
Doing Something With a Server: User, Group & SSH Configuration
- Written by John
- Sep 1st, 2018
In this part, we will look at configuring users, groups and SSH (Secure Shell). The users and groups will then be used to restrict who can log in over SSH. Without further ado, let’s start.
Users & Groups
The users and groups we’re about to set up will allow us to further lock down access to SSH on Amazon Linux. By default, Amazon Linux ships with a user and group called ec2-user. This is a well-known default account with high-level privileges. We need to move away from this kind of generic account and use one of our own. Let’s set up a system administrator group and a user account. Throughout this series we’ll use geoff as the administrator account; wherever geoff appears, substitute your own naming convention.
# Create the admin group, then the geoff account with that group as its primary group
sudo groupadd systemadministrator
sudo useradd -g systemadministrator -d /home/geoff geoff
Now that we’ve created our system administrator user and its group, we need to set a password for the geoff account.
sudo passwd geoff
To verify that geoff is in the correct group(s), run the groups command.
sudo groups geoff
Editing Sudoers
Now that we’ve created a system administrator user and group, we need to add the group to the sudoers file so that anyone in it can run administrative commands. To do this we edit sudoers, the file that grants these elevated privileges.
Open the sudoers file in your text editor.
sudo vi /etc/sudoers
Scroll down in the sudoers file until you see a line like
## Allows people in group wheel to run all commands
In this section you will need to add the systemadministrator group we created earlier, giving it the same permissions shown for the wheel group.
%systemadministrator ALL=(ALL) ALL
Save and exit the sudoers file.
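The steps above, taken together, are a small provisioning script. The one shown here is an added example and not the post’s own commands: it creates the group and user only if they do not already exist, and installs the sudoers rule as a drop-in under /etc/sudoers.d that is checked with visudo -cf before it lands on disk. Editing /etc/sudoers with vi saves without a syntax check, and one typo there disables sudo for every account, so the validated drop-in is the safer route. The group and user names are the post’s; the function names, the -m flag on useradd and the sample passwd/group data at the bottom are assumptions for this example. The user_groups helper reproduces what the groups command reports (primary group from the passwd entry plus every group listing the user as a member), which is also the membership sshd consults for AllowGroups.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent admin group/user
# setup with a validated sudoers drop-in. Names follow the post; the rest is
# assumed for illustration.

ADMIN_GROUP=systemadministrator
ADMIN_USER=geoff

# Live-host steps (need root). Not executed by the demo at the bottom.
provision_admin() {
    getent group "$ADMIN_GROUP" >/dev/null || sudo groupadd "$ADMIN_GROUP"
    id "$ADMIN_USER" >/dev/null 2>&1 || \
        sudo useradd -m -g "$ADMIN_GROUP" -d "/home/$ADMIN_USER" "$ADMIN_USER"
    install_sudoers_rule "$ADMIN_GROUP"
}

# The same rule the post adds next to the wheel entry.
sudoers_rule_for_group() {
    printf '%%%s ALL=(ALL) ALL\n' "$1"
}

# Write the rule to /etc/sudoers.d/<group> only if visudo accepts it; a bad
# rule in /etc/sudoers itself would lock everyone out of sudo.
install_sudoers_rule() {
    group=$1
    tmp=$(mktemp)
    sudoers_rule_for_group "$group" > "$tmp"
    if sudo visudo -cf "$tmp" >/dev/null; then
        sudo install -m 0440 -o root -g root "$tmp" "/etc/sudoers.d/$group"
    else
        echo "sudoers rule for $group rejected by visudo; not installed" >&2
        rm -f "$tmp"; return 1
    fi
    rm -f "$tmp"
}

# Reproduce what `groups <user>` reports from passwd- and group-format files:
# the primary group (gid in the passwd entry) followed by every group whose
# member list names the user. sshd's AllowGroups matches against the same set.
user_groups() {
    passwd_file=$1 group_file=$2 user=$3
    gid=$(awk -F: -v u="$user" '$1 == u { print $4; exit }' "$passwd_file")
    awk -F: -v u="$user" -v gid="$gid" '
        $3 == gid { primary = $1; next }
        {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) supp = supp " " $1
        }
        END { printf "%s%s\n", primary, supp }
    ' "$group_file"
}

# Returns 0 if user $3 belongs to group $4 according to the given files.
user_in_group() {
    for g in $(user_groups "$1" "$2" "$3"); do
        [ "$g" = "$4" ] && return 0
    done
    return 1
}

# Demo on constructed sample files (not the real /etc/passwd or /etc/group).
pw=$(mktemp); gr=$(mktemp)
printf 'root:x:0:0:root:/root:/bin/bash\ngeoff:x:1001:1001::/home/geoff:/bin/bash\n' > "$pw"
printf 'root:x:0:\nwheel:x:10:ec2-user\nsystemadministrator:x:1001:\ndocker:x:990:geoff\n' > "$gr"
user_groups "$pw" "$gr" geoff          # prints: systemadministrator docker
sudoers_rule_for_group "$ADMIN_GROUP"  # prints: %systemadministrator ALL=(ALL) ALL
rm -f "$pw" "$gr"
```

On a real host you would run provision_admin as a user that already has sudo; the drop-in approach also means the rule can be removed later by deleting one file rather than editing /etc/sudoers again.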
Configuring SSH (Secure Shell)
Whether you’re renting a server from a trusted provider or you’ve installed Linux yourself, SSH needs to be configured to make it more secure than it is out of the box. The main reason we need to at least check its configuration is that SSH is the way you control your server or OS: if someone gains access over SSH with high enough privileges, they can do whatever they like to the system. Let’s have a look at the SSH server’s configuration.
sudo vi /etc/ssh/sshd_config
Most of the settings that need to be configured are already in the file, but are commented out or not set to a sensible value. The list below covers the basics you should look at to make SSH reasonably secure. The comment lines describe each setting; keep them on their own lines as shown, because older sshd versions reject a comment placed on the same line as a directive (“garbage at end of line”) and refuse to start.
# Listen on one port and one address only
Port 22
ListenAddress xxx.xxx.xxx.xxx
# SSH protocol 1 era settings. OpenSSH 7.4 and later only speak protocol 2 and ignore both of these (the host key size is fixed when the host keys are generated), so on a current Amazon Linux they are harmless but do nothing
Protocol 2
ServerKeyBits 4096
# Drop a connection that has not finished authenticating within 30 seconds
LoginGraceTime 30s
# Never let root log in over SSH; use the named admin account and sudo instead
PermitRootLogin no
# Authentication attempts allowed per connection before the server disconnects
MaxAuthTries 3
# Open sessions (shells, forwards) allowed per network connection
MaxSessions 2
# After 300 seconds of silence the server sends a keepalive request to the client; ClientAliveMaxCount is the number of unanswered requests before the server disconnects, so 300 and 1 together drop an idle client after about five minutes
ClientAliveInterval 300
ClientAliveMaxCount 1
# Only members of the listed group(s), by primary or supplementary membership, may log in; every other account is refused
AllowGroups systemadministrator
# yes allows logins with an account password; set it to no to require a key pair instead (the setting used on the author’s own server, see below)
PasswordAuthentication yes
Now we need to restart the SSH server so it loads the settings we’ve added or changed. This is where you find out whether you have configured it correctly.
sudo service sshd restart
To see whether you really have configured the server correctly, type exit to close the SSH client and reconnect. Make sure you log back in with the user account we created.
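Hand-editing sshd_config and restarting blind is how people lock themselves out. As an added example, not part of the original post, the script below applies the settings listed above from a baseline, audits the file against that baseline, and only restarts sshd after sshd -t has accepted the file. The directive names and values are the post’s (with PasswordAuthentication set to no, matching the key-only setup the author describes next); the helper names, the BASELINE variable and the sample config at the bottom are assumptions for this example. The setter replaces the first occurrence of a directive, commented out or not, in the global section, or inserts it before the first Match block, because sshd uses the first occurrence of a directive and anything after a Match line applies only to that block.

```shell
#!/bin/sh
# Added example (not from the original post): apply, audit and safely reload
# the post's sshd_config baseline. Helper names are assumptions.

# Set <directive> to <value> in <file>: replace the first matching line
# (commented out or not) before any Match block, else insert it before the
# first Match block, else append it.
set_sshd_option() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp)
    awk -v key="$key" -v value="$value" '
        BEGIN { done = 0 }
        {
            if (!done && $0 ~ /^[ \t]*[Mm][Aa][Tt][Cc][Hh][ \t]/) {
                print key " " value; done = 1
            }
            if (!done) {
                line = $0
                sub(/^[ \t]*#?[ \t]*/, "", line)     # look through "#Directive" too
                n = split(line, f, /[ \t]+/)
                if (n > 0 && tolower(f[1]) == tolower(key)) {
                    print key " " value; done = 1; next
                }
            }
            print
        }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps the owner/mode of $file
    rm -f "$tmp"
}

# Print the value sshd will use for <directive>: the first uncommented
# occurrence in the global section (Match blocks are ignored).
get_sshd_option() {
    awk -v key="$2" '
        $0 ~ /^[ \t]*[Mm][Aa][Tt][Cc][Hh][ \t]/ { exit }
        $0 !~ /^[ \t]*#/ && tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# The baseline from the post (PasswordAuthentication no: key logins only).
BASELINE='PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 3
MaxSessions 2
LoginGraceTime 30s
ClientAliveInterval 300
ClientAliveMaxCount 1
AllowGroups systemadministrator'

apply_baseline() {   # $1 = config file
    printf '%s\n' "$BASELINE" | while read -r key value; do
        set_sshd_option "$1" "$key" "$value"
    done
}

# Report every directive that deviates from the baseline; returns 1 if any does.
audit_sshd_config() {   # $1 = config file
    rc=0
    while read -r key expected; do
        actual=$(get_sshd_option "$1" "$key")
        if [ "$actual" != "$expected" ]; then
            printf '%s: expected %s, found %s\n' "$key" "$expected" "${actual:-<unset>}"
            rc=1
        fi
    done <<EOF
$BASELINE
EOF
    return $rc
}

# Live host only (not run below): never restart on a file sshd rejects, and
# keep the current session open until a second login as the new user works.
validate_and_restart_sshd() {
    sudo sshd -t -f /etc/ssh/sshd_config || {
        echo "sshd_config rejected; not restarting" >&2; return 1; }
    sudo service sshd restart
}

# Demo on a constructed sample file standing in for /etc/ssh/sshd_config.
demo=$(mktemp)
cat > "$demo" <<'EOF'
#PermitRootLogin yes
Port 22
#PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF
audit_sshd_config "$demo" || echo "-- before hardening: deviations listed above"
apply_baseline "$demo"
audit_sshd_config "$demo" && echo "-- after hardening: matches the baseline"
rm -f "$demo"
```

For the real file, run apply_baseline and validate_and_restart_sshd as root, and test the result from a second terminal while the first session stays connected; if the new login fails, the open session is what lets you fix the file without a console.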
As my server is using Amazon Linux in AWS EC2, I am using no password authentication. This means I need to generate a key for the user account geoff. To do this, I downloaded putty-gen (I grabbed this when I downloaded Putty to use as my SSH client) and generated a new key. I then imported the new key into the AWS EC2 Console. Once imported, I used the SSH console to create the authorized_keys file in /home/geoff/.ssh (I had to create the .ssh directory). I then copied the public key from the putty-gen application into the authorized_keys file. Lastly, I’ve changed the directory and file to be owned by geoff and set the correct directory and file permissions.
# Create the key directory (-p makes this a no-op if it already exists)
sudo mkdir -p /home/geoff/.ssh
# Paste the public key from PuTTYgen into this file, one key per line
sudo vi /home/geoff/.ssh/authorized_keys
# Hand the directory and file over to geoff; sshd refuses keys owned by anyone else
sudo chown -hR geoff:systemadministrator /home/geoff/.ssh
# 0700 on the directory and 0600 on the file: sshd's StrictModes check refuses keys in a directory or file writable by group or others
sudo chmod 0700 /home/geoff/.ssh
sudo chmod 0600 /home/geoff/.ssh/authorized_keys
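The ownership and mode steps are the part people get wrong, and sshd then silently ignores the key while the client keeps being asked for a password. As an added example, not the post’s own commands, the script below installs a public key with exactly the modes shown above, adds the key only once so it can be re-run, and verifies the result the way sshd’s StrictModes check would. The user and group names are the post’s; the function names and the key string at the bottom are assumptions (the key is a constructed placeholder, not a real key).

```shell
#!/bin/sh
# Added example (not from the original post): install an authorized key with
# the modes sshd expects and verify them. Helper names are assumptions.

# Append a public key to <home>/.ssh/authorized_keys (once), with 0700 on
# .ssh and 0600 on the file. Ownership is changed only when running as root
# and the user exists, since chown is refused otherwise.
install_authorized_key() {
    home=$1 user=$2 group=$3 pubkey=$4
    mkdir -p "$home/.ssh"
    chmod 0700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    chmod 0600 "$home/.ssh/authorized_keys"
    # idempotent: add the key only if this exact line is not already present
    grep -qxF "$pubkey" "$home/.ssh/authorized_keys" || \
        printf '%s\n' "$pubkey" >> "$home/.ssh/authorized_keys"
    if [ "$(id -u)" -eq 0 ] && id "$user" >/dev/null 2>&1; then
        chown -R "$user:$group" "$home/.ssh"
    fi
}

# Symbolic mode of a path as `ls -ld` prints it; portable across GNU and BSD
# userlands, unlike `stat -c`.
mode_of() { ls -ld "$1" | cut -c1-10; }

# Returns 0 when the directory and key file carry exactly the modes set above;
# anything group- or world-writable would make sshd's StrictModes skip the key.
check_ssh_perms() {
    home=$1
    [ "$(mode_of "$home/.ssh")" = "drwx------" ] &&
    [ "$(mode_of "$home/.ssh/authorized_keys")" = "-rw-------" ]
}

# Demo in a throwaway directory standing in for /home/geoff.
fake_home=$(mktemp -d)
KEY='ssh-ed25519 AAAAPLACEHOLDERKEYDATAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx geoff@example'
install_authorized_key "$fake_home" geoff systemadministrator "$KEY"
install_authorized_key "$fake_home" geoff systemadministrator "$KEY"   # re-run: no duplicate line
check_ssh_perms "$fake_home" && echo "modes OK: $(mode_of "$fake_home/.ssh")"
rm -rf "$fake_home"
```

On the live host, run it as root against /home/geoff with the key text copied from PuTTYgen’s public key box; if a login still fails afterwards, sshd -T or the auth log will show whether the key was refused for ownership or mode reasons.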
Firewall (Iptables)
Using Amazon Linux, whether in EC2 or Lightsail, you shouldn’t need to configure the firewall on the OS itself. Amazon provides a way of doing this in its web interface when you set up an instance.
If you’re using a standard Linux OS you will need to configure the firewall yourself. For CentOS users you can use the documentation from CentOS themselves.