Production server environment setup, part 2.
This tutorial will guide you through the initial steps to take once you have created a new Ubuntu 16.04 instance (DigitalOcean droplet).
1. Login to your server using Git (or Putty) replacing ‘SERVER_IP_ADDRESS’ with your DigitalOcean IP address:
$ ssh root@SERVER_IP_ADDRESS
or from Putty by entering username/password
2. Add new user (replace ‘johndoe’ with whatever you want):
$ adduser johndoe
enter password and optionally fill in additional information although to skip this, just hit ‘ENTER’.
3. To add ‘superuser’ (root) privileges to the new user account (replace ‘johndoe’ with whatever you want):
$ usermod -aG sudo johndoe
At this point you are DONE unless you would like to add public key authentication by following the steps below:
To add public key authentication (optional, but recommended), enter the following command at the terminal of your local machine (your computer/ from Vagrant Git command line):
Hit enter to accept the file name and path. Optionally, you can enter a passphrase or just leave blank.
Copy the public key to your server:
$ ssh-copy-id johndoe@SERVER_IP_ADDRESS
Disabling password authentication
Now that your new user can use SSH keys to log in, you can increase your server’s security by disabling password-only authentication. Doing so will restrict SSH access to your server to public key authentication only. That is, the only way to log in to your server (aside from the console) is to possess the private key that pairs with the public key that was installed.
Note: Only disable password authentication if you installed a public key to your user as recommended in the previous section, step four. Otherwise, you will lock yourself out of your server!
To disable password authentication on your server, follow these steps.
As root or your new sudo user, open the SSH daemon configuration:
$ sudo nano /etc/ssh/sshd_config
Find the line that specifies ‘PasswordAuthentication’, uncomment it by deleting the preceding #, then change its value to “no”. It should look like this after you have made the change:
sshd_config — Disable password authentication PasswordAuthentication no
Here are two other settings that are important for key-only authentication and are set by default. If you haven’t modified this file before, you do not need to change these settings:
sshd_config — Important defaults PubkeyAuthentication yes ChallengeResponseAuthentication no
When you are finished making your changes, save and close the file using the method we went over earlier (CTRL-X, then Y, then ENTER).
Type this to reload the SSH daemon:
$ sudo systemctl reload sshd
Password authentication is now disabled. Your server is now only accessible with SSH key authentication.
Now, before you log out of the server, you should test your new configuration. Do not disconnect until you confirm that you can successfully log in via SSH.
In a new terminal on your local machine, log in to your server using the new account that you created. To do so, use this command (substitute your username and server IP address):
$ ssh johndoe@SERVER_IP_ADDRESS
If you added public key authentication to your user, your private key will be used as authentication. Otherwise, you will be prompted for your user’s password.
Note about key authentication: If you created your key pair with a passphrase, you will be prompted to enter the passphrase for your key. Otherwise, if your key pair is passphrase-less, you should be logged in to your server without a password.
Once authentication is provided to the server, you will be logged in as your new user.
Remember, if you need to run a command with root privileges, type “sudo” before it like this:
$ sudo command_to_run
In the next part of this series, we will install a LEMP stack and WordPress on our production server.
If you don’t have an account already, sign up to DigitalOcean using this link which will give you a $10 credit (2 months FREE using a $5/mo droplet!) which also helps support this site.