-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathinitial_server_setup
119 lines (75 loc) · 3.01 KB
/
initial_server_setup
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
## set timezone (ububtu)
sudo dpkg-reconfigure tzdata
####### Change root password to a strong one
passwd
###### Create a new user
adduser demo
##### Add root previlages, run this as root
gpasswd -a demo sudo
##### set vim as the default text editor
sudo update-alternatives --config editor
##### make the password not timeout so you are not annoyed
# edit /etc/sudores type:
visudo
--settings--
# Default for password prompt to stay up with no user input 0=forever
Defaults passwd_timeout=0
# Defualt for a session to remember your password 0=always 0<forever (i.e a negative number)
Defaults timestamp_timeout=-1
#### install basics
sudo apt-get install -y build-essential python-dev python-setuptools python-pip libjpeg-dev \
libtiff-dev zlib1g-dev libfreetype6-dev liblcms2-dev git
###### Add Public Key Authentication ########
1) Generate a Key Pair for authentication without password on yoour local machine
$ ssh-keygen -t rsa -b 2048 -v
Enter this command to generate 2,048 bit RSA key using verbose (questions asked during) mode,
and a public .pem X.509 certificate.
You will be asked for a file name, eg you enter hetzner
it will generate a hetzner.pub file and the hetzner file without file extension, rename it to hetzner.pem,
You will be asked to enter passphrase, ignored this option by pressing enter
2) Uploading the generated certificate from client computer to server
OPTION1
$ ssh-copy-id -i ~/hetzner.pub [email protected]
OPTION2
if you are on mac or your machine does not have ssh-copy-id
cat ~/hetzner.pub | ssh [email protected] 'cat >> ~/.ssh/authorized_keys'
OPTION3
#manually add
# switch users
su - demo
#if the .ssh directory does not exist create it and the auth file and chmod
chmod 700 ~/.ssh
chmod 600 .ssh/authorized_keys
paste public key in: ~/.ssh/authorized_keys and see something like
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAX ...
3) Test the connection
$ sudo ssh -i ~/hetzner.pem [email protected]
Should connect you without using a password, notice, that I am not using .pub but .pem now,
that is a file hetzner, that we have renamed in step 1 to hetzner.pem.
You may have to confirm the Key Pair with "yes" on the first login.
Both files were generated in step 1 using $ ssh-keygen -t rsa -b 2048 -v command,
but one is generated bwithout suffix.
#### DISABLE ROOT LOGIN
# edit
vim /etc/ssh/sshd_config
~~~~~~
Port 1234
PermitRootLogin no
AllowUsers demo
~~~~~~~~
Port 1234 causes SSH to listen on port 1234. You can use any unused port from 1 to 65535.
It's recommended to choose a privileged port (port 1-1024) which can only be used by root.
If your SSH daemon stops working for some reason,
a rogue application can't intercept the connection.
############ DEGUG SSH CONNECTION ##########
service ssh stop # will not kill existing ssh connections
/usr/sbin/sshd -d # full path to sshd executable needed, 'which sshd' can help
...debug output...
service ssh start
########### GLOSSARY ################
#login as the new user
sudo -i -u demo
OR
su - demo
#login back as root
su