How to Build Your First Productive, Secure Web Server
- Translation
- Tutorial
In this guide, we will cover some of the best practices for setting up your first secure server. We will go through the whole process step by step, and the result will be a server that is ready to host your application in production. Of course, this is not an exhaustive guide: keeping a server secure means constantly looking for new resources and making endless improvements. But this material is enough to start building your own infrastructure.
We will use Amazon EC2 to run the tests, but you can take Amazon LightSail, Digital Ocean, Vultr or another service. They are all configured the same way, so choose the one you like.
Create public and private SSH keys
First, create a key pair that some hosts will need when installing the server. You can skip this and some other steps if you decide to create your own key pair when starting the server on Amazon.
We will create SSH keys using ssh-keygen.
$ ssh-keygen -t rsa -b 4096
As a result, we get two files: id_rsa and id_rsa.pub (private and public keys). Never share your private key with anyone .
You will find detailed instructions for creating keys here.
Import a public key into Amazon
Import the newly created public key into the Amazon platform.
- Go to the Amazon management console.
- Click AWS services → Compute → EC2
- Click on the left menu Network & Security → Key Pairs
- Click on “Import Key Pair” and load the public key (id_rsa.pub)
Create your own virtual machine
Install a virtual machine running Ubuntu on Amazon EC2. The setting is described in detail here :
- Go to the Amazon management console.
- Click AWS services → Compute → EC2
- Select the instance to start.
- Choose one of the images. In our case, it will be Ubuntu Server 16.04 LTS (HVM), SSD Volume Type (but you can choose whatever suits you best).
- Choose a virtual machine (according to your needs). Click on “Review” and “Launch”.
- Open a new tab and import the created public key into Amazon.
- Here we will be asked to "Select an existing key pair or create a new key pair". Click "Choose an existing key pair" and select the key imported earlier.
- Click on "Launch Instances".
- Click on the link of the virtual machine that we just created.
Caution: some of the following steps may be configured on the Amazon home screen. But since this is a general guide that can be used for other services, we’ll talk about default configurations.
Connect to the new server
We connect to the virtual machine via SSH.
In the terminal, type:
$ ssh USER@HOST -p 22 -i PATH-TO-PRIVATE-KEY
USER: the Linux system user. On Amazon, use ubuntu; on other services, root.
HOST: the IP address of the virtual machine we created. This is the “Public DNS (IPv4)” field in the “Description” tab of our server.
PATH-TO-PRIVATE-KEY: the full path to the previously generated private key (e.g. /Users/flavio/.ssh/id_rsa).
-i: you can skip this option if you added the key to your SSH agent.
Give access to a new user
Create a new user account named “wizard”:
$ sudo adduser wizard
We give the “wizard” permission to execute sudo. Open the file:
$ sudo nano /etc/sudoers.d/wizard
And set the contents:
wizard ALL=(ALL) NOPASSWD:ALL
Create the directory and the key file (these commands run as the ubuntu user, so they need sudo: /home/wizard belongs to wizard, and chown is root-only):
$ sudo mkdir /home/wizard/.ssh
# create the authorized_keys file and paste your public key into it
$ sudo nano /home/wizard/.ssh/authorized_keys
$ sudo chown wizard:wizard /home/wizard/.ssh
$ sudo chown wizard:wizard /home/wizard/.ssh/authorized_keys
Copy the contents of the public key (PATH-TO-PUBLIC-KEY) and paste them into /home/wizard/.ssh/authorized_keys on the remote instance. Set the permissions:
$ sudo chmod 700 /home/wizard/.ssh
$ sudo chmod 600 /home/wizard/.ssh/authorized_keys
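With StrictModes on (the sshd default), a key in authorized_keys is silently ignored when the home directory, .ssh or the file itself is writable by others or owned by someone other than the user, and all you see is "Permission denied (publickey)". The function below is an added example, not part of the original guide: it checks the layout the steps above create for a home directory and owner you pass in, and is exercised here on a constructed temporary directory (it assumes GNU stat, as on Ubuntu).

```shell
#!/bin/sh
# Added example (not from the original guide): verify the authorized_keys layout
# the way sshd's StrictModes judges it. Assumes GNU stat (Ubuntu).
# Usage: check_key_layout HOMEDIR OWNER   -> 0 when the layout is usable

check_key_layout() {
    home=$1; owner=$2; rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || { echo "missing: $p"; return 1; }
        o=$(stat -c %U "$p")
        [ "$o" = "$owner" ] || { echo "$p owned by $o, expected $owner"; rc=1; }
        # group/world write bits on any path element make sshd reject the key
        m=$(stat -c %a "$p")
        case "$m" in *[2367]?|*?[2367]) echo "$p is group/world writable ($m)"; rc=1 ;; esac
    done
    [ "$(stat -c %a "$home/.ssh")" = "700" ] || { echo ".ssh should be 700"; rc=1; }
    [ "$(stat -c %a "$home/.ssh/authorized_keys")" = "600" ] \
        || { echo "authorized_keys should be 600"; rc=1; }
    # the file must contain at least one public key line
    grep -Eq '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256) ' "$home/.ssh/authorized_keys" \
        || { echo "no public key line found in authorized_keys"; rc=1; }
    return $rc
}

# Constructed demo home directory standing in for /home/wizard (mktemp -d gives mode 700).
demo=$(mktemp -d)
mkdir -m 700 "$demo/.ssh"
# constructed placeholder key line, not a real key
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedDemoKey user@laptop\n' > "$demo/.ssh/authorized_keys"
chmod 600 "$demo/.ssh/authorized_keys"
check_key_layout "$demo" "$(id -un)" && echo "layout ok"
```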
Securing the server
We update all installed packages.
$ sudo apt-get update
$ sudo apt-get upgrade
Change the SSH port from 22 to 2201 (the same port we will allow through the Uncomplicated Firewall, ufw, in a later step). Open the file /etc/ssh/sshd_config:
$ sudo nano /etc/ssh/sshd_config
and change this data:
Port 2201
PermitRootLogin no
PasswordAuthentication no
# add this to avoid problems with multiple sshd processes
ClientAliveInterval 600
ClientAliveCountMax 3
Restart the SSH service:
$ sudo service ssh restart
Configure the Uncomplicated Firewall (ufw) so that only incoming SSH (port 2201), HTTP (port 80) and NTP (port 123) connections are allowed through.
# close all incoming ports
$ sudo ufw default deny incoming
# open all outgoing ports
$ sudo ufw default allow outgoing
# open ssh port
$ sudo ufw allow 2201/tcp
# open http port
$ sudo ufw allow 80/tcp
# open ntp port : to sync the clock of your machine
$ sudo ufw allow 123/udp
# turn on firewall
$ sudo ufw enable
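Changing Port in sshd_config without a matching ufw rule is the classic way to lock yourself out of the box, so it is worth checking both before the restart. The script below is an added example, not part of the original guide: it reads an sshd_config and the saved text of `ufw status` (both constructed here so it runs offline) and reports whether the three settings above are in effect and whether the port sshd will listen on is actually allowed.

```shell
#!/bin/sh
# Added example (not from the original guide): audit sshd_config and the ufw rule
# set before restarting sshd. Constructed copies of both files are used below.

# sshd_get FILE KEY: effective value of a directive. sshd uses the FIRST
# uncommented occurrence of a keyword, so that is the one printed.
sshd_get() {
    awk -v k="$2" '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# check_sshd_hardening FILE: 0 if the three settings the guide changes are in effect.
check_sshd_hardening() {
    port=$(sshd_get "$1" Port);                 [ -n "$port" ] || port=22
    root=$(sshd_get "$1" PermitRootLogin);      [ -n "$root" ] || root="(unset)"
    pw=$(sshd_get "$1" PasswordAuthentication); [ -n "$pw" ]   || pw="(unset)"
    rc=0
    [ "$port" != "22" ] || { echo "Port is still 22"; rc=1; }
    [ "$root" = "no" ]  || { echo "PermitRootLogin is $root, expected no"; rc=1; }
    [ "$pw" = "no" ]    || { echo "PasswordAuthentication is $pw, expected no"; rc=1; }
    return $rc
}

# ufw_allows_tcp PORT STATUSFILE: 0 if the saved `ufw status` output contains an
# ALLOW rule for PORT/tcp (rows look like "2201/tcp   ALLOW   Anywhere").
ufw_allows_tcp() {
    grep -Eq "^$1/tcp[[:space:]]+ALLOW" "$2"
}

# check_no_lockout SSHD_CONFIG STATUSFILE: 0 only if the port sshd will listen on
# after the restart is allowed by the firewall.
check_no_lockout() {
    port=$(sshd_get "$1" Port); [ -n "$port" ] || port=22
    if ufw_allows_tcp "$port" "$2"; then return 0; fi
    echo "sshd will listen on $port but ufw has no ALLOW rule for $port/tcp"
    return 1
}

# Constructed sample files: what the guide's edits and ufw commands should produce.
tmp=$(mktemp -d)
cat > "$tmp/sshd_config" <<'EOF'
# comment lines are ignored
Port 2201
PermitRootLogin no
PasswordAuthentication no
ClientAliveInterval 600
EOF
printf 'Status: active\n\nTo   Action   From\n2201/tcp   ALLOW   Anywhere\n80/tcp   ALLOW   Anywhere\n' > "$tmp/ufw"
check_sshd_hardening "$tmp/sshd_config" && check_no_lockout "$tmp/sshd_config" "$tmp/ufw" \
    && echo "safe to restart sshd"
```

On the real server run it against /etc/ssh/sshd_config and the output of `sudo ufw status`, and also let sshd validate the file itself with `sudo sshd -t` before restarting.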
Configure the server clock
Set UTC as the local time zone:
$ sudo dpkg-reconfigure tzdata
Select 'None of the above', then 'UTC'.
Disconnect and add the key to the SSH agent
To disconnect, enter:
$ exit
and then add the private key to your SSH agent with ssh-add.
Add port permissions to Amazon
This step is done on the Amazon side: the new SSH port must also be opened in the instance's security group.
- Go to the Amazon management console.
- Click AWS services → Compute → EC2
- Click on the left menu Network & Security → Security Groups
- Select the security group attached to our virtual machine.
- Click Actions → Edit Inbound Rules
- Click “Add Rule” and set: Type: Custom TCP, Port Range: 2201, Source: 0.0.0.0/0 and Description: SSH
Connect with the new details
Now you can connect to the server on the new port as the new user:
$ ssh wizard@HOST -p 2201 -i PATH-TO-PRIVATE-KEY
You now have a server ready to serve your application.