Dev Site - Arch Linux configuration and extra security

Security

Creating a new user

The first thing you should do with a new Linux web server is create a user who can use sudo and disable logins with root. With root being the default user, and the one with the most access, it is a prime target for any attackers.

Creating a new user is fairly simple. You can follow the Arch Linux Wiki’s Users and groups page, or use the commands below.

To add the user dylan:

# useradd -m -G wheel -s /bin/bash dylan

The parameters are:

-m: Create a home directory

-G: Add user to additional groups (the “wheel” group, which we will use with sudo later). Multiple groups can be specified by comma separating them, without spaces

-s: Login shell, I am using the default /bin/bash

Now you need to set the password. Simply use:

# passwd dylan

And follow the prompts.

Copying the SSH key

To get your SSH key working with the new user, you need to copy the authorized_keys file already set up for root into the new user's home directory. You can do this by running the following commands:

# mkdir /home/dylan/.ssh/
# chown dylan /home/dylan/.ssh/
# cp ~/.ssh/authorized_keys /home/dylan/.ssh/
# chown dylan /home/dylan/.ssh/authorized_keys

These commands:

  • Create the SSH directory for dylan, using mkdir
  • Make sure dylan owns the SSH directory, using chown
  • Copy the authorized_keys file (containing our public key) into dylan’s SSH folder, using cp
  • Make sure dylan owns the authorized_keys file, again using chown

You should now be able to log into your new account (instead of root) using PuTTY, with the same configuration we set up last time.
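If the login is refused after copying the key, ownership and modes are the usual cause: with StrictModes on (the default), sshd refuses to use authorized_keys when the file, the .ssh directory or the home directory is owned by someone other than the user or root, or is writable by group or others. The script below is an added example, not from the original article; its function names are hypothetical and it applies that check to a home directory:

```shell
#!/bin/sh
# Added example: apply the StrictModes ownership/mode rule to a user's home,
# .ssh directory and authorized_keys file. Function names are hypothetical.

# Succeed if path $1 is owned by uid $2 (or by root) and is not writable by
# group or others. Parses POSIX "ls -ldn" output only.
path_is_strict() {
    info=$(ls -ldn -- "$1" 2>/dev/null) || { echo "MISSING $1"; return 1; }
    perms=${info%% *}                                  # e.g. drwxr-xr-x
    owner=$(printf '%s\n' "$info" | awk '{ print $3 }') # numeric uid
    case $owner in
        "$2"|0) ;;
        *) echo "BAD owner uid $owner: $1"; return 1 ;;
    esac
    case $perms in
        ?????w*|????????w*) echo "BAD mode $perms: $1"; return 1 ;;
    esac
    return 0
}

# Check all three paths for home directory $1 and numeric uid $2.
check_ssh_login_files() {
    rc=0
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        path_is_strict "$p" "$2" || rc=1
    done
    return "$rc"
}

# Constructed demo: a throwaway home directory owned by the current user.
demo() {
    home=$(mktemp -d) && mkdir "$home/.ssh" && : > "$home/.ssh/authorized_keys"
    chmod 700 "$home" "$home/.ssh"
    chmod 600 "$home/.ssh/authorized_keys"
    check_ssh_login_files "$home" "$(id -u)" && echo "strict: ok"
    chmod g+w "$home/.ssh"     # group-writable .ssh is rejected
    check_ssh_login_files "$home" "$(id -u)" || echo "strict: key would be refused"
    rm -rf "$home"
}

if [ $# -eq 2 ]; then check_ssh_login_files "$1" "$2"; else demo; fi
```

On the server this would be run as, for example, sh check.sh /home/dylan "$(id -u dylan)". The modes left by the commands above pass the check; chmod 700 on .ssh and chmod 600 on authorized_keys tighten them further.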

Installing and configuring sudo

Before we can use our fancy new account, we need to get sudo installed and set up. This way, we can use our account to configure the system instead of root.

Again, you can read the Sudo page on the Arch Linux Wiki, or follow the commands below.

More than likely, sudo is already installed. If not, just install it using pacman:

# pacman -S sudo

To configure sudo, you’ll need to use the visudo command. This opens the sudo configuration file in vi and checks it for mistakes when you save it. You should always use visudo; do not edit the sudoers file directly.

# visudo

If you do not want to use vi, then review the Wiki page to see how to set up a different editor.

Once in the sudoers file, search for wheel and uncomment the first line, which will allow any member of the wheel group to execute any command.

That’s it. Then just save and quit.

Now you should be able to log into your account and run any command using sudo.

We will use our new account from here on out.

(Note: I am going to use Vim from now on, but you can use whatever editor you would like.)

Disabling password-only logins via SSH

By default, users can log in through SSH with either a key or a password. If the key fails, or you do not provide one, the system will happily let you enter your password to log in.

We want every user logging in to provide their key, so we are going to completely disable password-only logins.

This is very simple: just edit /etc/ssh/sshd_config and set PasswordAuthentication to no:

# sudo vim /etc/ssh/sshd_config

Once that is complete, restart the sshd daemon so that the new changes are picked up:

# sudo systemctl restart sshd

Now if you try to log in without your key, it will fail.

Disabling root logins via SSH

We have our new account set up with the required permissions, so now it is finally time to disable the root login via SSH. This will ensure that nobody can log into root from outside.

Note that root can still be accessed through the Digital Ocean console, in case you need it.

This is similar to disabling password-only logins: you need to edit /etc/ssh/sshd_config and set PermitRootLogin to no:

# sudo vim /etc/ssh/sshd_config

Now just restart the sshd daemon again:

# sudo systemctl restart sshd

And root logins are disabled! Even if you have the key, SSH will refuse to connect.

Changing the SSH port

This step is really not necessary, but I like to do it anyway. You can change the default SSH port from 22 to anything else by editing the sshd_config file again:

# sudo vim /etc/ssh/sshd_config

Uncomment the Port option and set it to whatever you want.

Restart the sshd daemon again:

# sudo systemctl restart sshd

Now if you try to log into the server using port 22, it will refuse the connection.

Update your PuTTY configuration to use the new port, and you should be able to log in just like before.
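The three sshd_config edits above can be checked with a short script. This is an added example, not part of the original article; the function names are made up for it, and it reads only the global part of a single file (it does not follow Include lines or Match blocks).

```shell
#!/bin/sh
# Added example: audit the global section of an sshd_config-style file.

# Print the effective global value of keyword $2 in file $1, or nothing.
# sshd uses the FIRST value it reads for a keyword, compares keywords
# case-insensitively, and ignores lines that begin with '#'.
sshd_effective() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ || /^[ \t]*$/ { next }     # comment or blank line
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = split(line, f, /[ \t]+/)
            key = tolower(f[1])
            if (key == "match") exit           # conditional overrides start here
            if (key == want && n >= 2) { print tolower(f[2]); exit }
        }
    ' "$1"
}

# Return 0 only if password logins and root logins are both disabled in $1.
audit_sshd() {
    rc=0
    pw=$(sshd_effective "$1" PasswordAuthentication)
    root=$(sshd_effective "$1" PermitRootLogin)
    port=$(sshd_effective "$1" Port)
    # OpenSSH defaults apply when a keyword is absent or still commented out.
    [ -n "$pw" ] || pw=yes
    [ -n "$root" ] || root=prohibit-password
    [ -n "$port" ] || port=22
    [ "$pw" = no ] || { echo "FAIL PasswordAuthentication=$pw"; rc=1; }
    [ "$root" = no ] || { echo "FAIL PermitRootLogin=$root"; rc=1; }
    echo "INFO Port=$port"
    return "$rc"
}

# With no argument, audit a constructed sample: one setting is still
# commented out and the other is shadowed by an earlier "yes" line.
if [ $# -gt 0 ]; then
    audit_sshd "$1"
else
    tmp=$(mktemp)
    printf '%s\n' '#PermitRootLogin no' 'PasswordAuthentication yes' \
        'PasswordAuthentication no' > "$tmp"
    audit_sshd "$tmp" || :
    rm -f "$tmp"
fi
```

On the server itself, sudo sshd -t checks the file for syntax errors before you restart the daemon, and sudo sshd -T prints the configuration sshd will actually use, including anything this parser skips.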

Extra configuration/packages

These steps are purely optional, but I always install the following packages on my Arch systems.

Vim

Vim is an improved version of vi, and I use it as my default editor. You can easily install it using:

# sudo pacman -S vim

Tmux

tmux is another standard package that I use a lot. It is a terminal multiplexer, which means that you can have multiple terminal windows up on one login screen.

This is super useful because you do not have to log in multiple times to edit multiple files at once.

Just install it with pacman:

# sudo pacman -S tmux

The Arch Linux image that we are using does not have the UTF-8 locale set up, so you will also need to do that. Otherwise you will get the error:

tmux: need UTF-8 locale (LC_CTYPE) but have ANSI_X3.4-1968

To do this, uncomment en_US.UTF-8 UTF-8 in /etc/locale.gen (using sudo) and then run:

# sudo locale-gen

Once that is done, you can run tmux.

Yay

One last package to install, and this one is super helpful. yay allows you to easily install packages from the AUR (Arch User Repository).

It is an AUR package, so we will need to install it manually.

If you do not already have git, install it:

# sudo pacman -S git

I will just make an AUR folder in my home directory:

# mkdir ~/aur
# cd ~/aur

Then clone the repository from the AUR:

# git clone https://aur.archlinux.org/yay.git

Now just build and install the package, following the prompts as needed:

# cd yay
# makepkg -si

Once installed, you can pretty much replace any command using pacman with yay. If the package is in the AUR, it will automatically pull it from there.

You also should not use sudo with yay, as it will call sudo itself only when required.

If you want to update the system, you can just use “yay” by itself.

Yay!

Next Time

In the next article, we will set up a simple web page using nginx, then buy a domain name, and configure Let’s Encrypt.