How to set up your Cloud Server securely
Updated: Nov 23, 2022
To run any node, such as a Cardano node or an Ethereum validator, on a cloud server, you first need to set up the server securely. These are the seven settings I have sorted out and found to be the most important for setting up the server securely.
I have a dual-boot system with Ubuntu 20.04 LTS and Microsoft Windows 10 Pro 64-bit as my operating systems. I prefer Ubuntu as my operating system for running the node server. For this setup guide I will use Windows PowerShell to access the cloud server running Ubuntu 20.04 LTS. I use my local Ubuntu OS to access only my Cardano nodes.
First, go to any cloud service provider and create an instance/server. Then, from your local computer, use an SSH client to connect to your remote cloud server. The default login/username is always 'root'. At this stage you must also have the root password to log in to your remote server. The CLI format to connect to your remote server is:
ssh root@<ip address of your remote server>
PS C:\WINDOWS\System32> ssh email@example.com
You will see the following message once while connecting to your remote server. Type yes and press enter to accept it.
The server's IP address is added to the list of known hosts. Now enter the password to get access to your remote cloud server.
We are now logged in to our remote server with the root password. This method of accessing the server is not secure, and we need to change it by disabling root login and password, as we will see later.
Now, among the seven layers of security, we will first see how to create a new user.
First check the user login with the command 'whoami'.
So we are logged in as user 'root'. Now let's create a new user as our first layer of security.
root@vmi547465:~# adduser rocket
Adding user 'rocket' ...
Adding new group 'rocket' (1000) ...
Adding new user 'rocket' (1000) with group 'rocket' ...
Creating home directory '/home/rocket' ...
Copying files from '/etc/skel' ...
Since I re-created user 'rocket' after deleting it, I got the following message:
The home directory '/home/rocket' already exists. Not copying from '/etc/skel'.
If you are creating a new user for the first time, you won't see the above message.
Now create a password for the new user rocket.
Retype new password:
passwd: password updated successfully
Changing the user information for rocket
Enter the new value, or press ENTER for the default
Room Number :
Work Phone :
Home Phone :
If the information provided is correct, accept it with 'y' and press Enter.
We have now created the user 'rocket' with the required information. Now let's give root privileges to the user 'rocket' with the following command:
root@vmi547465:~# usermod -aG sudo rocket
Now let's switch to the new user 'rocket' with the command:
root@vmi547465:~# sudo su - rocket
rocket@vmi547465: $ whoami
Now that we are logged in as user 'rocket', let's check whether root privileges have been given to user 'rocket' with the following command:
rocket@vmi547465: $ sudo whoami
[sudo] password for rocket:
Now, logged in as user 'rocket', let's list all the files/folders, including hidden ones.
rocket@vmi547465: $ ls -a
.bash_history .bash_logout .bashrc .cache .local .profile .sudo_as_admin_successful
You can see that there is no folder named '.ssh'. We need to create a '.ssh' folder under user 'rocket' to keep the RSA public key.
First we need to create an RSA key pair (public/private) on our local computer. The necessary steps are in the documentation provided below.
The steps involved are as follows:
Open Windows PowerShell as admin.
PS C:\WINDOWS\system32> ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (C:\Users\anupa/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in C:\Users\anupa/.ssh/id_rsa.
Your public key has been saved in C:\Users\anupa/.ssh/id_rsa.pub.
Note two important things here. First, you must not change the default path for saving the RSA key pair; the '.ssh' folder will be created automatically under the user. Second, you must create a passphrase for your RSA key pair. In Windows PowerShell the passphrase is asked every time you access your remote server, but in Ubuntu the passphrase is asked only once, the first time you access your remote server.
Now let's check the RSA public key on your local computer with the command:
PS C:\WINDOWS\system32> cat ~/.ssh/id_rsa.pub
The output will be your RSA public key displayed on screen.
This RSA public key displayed on your local computer also needs to be copied to your remote computer to establish a secure connection via SSH. There are various methods to do so:
1) Copying Public Key Using ssh-copy-id
2) Copying Public Key Using SSH
3) Copying Public Key Manually
Windows PowerShell does not support all of these commands. Methods 1 and 3 may not work in PowerShell, but they will definitely work on Ubuntu. Here we will use method 2 in PowerShell. For details on all the methods, you can check the tutorial here.
Using method 2, run the following command on your local computer to copy the RSA public key to your remote computer:
PS C:\WINDOWS\system32> cat ~/.ssh/id_rsa.pub | ssh username@remote_host "mkdir -p ~/.ssh && touch ~/.ssh/authorized_keys && chmod -R go= ~/.ssh && cat >> ~/.ssh/authorized_keys"
Replace 'username@remote_host' with your username and your remote server's IP address. Here we use 'firstname.lastname@example.org'
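
A check to run on the server after the copy command above, added here as an example and not part of the original guide: it confirms that '.ssh' and 'authorized_keys' carry the permissions that 'chmod -R go=' sets and that every entry is a well-formed key line. The function names are illustrative, and it accepts ssh-ed25519 entries in addition to the RSA keys this guide generates.

```sh
#!/bin/sh
# Added example: audit what the key-copy command leaves on the server.
# Function names are illustrative, not from the guide.

# Octal permission bits of a path (GNU stat, falling back to BSD stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# True when group and others have no access at all, which is what
# `chmod -R go= ~/.ssh` produces (e.g. 700 for the directory, 600 for the file).
is_private() {
    [ -e "$1" ] || return 1
    case "$(mode_of "$1")" in
        *00|0) return 0 ;;
        *)     return 1 ;;
    esac
}

# Count lines that are not blank, not comments, and not "<type> <base64> [comment]"
# with a blob that begins with the encoding of its own type name. A key that was
# wrapped or cut while being pasted shows up here. Entries with leading options
# are counted too; the copy command in the guide never writes any.
bad_key_lines() {
    awk '
        BEGIN { b64 = "[A-Za-z0-9+/]+=*$" }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $1 == "ssh-rsa"     && $2 ~ ("^AAAAB3NzaC1yc2E" b64)      { next }
        $1 == "ssh-ed25519" && $2 ~ ("^AAAAC3NzaC1lZDI1NTE5" b64) { next }
        { bad++ }
        END { print bad + 0 }
    ' "$1"
}

# Audit one .ssh directory: prints findings, returns non-zero if there are any.
audit_ssh_dir() {
    dir=$1; keys=$1/authorized_keys; rc=0
    [ -f "$keys" ] || { echo "FAIL $keys is missing"; return 1; }
    is_private "$dir"  || { echo "FAIL $dir is accessible to group/others"; rc=1; }
    is_private "$keys" || { echo "FAIL $keys is accessible to group/others"; rc=1; }
    n=$(bad_key_lines "$keys")
    [ "$n" -eq 0 ] || { echo "FAIL $n malformed line(s) in $keys"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK $dir"
    return "$rc"
}

# Usage on the server, as the new user:  audit_ssh_dir "$HOME/.ssh"
```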