Setting Up and Securing a Compute Instance
After you have successfully created a Compute Instance, there are a few initial configuration steps you should perform within your new Linux system. This includes updating your system, setting the timezone, configuring a custom hostname, adding a limited user, hardening SSH to prevent unauthorized access, and configuring a firewall. These steps ensure your instance is up to date, secure, and ready for use.
Note: While this guide is optional, it walks you through best practices and covers important steps to secure your server. It is recommended that you follow these instructions when deploying a new Compute Instance. Some guides within our library assume that you have performed these steps, such as setting your hostname and updating your software.
- View your Instance in the Cloud Manager
- Connect to the Instance
- Perform System Updates
- Set the Timezone
- Configure a Custom Hostname
- Add a Limited User Account
- Harden SSH Access
- Configure a Firewall
- Common Lockout Recovery Steps
Before You Begin
If you haven’t done so already, review the following guides to learn more about using Linode and Compute Instances.
View your Instance in the Cloud Manager
Log in to the Cloud Manager, click the Linodes link in the left menu, and select your Compute Instance from the list. This opens the details page for that instance, which allows you to view key information and further configure it to meet your needs.


Connect to the Instance
Once the Compute Instance has been created and has finished booting up, you can connect to it. Connecting to your instance is usually done through the SSH (Secure Shell) protocol, though you can use the Lish Console to bypass SSH and connect directly to your instance. The Lish Console can be accessed through a web browser (Weblish) or via SSH on the command line.
Weblish (via the Cloud Manager): Click the Launch LISH Console link at the top right corner of the Compute Instance’s detail page. See Using the Lish Console > Through a Browser.
SSH: Copy the command from the SSH Access field under the Access section on the Compute Instance’s detail page (see screenshot above) and paste it into your local computer’s terminal. The command should look similar to the following, only with the IP address of your newly created instance.
ssh root@192.0.2.1
- Windows: Windows 10 and 11 users can connect to their Linode using the Command Prompt (or PowerShell) application, provided their system is fully updated. For users of Windows 8 and earlier, Secure Shell on Chrome, PuTTY, or many other third party tools can be used instead. See Connecting to a Remote Server Over SSH on Windows.
- macOS: The Terminal application is pre-installed on macOS. See Connecting to a Remote Server Over SSH on a Mac.
- Linux: You can use a terminal window, regardless of desktop environment or window manager. See Connecting to a Remote Server Over SSH on Linux.
Lish (via SSH): Copy the command from the LISH Console via SSH field under the Access section on the Compute Instance’s detail page (see screenshot above) and paste it into your local computer’s terminal. The command should look similar to the one below, only with your username, data center, and Linode label. Review Using the Lish Console > Through SSH for more instructions.
ssh -t user@lish-newark.linode.com Example-Linode
Perform System Updates
Updating your system frequently is the single most effective security precaution you can take for any operating system. Software updates range from critical vulnerability patches to minor bug fixes, and many vulnerabilities already have a fix available by the time they are made public, so an unpatched server is the easiest target. Updating also provides you with the latest software versions available for your distribution.
Ubuntu and Debian
apt update && apt upgrade
Note: You may be prompted to make a menu selection when the Grub package is updated on Ubuntu. If prompted, select keep the local version currently installed.
CentOS/RHEL Stream and Fedora
This includes CentOS Stream (and 8), other RHEL derivatives (including AlmaLinux 8, and Rocky Linux 8), and Fedora.
dnf upgrade
Other Distributions
Alpine
apk update && apk upgrade
Arch Linux
pacman -Syu
CentOS 7
yum update
Gentoo
emaint sync -a
After running a sync, it may end with a message that you should upgrade Portage using a --oneshot emerge command. If so, run the Portage update. Then update the rest of the system:
emerge -uDU --keep-going --with-bdeps=y @world
OpenSUSE
zypper update
Slackware
slackpkg update
slackpkg upgrade-all
Set the Timezone
All new Linodes are set to UTC time by default. You may prefer that your Linode use the time zone you live in so that log file timestamps are in your local time, though keeping UTC makes it easier to correlate logs across several servers.
Most Distributions
This includes CentOS 7 (and newer), other RHEL derivatives (including AlmaLinux 8, and Rocky Linux 8), Fedora, and Arch. These instructions also work for most Ubuntu, Debian, and OpenSuse distributions, though other methods may be preferred in those cases.
Use timedatectl to output a list of available timezones.
timedatectl list-timezones
Use the arrow keys, Page Up, and Page Down to navigate through the list. Copy or make note of your desired time zone and press q to exit the list.
Set the time zone using the command below, replacing America/New_York with your preferred time zone.
timedatectl set-timezone 'America/New_York'
Ubuntu and Debian
The instructions under the Most Distributions section above (which outline the timedatectl command) are valid. That said, both Ubuntu and Debian come with a more friendly tool called tzdata, outlined below.
Open the tzdata tool.
dpkg-reconfigure tzdata
Select the continent of your choice using the arrow keys and press Enter.
Select your region using the arrow keys and press Enter.
Other Distributions
Alpine
Use the setup-timezone command to initiate the timezone selection process:
setup-timezone
Enter the timezone you are located within. If you aren’t sure of the timezone string to use, enter ? to display a list of available timezones.
If you selected a region with sub-timezones, enter ? again to see a list of available sub-timezones and then enter the sub-timezone you are located within.
Gentoo
View a list of available time zones.
ls /usr/share/zoneinfo
Write the selected time zone to /etc/timezone (for example, EST for Eastern Standard Time).
echo "EST" > /etc/timezone
Configure the sys-libs/timezone-data package, which sets /etc/localtime.
emerge --config sys-libs/timezone-data
OpenSUSE
The instructions under the Most Distributions section above (which outline the timedatectl command) are valid. OpenSUSE also has a more friendly way to select a timezone, discussed below.
Open the YaST2 timezone selector tool.
yast2 timezone
Use the arrow keys to select your region within the Region pane.
Press Tab to switch to the Time Zone pane and then use the arrow keys to select your time zone or sub-region.
Press F10 to save the changes. Alternatively, press Tab until the [OK] text button is highlighted, then press Enter.
Slackware
Run the timeconfig tool.
timeconfig
Select NO Hardware clock is set to local time.
Select a timezone.
Check the Time
Use the date command to view the current date and time according to your server.
root@localhost:~# date
Thu Feb 16 12:17:52 EST 2018
Configure a Custom Hostname
A hostname is used to identify your Compute Instance using an easy-to-remember name. It can be descriptive and structured (detailing what the system is used for) or a generic word or phrase. Here are some examples of hostnames:
Descriptive and/or Structured: web, staging, blog, or something more structured like [purpose]-[number]-[environment] (ex: web-01-prod).
Generic/Series: Such as the name of a fruit (apple, watermelon), a planet (mercury, venus), or animal (leopard, sloth).
This hostname can be used as part of a FQDN (fully qualified domain name) for the system (ex: web-01-prod.example.com).
After you’ve made the change below, you may need to log out and log back in again to see the terminal prompt change from localhost to your new hostname. The command hostname should also show it correctly. See our guide on using the hosts file if you want to configure a fully qualified domain name.
Most Distributions
This includes Ubuntu 16.04 (and newer), CentOS 7 (and newer), other RHEL derivatives (including AlmaLinux 8 and Rocky Linux 8), Debian 8 (and newer), Fedora, OpenSuse, and Arch.
Replace example-hostname with one of your choice.
hostnamectl set-hostname example-hostname
Other Distributions
Alpine
See Update Your System’s hosts File.
Gentoo
echo "HOSTNAME=\"example-hostname\"" > /etc/conf.d/hostname
/etc/init.d/hostname restart
Slackware
echo "example-hostname" > /etc/HOSTNAME
hostname -F /etc/HOSTNAME
Update Your System’s hosts File
The hosts file creates static associations between IP addresses and hostnames or domains which the system prioritizes before DNS for name resolution.
Open the hosts file in a text editor, such as Nano.
nano /etc/hosts
Add a line for your Linode’s public IP address. You can associate this address with your Linode’s Fully Qualified Domain Name (FQDN) if you have one, and with the local hostname you set in the steps above. In the example below, 203.0.113.10 is the public IP address, example-hostname is the local hostname, and example-hostname.example.com is the FQDN.
File: /etc/hosts
127.0.0.1 localhost.localdomain localhost
203.0.113.10 example-hostname.example.com example-hostname
Add a line for your Linode’s IPv6 address. Applications requiring IPv6 will not work without this entry:
File: /etc/hosts
127.0.0.1 localhost.localdomain localhost
203.0.113.10 example-hostname.example.com example-hostname
2600:3c01::a123:b456:c789:d012 example-hostname.example.com example-hostname
The value you assign as your system’s FQDN should have an “A” record in DNS pointing to your Linode’s IPv4 address. For IPv6, you should also set up a DNS “AAAA” record pointing to your Linode’s IPv6 address.
See our guide to Adding DNS Records for more information on configuring DNS. For more information about the hosts file, see Using your System’s hosts File.
Add a Limited User Account
Up to this point, you have accessed your Compute Instance as the root user, which has unlimited privileges and can execute any command, even one that could accidentally disrupt your server. We recommend creating a limited user account and using that at all times. Administrative tasks will be done using sudo to temporarily elevate your limited user’s privileges so you can administer your server.
Note: Not all Linux distributions include sudo on the system by default, but all the images provided by Linode have sudo in their package repositories. If you get the output sudo: command not found, install sudo before continuing.
Ubuntu and Debian
Create the user, replacing example_user with your desired username. You’ll then be asked to assign the user a password:
adduser example_user
Add the user to the sudo group so you’ll have administrative privileges:
adduser example_user sudo
CentOS/RHEL Stream and Fedora
Create the user, replacing example_user with your desired username, and assign a password:
useradd example_user && passwd example_user
Add the user to the wheel group for sudo privileges:
usermod -aG wheel example_user
Log in as the New User
After creating your limited user, disconnect from your Compute Instance:
exit
Log back in as your new user. Replace example_user with your username, and the example IP address with your instance’s IP address:
ssh example_user@192.0.2.1
Now you can administer your Compute Instance from your new user account instead of root. Nearly all superuser commands can be executed with sudo (example: sudo iptables -L -nv), and each use is logged (to /var/log/auth.log on Debian and Ubuntu, /var/log/secure on the RHEL family, or the systemd journal), which gives you an audit trail that a shared root login does not.
Harden SSH Access
By default, password authentication is used to connect to your Compute Instance via SSH. A cryptographic key-pair is more secure: the private key stays on your computer and takes the place of a password, the server stores only the public key, and a key is far too long to guess by brute force, whereas a password typed over SSH can be. In this section we’ll create a key-pair and configure your system to not accept passwords for SSH logins.
Create an Authentication Key-pair
Note: As of Autumn 2018, OpenSSH has been added to Windows 10, simplifying the process for securing SSH. Windows 10 in this guide assumes OpenSSH has been installed as part of this update, while Earlier Windows Versions would apply to earlier versions.
This is done on your local computer, not your Compute Instance, and will create a 4096-bit RSA key-pair. During creation, you will be given the option to encrypt the private key with a passphrase. This means that it cannot be used without entering the passphrase, unless you load it into an SSH agent or your desktop’s keychain manager. We suggest you use the key-pair with a passphrase, but you can leave this field blank if you don’t want to use one.
Linux / macOS / Windows 10 or 11
Caution: If you’ve already created an RSA key-pair, this command will overwrite it, potentially locking you out of other systems. If you’ve already created a key-pair, skip this step. To check for existing keys, run ls ~/.ssh/id_rsa*.
ssh-keygen -t rsa -b 4096
The key type is given explicitly because recent OpenSSH releases default to Ed25519 keys, for which -b is ignored (an Ed25519 key is an equally good choice if you prefer it). Press Enter to use the default names id_rsa and id_rsa.pub before entering your passphrase. On Linux, these files will be saved in the /home/your_username/.ssh directory (on macOS, /Users/your_username/.ssh). On Windows, they will be saved in C:\Users\MyUserName\.ssh.
Earlier Windows Versions
This can be done using PuTTY as outlined in our guide: Use Public Key Authentication with SSH.
Upload the public key to your Compute Instance. Replace example_user with the name of the user you plan to administer the server as, and 192.0.2.1 with your instance’s IP address.
Linux
From your local computer:
ssh-copy-id example_user@192.0.2.1
macOS
On your Compute Instance (while signed in as your limited user):
mkdir -p ~/.ssh && chmod 700 ~/.ssh
From your local computer:
scp ~/.ssh/id_rsa.pub example_user@192.0.2.1:~/.ssh/authorized_keys
Note: ssh-copy-id is available in Homebrew if you prefer it over SCP. Install with brew install ssh-copy-id. Unlike ssh-copy-id, the scp command above replaces any authorized_keys file that already exists; if other keys are already installed, append to the file instead of overwriting it.
Windows 10 or 11
On your Compute Instance (while signed in as your limited user):
mkdir -p ~/.ssh && chmod 700 ~/.ssh
From your local computer:
scp C:\Users\MyUserName\.ssh\id_rsa.pub example_user@192.0.2.1:~/.ssh/authorized_keys
Earlier Windows Versions
Option 1: This can be done using WinSCP. In the login window, enter your Linode’s public IP address as the hostname, and your non-root username and password. Click Login to connect.
Once WinSCP has connected, you’ll see two main sections. The section on the left shows files on your local computer and the section on the right shows files on your Linode. Using the file explorer on the left, navigate to the file where you’ve saved your public key, select the public key file, and click Upload in the toolbar above.
You’ll be prompted to enter a path where you’d like to place the file on your Linode. Upload the file to /home/example_user/.ssh/authorized_keys, replacing example_user with your username.
Option 2: Copy the public key directly from the PuTTY key generator into the terminal emulator connected to your Linode (as a non-root user):
mkdir -p ~/.ssh; nano ~/.ssh/authorized_keys
The above command will open a blank file called authorized_keys in a text editor. Copy the public key into the text file, making sure it is copied as a single line exactly as it was generated by PuTTY. Press CTRL+X, then Y, then Enter to save the file.
Finally, you’ll want to set permissions for the public key directory and the key file itself:
chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys
These commands prevent other users from reading the key directory and the file itself. They are also required, not merely recommended: with its default StrictModes setting, sshd refuses to use an authorized_keys file, or a .ssh or home directory, that is writable by anyone other than its owner, and the key is then silently ignored. For more information on how this works, see our guide on how to modify file permissions.
Now exit and log back into your Compute Instance. If you specified a passphrase for your private key, you’ll need to enter it.
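The upload steps above, as an added shell example (not part of this guide’s original text): it installs a public key the way ssh-copy-id does, so running it twice never duplicates a key and never overwrites keys that are already there (the scp commands above replace the whole file), and it checks the permissions that sshd’s StrictModes setting requires. It assumes single-line OpenSSH public keys such as id_rsa.pub; the key strings in the demo are made-up placeholders, and the home directory is a scratch directory rather than a real user’s.

```shell
#!/bin/sh
# Added example, not from this guide: idempotent authorized_keys installation
# with the permissions sshd insists on. Sample keys below are invented strings.
set -eu

# add_authorized_key HOME_DIR PUBKEY_LINE
# Append PUBKEY_LINE to HOME_DIR/.ssh/authorized_keys unless already present;
# create the directory and file with 700 and 600 permissions on the way.
add_authorized_key() {
  local home pub dir ak
  home=$1; pub=$2
  dir=$home/.ssh; ak=$dir/authorized_keys
  mkdir -p "$dir"
  chmod 700 "$dir"
  [ -f "$ak" ] || : > "$ak"
  chmod 600 "$ak"
  grep -qxF -- "$pub" "$ak" && return 0   # already installed: nothing to do
  printf '%s\n' "$pub" >> "$ak"
}

# key_count HOME_DIR: number of keys installed (non-blank, non-comment lines).
key_count() {
  grep -Ecv '^[[:space:]]*(#|$)' "$1/.ssh/authorized_keys"
}

# strict_modes_ok HOME_DIR
# Succeed only when the home directory, .ssh and authorized_keys are not
# writable by group or others. With StrictModes yes (the default) sshd ignores
# the key file otherwise, which shows up as a silent fall-back to password
# login, or as a lockout once passwords are disabled.
strict_modes_ok() {
  local p gop
  for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
    gop=$(ls -ld "$p" | cut -c5-10)     # group and other permission characters
    case $gop in *w*) return 1 ;; esac
  done
  return 0
}

# Stand-alone demo in a scratch home. On a server you would pass
# /home/example_user and the contents of id_rsa.pub, running as that user.
demo_home=$(mktemp -d)
add_authorized_key "$demo_home" 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMadeUpKeyDataForTheDemoOnlyNotARealKey laptop'
add_authorized_key "$demo_home" 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMadeUpKeyDataForTheDemoOnlyNotARealKey laptop'
echo "keys installed: $(key_count "$demo_home")"     # 1, not 2
strict_modes_ok "$demo_home" && echo "permissions acceptable to sshd"
rm -rf "$demo_home"
```

If you run this as root on behalf of another user (for instance from Lish during lockout recovery), chown the .ssh directory and file to that user afterwards; StrictModes also rejects a key file the login user does not own.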
SSH Daemon Options
Open the SSH configuration file on your Compute Instance using a Linux text editor, such as nano or vim:
sudo nano /etc/ssh/sshd_config
Disallow root logins over SSH. This requires all SSH connections be by non-root users. Once a limited user account is connected, administrative privileges are accessible either by using sudo or changing to a root shell using su -.
File: /etc/ssh/sshd_config
# Authentication:
...
PermitRootLogin no
Disable SSH password authentication. This requires all users connecting via SSH to use key authentication. Depending on the Linux distribution, the line PasswordAuthentication may need to be added, or uncommented by removing the leading #.
File: /etc/ssh/sshd_config
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no
Note: You may want to leave password authentication enabled if you connect to your Linode from many different computers. This will allow you to authenticate with a password instead of generating and uploading a key-pair for every device. If you do disable it, first confirm from a second terminal that key login works, and keep your current session open until the new configuration has been tested.
Note: sshd uses the first value it finds for an option, and recent OpenSSH releases begin sshd_config with an Include of /etc/ssh/sshd_config.d/*.conf. Some cloud images place a drop-in there (Ubuntu’s 50-cloud-init.conf, for example) that may set PasswordAuthentication yes, which then overrides the line you edit further down. Check that directory for conflicting directives and correct or remove them.
Listen on only one internet protocol. The SSH daemon listens for incoming connections over both IPv4 and IPv6 by default. Unless you need to SSH into your Linode using both protocols, disable whichever you do not need. This does not disable the protocol system-wide, it is only for the SSH daemon. Depending on the Linux distribution, the line AddressFamily may need to be added, or uncommented by removing the leading #. Use the option:
- AddressFamily inet to listen only on IPv4.
- AddressFamily inet6 to listen only on IPv6.
File: /etc/ssh/sshd_config
# Port 22
AddressFamily inet
Restart the SSH service to load the new configuration. Restarting sshd does not disconnect sessions that are already established, so your current login survives the restart.
If you’re using a Linux distribution which uses systemd (CentOS 7, Debian 8, Fedora, Ubuntu 15.10+):
sudo systemctl restart sshd
If your init system is SystemV or Upstart (CentOS 6, Debian 7, Ubuntu 14.04):
sudo service sshd restart
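The sshd_config edits in this section, as an added shell example (not Linode’s tooling and not from the original text): it puts each directive where sshd will actually honour it, reports drop-ins under sshd_config.d that would otherwise win, and validates the file before restarting. It assumes the stock OpenSSH layout; the temporary paths used in the demo are hypothetical. It goes one step beyond the text by also turning off keyboard-interactive authentication, through which PAM can still present a password prompt after PasswordAuthentication is set to no.

```shell
#!/bin/sh
# Added example, not Linode's tooling: apply this section's sshd settings so
# that they are the directives sshd honours, then verify the way sshd reads.
# Assumes the stock OpenSSH layout (/etc/ssh/sshd_config, optional sshd_config.d).
set -eu

# effective_sshd_option FILE KEY
# Print the value sshd would use for KEY, following its rules: the first
# active directive wins, Include'd files are read where the Include appears
# (so a drop-in can pre-empt a line further down), and directives after a
# Match block are conditional, so this stops there. Exit 1 if not found.
effective_sshd_option() {
  local file want line k inc v
  file=$1
  want=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  while IFS= read -r line || [ -n "$line" ]; do
    set -- $line                    # split on whitespace; expands Include globs
    [ $# -ge 1 ] || continue
    case $1 in '#'*) continue ;; esac
    k=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    shift
    case $k in
      match) return 1 ;;
      include)
        for inc in "$@"; do
          [ -f "$inc" ] || continue
          if v=$(effective_sshd_option "$inc" "$want"); then
            printf '%s\n' "$v"; return 0
          fi
        done ;;
      "$want") printf '%s\n' "${1:-}"; return 0 ;;
    esac
  done < "$file"
  return 1
}

# set_sshd_option FILE KEY VALUE
# Comment out existing KEY lines in the global section of FILE and put
# "KEY VALUE" on the first line, ahead of any Include, so it is the first match.
# Lines inside Match blocks are left alone because they apply conditionally.
set_sshd_option() {
  local file key value tmp
  file=$1; key=$2; value=$3
  tmp=$(mktemp)
  awk -v k="$key" -v v="$value" '
    BEGIN { print k " " v; inmatch = 0 }
    tolower($1) == "match" { inmatch = 1 }
    !inmatch && tolower($1) == tolower(k) { print "#" $0; next }
    { print }
  ' "$file" > "$tmp"
  cat "$tmp" > "$file"            # keep the original file's owner and mode
  rm -f "$tmp"
}

# conflicting_dropins DIR KEY VALUE
# List drop-ins under DIR whose first KEY directive is not VALUE.
conflicting_dropins() {
  local dir key value f v
  dir=$1; key=$2; value=$3
  for f in "$dir"/*.conf; do
    [ -f "$f" ] || continue
    if v=$(effective_sshd_option "$f" "$key") && [ "$v" != "$value" ]; then
      printf '%s\n' "$f"
    fi
  done
}

# harden_sshd_config [FILE]
# The two settings from this section, plus keyboard-interactive, through which
# PAM can still show a password prompt once PasswordAuthentication is off.
harden_sshd_config() {
  local file
  file=${1:-/etc/ssh/sshd_config}
  set_sshd_option "$file" PermitRootLogin no
  set_sshd_option "$file" PasswordAuthentication no
  set_sshd_option "$file" KbdInteractiveAuthentication no
}

# apply_sshd_hardening: run as root on the server. Keeps a backup, refuses to
# restart on a syntax error, and warns about drop-ins that still allow
# passwords. Restarting sshd does not drop the session you are in.
apply_sshd_hardening() {
  local cfg
  cfg=/etc/ssh/sshd_config
  cp -p "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)"
  harden_sshd_config "$cfg"
  conflicting_dropins /etc/ssh/sshd_config.d PasswordAuthentication no |
    sed 's/^/WARNING: drop-in still allows passwords: /'
  sshd -t -f "$cfg"               # non-zero exit aborts here under set -e
  systemctl restart sshd 2>/dev/null || systemctl restart ssh
  echo "sshd restarted; confirm a fresh key login before closing this session"
}
```

Run apply_sshd_hardening from a session you keep open, then log in from a second terminal; if that second login fails, the still-open session lets you restore the backup without going through Lish.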
Use Fail2Ban for SSH Login Protection
Fail2Ban is an application that bans IP addresses from logging into your server after too many failed login attempts. Since legitimate logins usually take no more than three tries to succeed (and with SSH keys, no more than one), a server being spammed with unsuccessful logins indicates attempted malicious access.
Fail2Ban can monitor a variety of protocols including SSH, HTTP, and SMTP. By default, Fail2Ban monitors SSH only, and is a helpful security deterrent for any server since the SSH daemon is usually configured to run constantly and listen for connections from any remote IP address.
For complete instructions on installing and configuring Fail2Ban, see our guide: A Tutorial for Using Fail2ban to Secure Your Server.
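What Fail2Ban does for its sshd jail, as an added shell example (not part of Fail2Ban or of this guide): it counts failed password attempts and invalid-user probes per source address in the log format sshd writes, so you can see the same signal by hand before or without installing Fail2Ban. The log lines are constructed for the example, using documentation address ranges and the hostname from earlier in this guide; on a real server point it at /var/log/auth.log (Debian and Ubuntu), /var/log/secure (RHEL family) or the output of journalctl -u ssh.

```shell
#!/bin/sh
# Added example, not part of Fail2Ban or this guide: per-address counting of
# sshd authentication failures, the decision Fail2Ban's sshd jail automates.
set -eu

# failed_login_sources LOGFILE THRESHOLD
# Print "address count" for every source with at least THRESHOLD failed
# password attempts or invalid-user probes, busiest first. Both message forms
# carry the peer address as the word after "from", which is what is counted.
failed_login_sources() {
  awk -v thr="$2" '
    /sshd\[[0-9]+\]: (Failed password for|Invalid user) / {
      for (i = 1; i <= NF; i++) if ($i == "from") { hits[$(i + 1)]++; break }
    }
    END { for (ip in hits) if (hits[ip] >= thr) print ip, hits[ip] }
  ' "$1" | sort -k2,2nr -k1,1
}

# write_sample_log FILE
# Constructed sample in the syslog format sshd emits: one scanning host
# hammering root and guessed usernames, and one legitimate user who mistyped
# a password once and then logged in with a key.
write_sample_log() {
  cat > "$1" <<'EOF'
Mar  3 10:14:02 web-01-prod sshd[1182]: Failed password for invalid user admin from 198.51.100.23 port 41822 ssh2
Mar  3 10:14:05 web-01-prod sshd[1182]: Failed password for invalid user admin from 198.51.100.23 port 41822 ssh2
Mar  3 10:14:09 web-01-prod sshd[1190]: Invalid user oracle from 198.51.100.23 port 41900
Mar  3 10:14:12 web-01-prod sshd[1190]: Failed password for invalid user oracle from 198.51.100.23 port 41900 ssh2
Mar  3 10:15:01 web-01-prod sshd[1203]: Failed password for root from 198.51.100.23 port 42010 ssh2
Mar  3 10:16:30 web-01-prod sshd[1210]: Failed password for example_user from 203.0.113.8 port 50122 ssh2
Mar  3 10:16:41 web-01-prod sshd[1210]: Accepted publickey for example_user from 203.0.113.8 port 50122 ssh2: ED25519 SHA256:constructedfingerprint
EOF
}

# Stand-alone demo: a threshold of 3 flags only the scanning host.
demo_log=$(mktemp)
write_sample_log "$demo_log"
failed_login_sources "$demo_log" 3      # prints: 198.51.100.23 5
rm -f "$demo_log"
```

The threshold here plays the role of maxretry in Fail2Ban’s [sshd] jail; Fail2Ban additionally limits the count to a time window (findtime) and expires bans (bantime), which a one-off pass over the log does not.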
Configure a Firewall
NoteLinode’s free Cloud Firewall service can be used to replace or supplement internal firewall configuration. For more information on Cloud Firewalls, see our Getting Started with Cloud Firewalls guide. For help with solving general firewall issues, see the Troubleshooting Firewalls guide.
Using a firewall to block unwanted inbound traffic to your Linode provides a highly effective security layer. By being very specific about the traffic you allow in, you can prevent intrusions and network mapping. A best practice is to allow only the traffic you need, and deny everything else. See our documentation on some of the most common firewall applications:
Iptables is the traditional controller for netfilter, the Linux kernel’s packet filtering framework; it is included in most Linux distributions by default, though many now ship nftables alongside or in place of it.
FirewallD is the firewall manager for the CentOS / Fedora family of distributions; it writes the underlying iptables or nftables rules for you.
UFW provides an iptables frontend for Debian and Ubuntu.
Common Lockout Recovery Steps
If for whatever reason you find yourself locked out of your Linode after putting your security controls into place, there are still a number of ways that you can regain access to your Linode.
Access your Linode through our out-of-band Lish console to regain access to the internals of your Linode without relying on SSH. Lish presents the system’s local console login, so you will need the root password set when the instance was deployed or your limited user’s password; the SSH settings below do not apply to it.
If you need to re-enable password authentication and/or root login over SSH to your Linode, you can do this by reversing the following sections of this file:
File: /etc/ssh/sshd_config
# Authentication:
...
PermitRootLogin yes
...
PasswordAuthentication yes
From there, you just need to restart SSH.
If you’re using a Linux distribution which uses systemd (CentOS 7, Debian 8, Fedora, Ubuntu 15.10+):
sudo systemctl restart sshd
If your init system is SystemV or Upstart (CentOS 6, Debian 7, Ubuntu 14.04):
sudo service sshd restart
If you need to remove your public key from your Linode, you can enter the following command:
rm ~/.ssh/authorized_keys
You can then replace your key by re-following the Create an Authentication Key-pair section of this guide.
Next Steps
These are the most basic steps to harden any Linux server, but further security layers will depend on its intended use. Additional techniques can include application configurations, using intrusion detection, installing a form of access control, fine tuning sudo access, removing exposed services, and more.
Now you can begin setting up your Linode for any purpose you choose. We have a library of documentation to assist you with a variety of topics ranging from migration from shared hosting to enabling two-factor authentication to hosting a website.