One of the best practices to secure a Linux cloud server is to avoid using the root account for day-to-day operations. If you’ve just created a new server in AWS or on another cloud platform, you’ll need to create a new username and avoid connecting to the server using the root account.

Let’s do this step by step.

Assume you’ve just created a new Linux server. This guide is based on Debian or Ubuntu systems. However, for other distributions, most of the commands will be more or less the same.

Step 1: Check the current users

Connect to the server using SSH:

$ ssh root@<ip_address>

To determine which users are members of the root and sudo groups, inspect the /etc/group file:

# cat /etc/group | grep "sudo\|root"

After executing the above command, you might see an output similar to:

root:x:0:
sudo:x:27:

This output indicates that there are currently no users assigned to the sudo or root groups.

You can check which users have SSH login capabilities by examining the /etc/passwd file.

# cat /etc/passwd | grep /bin/

Executing this command may produce an output like:

root:xxxxxxxxxxxxxx:/bin/bash
sync:xxxxxxxxxxxxxx:/bin/sync
admin:xxxxxxxxxxxx:/bin/bash

This indicates that the users root, sync, and ubuntu have access to commands like bash or sync.

To remove all users except root:

# userdel -r admin
# userdel -r sync

The -r flag deletes the user along with their home directory. While it’s not strictly necessary to remove the sync user, we will.

Step 2: Add a New User

Let’s proceed to add a new user and grant it sudo execution privileges.

First, ensure that sudo is installed:

# apt update
# apt install sudo

Now, create a new user named pactus (feel free to choose a different name):

# adduser pactus

Then, add this user to the sudo group:

# adduser pactus sudo

To confirm everything is set up correctly, use the id command:

# id pactus

Running # cat /etc/group | grep "sudo\|root" again should now display the new user as a member of the sudo group.

Step 3: Enable SSH Login for New User

Now, we’ll set up the server to allow connections from the new user.

First, switch the security context to the new account to ensure new folders and files have the appropriate permissions:

# su - pactus

Create the ~/.ssh directory:

$ mkdir ~/.ssh
$ chmod 700 ~/.ssh

Currently, we are logged into the server using the root account. The public key for SSH access is stored in the /root/.ssh/authorized_keys file. We will copy this file to ~/.ssh/authorized_keys, change its ownership to the new user, and then delete the original file. This will prevent SSH login as root.

$ sudo cp /root/.ssh/authorized_keys ~/.ssh
$ sudo chown pactus:pactus ~/.ssh/authorized_keys
$ sudo rm /root/.ssh/authorized_keys

Now, let’s ensure that the new user can use SSH to connect to the server. Open a new terminal on your local machine and run:

$ ssh pactus@<ip address>

Step 4: Disable SSH login for root

At this point, we can disable SSH remote login for the root account.

Open sshd_config:

$ sudo vim /etc/ssh/sshd_config

Search for the authentication options and modify the root login permission by setting it to ‘no’ as shown below:

PermitRootLogin no

Also, ensure that SSH password login is disabled:

PasswordAuthentication no

After making these changes, restart the sshd service:

$ sudo systemctl restart sshd

You will no longer be able to log in using the root account.

Next step, lock the root account:

sudo passwd --delete --lock root

This command delete the root password and lock it. You can test if the root is locked:

su -

Reerences:

Secure Secure Shell