Web Application Setup - Build The Server

webapp server ubuntu digitalocean

New Ubuntu VPS Set Up

We're assuming the initial droplet has been created and that we can ssh into the box as root. The next steps are as follows:

Add Admin User Account

  1. SSH into the droplet as root:

    Run these commands on the server

    # create your admin user
    ... adduser usrnme
    # set up ssh key
    # this was the old way:
    #   ... mkdir /home/usrnme/.ssh
    #   ... chmod 700 /home/usrnme/.ssh
    #   ... cp /root/.ssh/authorized_keys /home/usrnme/.ssh
    #   (chown the whole directory, otherwise .ssh itself stays owned by root)
    #   ... chown -R usrnme:usrnme /home/usrnme/.ssh
    #   ... chmod 600 /home/usrnme/.ssh/authorized_keys
    # this is shorter:
    ... rsync --archive --chown=usrnme:usrnme ~/.ssh /home/usrnme
    # add user to sudo
    ... usermod -aG sudo usrnme
    
  2. Push any necessary user config files from your local development machine to the new server:

    ... cd ~
    ... scp .bash_profile usrnme.digitalocean1:/home/usrnme
    ... scp .vimrc usrnme.digitalocean1:/home/usrnme
    ... scp -r .vim usrnme.digitalocean1:/home/usrnme
    

    I like to add the new ssh user to the ~/.ssh/config file for easy reference:

    # ~/.ssh/config
    Host usrnme.digitalocean1
        HostName 142.221.8.131
        User usrnme
    

    This saves a bit of typing and having to remember IP addresses if you don’t have your server tied to a domain:

    ... ssh usrnme.digitalocean1
    

Secure SSH Configuration

  1. Log out of the server as root and log back in as your new admin user account

    We want to be sure that you can log in under the new account before the next steps.

  2. Disable password authentication (enforce ssh key login only):

    ... sudo vi /etc/ssh/sshd_config
    

    Make sure the following directives are in place:

    PasswordAuthentication no
    PubkeyAuthentication yes
    ChallengeResponseAuthentication no
    PermitRootLogin no
    
  3. Change the default ssh port:

    It is also a good security measure to change the default ssh port from 22 to something else:

    Port 999
    

    Be sure to add your port to the firewall in the next step.

  4. Reload ssh daemon:

    ... sudo systemctl reload sshd
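
An added example, not part of the original guide: a check that the daemon's effective settings match the directives from steps 2 and 3 before you close your current session. It reads lines in the format printed by `sshd -T`; the function names and the sample text are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit effective sshd settings against this guide's directives.
# stdin is "keyword value" lines, the format printed by `sshd -T`.

# First value reported for a keyword (sshd -T prints keywords in lowercase).
sshd_value() {  # $1 = keyword, $2 = config text
    printf '%s\n' "$2" | awk -v k="$1" 'tolower($1) == k && !seen { print $2; seen = 1 }'
}

# Usage: audit_sshd PORT < config. Prints one line per problem; returns 1 if any.
audit_sshd() {
    cfg=$(cat)
    rc=0
    check() {  # $1 = keyword, $2 = expected value
        got=$(sshd_value "$1" "$cfg")
        if [ "$got" != "$2" ]; then
            echo "FAIL $1: expected '$2', got '${got:-unset}'"
            rc=1
        fi
    }
    check passwordauthentication no
    check pubkeyauthentication yes
    check permitrootlogin no
    # Newer OpenSSH reports ChallengeResponseAuthentication under its current
    # name, KbdInteractiveAuthentication, so accept either keyword.
    cr=$(sshd_value challengeresponseauthentication "$cfg")
    [ -n "$cr" ] || cr=$(sshd_value kbdinteractiveauthentication "$cfg")
    if [ "$cr" != "no" ]; then
        echo "FAIL challenge-response: expected 'no', got '${cr:-unset}'"
        rc=1
    fi
    # Port is cumulative: every Port line opens a listener, so list them all.
    ports=$(printf '%s\n' "$cfg" | awk 'tolower($1) == "port" { printf "%s ", $2 }')
    if [ "$ports" != "$1 " ]; then
        echo "FAIL port: expected only '$1', got '${ports:-unset}'"
        rc=1
    fi
    return $rc
}

# Constructed sample: root login by key still permitted, port 22 still open.
SAMPLE_DRIFTED='port 22
port 999
permitrootlogin prohibit-password
passwordauthentication no
pubkeyauthentication yes
kbdinteractiveauthentication no'

printf '%s\n' "$SAMPLE_DRIFTED" | audit_sshd 999 || true
```

On the server, run `sudo sshd -T | audit_sshd 999`. Because `sshd -T` resolves `Include` files, the result reflects what the daemon actually uses rather than what one file says.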
    

Set Up Firewall

  1. Set up firewall

    Now we need to be sure we open the firewall for our new ssh port:

    ... sudo ufw app list
    
    ... sudo ufw allow OpenSSH
    # open the port number here:
    ... sudo ufw allow 999/tcp
    ... sudo ufw enable
    
  2. Confirm Firewall Status

    Check the firewall status. You should see only OpenSSH and your new ssh port number listed:

    ... sudo ufw status
    Status: active
    
    To                         Action      From
    --                         ------      ----
    OpenSSH                    ALLOW       Anywhere
    999/tcp                    ALLOW       Anywhere
    OpenSSH (v6)               ALLOW       Anywhere (v6)
    999/tcp (v6)               ALLOW       Anywhere (v6)