Restrict default file permissions:
# echo "session optional pam_umask.so umask=077" >> /etc/pam.d/common-session
Install sudo package:
# apt-get -y install sudo
Add a user for logging in instead of using the root account (you can choose another name for better security):
# adduser --gecos "" admin
Allow admin to use sudo by adding the admin user to the sudo group:
# usermod -a -G sudo admin
Create a group for users that are allowed to connect remotely:
# addgroup ssh-clients
Before configuring the ssh restrictions, add the admin user to the ssh-clients group (otherwise you will lock yourself out):
# usermod -a -G ssh-clients admin
Change the default port for ssh connections, configure the allowed group and disable root login via ssh. To do this, edit the /etc/ssh/sshd_config file as follows:
# vi /etc/ssh/sshd_config
...
Port 5678
...
PermitRootLogin no
...
AllowGroups ssh-clients
or execute the following commands from the command prompt:
# sed -i 's/^#*Port .*/Port 5678/' /etc/ssh/sshd_config
# sed -i 's/^#*PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config
# echo "AllowGroups ssh-clients" >> /etc/ssh/sshd_config
The patterns start with ^#* so that they also replace the commented-out defaults that Debian ships (#Port 22, #PermitRootLogin prohibit-password); a plain s/Port 22/Port 5678/ would only turn #Port 22 into #Port 5678 and leave port 22 active.
Use a different port number in a real configuration for better security. It should be greater than 1024 and must not match any frequently used port number, such as 3306 (MySQL) or 5432 (PostgreSQL).
# /etc/init.d/ssh reload
Then reconnect to the machine on the new port with the admin user's credentials.
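The sshd_config edits above, as an added example that is not part of the original instruction: the script applies the Port, PermitRootLogin and AllowGroups settings to a constructed copy of a Debian-style sshd_config in a temporary directory (never the real /etc/ssh/sshd_config), handling the commented-out defaults, and reads the effective values back. The function names, the sample file and the port/group values are assumptions for the demo.

```shell
# Added example, not from the original page. Applies the Port / PermitRootLogin /
# AllowGroups edits to a constructed sshd_config copy and verifies them. A plain
# 's/Port 22/Port 5678/' misses Debian's commented "#Port 22" and leaves port 22
# active; this version replaces active and commented copies alike.
set -eu

# Set "key value": replace the first matching line (active or commented out),
# drop later duplicates, and append the directive if it is absent.
set_sshd_directive() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    awk -v key="$key" -v value="$value" '
        $0 ~ ("^[ \t]*#?[ \t]*" key "([ \t]|$)") {
            if (!done) { print key " " value; done = 1 }
            next
        }
        { print }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# First active value of a directive (sshd uses the first value it reads).
sshd_directive_value() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

harden_sshd_config() {   # args: file port group
    set_sshd_directive "$1" Port "$2"
    set_sshd_directive "$1" PermitRootLogin no
    set_sshd_directive "$1" AllowGroups "$3"
}

# Constructed sample resembling a Debian default file (not a real config). The
# Include at the top is read first, so drop-ins there override what follows;
# always confirm the effective settings with 'sshd -T' on the real host.
make_sample_config() {
    cat > "$1" <<'EOF'
Include /etc/ssh/sshd_config.d/*.conf
#Port 22
#PermitRootLogin prohibit-password
UsePAM yes
EOF
}

demo() {
    dir=$(mktemp -d); cfg="$dir/sshd_config"
    make_sample_config "$cfg"
    harden_sshd_config "$cfg" 5678 ssh-clients
    printf 'Port=%s PermitRootLogin=%s AllowGroups=%s\n' "$(sshd_directive_value "$cfg" Port)" \
        "$(sshd_directive_value "$cfg" PermitRootLogin)" "$(sshd_directive_value "$cfg" AllowGroups)"
    rm -rf "$dir"
}
demo
```

On the real host, run sshd -t to syntax-check the file before reloading, and keep the current session open until a second login on the new port succeeds.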
Optionally, set up key-based authentication by following the corresponding section in the Adding user instruction.