How to configure an open-source Linux-based virtual machine on any cloud computing platform.
Linux-based virtual machines power most of the world's cloud computing servers. Linux is among the most preferred open-source server operating systems available. Learning to set up and configure one in the cloud on your own saves a ton of money in the long run.
Since Linux is open source, multiple distributions are available. Numerous companies have taken the base version and developed it further to add features, and most of these are again available as open source.
These distributions include Ubuntu, CentOS, CoreOS, Rancher and FreeBSD. Almost every cloud computing company makes these server versions available for your selection.
Initial setup and necessary configuration
When you create the server and install the OS for the first time, the installation configures the system with default parameters. For additional security, and to allow authorized access to the server, we need to make some further administrative changes to this default setup.
Why do we need to create a regular user for server administration?
By default, the system has a root user with heightened access privileges. The root user is part of the sudo administrative user group, with unlimited privilege to do pretty much anything. Hence, it's not advisable to use the root user for day-to-day administrative operations.
That's why it's necessary to create a regular user with a reduced scope of access.
Switching from Root to Regular user
First, log in to the server.
Here, I am assuming that you created the server with the default password and that SSH key-based authentication is not enabled. In that case, you need the default password.
If instead you have already added an SSH key to the server, you need to log in with the private SSH key and its passphrase (if one is set).
$ ssh root@your_vps_ip
Expect multiple host authenticity warnings, and accept them. You will then be asked for the root password to log in. If you are using an SSH key with a passphrase, enter the passphrase when prompted.
Assuming this is the first password-based login, you are prompted to change the password. Go ahead and choose a strong password to protect your server from unauthorized access.
Create a new user
With the command below, you can create a new user called lens on the server.
The system will prompt you with a list of questions, and you can answer them accordingly. One of them is the account password; it's optional whether you want to protect the account with additional password authentication.
If you want to skip any question, just press ENTER to move on.
$ sudo adduser lens
Why do we have to add administrative privileges?
In everyday server maintenance, some tasks require administrative-level authorization. To satisfy that, we can add this regular user to the sudo user group.
The significant difference is that when a regular user asks the server to do such things, the command needs to be prefixed with sudo, to indicate that the task must be executed with administrative privileges.
Add administrative privileges
While logged in as root, run the command below to add the user lens to the sudo user group.
$ usermod -aG sudo lens
Establish the server firewall
Linux servers have the UFW firewall built in. Using it, we can limit the types of connections allowed from any external system.
In this example, we have talked about accessing the server over SSH. Assuming you are creating this server to host an internet-based web application, we can also add the HTTP and HTTPS protocols to the firewall.
With this configuration in place, the server will not allow any other type of connection from outside, which provides one additional level of security beyond access control.
UFW configuration happens at the level of server applications, so any application installed on the server can register its firewall profile. In our example, we have identified SSHClient and HTTP module.
To include them, execute the following commands.
First, see the list of existing applications.
$ ufw app list
The output lists all applications available inside UFW.
Cli output
OpenSSH
HTTP
Assuming the output has not shown any applications, we can allow and enable access to the server over SSH and HTTP connections by executing the commands below.
$ ufw allow OpenSSH
$ ufw allow 'Nginx HTTP'
$ ufw enable
After this, you can check the firewall status by typing:
$ ufw status
You will see the command line interface print something like the following.
Cli Output
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx HTTP                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx HTTP (v6)            ALLOW       Anywhere (v6)

With this output displayed in the CLI, you can be sure that the system is currently blocking anything other than SSH and HTTP connection attempts to the server.
If you need to enable new applications with a different type of connection, you have to configure a UFW profile for them as required.
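The status check above can be scripted so that it fails loudly when a rule appears that nobody intended. This is an added example, not part of the original article: the function name ufw_unexpected_rules is hypothetical, and the 3306/tcp line in the demo input is constructed to show a finding.

```shell
#!/bin/sh
# Added example: compare "ufw status" output against an allowlist of profiles.
# Usage: ufw status | ufw_unexpected_rules "OpenSSH" "Nginx HTTP"
# Prints each ALLOW/LIMIT target that is not on the allowlist.
# Returns 0 = only expected rules, 1 = unexpected rule, 2 = firewall not active.
ufw_unexpected_rules() {
    # One allowlist entry per line, passed via the environment so that
    # profile names containing spaces survive intact.
    ALLOWLIST=$(printf '%s\n' "$@") awk '
        BEGIN {
            n = split(ENVIRON["ALLOWLIST"], a, "\n")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
            active = 0; bad = 0
        }
        /^Status: active/ { active = 1; next }
        # Rule lines look like "<To>  <ACTION> [IN|OUT]  <From>". The To column
        # may contain spaces, so cut at the action keyword, not by field.
        match($0, / +(ALLOW|LIMIT)( IN| OUT)? +/) {
            to = substr($0, 1, RSTART - 1)
            sub(/ \(v6\)$/, "", to)          # IPv6 twin of the same profile
            if (!(to in ok)) { bad = 1; if (!seen[to]++) print to }
        }
        END { if (!active) exit 2; exit bad }
    '
}

# Demo: the status output shown above plus one constructed extra rule.
ufw_unexpected_rules "OpenSSH" "Nginx HTTP" <<'EOF' || echo "unexpected rules found (exit $?)"
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx HTTP                 ALLOW       Anywhere
3306/tcp                   ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx HTTP (v6)            ALLOW       Anywhere (v6)
EOF
```

On a live server, pipe the real ufw status output into the function instead of the here-document.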
Enabling SSH access for the regular user lens
Which one is better, Password or SSH Key-based authentication?
To enhance server security, it is highly recommended to do away with password-only remote access to the server.
Extending your public SSH key to the regular user account is easy to set up with a single command.
$ rsync --archive --chown=lens:lens ~/.ssh /home/lens
The command above assumes that you have already attached the SSH public key to the root user account. In that case, it simply copies the whole ~/.ssh directory and changes its ownership so that it works with the lens user account.
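The copy only helps if root actually had a key and the result has the ownership and permissions sshd expects. The following check is an added example, not part of the original article; the helper name check_ssh_dir is hypothetical, it assumes GNU stat (standard on Linux), and the demo runs against a constructed temporary directory rather than /home/lens.

```shell
#!/bin/sh
# Added example: verify the result of the rsync key copy.
# Usage: check_ssh_dir /home/lens "$(id -u lens)"
# Prints each problem found and returns 1 if there is any, 0 otherwise.
# sshd (StrictModes, on by default) ignores authorized_keys when the home
# directory, .ssh or the file is group/other writable or owned by another user.
check_ssh_dir() {
    home=$1 want_uid=$2 bad=0
    for path in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$path" ]; then
            echo "missing: $path"; bad=1; continue
        fi
        [ "$(stat -c '%u' "$path")" = "$want_uid" ] ||
            { echo "not owned by uid $want_uid: $path"; bad=1; }
        mode=$(stat -c '%a' "$path")
        case $mode in   # write bit (2) set in the group or the other digit
            *[2367]?|*[2367]) echo "group/other writable ($mode): $path"; bad=1 ;;
        esac
    done
    # A password-only root account may have had no key to copy at all.
    keys=$home/.ssh/authorized_keys
    if [ -f "$keys" ] && ! grep -Eqv '^[[:space:]]*(#|$)' "$keys"; then
        echo "no public keys in: $keys"; bad=1
    fi
    return "$bad"
}

# Demo on a constructed home directory with a deliberately loose file mode.
demo=$(mktemp -d) && mkdir "$demo/.ssh"
echo 'ssh-ed25519 AAAAconstructed-placeholder lens@laptop' > "$demo/.ssh/authorized_keys"
chmod 700 "$demo" "$demo/.ssh"; chmod 664 "$demo/.ssh/authorized_keys"
check_ssh_dir "$demo" "$(id -u)" || echo "fix the problems above before logging in"
rm -rf "$demo"
```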
Log in to the server as the regular user.
Now, from your command-line interface, type this command.
$ ssh -i /path/to/private/key lens@your_vps_ip
The command above includes the path to the SSH private key on your computer, which is used for authentication. You will be logged in immediately if no passphrase is required. Otherwise, a prompt appears in the CLI, where you provide the passphrase associated with the SSH key.
With that, we have come to the end of this article's scope. However, if you look at the end-to-end initial server setup, there are a few more aspects to cover before the server is ready for hosting web applications.
High-level step-by-step activities to create a Linux server
- Generate SSH keys using the PuTTY client
  a. Public and private keys
- Create a virtual private server with an embedded SSH key
- Install Nginx and configure the basic setup
- Configure SSL with Nginx
- Set up DNS for a custom domain using your preferred name server
So far, we have covered steps one and two. You can access other relevant content here.