Guidelines:SecureOperation: Difference between revisions

From Sahana Eden Wiki
Dominic (talk | contribs)

Revision as of 16:32, 2 February 2026

Secure Server Operation

The following steps are recommended to secure your Eden server back-end.

Note: this configuration is standard on many clouds, e.g. AWS EC2, so you do not need to do this manually. Check with your cloud service provider for details.

Unprivileged Account

You should use an unprivileged user account for SSH login. To do so, log in as root and create a new user, e.g. "serveradmin":

adduser serveradmin

Enter a password for the new account when prompted, and provide additional information as required.

To permit the new user to sudo without password, edit the sudoers configuration file using the command visudo. Add the following lines at the end of the file:

# User rules for serveradmin
serveradmin ALL=(ALL) NOPASSWD:ALL

Log in to the server using the new account and password, and verify that sudo is working as expected:

sudo su -

After that, you should be root.

Key-based Login

You should use RSA keys for SSH login instead of passwords. To do so, generate a key pair on your local machine:

ssh-keygen -t rsa -m PEM -b 4096 -f serveradmin -C "serveradmin"

Choose a passphrase for the private key when prompted (for purposes of script automation, e.g. edenctl, leave the passphrase empty).

Install the public key on the server:

cat serveradmin.pub | ssh serveradmin@[server-public-ip] "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"

...replacing [server-public-ip] with the public IP address of the server. You will be prompted for the password of the serveradmin user.

Next, log in to the server using the newly installed key:

ssh -i serveradmin serveradmin@[server-public-ip]

...to verify everything is working as expected.

You can repeat this process for a second key pair, as/if required, e.g. for a representative or as backup key. Make sure that all private keys are securely stored, and protected by passphrases.

Disable Root Login and Password Authentication

If you are not logged in as serveradmin yet, log in now (using the private key):

ssh -i serveradmin serveradmin@[server-public-ip]

Make yourself root:

sudo su -

...and edit the /etc/ssh/sshd_config file. Uncomment or add the following lines:

PermitRootLogin no
PasswordAuthentication no

After that, reload the sshd service:

systemctl reload sshd

Now you can no longer log in via SSH as root, only as serveradmin, and you must use a private key, as passwords will no longer be accepted.
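
The following check is an added example, not part of the original wiki page or the Eden project. sshd uses the first value it obtains for each keyword, so lines added to /etc/ssh/sshd_config have no effect if an earlier line or an included file already sets the same keyword. The function names, the sample file 50-sample.conf and the restriction to absolute Include paths are assumptions of this example.

```shell
# Added example: find the value sshd would actually use for a keyword.

# Emit the global-scope settings of config $1 in the order sshd reads them.
# Assumptions: Include patterns are absolute paths, and everything after a
# Match line in a file is conditional and therefore skipped.
sshd_flatten() {
    while IFS= read -r line || [ -n "$line" ]; do
        set -f; set -- $line; set +f        # split into words, no globbing
        case $(printf '%s' "${1:-}" | tr 'A-Z' 'a-z') in
            ''|'#'*) ;;                      # blank line or comment
            match)   break ;;
            include) shift
                     for pat in "$@"; do
                         for f in $pat; do   # the glob expands here
                             if [ -f "$f" ]; then sshd_flatten "$f"; fi
                         done
                     done ;;
            *)       printf '%s\n' "$*" ;;
        esac
    done < "$1"
}

# Print the first-obtained (effective) value of keyword $2 in config $1.
sshd_effective() {
    sshd_flatten "$1" |
        awk -v k="$2" '!hit && tolower($1) == tolower(k) { print tolower($2); hit = 1 }'
}

# Succeed only if root login and password authentication are both "no".
sshd_hardened() {
    [ "$(sshd_effective "$1" PermitRootLogin)" = no ] &&
        [ "$(sshd_effective "$1" PasswordAuthentication)" = no ]
}

# Constructed sample: a drop-in that enables passwords, included at the top
# of a main config that has the two hardening lines added at the end.
make_sample() {
    mkdir -p "$1/sshd_config.d"
    printf 'PasswordAuthentication yes\n' > "$1/sshd_config.d/50-sample.conf"
    { printf 'Include %s/sshd_config.d/*.conf\n' "$1"
      printf '#PermitRootLogin prohibit-password\n'
      printf 'PermitRootLogin no\nPasswordAuthentication no\n'
    } > "$1/sshd_config"
}

dir=$(mktemp -d)
make_sample "$dir"
echo "PasswordAuthentication -> $(sshd_effective "$dir/sshd_config" PasswordAuthentication)"
sshd_hardened "$dir/sshd_config" && echo "hardened" || echo "NOT hardened: an earlier setting wins"
rm -rf "$dir"
```

On the server itself, `sshd -t` checks the configuration for errors before the reload, and `sshd -T` prints the effective settings.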