In this post I’ll be assuming no linux knowledge whatsoever. I’ll be showing the first couple of things you need to do with a new server and will also be introducing you to some basic commands and programs.
I have frequently extolled the virtues of getting a VPS. There are a great many advantages for people wanting to learn more about the Net, Linux and security in general. A Virtual Private Server is simply a server that is hosted as a virtual machine for you. This allows you to reformat it with a variety of operating systems very quickly. You can experiment with different distros without having to dual boot or make lots of usb drives or even have a dedicated machine running linux. Another advantage of using a VPS is that you are getting a server, rather than a desktop, image. Also, when you pick an operating system your system is pretty much up and running from the very start.
For those of you who want to get started but don’t want to sacrifice your precious windows machine this is ideal. I must admit this was how I felt a few years ago. Thankfully, that time has long passed. You can use putty (an SSH/telnet client) to access your server from your windows system. Putty has all the options you could wish for. It even saves profiles so you can login with one click. Putty is also available for linux, however, you can just use the command line which is what I will be doing.
I use Bhost as their basic Iron package is very cheap, their uptime is good and there is plenty of bandwidth and storage for the simple tasks I want to do. So we will be using Bhost as our example service, however it is a similar process with other providers. When you first get into the control panel of your VPS, accessed through your web browser, you will have to decide which distro to install. I will be working with Ubuntu, though this example should work nearly identically for any debian based distro.
After you have selected your distro, you will need to make a root password. This should conform to the usual good password rules: long, uses lower case and caps, uses numbers and special characters, is NOT a dictionary word!
The responsibility for running a server is a great way to learn but it is a serious responsibility and you should approach the process with that in mind. Why is it a responsibility? Well, this is a whole server, live on the internet. It’s not like a blog or hosted site where really your only responsibility is keeping your password secure so your site can’t be easily hacked. This server is going to be totally under your control so, perhaps for the first time, you are in charge of the whole thing. This means if it is hacked, and later I’ll show you example of how aggressive these people are, it’s not just spam comments and dodgy links on a website but someone potentially in control of your whole system. This means they could add you to their botnet say and launch attacks from your server. And when those who are attacked start looking for who is responsible, which IP address do you think they’ll find? That’s right, it’s going to be yours.
Don’t be put off by this, just be aware that the security of this system is going to be your responsibility. Ok, lecture over, you’ve got your server set up, got your root password, what’s next?
Well, you have 5-6 things to do:
- Login VIA SSH
- Create a user for yourself
- Give the new user sudo (root) privileges
- Disable root login via SSH
- Update your system
- Configure firewall
- Enjoy your new VPS (optional!)
Let’s go through them:
Login VIA SSH
Once ready, your VPS will have an IP address, it will be in the options or details in your VPS control panel. Note it down.
SSH uses the format user@hostname for access. Exactly the same format as an email address. Just now, your VPS won’t have a hostname so we will use the IP address in the same way. In our example we will pretend that your IP address is 123.456.12.21. The only user you have currently is root so the format will be:
If you are using putty enter that in the top bar, check that it is set to SSH on port 22 and click connect. If you do not specify a user, and just put in the IP or hostname, you will be prompted to enter a user, so it’s just better to get into the habit of using the user@hostname format. If you are using a linux machine (my examples will be for Ubuntu) it is a much simpler process. Simply press ctrl+atl+t to open a terminal window and enter:
Whichever method you use you will be promoted for your password, enter it and you’re in.
(Note: some VPS services allow you to set a hostname [url], and also extra users, if you have set a hostname use it instead of the IP)
Create a user for yourself
Ok, you are in. You should be seeing something like:
Welcome to Ubuntu 11.10 (GNU/Linux 2.6.18-308.8.2.el5.028stab101.1 i686)
* Documentation: https://help.ubuntu.com/
Last login: Mon Feb 18 20:37:14 2013 from XXXXXXX
Note that you are shown both the last time and the last IP that you signed in from. Get into the habit of scanning that line every time. Be on the lookout for logins from a time or place that you don’t recognise. This can be an indication that your machine has been compromised. Be aware that this is not by any means a 100% infallible method, as a competent hacker would change this to hide their tracks, however, it’s one possible way to catch an intrusion.
Now, you are going to need to make a user for yourself. Why not cruise around and do everything as root? Well, in the linux world that’s about the worst crime you can commit. The root user can do anything and while that sounds attractive, the goal here is to make a user and give them the same privileges in a controlled setting. To make a user you use the adduser command. Let’s call our new user bob
Go through the steps, you don’t have to enter anything like name or room or phone, just leave them blank and hit enter to go through them. You will be prompted for a password, use the usual good password techniques and do not under any circumstances use the same password as the root password.
Now you have created a user for yourself and it is set up automatically to have a home directory and space on the system. Adduser is a command in linux and, like so many linux commands, it has multiple additional options. To see what additional options are available you can read the manual entry for a command. To do this simply type man and then the name of the command. So:
will show us all the options available for that command. Sometimes if man doesn’t appear to give you what you want try using the info command in the same way. To exit a man page just press q.
Give the new user sudo (root) privileges
Now that you have your user you will need to give it the permissions required to actually do things on the system. The goal here is to equip the user with the power of root, to perform tasks like updating or loading new software, without having to use the root account.
Why? Well, quite simply when your user does any of there actions they will be executed through the command/program sudo this will require a your password to do things and a record of this will be kept. This means on larger systems, for example, you could have multiple users without the sudo privilege and just one or two with it. This means that a “normal” everyday user can use the system, use the programs, create and save files in their own area and not have the power to do anything that could interfere, corrupt or damage the system (that said they could of course still bring in malware via USB or web/email links).
You should have a few users with the sudo privilege and they are in effect the system administrators. Because they have this privilege they can make changes to the system and its users but will be doing so from their own accounts and with their own passwords: there will be a record in essence of who did what. That is, as everything is in the linux world, a really simple explanation, you can tailor privileges and powers for users in linux in a much more finely tuned way, however, just now we are concerned with getting you up and running so the bottom line is you need to give your account the power of root via sudo.
It is also possible to create sudo powers that are not “root” privileges, but rather the privileges of another specialized user. A prime example of this is at Web software companies like Amazon or Yahoo where they may have “builder” scripts that can build parts of the system using new code contributed by developers. Sudo is used to run those scripts under the special builder user rather than with full root privileges.
So, how do we give bob sudo power? Well, we need to add him into what is called the sudoers file in the main root directory. The sudoers file is located in /etc/sudoers and there are many ways to edit it.
If you are new to linux you probably have not encountered the wonderful world of text editors yet. Text editors are programs which allow you to open, edit, save and create new files. There are several text editors to choose from and several are preloaded into your system. A very simple text editor is nano which is great for popping into a file making a simple change and getting back out again. To try it out just type nano into the command line and there it is. You’ll notice helpful instructions at the bottom. Don’t be confused by the inclusion of the ^ symbol next to the commands, it just means ctrl. So to exit nano just press ctrl+x. To open a particular file in nano you can just type nano followed by the file name if you are in the same directory as it or you can specify the path. So if you are still in the system as root and just type
You can open the sudoers file.
You will notice at the top of the file a line which says
# This file MUST be edited with the ‘visudo’ command as root.
So, we won’t actually make changes to the file from here. For now, hit ctrl-x to exit nano. We’ll get back to the sudoers file in a minute…
First, you should know that there are many other editors to try, vi is a popular one which comes standard almost everywhere. Personally I use an editor called emacs which people jokingly describe as an operating system in itself. Emacs is much more than editor and allows fine control over virtually everything. It uses a lot of shortcut style key combinations and can appear a little confusing at first, however, a lot of the combinations, like ctrl+e to get to the end of a line, are actually the same as you would use in the terminal window. So not only is emacs great in its own right but learning it has a major extra benefit in making you better with the command line in general. Emacs also has a GUI option so it can be run in the desktop. Shockingly emacs is not installed by default in ubuntu. We’ll get into installing software later but if you want to use it just type: apt-get install emacs as root and then it will run with the emacs command in the same way nano and vi does.
Now, back to the sudoers file and visudo…
Visudo is a special script which uses your preferred editor to change the sudoers file in a safe way, protecting you from the scourge of typos and other mistakes that could render your sudoers file useless or worse — insecure. By default, most Ubuntu systems use nano as the prefered editor for visudo. You can check this and change the preferred editor using the select-editor command. (See here for more information.)
Now you can open the sudoers file with:
So, you’ve got the sudoers file open to edit with visudo, what do you actually do? Well, you are simply going to add your user in to the bottom section like this:
bob ALL=(ALL) ALL
And then save the file. (In nano, that’s ctrl-o to save and ctrl-x to exit.)
Now that bob has sudo rights lets check that it’s all working. First we need to switch to user bob. So let’s use the su command.
Since you were running as root, you didn’t have to type in bob’s password. If you’d been running as any other user, su bob would have required you to know bob’s password to move on.
Now we are bob. We can make sure that’s the case with the command
Now, let’s try to use sudo.
ls is the command that lists the contents of a directory. When you run sudo ls, the system will ask you for bob’s password. Type it in correctly and you will see one of two results. If bob has sudoer privileges, you’ll see a list of files. If bob does NOT have the privileges, you will see an error that says
bob is not in the sudoers file. This incident will be reported.
We have to switch back to root to issue some command. Since we switched into bob from root typing exit should get us back. If in doubt, log back in as root.
Disable root login via SSH
You are almost there, but there’s one more thing to do while you are setting up. You should disable root login via SSH.
There are several things that you should do when using SSH to ensure good security and security of your server. However, disabling root login is the first thing to do.
SSH runs on port 22 of your server. Hackers and bots set up by them constantly scan the internet and look at which ports are open on a machine. When they find port 22 open frequently bots or scripts try to login. When you look at the logs of these attempts (stored in /var/logs) you will see that what is actually happening is an attempt to login as root (often they try admin as well) the idea being that if you can get into a server which has left root available via SSH you have all the power.
These attempts are going to happen to any server on the Net and you should not think that you are special in any way if you find that you are being attacked in such a manner. Mostly these attempts use wordlists as passwords so if you are following the good passwords rules then you are safer, but you should still take the time to remove root access.
Another thing you can do is to move your SSH away from port 22, we’ll cover that in another post.
We’ll edit the configuration file for SSH using nano. In linux nearly all configuration happens in text files, so get used to it!
This assumes that you are root. If you are bob, the command would be
sudo nano /etc/ssh/sshd_config
Now read down the lines in the file until you find PermitRootLogin. Change the “yes” to “no”, save the file (ctrl-o) and exit (ctrl-x).
The last thing to do here is restart your ssh server.
sudo service ssh restart
If you are root, you do not need to use sudo. However, you can use sudo with root, and this is quite good, as all events are logged. Consider this a habit you might want to get into.
When you restart the ssh, it may kick you out. If not, type exit. Now, try logging in as email@example.com
You should get in.
These are the very basic things to do when setting up a VPS. I will cover firewalls and other commands in future posts, but for now you can login to your VPS safely knowing that root access will be denied.