Securing Cloud Servers

First generate an SSH key on your local machine. You can do this by running the following command:

ssh-keygen

After following the prompts you will have two files, id_rsa and id_rsa.pub. The id_rsa file is your private key and should be kept secure. The id_rsa.pub file is your public key and can be shared with anyone.

It is worth learning how SSH keys work, because you will run into them not only here but in many other places and services: dealing with private GitHub repos, using GitHub Actions, and more.

Now copy the contents of the public key and log in to a cloud server. After logging in, you should create a new user, because you should not use the root login for security reasons.

adduser onetimeusername

Use any name you want (something you will remember, obviously).

After creating the user, you should add the user to the sudo group. This will allow the user to run commands as root.

usermod -aG sudo onetimeusername

Before switching to the new user, you should copy the public key into the new user’s home directory. A freshly created user usually has no .ssh directory yet, so create it first and then open the authorized_keys file:

sudo mkdir -p /home/onetimeusername/.ssh
sudo nano /home/onetimeusername/.ssh/authorized_keys

Replace onetimeusername with the username you created.

Paste the contents of the public key file into the authorized_keys file. Save and exit the file.

Now you can log back in to the server as the new user you created. You can do this by running the following command:

ssh onetimeusername@your_server_ip

If your key does not have the default name id_rsa, you can specify it with the -i flag.

You should now be logged in as the new user. You can now disable root login and password login. Do this by editing the SSH daemon configuration file:

sudo nano /etc/ssh/sshd_config

Find the line that says PermitRootLogin yes and change it to PermitRootLogin no.

Find the line that says PasswordAuthentication yes and change it to PasswordAuthentication no.

Save and exit the file. You can now restart the SSH service by running the following command:

sudo systemctl restart sshd

If this does not work, replace sshd with ssh.
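
The edit above only takes effect if those lines are the first values sshd reads: sshd uses the first value it obtains for each keyword, so a file included earlier can leave password login enabled. The following added example (not part of the original post) checks this with a simplified parser; the function names and sample file names are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the original post). sshd keeps the FIRST value it
# reads for a keyword, so an earlier file can override an edit made later.

# effective_option KEYWORD FILE...: print the first global value found.
# List FILEs in the order sshd reads them.
effective_option() {
    want=$1; shift
    for f in "$@"; do
        [ -r "$f" ] || continue
        val=$(awk -F'[ \t=]+' -v want="$want" '
            { sub(/^[ \t]+/, "") }                 # drop leading indentation
            /^#/ || /^$/ { next }                  # skip comments and blanks
            tolower($1) == "match" { exit }        # the rest is conditional
            tolower($1) == tolower(want) { print tolower($2); exit }
        ' "$f")
        [ -n "$val" ] && { printf '%s\n' "$val"; return 0; }
    done
    return 1
}

# audit_ssh_hardening FILE...: succeed only if both settings from the post
# are in effect: PermitRootLogin no and PasswordAuthentication no.
audit_ssh_hardening() {
    rc=0
    for pair in permitrootlogin=no passwordauthentication=no; do
        key=${pair%%=*}; expected=${pair#*=}
        actual=$(effective_option "$key" "$@") || actual="unset"
        if [ "$actual" = "$expected" ]; then
            echo "ok    $key $actual"
        else
            echo "FAIL  $key is $actual, expected $expected"; rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: a drop-in file that is read before the edited main file.
demo() {
    d=$(mktemp -d)
    printf 'PasswordAuthentication yes\n' > "$d/50-example.conf"
    printf '#PermitRootLogin yes\nPermitRootLogin no\nPasswordAuthentication no\n' > "$d/sshd_config"
    audit_ssh_hardening "$d/50-example.conf" "$d/sshd_config"; status=$?
    rm -rf "$d"
    return "$status"
}
demo || echo "hardening not in effect for the constructed sample"
```

On the server itself, `sudo sshd -T` prints the configuration sshd actually resolved, which is the authoritative check. Keep your current session open until a fresh login with the key works, so a mistake does not lock you out.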

Now you should set up a firewall. You can do this by running the following commands:

sudo ufw allow OpenSSH
sudo ufw enable

You can check the status of the firewall by running the following command:

sudo ufw status

You should now have a very basic cloud server setup. From here, everything else is very specific to the use case of the server.

Don’t let anyone tell you that it’s too hard or too scary to run a server on the internet. It’s never been easier or safer. You don’t need a vendor.

DHH - Creator of Ruby on Rails

Do this a couple of times and you will be able to do it in under 5 minutes per new server.