belong to the “sudo” group have permission to use the sudo command.
As root, use this command to add your new user to the sudo group (replace the highlighted word with your new user):
usermod -a -G sudo demo
Now your user should be able to use commands with super user privileges.
Add Public Key Authentication (Recommended)
In the following step, we’ll demonstrate how you can secure your server by setting up public key authentication for your new user. Setting this up increases the security of your server by requiring a private SSH key to log in.
Generate a Key Pair
If you do not already have an SSH key pair, which consists of a public and a private key, you have to generate one. If you already have a key that you’d like to use, you can skip to the Copy the Public Key step.
To generate a new key pair, use the following command at the terminal of your local machine (i.e. your computer):
If your local user is called “localuser”, you should see an output which looks like the following:
ssh-keygen output
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/localuser/.ssh/id_rsa):
Hit return to accept this file name and path (unless you’d like a new name).
Now, you should be prompted for a passphrase to secure the key with. You could either type a passphrase or just leave it empty.
If you leave the passphrase blank, you’ll be able to use the private key for authentication without having to enter a passphrase. If you enter a passphrase, you’ll need both the private key and the passphrase to log in. Protecting a key with a passphrase is quite secure, but both methods have their uses and both are more secure than basic password authentication.
This generates a private key, id_rsa, and a public key, id_rsa.pub, in the .ssh directory of the localuser’s home directory. Remember that the private key should not be shared with anybody who doesn’t need access to your servers.
Copy the Public Key
Once you’ve generated an SSH key pair, you’ll have to copy your public key to your new server. We are going to cover two easy ways to do this.
Option 1: Use ssh-copy-id
If your local machine has the ssh-copy-id script installed, you may use it to install your public key for any user that you have login credentials for.
Run the ssh-copy-id script by specifying the user and IP address of the server that you’d like to install the key on, as shown here:
local$ ssh-copy-id demo@SERVER_IP_ADDRESS
Once you’ve given your password at the prompt, your public key is going to be added to the remote user’s .ssh/authorized_keys file. The corresponding private key may now be used to log into the server.
Option 2: Manually Install the Key
Once you’ve generated an SSH key pair with the previous step, you may use the following command at the terminal of your local machine to print your public key (id_rsa.pub):
local$ cat ~/.ssh/id_rsa.pub
This prints your public SSH key, which is going to look like the following:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBGTO0tsVejssuaYR5R3Y/i73SppJAhme1dH7W2c47d4gOqB4izP0+fRLfvbz/tnXFz4iOP/H6eCV05hqUhF+KYRxt9Y8tVMrpDZR2l75o6+xSbUOMu6xN+uVF0T9XzKcxmzTmnV7Na5up3QM3DoSRYX/EP3utr2+zAqpJIfKPLdA74w7g56oYWI9blpnpzxkEd3edVJOivUkpZ4JoenWManvIaSdMTJXMy3MtlQhva+j9CgguyVbUkdzK9KKEuah+pFZvaugtebsU+bllPTB0nlXGIJk98Ie9ZtxuY3nCKneB+KjKiXrAvXUPCI9mWkYS/1rggpFmu3HbXBnWSUdf firstname.lastname@example.org
Copy the public key to your clipboard.
Add Public Key to New Remote User
To enable the use of the SSH key to authenticate as the new remote user, you’ll have to add the public key to a special file in the user’s home directory.
On the server, as the root user, type in the following command to change to the new user (replace ‘demo’ with your own user name):
su - demo
You should now be in your new user’s home directory.
Make a new directory named .ssh and limit its permissions using the following commands:
mkdir .ssh
chmod 700 .ssh
Next, open a file in .ssh named authorized_keys using a text editor. We’ll use nano to edit the file:
Now put in your public key (it should still be in your clipboard) by pasting it into the editor.
Hit CTRL-X to exit the file, then Y to save the changes that you’ve made, and hit ENTER to confirm the file’s name.
Now limit the permissions of the authorized_keys file using the following command:
chmod 600 .ssh/authorized_keys
Enter this command once to go back to the root user:
You can now log in over SSH as your new user, using the private key for authentication.
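A check for the layout created in the steps above, as an added example that is not part of the original guide: it confirms the 700 and 600 modes and flags a pasted key that was broken across lines. The function name check_ssh_perms is hypothetical, and the demo home directory and key are constructed placeholders.

```shell
#!/bin/sh
# Added example: audit the result of the mkdir/chmod/paste steps above.
# check_ssh_perms HOME_DIR prints one line per problem and returns 0 only
# when nothing is wrong. (Hypothetical helper, not from the guide.)
check_ssh_perms() {
    dir="$1/.ssh"
    file="$dir/authorized_keys"
    rc=0

    [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }
    mode=$(stat -c '%a' "$dir")            # GNU stat, as shipped on Debian
    if [ "$mode" != 700 ]; then
        echo "$dir is mode $mode, expected 700"; rc=1
    fi

    [ -f "$file" ] || { echo "missing file: $file"; return 1; }
    mode=$(stat -c '%a' "$file")
    if [ "$mode" != 600 ]; then
        echo "$file is mode $mode, expected 600"; rc=1
    fi

    # Every non-blank, non-comment line must hold a key type followed by a
    # base64 body. A key split across lines by the paste leaves a fragment
    # line that fails this test.
    bad=$(grep -Ev '^[[:space:]]*(#|$)' "$file" |
          grep -Evc '(^|[[:space:]])(ssh-(rsa|dss|ed25519)|ecdsa-sha2-[a-z0-9-]+) [A-Za-z0-9+/]+=*([[:space:]]|$)' || true)
    if [ "$bad" -ne 0 ]; then
        echo "$file has $bad line(s) that are not a complete public key"; rc=1
    fi
    return $rc
}

# Constructed demo: a throwaway home directory with a placeholder key.
demo_home=$(mktemp -d)
mkdir "$demo_home/.ssh" && chmod 700 "$demo_home/.ssh"
echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDexample demo@local' \
    > "$demo_home/.ssh/authorized_keys"
chmod 600 "$demo_home/.ssh/authorized_keys"
check_ssh_perms "$demo_home" && echo "layout OK"
rm -rf "$demo_home"
```

On the server, pass the new user's home directory as the argument.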
Now that we’ve got our new account, we may secure our server a bit more by editing its SSH daemon configuration (the program which allows us to log in remotely) to disable remote SSH access to the root account.
Start by opening the configuration file with your text editor as root:
Here, we have the option to disable root login through SSH. This is usually a more secure setting, because we can now access our server using our normal user account and escalate privileges when required.
To disallow remote root logins, we have to look for the line which looks like this:
If you’d like to disable root login, change this line to “no”, like this:
Disabling remote root login is highly recommended on every server.
After you’ve finished editing, you may save and exit the file with the method we went over before (CTRL-X, then Y, then ENTER).
Now that we’ve made our changes, we have to restart the SSH service so that it uses our new configuration.
Enter the following command to restart SSH:
systemctl restart ssh
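A check for the PermitRootLogin edit described above, as an added example that is not part of the original guide. sshd uses the first value it finds for a keyword, so a second PermitRootLogin line added further down has no effect; the function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide.
# effective_sshd_option FILE KEYWORD
# Prints the value sshd takes from the global section of FILE. Keywords are
# case-insensitive and the first occurrence wins; everything from the first
# "Match" line on is conditional and is ignored here. Prints "unset" if the
# keyword never appears in the global section.
effective_sshd_option() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*(#|$)/ { next }                 # comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            split(line, f, /[ \t=]+/)           # "Key value" or "Key=value"
            key = tolower(f[1])
        }
        key == "match" { exit }
        key == want    { print tolower(f[2]); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# check_root_login FILE returns 0 only when the effective value is "no".
check_root_login() {
    value=$(effective_sshd_option "$1" PermitRootLogin)
    if [ "$value" = no ]; then
        echo "PermitRootLogin no: remote root login is disabled"
        return 0
    fi
    echo "PermitRootLogin is '$value': remote root login is not disabled"
    return 1
}

# Constructed sample: "no" was appended at the end, but the earlier
# uncommented line still wins, so root login stays enabled.
cfg=$(mktemp)
printf '%s\n' '#PermitRootLogin no' 'Port 22' 'PermitRootLogin yes' \
    'PermitRootLogin no' > "$cfg"
check_root_login "$cfg" || true
rm -f "$cfg"
```

On the server, point it at /etc/ssh/sshd_config; running `sshd -t` as root before the restart also catches syntax errors in the file.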
Before we log out of the server, we need to test our new configuration to make sure it’s all working. We don’t want to disconnect until we’ve verified that new connections can be established successfully.
Open a new terminal window. In the new window, we have to start a new connection to our server. This time, we will not use the root account; we’ll use the new account that we’ve made.
local$ ssh demo@SERVER_IP_ADDRESS
You will now be prompted for the new user’s password, which you configured earlier. Once that’s done, you should be logged in as the new user.
Remember that if you’d like to run a command with root privileges, type sudo before it, as shown in the following:
If everything is okay, you may exit your session by simply entering the following:
You should now have a solid foundation for your Debian 8 server. You may install any of the software you require.