There are a few things you need to always remember when setting up a new Linux server. By default the root login is enabled for most systems. The best practice is to disable root login. Also, if you are transferring files via FTP, the best way to do this securely is via SFTP (not FTP). The quick difference is that FTP sends passwords/data in plain text versus encrypted text in SFTP. Let’s take a look at how to solve these issues and harden a Linux server.
When building a new Linux server, always make sure to create a root user
A root user has all the same powers as root. It’s a simple process called sudo. If your running Ubuntu as your server, then sudo is already installed on your system. Look to see if /etc/sudoers exists on your system. If it doesn’t and you are on a Debian based system, just type apt-get install sudoers to download the package.
You don’t have to restart anything to apply these changes. If you are logged in as your user and type a root command, you’ll see that you can perform root functions. Your other option is to “SU” into root. SU changes users and, if you have the root password, you can just login to the root user from the command line after you’ve logged in as your regular user.
Disable root login for the root user if your server is available to the whole internet
The root username is a given; it’s on every system. If you were to try and crack a user/password on a system, would you try to guess the user name or just use root? Well, you would use root! So the best security method to prevent this is to disable root login from SSH. This, of course, means you’ll login as your super user (user with root powers that you just created) and not the root user. There are some times you don’t want to disable root login but it’s highly recommended for public facing web servers. Another method is to disable plain text passwords for root login and just use a private SSH key to connect as the rooter user to your Linux server.
So you must disable the ability to login as the root user. How do you do this? Pretty simple! Navigate to /etc/ssh and edit sshd_config.
Navigate to #authentication and you will see PermitRootLogin yes.
Change it from yes to no.
Now you need to apply those changes by restarting the SSH service. :# /etc/init.d/ssh restart
Use SFTP – not FTP
FTP stands for file transfer protocol and SFTP stands for secure file transfer protocol. By it’s very name, SFTP already sounds more appealing than FTP. SFTP is really just an extension of SSH and they both run over the same port (port 22). SFTP works EXACTLY the same as FTP except you don’t need an FTP server installed on your server to use it. Since you already have SSH installed and running with disabled root login, you can jump right into using SFTP. So download any FTP program, personally I like to use Filezilla.
Enter your host name, your username, and password. It is the same as FTP; the only difference is in the “port” box you want to enter port 22 which is the SSH port. You might want to remember that port 21 is the FTP port.
Are you a Linux newbie? Follow step by step interactive courses to learn Linux at the Linux Academy