When you create a new Debian 8 server, there are a few configuration steps that you should take early on as part of the basic setup. This will improve the security and usability of your server, and give you a solid foundation on which to proceed.
Step one – Login as root
In order to log into your server, you need to know the public IP address of the server and the password for the “root” user account. If you are not already logged into your server, you can follow the tutorial on how to connect to your server using SSH.
If you are not already connected to the server, go ahead and log in as the root user using the following command (replace the highlighted word with the IP address of your server):
ssh root@SERVER_IP_ADDRESS
Complete the login process by accepting the host authentication warning, if it appears, then providing your root authentication (password or key). If this is your first time logging into the server using a password, you will also be prompted to change your password.
The root user is the administrative user in a Linux environment and has very wide privileges. Because of these increased privileges, you are advised not to use the root account on a regular basis. Part of the power inherent in the root account is the ability to make very destructive changes, even by accident.
The next step is to create an alternate user account with reduced privileges for day-to-day work. We’ll teach you how to get elevated privileges when you need them.
Step two – creating a new user
Once you have logged in as root, we are ready to add the new user account that we will use to log in from now on.
This example creates a new user named “demo”, but you should replace it with a username that you like:
You will be asked several questions, starting with the account password.
Enter a strong password and, optionally, fill in any of the additional information if you wish. This is not required, and you can simply press “ENTER” in any field you want to skip.
Step three – superuser
We now have a new user account with regular account privileges. However, we may sometimes need to perform administrative tasks.
To avoid having to log out of our regular user and log back in as the root account, we can set up what is known as “superuser” or root privileges for our regular account. This will allow our regular user to execute commands with administrator rights by putting the word sudo in front of each command.
Debian 8 does not come with sudo installed, so let’s install it using apt-get.
First, let’s update the package index:
Then use this command to install sudo:
apt-get install sudo
Now you can use the commands
About SUDO privileges
To add these privileges to our new user, we need to add the new user to the “sudo” group. By default in Debian 8, users belonging to the “sudo” group are allowed to use the sudo command.
As root, run this command to add your new user to the sudo group (replace the highlighted word with the new user):
usermod -a -G sudo demo
Your user can now run commands with superuser privileges!
Step Four – Add Public Authentication Key (Recommended)
The next step in securing your server is to set up public key authentication for the new user. Setting this up will improve the security of your server by requiring a private SSH key to log in.
Generating a key pair
If you do not already have an SSH key pair, which consists of a public and a private key, you need to generate one. If you already have a key that you want to use, skip to the step to copy the public key.
To create a new key pair, enter the following command at the terminal of your local machine (i.e. your computer):
Assuming your local user is called “localuser”, you will see output that looks like this:
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/localuser/.ssh/id_rsa):
Press Return to accept this filename and path (or enter a new name).
Next, you will be prompted for a passphrase to secure the key. You can either enter a passphrase or leave the passphrase blank.
Note: If you leave the passphrase blank, you will be able to use the private key for authentication without entering a passphrase. If you enter a passphrase, you will need both the private key and the passphrase to log in. Protecting your key with a passphrase is more secure, but both methods have their uses and are more secure than basic password authentication.
This creates a private key, id_rsa, and a public key, id_rsa.pub, in the .ssh directory of localuser’s home directory. Remember that the private key should not be shared with anyone who should not have access to your servers!
Copy the public key
After generating your SSH key pair, you want to copy your public key to the new server. We’ll cover two easy ways to do this.
Option 1: Using ssh-copy-id
If your local machine has the ssh-copy-id script installed, you can use it to install your public key for any user that you have login credentials for.
Run the ssh-copy-id script by specifying the user and the IP address of the server on which you want to install the key, like this:
ssh-copy-id demo@SERVER_IP_ADDRESS
After you provide the password at the prompt, your public key will be added to the remote user’s .ssh/authorized_keys file. The corresponding private key can now be used to log into the server.
Option 2: Manually install the key
Assuming you have generated an SSH key pair using the previous step, use the following command at the terminal of your local machine to print your public key (id_rsa.pub):
This should print your SSH public key, which should look like this:
id_rsa.pub contents
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBGTO0tsVejssuaYR5R3Y/i73SppJAhme1dH7W2c47d4gOqB4izP0+fRLfvbz/tnXFz4iOP/H6eCV05hqUhF+KYRxt9Y8tVMrpDZR2l75o6+xSbUOMu6xN+uVF0T9XzKcxmzTmnV7Na5up3QM3DoSRYX/EP3utr2+zAqpJIfKPLdA74w7g56oYWI9blpnpzxkEd3edVJOivUkpZ4JoenWManvIaSdMTJXMy3MtlQhva+j9CgguyVbUkdzK9KKEuah+pFZvaugtebsU+bllPTB0nlXGIJk98Ie9ZtxuY3nCKneB+KjKiXrAvXUPCI9mWkYS/1rggpFmu3HbXBnWSUdf [email protected]
Select the public key and copy it to the clipboard.
Add public key for new remote users
In order to allow the SSH key to be used to authenticate as a new remote user, you must add the public key to a special file in the user’s home directory.
On the server, as root, enter the following command to switch to the new user (substitute your own username):
su - demo
You will now be in your new user’s home directory.
Create a new folder named .ssh and restrict access rights with the following commands:
mkdir .ssh
chmod 700 .ssh
Now open a file in .ssh called authorized_keys using a text editor. We’ll use nano to edit the file:
Now insert your public key (which should be on your clipboard) by pasting it into the editor.
Press CTRL-X to exit the file, then Y to save the changes you made, then ENTER to confirm the filename.
Now restrict access rights to the authorized_keys file with the following command:
chmod 600 .ssh/authorized_keys
Enter this command once to return to the root user:
You can now log in via SSH as your new user, using the private key as authentication.
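The manual key installation above, as an added shell example (not part of the original tutorial): it appends a key only once and checks that the modes match the 700/600 values used in this step, since sshd's StrictModes option rejects key files with permissions that are too open. The function names are hypothetical and `stat -c` assumes GNU or BusyBox stat, as on Debian.

```shell
#!/bin/sh
# Added example: install a public key idempotently with the modes used above.

# install_pubkey HOME_DIR "PUBLIC_KEY_LINE"
# Runs in a subshell "( ... )" so the umask change does not leak to the caller.
install_pubkey() (
    home=$1; key=$2
    # The key must be exactly one line: "type base64 [comment]"
    [ "$(printf '%s\n' "$key" | wc -l)" -eq 1 ] ||
        { echo "key must be a single line" >&2; exit 2; }
    case $key in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "unrecognised key type" >&2; exit 2 ;;
    esac
    umask 077
    mkdir -p "$home/.ssh" || exit 1
    chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    # Append only if this exact line is not already present
    grep -qxF -- "$key" "$home/.ssh/authorized_keys" ||
        printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
)

# check_ssh_perms HOME_DIR: status 0 only if modes are 700 (.ssh)
# and 600 (authorized_keys), as set in the tutorial.
check_ssh_perms() {
    home=$1
    [ "$(stat -c %a "$home/.ssh")" = 700 ] ||
        { echo "$home/.ssh is not mode 700" >&2; return 1; }
    [ "$(stat -c %a "$home/.ssh/authorized_keys")" = 600 ] ||
        { echo "authorized_keys is not mode 600" >&2; return 1; }
}

# Usage, run as the new user (the key string is whatever you copied earlier):
#   install_pubkey "$HOME" "ssh-rsa AAAA... comment" && check_ssh_perms "$HOME"
```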
Step Five – Configuring SSH
Now that we have our new account, we can secure our server a little more by modifying the configuration of its SSH daemon (the program that allows us to log in remotely) to deny remote SSH access to the root account.
Start by opening the config file with a text editor as root:
Here we have the option to disable root login via SSH. This is generally a more secure setting as we can now access our server through our regular user account and escalate privileges as needed.
To disable remote root login, we need to find a line that looks like this:
/etc/ssh/sshd_config (before)
You can change this line to “no” if you want to disable root login:
/etc/ssh/sshd_config (after)
Disabling remote root login is highly recommended on every server!
When you’re done making changes, save and close the file using the method we used earlier (CTRL-X, then Y, then ENTER).
Now that we have made our changes, we need to restart the SSH service so that it will use our new configuration.
Enter this command to restart SSH:
systemctl restart ssh
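One way to confirm that the edit took effect, as an added shell example (not part of the original tutorial): sshd applies the first occurrence of a keyword, treats keywords case-insensitively, and applies lines after a "Match" line only conditionally, so a "no" added below an earlier "yes" changes nothing. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the global PermitRootLogin value sshd will apply.

# effective_root_login FILE: print the first global PermitRootLogin value,
# or "unset" when none is given (sshd's built-in default then applies).
effective_root_login() {
    awk '
        /^[ \t]*(#|$)/ { next }               # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)          # strip leading whitespace
            sub(/[ \t]*=[ \t]*/, " ", line)   # accept "Keyword=value" form
            split(line, f, /[ \t]+/)
            kw = tolower(f[1])                # keywords are case-insensitive
        }
        kw == "match"           { exit }      # global section ends here
        kw == "permitrootlogin" { print f[2]; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# root_login_disabled FILE: status 0 only when the effective value is "no".
root_login_disabled() {
    [ "$(effective_root_login "$1")" = "no" ]
}

# Constructed sample: "no" was appended below an existing "yes", so the
# earlier line still wins and root login stays enabled.
demo_shadowed_config() {
    f=$(mktemp) || return 1
    printf '%s\n' '# constructed sample' 'Port 22' \
        'PermitRootLogin yes' 'permitrootlogin no' > "$f"
    effective_root_login "$f"
    rm -f "$f"
}
```

On the server, `root_login_disabled /etc/ssh/sshd_config && echo ok` runs the check against the real file, and `sshd -t` validates the file's syntax.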
Now, before we log out of the server, we must verify our new configuration. We don’t want to disconnect without confirming that new connections can be successfully established.
Open a new terminal window. In the new window, we need to start a new connection to our server. This time, instead of using the root account, we want to use the new account we created.
ssh demo@SERVER_IP_ADDRESS
You will be prompted for the new user’s password that you configured. After that, you will be logged in as your new user.
Remember that if you need to run a command with superuser privileges, type “sudo” before it, as in the example:
If all is well, you can log out of your sessions by typing:
At this point, you have a solid foundation for your Debian 8 server. You can now install any of the software you need on the server.