rules & guidelines for initial secure server setup

Firewall

Create a firewall on the hosting platform and assign it to the instance, or use UFW on the server itself.

Configure it to allow these rules for incoming traffic:

Type            Protocol  Port
SSH             TCP       <PORT>
HTTP            TCP       <PORT>
HTTPS           TCP       <PORT>
Custom (PGSQL)  TCP       <PORT>

Configure it to allow these rules for outgoing traffic:

Type     Protocol  Port
ICMP     ICMP      -
All TCP  TCP       All Ports
All UDP  UDP       All Ports
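The two tables above expressed as UFW commands, as an added example (this is not part of the original guide). The port numbers are passed in as arguments in place of the <PORT> placeholders; the optional fifth argument, which limits the PostgreSQL rule to a single source address, is an assumption added here and not a step in the guide. The script only prints the plan, so nothing is changed until you pipe it into a root shell.

```shell
#!/bin/sh
# Added example, not from the original guide: emit the UFW commands that
# implement the inbound and outbound tables. Ports are arguments; the optional
# PGSQL_SOURCE argument (an addition here) restricts PostgreSQL to one host.
set -eu

# firewall_plan SSH_PORT HTTP_PORT HTTPS_PORT PGSQL_PORT [PGSQL_SOURCE]
# Prints one ufw command per line.
firewall_plan() {
    ssh_port=$1; http_port=$2; https_port=$3; pgsql_port=$4
    pgsql_source=${5:-}

    # Default policy: drop unsolicited inbound, allow all outbound.
    # "allow outgoing" covers the ICMP / all-TCP / all-UDP egress table.
    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"

    # Inbound table. The SSH rule is emitted before "enable" so that the
    # firewall never comes up without a way to reach the server.
    echo "ufw allow ${ssh_port}/tcp"
    echo "ufw allow ${http_port}/tcp"
    echo "ufw allow ${https_port}/tcp"
    if [ -n "$pgsql_source" ]; then
        # Only the named host may reach PostgreSQL (assumed application server).
        echo "ufw allow from ${pgsql_source} to any port ${pgsql_port} proto tcp"
    else
        echo "ufw allow ${pgsql_port}/tcp"
    fi

    # --force skips the interactive "may disrupt existing ssh connections" prompt.
    echo "ufw --force enable"
}

# Usage: sh firewall.sh 2222 80 443 5432 [10.0.0.5] | sudo sh
if [ $# -ge 4 ]; then
    firewall_plan "$@"
fi
```

Review the printed plan before applying it, and make sure the SSH port you pass here is the same one you later set in sshd_config; a mismatch locks you out once the firewall is enabled.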

SSH

See also: How to create SSH keys.

Disable remote root login to the server. Enforce SSH key-only access to the server. Modify the default SSH port.

Edit the SSH configuration file:

sudo nano /etc/ssh/sshd_config

Add or update these directives (the Port value must match the SSH port allowed in the firewall):

PermitRootLogin no
MaxAuthTries 3
PasswordAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey

Port <port>

Save and exit, then restart the SSH service:

sudo systemctl restart sshd

or

sudo service ssh restart
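A check that the file really contains the hardened values listed above, as an added example that is not part of the original guide. It reads the first active occurrence of each directive (the order sshd itself uses) and stops at any Match block, which it does not evaluate. The two sample configs are constructed for demonstration and do not come from a real host.

```shell
#!/bin/sh
# Added example, not from the original guide: audit an sshd_config for the
# directives the guide sets. Exit status 0 means every value is as expected.
set -eu

# sshd_setting FILE KEY -> prints the effective value of KEY.
# sshd uses the first active occurrence; comments are ignored and parsing
# stops at the first Match block (conditional settings are out of scope here).
sshd_setting() {
    awk -v key="$2" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) && !seen { val = $2; seen = 1 }
        END { print val }' "$1"
}

# expect_setting FILE KEY EXPECTED -> 0 if the value matches, else 1 with a message.
expect_setting() {
    got=$(sshd_setting "$1" "$2")
    if [ "$got" = "$3" ]; then
        return 0
    fi
    echo "FAIL: $2 is '${got:-<unset>}', expected '$3'" >&2
    return 1
}

# audit_sshd FILE [EXPECTED_PORT] -> 0 only if every directive from the guide is set.
audit_sshd() {
    cfg=$1; want_port=${2:-}; rc=0
    expect_setting "$cfg" PermitRootLogin no            || rc=1
    expect_setting "$cfg" MaxAuthTries 3                || rc=1
    expect_setting "$cfg" PasswordAuthentication no     || rc=1
    expect_setting "$cfg" PubkeyAuthentication yes      || rc=1
    expect_setting "$cfg" AuthenticationMethods publickey || rc=1
    if [ -n "$want_port" ]; then
        expect_setting "$cfg" Port "$want_port"         || rc=1
    fi
    return $rc
}

# Constructed sample configs (not from any real server) for trying the audit.
# sample_config hardened|weak > file
sample_config() {
    if [ "$1" = hardened ]; then
        printf '%s\n' '# hardened sample' 'Port 2222' 'PermitRootLogin no' \
            'MaxAuthTries 3' 'PasswordAuthentication no' \
            'PubkeyAuthentication yes' 'AuthenticationMethods publickey'
    else
        printf '%s\n' '# stock-like sample' '#PermitRootLogin prohibit-password' \
            'PasswordAuthentication yes' 'Port 22'
    fi
}

# Usage: sh audit_sshd.sh /etc/ssh/sshd_config 2222
if [ $# -ge 1 ]; then
    audit_sshd "$1" "${2:-}"
fi
```

Run the audit and `sudo sshd -t` (syntax check) before restarting the service, and keep your current session open until a fresh key-based login on the new port has succeeded.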

Users

Create the user (replace `username` with your desired username):

sudo useradd -m -d /home/username -s /bin/bash username

Set the password (you can set this to an empty string):

passwd username

Copy the user's public key into the authorized_keys file, for example from their GitHub account:

# create the directory first; useradd -m does not create it
mkdir -p /home/username/.ssh
# -f makes curl fail on an HTTP error instead of writing an error page into the file
curl -fsS https://github.com/<username>.keys > /home/username/.ssh/authorized_keys

or send the public key to the server with ssh-copy-id, run from the machine that holds the key (use -p if you have already changed the SSH port):

ssh-copy-id -p <port> username@<server-ip>

Set correct permissions

# ensure the directory is owned by the new user
chown -R username:username /home/username/.ssh

# make sure only the new user has permissions
chmod 700 /home/username/.ssh
chmod 600 /home/username/.ssh/authorized_keys
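A check that the ownership and modes above actually took effect, as an added example that is not part of the original guide. It uses `ls -ld` rather than `stat` so the same script works on GNU and BSD userlands; the home directory and username are passed as arguments.

```shell
#!/bin/sh
# Added example, not from the original guide: verify that HOME/.ssh is 700,
# HOME/.ssh/authorized_keys is 600, and both are owned by the given user.
set -eu

# mode_of PATH  -> ten-character permission string, e.g. drwx------
# owner_of PATH -> owner name as ls prints it
mode_of()  { ls -ld "$1" | awk '{ print substr($1, 1, 10) }'; }
owner_of() { ls -ld "$1" | awk '{ print $3 }'; }

# check_ssh_dir HOME_DIR USER -> 0 only if every check passes; each problem
# is printed to stderr and the function returns 1.
check_ssh_dir() {
    dir="$1/.ssh"; keys="$dir/authorized_keys"; user=$2; rc=0

    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir does not exist" >&2
        return 1
    fi
    [ "$(mode_of "$dir")" = "drwx------" ] ||
        { echo "FAIL: $dir mode is $(mode_of "$dir"), want drwx------" >&2; rc=1; }
    if [ -f "$keys" ]; then
        # sshd ignores a world- or group-writable authorized_keys, so a loose
        # mode here silently breaks key login once passwords are disabled.
        [ "$(mode_of "$keys")" = "-rw-------" ] ||
            { echo "FAIL: $keys mode is $(mode_of "$keys"), want -rw-------" >&2; rc=1; }
    else
        echo "FAIL: $keys is missing; with PasswordAuthentication no there is no way in" >&2
        rc=1
    fi
    for p in "$dir" "$keys"; do
        [ -e "$p" ] || continue
        [ "$(owner_of "$p")" = "$user" ] ||
            { echo "FAIL: $p is owned by $(owner_of "$p"), want $user" >&2; rc=1; }
    done
    return $rc
}

# Usage: sudo sh check_ssh_dir.sh /home/username username
if [ $# -eq 2 ]; then
    check_ssh_dir "$1" "$2"
fi
```

Run it before you disable password authentication; if the key file is missing or unreadable by sshd you still have a password login to fall back on.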

Add the user to the sudo group:

sudo usermod -aG sudo username

Verify the user has sudo access:

su - username
sudo -v

Permissions

Assign the new user the appropriate permissions.

Add the user to the www-data group (Nginx group):

sudo usermod -aG www-data username

Change ownership of Nginx configuration files and /var/www/html to the www-data group:

sudo chown -R root:www-data /etc/nginx
sudo chown -R www-data:www-data /var/www/html

Set appropriate permissions:

sudo chmod -R g+rw /etc/nginx
sudo chmod -R g+rw /var/www/html

Database