Best-practice for authentication after creating a new Linux server

Brief steps

This article helps you change the following items if your cloud provider didn't do that for you.

• Check disk information
• Delete other accounts.
• Create your own account instead of root.
• Disable password login and force to use SSH key to log in.
• Disable root account.
• Enable sudo without password.
• Enable firewall.
• Ajust timezone.
• Enable BBR

Before starting the process, make sure you have a valid SSH key-pair locally.

You can run the following command on your dev box to generate a new SSH key-pair:

ssh-keygen

Check connection and OS

Fist, connect to the server. (With root password).

you@local 
$ ssh root@server

Check the disk configuration:

sudo fdisk -l # Check connected disks.
sudo lsblk # Check disk mountings.
sudo df -Th # Check partition usage.

Check installed RAM:

sudo free -h

You can view other accounts via:

$ ls /home
$ cat /etc/passwd | grep -v nologin

Change hostname

Change computer name first:

sudo hostnamectl set-hostname aiursoftcn

Create a new user for you

Add a new user for you. (With password)

root@server
$ sudo adduser anduin
Adding user `anduin' ...
Adding new group `anduin' (1000) ...
Adding new user `anduin' (1000) with group `anduin' ...
Creating home directory `/home/anduin' ...
Copying files from `/etc/skel' ...
New password:
Retype new password:
passwd: password updated successfully
Changing the user information for anduin
Enter the new value, or press ENTER for the default
        Full Name []:
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [Y/n] Y

Give the user root privilege.

root@server
$ usermod -aG sudo anduin

Test the new user's privilege.

root@server
$ su - anduin

anduin@server
$ sudo ls
[password]
	

Copy SSH public key

Back to your local machine. Copy the SSH public key to your server.

you@local 
$ ssh-copy-id anduin@server
anduin@server's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'anduin@server'"
and check to make sure that only the key(s) you wanted were added.

And test if you can connect to it.

you@local 
$ ssh anduin@server

Ensure SSH best practice

Now disable root sign in and password authentication.

anduin@server
$ sudo vim /etc/ssh/sshd_config

Change: PermitRootLogin to no to disable the root user login. And change PasswordAuthentication  to no to prevent the password login.

(Dangerous, optional) Skip password for your acction

To skip password for your account, consider execute:

anduin@server
$ sudo visudo

And add the following line at the end of the file:

anduin ALL=(ALL) NOPASSWD:ALL
	

This might be dangerous that some other program running as you may also execute sudo to get root permission.

Delete other users and reboot

Don't forget to delete the obsolete user if the provider created it. (Don't delete the root user)

anduin@server
$ sudo deluser default

Reboot the server.

anduin@server
$ sudo reboot

And now the server can only access from you and can not log it in through password or the root account.

Enable Firewall (Optional)

If you are using the cloud server provider's firewall, do open the following ports:

22 (For SSH management)
Your other business ports. Like 80, 443, 

The configuration might looks like this:

If you are using firewall software like ufw, do the following practice:

$ sudo ufw allow 22
$ sudo ufw allow 80 # Your other business ports.
$ sudo ufw enable

Enable BBR (Optional)

Don't forget to enable BBR to speed up your server!

(Run the following command as root (You can run sudo bash first))

# 
enable_bbr_force()
{
    echo "BBR not enabled. Enabling BBR..."
    echo 'net.core.default_qdisc=fq' | tee -a /etc/sysctl.conf
    echo 'net.ipv4.tcp_congestion_control=bbr' | tee -a /etc/sysctl.conf
    sysctl -p
}
sysctl net.ipv4.tcp_available_congestion_control | grep -q bbr ||  enable_bbr_force

Change timezone

Finally, you can still do some further configuration. Like switching the timezone to UTC:

To switch to UTC, simply execute

$ sudo dpkg-reconfigure tzdata

Scroll to the bottom of the Continents list and select Etc or None of the above; in the second list, select UTC. If you prefer GMT instead of UTC, it's just above UTC in that list.

Mount /tmp as RAM

You can use sudo df -Th to verify if /tmp folder is tmpfs file system.

To mount /tmp folder as tmpfs file system, run the following command, then reboot.

(sudo cat /etc/fstab | grep -q /tmp) || (echo "Mouting tmp..." && echo "tmpfs /tmp tmpfs rw,nosuid,nodev" | sudo tee -a /etc/fstab)

Enable Auto update (Optional, dangerous)

If your server is a stateless server, or have proper backup, or you don't care about availbility, you can enable auto backup.

To enable that, first run the following command:

cd ~
touch update.sh
echo "sudo apt update && sudo DEBIAN_FRONTEND=noninteractive apt upgrade -y && sudo apt autoremove -y && sudo reboot" > ./update.sh
chmod +x ./update.sh

After that, you may see an update.sh file under your home folder.

You can configure that to run automatically.

Run:

crontab -e

Add this line (Update every day, UTC 0, China 8:00 am):

0 0 * * * /home/anduin/update.sh

Benchmark performance

To benchmark the CPU:

anduin@server
$ sudo apt install sysbench
$ sysbench cpu run --threads=64
	

Running on desktop? Don't forget these things!

If you need Chinese pinyin input, please run:

sudo apt install ibus-rime
wget https://github.com/iDvel/rime-ice/archive/refs/heads/main.zip
unzip main.zip -d rime-ice-main
mkdir -p ~/.config/ibus/rime
mv rime-ice-main/*/* ~/.config/ibus/rime/
rm -rf rime-ice-main
rm main.zip
echo "Rime configured!"

For fun, meet your religious beliefs!

And, finally, as for fun, you can do this:

$ sudo apt install neofetch -y
$ neofetch