First of all, not being able to connect to your Ubuntu server via SSH as root is ‘by design’, and it’s a perfectly good security measure. I do find it interesting that every hosting company I’ve ever used spins up a new machine, then emails me the root password, having enabled it anyway?
I needed to enable this recently and the internet is full of posts saying ‘just edit the config file and restart the service’. What they don’t tell you is that the root user is disabled by default, so even with a valid password, IT STILL WON’T WORK!
Solution
Connect to your Ubuntu machine, and reset the root user password, (so you know what it is).
[box]sudo passwd root[/box]
As shown you will need to enter your password first, then enter and confirm a new root password.
Then ‘unlock the root account’;
[box]sudo passwd -u root[/box]
Note: If you ever want to ‘lock‘ it again, use (sudo passwd -l root).
Now you can edit the sshd config file;
[box]sudo nano /etc/ssh/sshd_config[/box]
Locate the line ‘PermitRootLogin’ and change it so it ONLY says yes (as below).
Note: Here I’m also changing the SSH port (to 2223 in this example, from the default port of 22), I usually change the default SSH port.
Now finally, restart the SSH daemon (that always looks like it’s spelled incorrectly!) with the following command;
[box]sudo service sshd restart[/box]
Don’t forget if, (like me) you changed the port, you will need to specify that in your client connection software (i.e. PuTTy or RoyalTSX).
At the time of writing this site is running on CentOS7 LAMP (Linux Apache MySQL and PHP). Well, I’m actually using MariaDB rather than MySQL, as it’s ‘supposed’ to be a little faster, but they are similar enough to be accepted. I’m planning to migrate to Ubuntu 17 LEMP (Linux ‘EnginX’ MySQL and PHP), again with MariaDB. As the site is getting more traffic I want to utilise the better performance of nginx (I know I called it EnginX above, but ‘LNMP stack’ doesn’t sound so good, and nginx is pronounced ‘engine x’).
So the following series of articles will be how to install nginx, MariaDB, PHP and WordPress.
Solution
Installing Linux
You have essentially two choices: do what most people do and go to a hosting company and rent a VPS (virtual private server) for a monthly fee. Then when you set it up you can select what flavour of Linux you require, press go, and by the time you have had a coffee they will have emailed you the IP and logon details, and Linux is already installed for you. You can of course install Linux on your own server and, as long as you can make it publicly available, use that.
The main difference is, if your hosting company builds it for you, the root user will be enabled and you will connect with the root user and password. If you build your own server you will connect with a user account and root will be disabled. If you know nothing about Linux, that means that to execute any system-level commands you need to prefix them with ‘sudo’ (or type su and enter the root password). If you are logged in as root and use sudo it makes no difference, so I will prefix all the commands I use below with sudo to make things easier; just remember the first time you use sudo it will ask for your password again.
Why Ubuntu? Well, I use CentOS presently, but while doing research there was little information on getting nginx and PHP7 running on CentOS, whereas there was for Ubuntu. That’s the only reason I’m switching OS.
Update The Server
It might have been built from an image, but that does not mean the image was up to date. Thankfully that’s simple to fix; run the following command to see if there are any updates.
[box]sudo apt update[/box]
In my example there are two updates; I can install them with the following command (you may be asked to answer ‘y’ for yes);
[box]sudo apt upgrade[/box]
Change the Linux SSH Port
Note: If you built the server, you may need to install openssh server.
[box]sudo apt-get install openssh-server[/box]
I’ve had servers compromised in the past so let’s start with some basic security, I always change the default SSH port, in this example I’ll use 2223 (instead of the default SSH port of 22).
Edit the SSH config file;
[box]sudo nano /etc/ssh/sshd_config[/box]
Uncomment and change the Port number to something other than 22, (make it above 1024 to be on the safe side, I’m using 2223).
Note: If you built your own server, and you are allowing root access to SSH you may want to see the following article;
Traditionally Linux uses iptables (or FirewallD for CentOS). I like iptables, because like all things Linux I worked out how to set it up, and wrote it down. Ubuntu has a ‘front-end’ to iptables that’s still command driven, called UFW (uncomplicated firewall), which I didn’t want to learn about because I use iptables! But in all honesty UFW is so simple it’s painfully easy.
I want to allow TCP 80 (http), TCP 443 (https), and TCP 2223 (for my SSH server). And that’s it, block everything else incoming, allow the server to speak out, and secure the server.
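The UFW rule set just described, as an added example that is not from the original post: default deny incoming, allow outgoing, then allow TCP 80, 443 and the SSH port. The SSH port defaults to 2223 (the value used above) and can be overridden with SSH_PORT; DRY_RUN and the function names are this script’s own. The SSH rule is deliberately added before the firewall is enabled, so the session you are typing into is not cut off, and the script defaults to printing the commands rather than running them.

```shell
#!/bin/sh
# Added example (not from the original post): build and apply the UFW rule set
# described above. Defaults to a dry run that only prints the commands;
# set DRY_RUN=0 to execute them with sudo.
SSH_PORT="${SSH_PORT:-2223}"   # assumption: 2223 is the custom SSH port chosen above
DRY_RUN="${DRY_RUN:-1}"

# valid_port PORT -> returns 0 if PORT is an integer in 1..65535
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# ufw_plan SSH_PORT -> prints the ufw commands, one per line, in the order they
# must run: defaults first, the SSH rule before enabling, enable last.
ufw_plan() {
    valid_port "$1" || { echo "invalid SSH port: $1" >&2; return 1; }
    printf '%s\n' \
        "ufw default deny incoming" \
        "ufw default allow outgoing" \
        "ufw allow $1/tcp" \
        "ufw allow 80/tcp" \
        "ufw allow 443/tcp" \
        "ufw --force enable"
}

# ufw_apply SSH_PORT -> runs the plan (or prints it when DRY_RUN=1)
ufw_apply() {
    valid_port "$1" || return 1
    while IFS= read -r cmd; do
        if [ "$DRY_RUN" = "1" ]; then
            echo "[dry-run] $cmd"
        else
            # word-splitting of $cmd into command and arguments is intended here
            sudo $cmd || return 1
        fi
    done <<EOF
$(ufw_plan "$1")
EOF
}

# Stand-alone run: show (or apply) the rule set for the configured port
ufw_apply "$SSH_PORT"
```

Run it once as a dry run to read the plan, then `DRY_RUN=0 SSH_PORT=2223 sh ufw-rules.sh` to apply it; if the port number does not match the one in sshd_config you will lock yourself out, which is exactly what the port validation and the dry run are there to catch.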
Note: If it looks like it’s frozen, press Ctrl+C to get the cursor back
Set MariaDB to start when the server restarts;
[box]systemctl enable mariadb[/box]
Secure MariaDB: At the moment MariaDB will have a blank root password, (it has its own root user). So to secure it you simply run;
[box]sudo mysql_secure_installation[/box]
Note: It immediately asks for a password (it will be blank, so hit {Enter}); answer ‘Y’ to set a root password, set a fresh one (you will need it in a minute, so remember what it is!), then accept all the defaults by just pressing {Enter}.
Create Your WordPress Database
WordPress needs a database, to get WordPress talking to MariaDB (or MySQL) you need three things;
A database name.
A username to access the database.
A password for that user.
So in the following example I will use;
Database Name: PETESDATABASE
Username: petesuser
Password: P@ssword12345
Execute the following commands one by one;
[box]
sudo mysql -u root -p
{Enter the root password you just set for MariaDB}
CREATE DATABASE PETESDATABASE;
CREATE USER 'petesuser'@'localhost' IDENTIFIED BY 'P@ssword12345';
GRANT ALL ON PETESDATABASE.* TO 'petesuser'@'localhost';
FLUSH PRIVILEGES;
exit
[/box]
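The same database setup as a script, added here as an example that is not part of the original post. It builds the three statements above from the database name, username and password, but validates the two names before they are spliced into SQL and escapes the password for the string literal, so a stray quote cannot break (or alter) the statements. The password is read from an environment variable rather than a command-line argument so it does not appear in the process list; the variable and function names are this script’s own, and the sample values are the ones the post uses.

```shell
#!/bin/sh
# Added example (not from the original post): generate and apply the SQL that
# creates the WordPress database and its user. Names are validated, the
# password is escaped, and nothing runs against MariaDB unless WP_DB_APPLY=1.
DB_NAME="${DB_NAME:-PETESDATABASE}"      # sample values from the post
DB_USER="${DB_USER:-petesuser}"
DB_PASS="${DB_PASS:-P@ssword12345}"     # pass via environment, not argv

# valid_ident NAME -> 0 if NAME is safe to use unquoted as a database/user name
valid_ident() {
    case "$1" in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
    esac
    [ ${#1} -le 64 ]
}

# sql_escape STRING -> STRING with backslash and single quote escaped for a
# MariaDB/MySQL single-quoted string literal
sql_escape() {
    printf '%s\n' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/''/g"
}

# wp_db_sql DB USER PASS -> prints the statements. The password is set once, in
# CREATE USER; the GRANT carries no IDENTIFIED BY (MySQL 8 rejects it there and
# MariaDB does not need it).
wp_db_sql() {
    db="$1"; user="$2"; pass="$(sql_escape "$3")"
    valid_ident "$db"   || { echo "bad database name: $db" >&2; return 1; }
    valid_ident "$user" || { echo "bad user name: $user" >&2; return 1; }
    printf '%s\n' \
        "CREATE DATABASE IF NOT EXISTS $db;" \
        "CREATE USER IF NOT EXISTS '$user'@'localhost' IDENTIFIED BY '$pass';" \
        "GRANT ALL PRIVILEGES ON $db.* TO '$user'@'localhost';" \
        "FLUSH PRIVILEGES;"
}

# wp_db_apply DB USER PASS -> feeds the SQL to the local server as the MariaDB
# root user; mysql prompts on the terminal for the root password set earlier
wp_db_apply() {
    wp_db_sql "$1" "$2" "$3" | mysql -u root -p
}

if [ "${WP_DB_APPLY:-0}" = "1" ]; then
    wp_db_apply "$DB_NAME" "$DB_USER" "$DB_PASS"
else
    echo "# dry run; set WP_DB_APPLY=1 to execute:"
    wp_db_sql "$DB_NAME" "$DB_USER" "$DB_PASS"
fi
```

Without WP_DB_APPLY=1 it only prints the statements, which is a convenient way to review them before `WP_DB_APPLY=1 DB_PASS='…' sh wp-db.sh` runs them for real. Use a generated password in practice (for example the output of `openssl rand -base64 24`) rather than the sample one above.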
The following is by no means an extensive list of everything that can be done. It’s just a run though of what I would consider ‘good practice’.
Solution
Create a user for SSH and Remove Shell access for the ‘root’ user.
1. Connect to the server via SSH or open a terminal session and su to root. Create a new user then set and confirm the new users password.
[box]useradd {username}
passwd {username}[/box]
2. Test access for your new user.
3. To make changes to shell access, you need to edit the sshd_config file, to do that I’m using the nano editor.
Note: If you do not have nano installed, run ‘yum install nano’.
[box]nano /etc/ssh/sshd_config[/box]
4. Locate PermitRootLogin and change it to no.
5. Locate the ‘PermitRootLogin without-password’ line and comment it out (prefix it with a hash #, or pound if you’re American).
[box]# PermitRootLogin without-password[/box]
Limit SSH / Shell access to particular User(s)
6. Add the following line to allow the user you create above only.
[box]AllowUsers {username}[/box]
Note: If you had multiple users, you can add them separated by a space.
Disable SSH Version 1 and Force SSH Version2
7. Ensure Protocol 2 is NOT hashed out and the line activating protocol 1 IS hashed out.
Change the SSH / shell Port Number
8. SSH by default runs over TCP port 22; this is a well known port to advertise to the outside world. To change it (in this case to 2200), change the existing Port 22 line;
[box]Port 2200[/box]
Note: There is no hard and fast rule on what port to use, but for production I would suggest a random number above 1024 but below 65535.
9. At this point close nano and save the changes, (press CTRL+W and Y to save the changes).
10. The changes will not take effect until after you have restarted the SSH service/daemon.
[box]service sshd restart[/box]
11. At this point you can check that the root user no longer has SSH / Shell access.
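A check for the sshd_config edits made in steps 3 to 8 (and for the PermitRootLogin / Port edits in the Ubuntu article at the top of this page), added here as an example that is not part of the original post. sshd uses the first uncommented occurrence of a keyword outside any Match block, so a `PermitRootLogin no` added below an earlier `PermitRootLogin yes` changes nothing; the checker mirrors that rule and reads the effective values of PermitRootLogin, Port, AllowUsers and Protocol. The expected port defaults to 2200 (the value used in step 8) and can be overridden with SSH_PORT; the sample config is constructed for the demonstration and the function names are this script’s own. One caveat on step 7: OpenSSH 7.4 and later dropped protocol 1 from the server entirely and ignore the Protocol keyword, so on a current server an unset Protocol is fine and only an explicit 1 is worth flagging.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config for the
# settings this guide asks for, honouring sshd's first-match rule.
SSH_PORT="${SSH_PORT:-2200}"   # assumption: the port chosen in step 8

# sshd_get FILE KEYWORD -> prints the effective value of KEYWORD: first match,
# keyword compared case-insensitively, comments/blank lines skipped, and every
# line after the first "Match" ignored (those apply conditionally). Prints
# nothing if the keyword is not set. Handles the "Keyword value" form only.
sshd_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match" { inmatch = 1; next }
        inmatch { next }
        tolower($1) == key { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# sshd_check LABEL ACTUAL EXPECTED -> prints PASS/FAIL, sets rc=1 on FAIL
sshd_check() {
    if [ "$2" = "$3" ]; then
        echo "PASS $1 = $2"
    else
        echo "FAIL $1 = '${2:-<unset>}' (want $3)"; rc=1
    fi
}

# sshd_audit FILE -> one line per check; returns 1 if anything failed
sshd_audit() {
    cfg="$1"; rc=0
    sshd_check PermitRootLogin "$(sshd_get "$cfg" PermitRootLogin)" no
    sshd_check Port "$(sshd_get "$cfg" Port)" "$SSH_PORT"
    users=$(sshd_get "$cfg" AllowUsers)
    if [ -n "$users" ]; then
        echo "PASS AllowUsers = $users"
    else
        echo "FAIL AllowUsers unset (every account may attempt to log in)"; rc=1
    fi
    proto=$(sshd_get "$cfg" Protocol)
    case "$proto" in
        *1*) echo "FAIL Protocol = $proto (protocol 1 enabled)"; rc=1 ;;
        *)   echo "PASS Protocol = ${proto:-<unset, v2 only on modern OpenSSH>}" ;;
    esac
    return $rc
}

# sample_config -> writes a constructed sshd_config to a temp file and prints
# its path. It deliberately shows the first-match pitfall: the second
# PermitRootLogin line is ignored by sshd, so root login is still allowed.
sample_config() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# Port 22
Port 2200
Protocol 2
PermitRootLogin yes
AllowUsers pete
PermitRootLogin no
# PermitRootLogin without-password
Match User backup
    PermitRootLogin no
EOF
    echo "$tmp"
}

# Stand-alone run: audit the constructed sample (expect a FAIL on PermitRootLogin)
f=$(sample_config)
sshd_audit "$f" || :
rm -f "$f"
```

On a real server run `sshd_audit /etc/ssh/sshd_config` (after sourcing the file), ideally before restarting the daemon, and keep your existing session open until a second login with the new user on the new port has succeeded; `sshd -t` is the daemon’s own syntax check and complements this one.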