Basic server settings
Set the timezone to Europe/Berlin:
dpkg-reconfigure tzdata
Disable root and use sudo
Create a sudo superuser. A group ‘upravitelj’ is created along with the user, and the user is then added to the ‘sudo’ group.
# install the sudo package first
apt-get install sudo
# add a user without password
adduser --disabled-password --gecos "Vladan Colovic,eTaktiker,+381-63-208165,+381-63-208165" upravitelj
# set a password for the user
echo 'upravitelj:<UPRAVITELJ-PASS>' | chpasswd
# add the user to the sudo group
adduser upravitelj sudo
Exit and log in again as the new user.
Now disable the root account by deleting and locking its password:
sudo passwd --delete --lock root
By default sudo remembers your password for 15 minutes.
Change SSH port
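Change the SSH port from 22 to 22111:
# rewrite the (possibly commented-out) "Port 22" line; other Port values are left alone
sed -i -E 's/^#?[[:space:]]*Port[[:space:]]+22[[:space:]]*$/Port 22111/' /etc/ssh/sshd_config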
service ssh restart
SSH Public-Key Authentication
Copy my public key to your home directory on remote server:
scp -P 22111 ~/.ssh/id_rsa.pub upravitelj@etaktiker.ex40:~
Then log in to the remote server:
ssh upravitelj@etaktiker.ex40 -p 22111
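# create ~/.ssh if it is missing, accessible only by the owner
mkdir -p ~/.ssh && chmod 700 ~/.ssh
# back up the existing authorized_keys file, if there is one
[ -f ~/.ssh/authorized_keys ] && cp ~/.ssh/authorized_keys ~/.ssh/authorized_keys.backup
# append the key to the authorized_keys file
cat ~/id_rsa.pub >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
# the uploaded copy is no longer needed
rm -f ~/id_rsa.pub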
Configure the Windows client for easier connections:
set F="%HOMEDRIVE%%HOMEPATH%\.ssh\config"
echo. >> %F%
echo Host etaktiker.ex40 >> %F%
echo HostName 5.9.95.48 >> %F%
echo User upravitelj >> %F%
echo Port 22111 >> %F%
echo IdentityFile "~/.ssh/id_rsa" >> %F%
echo IdentitiesOnly yes >> %F%
That is it. Check that you can log in with the key, and only then disable password login.
ssh etaktiker.ex40
Disable SSH Password Authentication for added security
Edit the file with sudo nano /etc/ssh/sshd_config
and make sure these are set as follows:
ChallengeResponseAuthentication no
PasswordAuthentication no
Reload SSH server configuration:
sudo service ssh reload
SSH Welcome Message & Banner
MOTD (Message Of The Day) is displayed after the user has logged in:
sudo su -
echo '
eTaktiker GmbH - This system is for authorized users only. All activity
is logged. Any illegal service or attempt to take down this server or
any of its services will be reported to the law enforcement.
' >/etc/motd
The banner is shown between the username and password prompts at login:
echo '
Welcome to eTaktiker remote login system
' >/etc/ssh/sshd-banner
sed -ri 's/^\#Banner.*$/Banner \/etc\/ssh\/sshd-banner/gi' /etc/ssh/sshd_config
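A check for the sshd_config edits made above, added here as an example and not part of the original guide: sshd uses the first value it reads for each keyword, so a sed or an appended line that looks right can still be shadowed. The function names and the sample config are constructed for illustration; Include files and Match overrides are not evaluated.

```shell
# Added example: audit the sshd_config settings this guide changes.
# Print the effective global value of keyword $2 in config file $1.
# sshd keeps the FIRST value it reads for a keyword; comments do not count.
# Assumptions: "Keyword value" syntax, no Include files; the global section
# ends at the first Match line.
sshd_effective() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*(#|$)/         { next }            # comment or blank line
        tolower($1) == "match" { exit }            # global section is over
        tolower($1) == want    { print $2; exit }  # first value wins
    ' "$1"
}

# Check every setting against the value used in the guide. Prints one line
# per mismatch and returns the number of mismatches (0 = all as expected).
audit_sshd_config() {
    cfg=$1
    bad=0
    while read -r key expected; do
        actual=$(sshd_effective "$cfg" "$key")
        if [ "$actual" != "$expected" ]; then
            echo "MISMATCH $key: want '$expected', effective '${actual:-unset}'"
            bad=$((bad + 1))
        fi
    done <<EOF
Port 22111
PasswordAuthentication no
ChallengeResponseAuthentication no
Banner /etc/ssh/sshd-banner
EOF
    return "$bad"
}

# Constructed sample: port and banner edits took effect, but an earlier
# "PasswordAuthentication yes" shadows the "no" that was appended last
# (and that appended line also landed inside a Match block).
sample=$(mktemp)
cat >"$sample" <<'EOF'
Port 22111
#PasswordAuthentication no
PasswordAuthentication yes
ChallengeResponseAuthentication no
Banner /etc/ssh/sshd-banner
Match User backup
PasswordAuthentication no
EOF
audit_sshd_config "$sample" || echo "$? setting(s) differ from the guide"
```

On the server itself, sudo sshd -t validates the file before a reload and sudo sshd -T prints the configuration sshd will actually use. Keep the current session open until a second login with the key succeeds.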
Shell tweaks
~/.bashrc is for non-login interactive shells. Login shells source ~/.bash_profile (or ~/.bash_login or ~/.profile).
https://unix.stackexchange.com/a/541092
Sourcing ~/.bashrc in any of those files for login shell will allow you to have common settings. It is usually already sourced in ~/.profile, which I can discover by typing:
grep ".bashrc" /etc/profile ~/.bash_profile ~/.bash_login ~/.profile
That sourcing of startup files is perfectly explained here. Note that environment variables in crontab are not sourced from anywhere (see comment).
Set permanent aliases:
echo '
# my aliases list
alias ls="ls -a --color=tty" # always show all files, and always color them
alias ll="ls -l --color=tty" # double quotes: a single quote here would end the surrounding echo string
alias disku="du -s * | sort -rn | head" # it pops out the top 10 biggest files or directories in your current working directory
alias ..="cd .." # very simple
alias ...="cd ../.."
alias ....="cd ../../.."
alias cdw="cd /var/www"
alias cdl="cd /var/log"
alias ff="find . -name" # often needed
alias more="less"
alias h="history"
alias tf="tail -f"
' >> ~/.bashrc
But my ~/.bashrc was not executing so I wanted to include it:
echo "[[ -f ~/.bashrc ]] && . ~/.bashrc" >>~/.bash_profile