Guidelines:SecureOperation: Difference between revisions
No edit summary |
|||
| (7 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
[[Guidelines:Deployment|All Deployment Guidelines]] | |||
= Secure Server Operation = | |||
The following steps are recommended to secure your Eden server back-end under Debian/Linux. | |||
'''''Note:''' this configuration is standard on many clouds, e.g. AWS EC2, so you do not need to do this manually. Check with your cloud service provider for details.'' | |||
You should use an unprivileged user account for SSH login. To do so, login as root and create a new user, e.g. " | == Unprivileged Account == | ||
You should use an unprivileged user account for SSH login. To do so, login as root and create a new user, e.g. "serveradm": | |||
<code> | <code> | ||
adduser | adduser serveradm | ||
</code> | </code> | ||
| Line 18: | Line 20: | ||
<syntaxhighlight lang="bash" line> | <syntaxhighlight lang="bash" line> | ||
# User rules for | # User rules for serveradm | ||
serveradm ALL=(ALL) NOPASSWD:ALL | |||
</syntaxhighlight> | </syntaxhighlight> | ||
| Line 30: | Line 32: | ||
After that, you should be ''root''. | After that, you should be ''root''. | ||
== Key-based Login == | |||
You should use RSA keys for SSH login instead of passwords. To do so, generate a key pair on your local machine: | You should use RSA keys for SSH login instead of passwords. To do so, generate a key pair on your local machine: | ||
<code> | <code> | ||
ssh-keygen -t rsa -m PEM -b 4096 -f | ssh-keygen -t rsa -m PEM -b 4096 -f serveradm -C "serveradm" | ||
</code> | </code> | ||
| Line 43: | Line 45: | ||
<code> | <code> | ||
cat | cat serveradm.pub | ssh serveradm@[server-public-ip] "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys" | ||
</code> | </code> | ||
...replacing [server-public-ip] with the public IP address of the server. You will be prompted for the password of the '' | ...replacing [server-public-ip] with the public IP address of the server. You will be prompted for the password of the ''serveradm'' user. | ||
Next, login to the server using the newly installed key: | Next, login to the server using the newly installed key: | ||
<code> | <code> | ||
ssh -i | ssh -i serveradm serveradm@[server-public-up] | ||
</code> | </code> | ||
| Line 58: | Line 60: | ||
You can repeat this process for a second key pair, as/if required, e.g. for a representative or as backup key. Make sure that all private keys are securely stored, and protected by passphrases. | You can repeat this process for a second key pair, as/if required, e.g. for a representative or as backup key. Make sure that all private keys are securely stored, and protected by passphrases. | ||
== Disable Root Login and Password Authentication == | |||
If you are not logged-in as '' | If you are not logged-in as ''serveradm'' yet, login now (using the private key): | ||
<code> | <code> | ||
ssh -i | ssh -i serveradm serveradm@[server-public-up] | ||
</code> | </code> | ||
| Line 85: | Line 87: | ||
</code> | </code> | ||
Now, you can no longer SSH-login as ''root'', but only as '' | Now, you can no longer SSH-login as ''root'', but only as ''serveradm'' - and you must use a private key, as passwords will no longer be accepted. | ||
Latest revision as of 19:42, 2 February 2026
Secure Server Operation
The following steps are recommended to secure your Eden server back-end under Debian/Linux.
Note: this configuration is standard on many clouds, e.g. AWS EC2, so you do not need to do this manually. Check with your cloud service provider for details.
Unprivileged Account
You should use an unprivileged user account for SSH login. To do so, login as root and create a new user, e.g. "serveradm":
adduser serveradm
Enter a password for the new account when prompted for, and provide additional information as required.
To permit the new user to sudo without password, edit the sudoers configuration file using the command visudo. Add the following lines at the end of the file:
# User rules for serveradm
serveradm ALL=(ALL) NOPASSWD:ALL
Login to the server using the new account and password, and verify that sudo is working as expected:
sudo su -
After that, you should be root.
Key-based Login
You should use RSA keys for SSH login instead of passwords. To do so, generate a key pair on your local machine:
ssh-keygen -t rsa -m PEM -b 4096 -f serveradm -C "serveradm"
Choose a passphrase for the private key when prompted (for purposes of script automation, e.g. edenctl, leave the passphrase empty).
Install the public key on the server:
cat serveradm.pub | ssh serveradm@[server-public-ip] "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"
...replacing [server-public-ip] with the public IP address of the server. You will be prompted for the password of the serveradm user.
Next, login to the server using the newly installed key:
ssh -i serveradm serveradm@[server-public-up]
...to verify everything is working as expected.
You can repeat this process for a second key pair, as/if required, e.g. for a representative or as backup key. Make sure that all private keys are securely stored, and protected by passphrases.
Disable Root Login and Password Authentication
If you are not logged-in as serveradm yet, login now (using the private key):
ssh -i serveradm serveradm@[server-public-up]
Make yourself root:
sudo su -
...and edit the /etc/ssh/sshd_config file. Uncomment or add the following lines:
PermitRootLogin no
PasswordAuthentication no
After that, reload the sshd service:
systemctl reload sshd
Now, you can no longer SSH-login as root, but only as serveradm - and you must use a private key, as passwords will no longer be accepted.