Ubuntu Cheat sheet
In this section you will find my notes on setting up and securing Ubuntu 18.04. Vim knowledge is assumed.
Creating a new non-root Sudo user
It is recommended to avoid using the root user account on a regular basis, as doing so is risky and compromises security. Instead, create a new user account and add it to the sudo group.
Add a new user
adduser xyz
Add user to sudo group
usermod -aG sudo xyz
Switch to the new user
su xyz
Only allow Key Authentication
Password-based authentication is susceptible to brute-force attacks. Thus, it is good practice to disable it and only allow key-based authentication.
Add Public Key to User
As mentioned, usage of the root user account should be avoided. Hence, it is advisable that you add your public key to the user account you created earlier on. It is assumed that you logged into your root account using an SSH key.
- Create an authorized_keys file:
su xyz
cd ~
mkdir .ssh
vim .ssh/authorized_keys
- Insert your public key and save the file with :wq!. You can copy this from the authorized_keys file under the root account's directory. You can find the file using the following commands:
su root
cd ~
vim .ssh/authorized_keys
Toggle visual mode by pressing v at the start of the line for the public key you wish to copy over. Press $ to move the cursor to the end of the line; doing so highlights the entire line. Press y to yank (copy). Then exit the file using :q!.
Enter the destination authorized_keys file. Press p to paste what you yanked.
Disable Password Authentication
As it is assumed that you logged into your root account using an SSH key, this step could be unnecessary. However, do still perform a check to verify that PasswordAuthentication no is in place.
- Open sshd_config with Vim:
sudo vim /etc/ssh/sshd_config
- Add PasswordAuthentication no. It might be commented out as #PasswordAuthentication no or written as PasswordAuthentication yes. If you find either, replace with PasswordAuthentication no. Else just add it in. Use :/PasswordAuthentication to find #PasswordAuthentication no.
- Save the file with :wq!.
- Restart ssh to implement this change:
sudo systemctl restart ssh
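A check for the PasswordAuthentication step above, as an added example that is not part of the original notes: sshd ignores commented lines, defaults to yes, and keeps the first value it reads for a keyword, so a line added below an existing PasswordAuthentication yes changes nothing. The function names and sample files are constructed for illustration; the script reads a single file, assumes whitespace-separated "Keyword value" lines, and does not follow Include directives.

```shell
#!/bin/sh
# Added example (not from the original notes). Function names and the sample
# files are constructed for illustration.

# Print the PasswordAuthentication value sshd would take from the global
# section of one sshd_config-style file. Rules applied: "#" lines are
# comments, keywords are case-insensitive, the FIRST value read wins, and
# the built-in default is "yes".
effective_password_auth() {
    awk '
        BEGIN { val = "yes" }                    # default when never set
        /^[ \t]*#/ { next }                      # commented out: ignored
        tolower($1) == "match" { exit }          # Match blocks are conditional
        tolower($1) == "passwordauthentication" { val = $2; exit }
        END { print val }
    ' "$1"
}

# Exit status 0 only if password logins are disabled in the given file.
check_sshd_config() {
    v=$(effective_password_auth "$1")
    [ "$v" = "no" ] && { echo "OK   $1"; return 0; }
    echo "FAIL $1 (effective value: $v)"
    return 1
}

# Constructed sample configs covering the cases described in the notes.
write_samples() {
    # Only the commented-out line: password logins are still enabled.
    printf '%s\n' 'Port 22' '#PasswordAuthentication no' > "$1/commented"
    # "no" added below an existing "yes": the earlier "yes" wins.
    printf '%s\n' 'PasswordAuthentication yes' 'PasswordAuthentication no' > "$1/appended"
    # The line replaced in place: password logins are disabled.
    printf '%s\n' 'Port 22' 'passwordauthentication no' > "$1/fixed"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in commented appended fixed; do
    check_sshd_config "$demo_dir/$f" || true
done
rm -rf "$demo_dir"
```

On the server itself, point check_sshd_config at /etc/ssh/sshd_config, and run sudo sshd -t before restarting ssh so that a syntax error in the edited file does not lock you out.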
Basic Firewall
- List the application profiles registered with the ufw firewall:
sudo ufw app list
You should see
Available applications:
OpenSSH
- Ensure the firewall allows SSH connections:
sudo ufw allow OpenSSH
sudo ufw enable # Enable firewall
sudo ufw status # Check if OpenSSH is allowed
You should see the following after executing sudo ufw status:
To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)