You can do this with a local virtual machine (ex: Vagrant & VirtualBox), an EC2 instance on AWS, a Droplet on DigitalOcean, or a variety of other ways/services.
- Launch an EC2 instance on AWS (Ubuntu 16.04 or something else).
- Change the security group to only allow SSH (port 22) inbound from your IP.
- Name and download the key pair and move it to your `~/.ssh` directory.
- SSH into your instance by navigating to Connect and copying the SSH command given in the modal, ex:
  `ssh -i "name_of_my_key_pair.pem" ubuntu@ec2-54-84-207-182.compute-1.amazonaws.com`
- You'll likely need to change the permissions on that file first, or ssh refuses to use the key ("WARNING: UNPROTECTED PRIVATE KEY FILE!"). To do this you can use the command on the same modal where you got the SSH command. Ex:
  `chmod 400 name_of_my_key_pair.pem`
- Note: mode 400 means read-only for the owner and no access for group or others; ssh rejects a private key that anyone else can read.
- Use secure and encrypted communication (SSH), disable root login, and use sudo.
- SSH into the server: this really depends on what service you're using, but generally you SSH into the remote server from your terminal with
  `ssh root@SERVER_IP_ADDRESS`
  and provide the password given to you by the service (ex: DigitalOcean).
- Set up SSH keys for the root user.
- Create a new user:
  `sudo adduser deploy`
  creates the user and group `deploy` and adds the user to that group (it also prompts for a password, which the user will still need for sudo).
- Add the new user to sudoers (the name must match the user you just created):
  `sudo gpasswd -a deploy sudo`
- Set up an SSH key for your deploy user.
- On the remote server, logged in as `deploy`:
  `mkdir ~/.ssh`
  `chmod 700 ~/.ssh`
  `touch ~/.ssh/authorized_keys`
  `chmod 600 ~/.ssh/authorized_keys`
- On your local machine, print the public key that matches your private key (use the full path to the key file or it won't work):
  `ssh-keygen -y -f /Users/username/.ssh/pem-name.pem`
- Copy the public key that is printed and add it as a single line to the `authorized_keys` file you just created on the remote server. The file and the `.ssh` directory must be owned by `deploy` and not writable by anyone else, or sshd silently ignores them; if key login fails, `/var/log/auth.log` on the server says why.
- Before going further, open a second terminal and confirm `ssh deploy@SERVER_IP_ADDRESS` logs in with the key, keeping the root session open until it does.
- `exit` to log out of the `deploy` user.
- Disable password login, disable root login, and change the SSH port by editing `/etc/ssh/sshd_config` so that it contains:
  `Port 2257`
  `PermitRootLogin no`
  `PasswordAuthentication no`
  Check that the file still parses with `sudo sshd -t`, then restart the daemon (`sudo service ssh restart` on Ubuntu 16.04). Keep your current session open and test a new key-based login as `deploy` on the new port before closing it; a typo here locks you out of the server.
- Note: if you change the port and are using AWS, you'll need to update your server's security group to allow inbound connections on that port (and drop the rule for 22 once the new port works).
- Set up the firewall:
  `sudo ufw allow 2257/tcp`
  `sudo ufw enable`
  Set up a basic firewall by telling it to allow the SSH port we configured (the same port as in `sshd_config`), then open ports for whatever else you need. Run `allow` before `enable`: ufw's default policy denies inbound traffic, so enabling it first cuts off your SSH session.
- Note: on AWS, security groups already filter traffic before it reaches the instance, so this matters less there, but a host firewall still helps if a security group rule is later loosened by mistake.
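The `sshd_config` edit above is the one step in these notes where a typo locks you out, so here is an added shell example (mine, not from the original notes or from OpenSSH) that applies those settings idempotently to a copy of the file and then verifies the effective values the way sshd resolves them, including the Match-block case, before you restart the daemon. Port 2257 is the page's example port; the sample config inside is constructed to resemble the stock Ubuntu 16.04 file and is not a real capture.

```shell
#!/usr/bin/env bash
# Added example (not from the original notes): idempotently apply the
# sshd_config settings described above and verify the effective result
# before sshd is restarted. Work on a copy first; run against
# /etc/ssh/sshd_config as root only after testing. Port 2257 is the
# page's example port.
set -eu

# Set "Key value" in an sshd_config-style file. The first active or
# commented-out occurrence of Key in the global section is replaced, later
# duplicates are dropped (sshd honours only the first), and a missing Key is
# inserted before the first Match block, since options after Match are scoped
# to that block. Rewriting via cat keeps the file's owner and mode.
set_sshd_option() {
    local file="$1" key="$2" value="$3" tmp
    tmp="$(mktemp)"
    awk -v k="$key" -v v="$value" '
        BEGIN { done = 0; inmatch = 0 }
        { stripped = $0; sub(/^[ \t]*#?[ \t]*/, "", stripped) }
        /^[ \t]*Match([ \t]|$)/ {
            if (!done) { print k " " v; done = 1 }
            inmatch = 1
        }
        inmatch { print; next }
        stripped ~ ("^" k "([ \t]|$)") {
            if (!done) { print k " " v; done = 1 }
            next
        }
        { print }
        END { if (!done) print k " " v }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# The three settings from the notes plus two that make them effective:
# keyboard-interactive (PAM) logins can still take a password unless
# ChallengeResponseAuthentication is off, and key auth must stay enabled.
harden_sshd_config() {
    local file="$1" port="${2:-2257}"
    set_sshd_option "$file" Port "$port"
    set_sshd_option "$file" PermitRootLogin no
    set_sshd_option "$file" PasswordAuthentication no
    set_sshd_option "$file" ChallengeResponseAuthentication no
    set_sshd_option "$file" PubkeyAuthentication yes
}

# Effective value of Key as sshd resolves it: the first active occurrence in
# the global section (everything before the first Match block).
effective_sshd_option() {
    awk -v k="$2" '
        /^[ \t]*#/ { next }
        /^[ \t]*Match([ \t]|$)/ { exit }
        $1 == k { print $2; exit }
    ' "$1"
}

# Non-zero if any active line, including inside a Match block, re-enables
# password logins; Match overrides the global value for matched sessions,
# which is easy to miss when auditing by hand.
no_password_override() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "passwordauthentication" && tolower($2) == "yes" { found = 1 }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

check_sshd_hardened() {
    local file="$1" port="${2:-2257}"
    [ "$(effective_sshd_option "$file" Port)" = "$port" ] &&
    [ "$(effective_sshd_option "$file" PermitRootLogin)" = no ] &&
    [ "$(effective_sshd_option "$file" PasswordAuthentication)" = no ] &&
    no_password_override "$file"
}

demo() {
    local cfg
    cfg="$(mktemp)"
    # Constructed sample in the style of the stock Ubuntu 16.04 file.
    cat > "$cfg" <<'EOF'
# Package generated configuration file
Port 22
#PermitRootLogin prohibit-password
PubkeyAuthentication yes
#PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
Match Address 10.0.0.0/8
    X11Forwarding no
EOF
    harden_sshd_config "$cfg" 2257
    harden_sshd_config "$cfg" 2257   # second run changes nothing
    if check_sshd_hardened "$cfg" 2257; then
        echo "hardened config passes checks:"
    else
        echo "config still allows password or root login:"
    fi
    cat "$cfg"
    rm -f "$cfg"
}
demo
```

On the real server the sequence is: copy `/etc/ssh/sshd_config` aside, run `harden_sshd_config` on the copy, `check_sshd_hardened` it, then `sudo sshd -t -f` on the copy before moving it into place and restarting, all from a session you keep open until a fresh login on the new port works.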
- Configure the timezone & Network Time Protocol (NTP): set the localization settings for your server and configure NTP synchronization.
  `sudo dpkg-reconfigure tzdata`
  and then select the timezone.
  `sudo apt-get update && sudo apt-get install ntp`
  installs ntp and keeps the server's clock in sync with NTP (accurate time matters for correlating logs and for TLS certificate and token expiry checks).
- Create a swap file:
  `sudo fallocate -l 1G /swapfile`
  uses fallocate to create a swap file of the specified size. Generally use the size of, or double, the RAM on the server.
  `sudo chmod 600 /swapfile`
  restricts access so only root can read it (swap can hold pages from any process, including secrets).
  `sudo mkswap /swapfile`
  tells the system to format it as swap.
  `sudo swapon /swapfile`
  tells the system to use it.
  `sudo sh -c 'echo "/swapfile none swap sw 0 0" >> /etc/fstab'`
  tells the system to use it on boot.
- Other stuff
- `sudo apt-get install fail2ban`
  installs fail2ban, which bans IPs that repeatedly fail SSH authentication, limiting brute-force attacks. Its `sshd` jail watches `/var/log/auth.log`; if you changed the SSH port, set `port = 2257` under `[sshd]` in `/etc/fail2ban/jail.local`, otherwise the ban rules apply to port 22 only.
- Enable auto updates:
  `sudo apt-get install unattended-upgrades`
  `sudo vim /etc/apt/apt.conf.d/10periodic`
  and update the file to:
  APT::Periodic::Update-Package-Lists "1";
  APT::Periodic::Download-Upgradeable-Packages "1";
  APT::Periodic::AutocleanInterval "7";
  APT::Periodic::Unattended-Upgrade "1";
  The above configuration updates the package list, then downloads and installs available upgrades every day. The local download archive is cleaned every week.
  `sudo vim /etc/apt/apt.conf.d/50unattended-upgrades`
  Unattended-Upgrade::Allowed-Origins {
      "Ubuntu xenial-security";
  //  "Ubuntu xenial-updates";
  };
  Only the security pocket is installed unattended (this is the legacy spelling of the stock file's `"${distro_id}:${distro_codename}-security"` entry); `xenial-updates` stays commented out so non-security package changes don't land without review. `/var/log/unattended-upgrades/unattended-upgrades.log` shows whether it is running.
- Install Logwatch to keep an eye on things:
  `sudo apt-get install logwatch`
  `sudo vim /etc/cron.daily/00logwatch`
  Add this to the file:
  `/usr/sbin/logwatch --output mail --mailto test@gmail.com --detail high`
  This mails a daily summary of the logs (sshd logins and failures, sudo use, package changes) to the given address. Logwatch hands the report to the local sendmail, so the server needs a working mail transport, and make sure log files are populated and rotated, or the report will be empty.