This article covers a version of Ubuntu that is no longer supported. If you are currently operating a server running Ubuntu 12.04, we highly recommend upgrading or migrating to a supported version of Ubuntu.
Reason: Ubuntu 12.04 reached end of life (EOL) on April 28, 2017 and no longer receives security patches or updates. This guide is no longer maintained.
This guide might still be useful as a reference, but may not work on other Ubuntu releases. If available, we strongly recommend using a guide written for the version of Ubuntu you are using. You can use the search functionality at the top of the page to find a more recent version.
The lines that the user needs to enter or customize will be in red in this tutorial! The rest should mostly be copy-and-pastable.
When you first begin to access your fresh new server, there are a few early steps you should take to make it more secure. Some of the first tasks required on a virtual private server can include setting up a new user, providing them with the proper privileges, and configuring SSH.
Once you know your IP address and root password, login as the main user, root.
It is not encouraged to use root on a VPS on a regular basis, and this tutorial will help you set up an alternative user to login with permanently.
ssh root@123.45.67.890
The terminal will show:
The authenticity of host '69.55.55.20 (69.55.55.20)' can't be established.
ECDSA key fingerprint is 79:95:46:1a:ab:37:11:8e:86:54:36:38:bb:3c:fa:c0.
Are you sure you want to continue connecting (yes/no)?
Go ahead and type yes, and then enter your root password.
Currently your root password is the default one that was sent to you when you registered your droplet. The first thing to do is change it to one of your choice.
passwd
After you have logged in and changed your password, you will not need to login again as root. In this step we will make a new user and give them all of the root capabilities.
You can choose any name for your user. Here I’ve suggested Demo.
adduser demo
After you set the password, you do not need to enter any further information about the new user. You can leave all the lines blank if you wish.
As of yet, only root has all of the administrative capabilities. We are going to give the new user the root privileges.
When you perform any root tasks with the new user, you will need to use the phrase “sudo” before the command. This is a helpful command for 2 reasons: 1) it prevents the user from making any system-destroying mistakes; 2) it stores all the commands run with sudo in the file ‘/var/log/secure’, which can be reviewed later if needed.
Let’s go ahead and edit the sudo configuration. This can be done through the default editor, which in Ubuntu is called ‘nano’.
visudo
Find the section called user privilege specification. It will look like this:
# User privilege specification
root ALL=(ALL:ALL) ALL
Under there, add the following line, granting all the permissions to your new user:
demo ALL=(ALL:ALL) ALL
Press Ctrl+X to exit the file.
Press Y to save; press enter, and the file will save in the proper place.
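The review of sudo activity mentioned above can be scripted. This added example (not part of the original tutorial) pulls the user, target account and command out of sudo's syslog records and marks the requests sudo refused; the function name and log lines are constructed, and the log path is an argument because the file differs between systems.

```shell
#!/bin/sh
# Added example: list sudo activity recorded in an auth log.
# Assumption: sudo logs through syslog in its default record layout; the file
# those records land in differs between systems, so the path is an argument.

sudo_events() {  # sudo_events LOGFILE -> STATUS<TAB>user<TAB>run-as<TAB>command
    awk '
        !match($0, / sudo(\[[0-9]+\])?: +/) { next }     # not a sudo record
        {
            rec = substr($0, RSTART + RLENGTH)           # drop timestamp, host, tag
            i = index(rec, " : "); c = index(rec, "COMMAND=")
            if (i == 0 || c < i) next                    # e.g. PAM session lines
            user = substr(rec, 1, i - 1)
            n = split(substr(rec, i + 3, c - i - 3), seg, " ; ")
            reason = ""; runas = ""
            for (k = 1; k <= n; k++) {
                if (seg[k] ~ /^USER=/) runas = substr(seg[k], 6)
                else if (seg[k] != "" && seg[k] !~ /^[A-Z]+=/) reason = seg[k]
            }
            # sudo writes a free-text reason only when it refuses the request
            printf "%s\t%s\t%s\t%s\n", (reason == "" ? "ALLOWED" : "DENIED"), user, runas, substr(rec, c + 8)
        }
    ' "$1"
}

log=$(mktemp)    # the records below are constructed for this example
cat > "$log" <<'EOF'
Mar  3 10:15:02 web1 sudo:     demo : TTY=pts/0 ; PWD=/home/demo ; USER=root ; COMMAND=/usr/sbin/visudo
Mar  3 10:15:02 web1 sudo: pam_unix(sudo:session): session opened for user root by demo(uid=0)
Mar  3 10:20:11 web1 sudo:    guest : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/guest ; USER=root ; COMMAND=/usr/bin/apt-get update
Mar  3 10:21:00 web1 sshd[1201]: Accepted password for demo from 203.0.113.5 port 51515 ssh2
EOF
sudo_events "$log"
rm -f "$log"
```

A DENIED row for an account that should have sudo rights usually means the sudoers line or group membership was not applied.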
Now it’s time to make the server more secure. These steps are optional. Please keep in mind that changing the port and restricting root login may make logging in more difficult in the future. If you misplace this information, it could be nearly impossible to log in.
Open the configuration file:
nano /etc/ssh/sshd_config
Find the following sections and change the information where applicable:
Port 25000
Protocol 2
PermitRootLogin no
We’ll take these one by one.
Port: Although port 22 is the default, you can change this to any number between 1025 and 65536. In this example, I am using port 25000. Make sure you make a note of the new port number. You will need it to log in in the future. This change will make it more difficult for unauthorized people to log in.
PermitRootLogin: change this from yes to no to stop future root login. You will now only be logging on as the new user.
Add these lines to the bottom of the document, replacing demo in the AllowUsers line with your username. (AllowUsers will limit login to only the users on that line. To avoid this, skip this line):
UseDNS no
AllowUsers demo
Save and Exit
Reload SSH, and it will implement the new ports and settings.
reload ssh
To test the new settings (don’t logout of root yet), open a new terminal window and login as your new user.
Don’t forget to include the new port number.
ssh -p 25000 demo@123.45.67.890
Your prompt should now say:
[demo@yourname ~]$
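Before reloading SSH it is worth checking that the edited file will still let you in. This added example (not from the original tutorial) audits the directives set above; the function names and the sample file are constructed for illustration, and it assumes plain user names in AllowUsers and reads only the part of the file before any Match block.

```shell
#!/bin/sh
# Added example: audit the sshd_config directives this tutorial sets, before reloading.
# Assumes "Keyword value" lines, plain user names in AllowUsers (no patterns),
# and reads only the global section (stops at the first Match block).

values() {  # values FILE KEYWORD -> each uncommented value, one per line
    awk -v key="$2" '
        NF == 0 || $1 ~ /^#/        { next }
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print }
    ' "$1"
}

audit_sshd_config() {  # audit_sshd_config FILE LOGIN_USER -> 0 only if all checks pass
    cfg=$1; user=$2; rc=0
    for p in $(values "$cfg" Port); do      # every Port line adds a listener
        case $p in
            *[!0-9]*) echo "FAIL: Port '$p' is not a number"; rc=1 ;;
            *) { [ "$p" -ge 1 ] && [ "$p" -le 65535 ]; } ||
                   { echo "FAIL: Port $p is outside 1-65535"; rc=1; } ;;
        esac
    done
    # sshd uses the first value it reads; a line appended later does not override it.
    root=$(values "$cfg" PermitRootLogin | head -n 1)
    [ "$root" = no ] || { echo "FAIL: effective PermitRootLogin is '${root:-unset}'"; rc=1; }
    # AllowUsers lines accumulate; once one exists, unlisted users are refused.
    allow=$(values "$cfg" AllowUsers | tr '\n' ' ')
    case " $allow" in
        " ") ;;                             # no AllowUsers line: nobody is filtered out
        *" $user "*) ;;
        *) echo "FAIL: AllowUsers ($allow) does not list '$user'"; rc=1 ;;
    esac
    return $rc
}

sample=$(mktemp)                            # constructed sample, not a real server's file
cat > "$sample" <<'EOF'
Port 25000
Protocol 2
PermitRootLogin yes
UseDNS no
AllowUsers demo
PermitRootLogin no
EOF
audit_sshd_config "$sample" alice || echo "Do not reload ssh until the failures are fixed"
rm -f "$sample"
```

Run it with the account you will log in as; the constructed sample fails twice, once for the appended PermitRootLogin line that never takes effect and once for an AllowUsers line that still names demo.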
As you start securing your droplet with SSH, you can continue to improve its security by installing programs, such as Fail2Ban or Deny Hosts, to protect against brute force attacks on the server. You can also find the tutorial to install the LAMP stack on the server here or the LEMP stack here.
After setting roots privileges to my user I still can’t run sudo (not allowed)
Me too. So what did you do?
on ubuntu it isn’t /usr/sbin/visudo it’s /etc/sudoers
no, it is the command
sudo visudo
Did you find the answer?
The visudo command is the correct way to edit that file. As explained on the man page: “visudo locks the sudoers file against multiple simultaneous edits, provides basic sanity checks, and checks for parse errors.”
Thank you, I’m a newbie and this is my first time trying a VPS. Thank you for your tutorial.
Awesome! I’m glad to hear it! Please let me know if there are any other topics you would like to see in our community =]
Hello,
After following the steps, I’m in the final step of checking if I can connect with the newly created user but I’m getting an error saying “connection refused”.
Great intro. You should also mention the steps to add swap storage, as explained elsewhere on your site: https://www.digitalocean.com/community/articles/how-to-add-swap-on-ubuntu-12-04
Disregard previous message. Thanks
Thanks, it worked fine!!
Hi, after logging in as root and updating visudo for a new user, I logged out of root, logged in as the new user and ran the visudo command again, but visudo says: /etc/sudoers: Permission denied. Any idea why the new user doesn’t have root permission?
I tested with Ubuntu; if I run #groups newuser, I get newuser root sudo, but it doesn’t allow me to run the visudo command.
This is because you are trying to run visudo as your regular user instead of as root.
To access visudo without getting the “Permission denied” result, be sure to switch to the root user:
“sudo bash”
and then you can run visudo without issue.
Hello everyone, I am a beginner. I want to know which type and version of Ubuntu I need to install Ruby 1.9.3: Server Ubuntu 12.04 LTS or Desktop Ubuntu 12.04 LTS? Thanks in advance.
You can install ruby on either one; you can find a tutorial here on how to install it on Server Ubuntu 12.04: https://www.digitalocean.com/community/articles/how-to-install-ruby-on-rails-on-ubuntu-12-04-lts-precise-pangolin-with-rvm
Followed to a tee and would not work. I’m on a windows machine using putty
Let us know which part is failing or what error messages you are seeing so we can help you troubleshoot.
Sorry, I’m just a dork LOL
I forgot to change this in the last step to my username instead of demo!;-)
UseDNS no
AllowUsers demo <<<<< don’t forget to change this to your new username - LOL
Awesome, glad that you got it working, we’ll see if we can update the article to make that particular item a bit more clear for the future =]
It’s way more clever to hand out root permissions on a group level.
usermod -g sudo -A <username>
as root to add your user to the sudo group.
Add the sudo group to the sudoers file if it is not already in there:
%sudo ALL=(ALL:ALL) ALL
Uber great tutorial 4 a person like me! I’m a software developer. Thanks!
For Centos I had to run:
/etc/rc.d/init.d/sshd reload
to load in the new configuration for ssh
Thank you for your great tutorial.
Here is a comprehensive tutorial using Ubuntu 12.04: http://www.carlwesterby.com/index.php/web-server-from-old-desktop/
After setting root’s privileges for my user I still can’t run sudo. The message is: sudo: must be setuid root
After setting root’s privileges for my user I still can’t run sudo. The message is: sudo: must be setuid root. What can I do???
Can you paste your output for /etc/sudoers so we can review that.
Rather than editing the sudo config, I used the command usermod -g sudo <userid>. That seems to have worked just fine.
It looks like there is also an “admin” group in the sudo config, which I think would help in getting easy access to some of the log files. I can’t seem to use usermod to add my user to that group though; it gets a “usermod: group ‘admin’ does not exist” error. Is this expected?
This is great! Up and running in no time at all. Thank you :)
I had to run ‘sudo /etc/init.d/ssh restart’ for the restart to work for some reason.
worked great!
I’d like to propose a change to this, particularly involving “PermitRootLogin” in sshd_config. I think that, instead of no, it should be change to “without-password”, so that users can still login with an SSH key.
After doing this I am unable to modify any files over FTP with the user I created. Any ideas?
Jason Kurtz: No, the tutorial shouldn’t be changed. It’s bad practice to login as root, no matter if it’s with keys or not.
Thank you, thank you. Excellent tutorial. I’m not a Linux hack, though I have set up two Ubuntu systems on converted PCs. So for my first droplet I selected the Application, Beta LAMP on Ubuntu 12.04 and then followed this tutorial. Fantastic. The only issue was that I tried something slightly different with the “sshd_config” Port - which didn’t work, and then modified it back to the recommended “Port 25000”, but then “reload ssh” wouldn’t run. After poking around - “cat /var/run/sshd.pid” seemed to show it wasn’t updated. Also, Ubuntu manual https://help.ubuntu.com/community/SSH/OpenSSH/Configuring recommends a backup copy of sshd_config with
Since kernels you install to /boot aren’t used, it’s important to do “uname -a”, find the kernel version DigitalOcean picks for you, such as “3.2.0-23-virtual”, and install that and only that kernel specifically such as “linux-image-3.2.0-23-virtual” and eliminate all the other linux image choices you may have made. Never pick “linux-image-virtual” which gives you the latest.
I accidentally did that, and after installing the latest kernel 3.2.0-38, iptables stopped working. There are problems making Ubuntu think you are on a more recent kernel then upon reboot you actually aren’t. Things can stop working as I found out the hard way.
I was getting “user is not allowed to run sudo on localhost” until I added my new user to the sudo group via: sudo usermod -aG sudo <username>
Correction: sudo usermod -aG sudo <username>
Following from some of the earlier comments, usermod -a -G sudo <USERNAME> will add an existing user to the sudo group.
Instead of reload ssh, use the following command: service ssh restart
Is there a tutorial for doing this using a Puppet script so it can easily be wiped and setup all automatically again from scratch in a much smaller time?
“apt-get install build-essential” should be added to the end of this article. This prevents errors when the package needs to use the “make/build” tools.
When I try to open the ssh file using the command: nano /etc/ssh/sshd_config it opens a new blank file. Don’t know what I am doing wrong.
Fixed it, thanks
You should add
sudo nano /etc/hosts add “YOURIP YOURHOSTNAME”
Hi,
I’ve created a video in case anyone is interested.
http://www.pauljennings.co.uk/?p=44
Cheers!
simple, brilliant and effective tutorial. Well done.
@Sean: Awesome! Glad to hear that! :]
From http://serverfault.com/questions/189282/why-change-default-ssh-port
“Whatever port you chose, if you do move away from 22, make sure it is below 1024. Under most Unix-a-like setups in their default config, only root (or users in the root group) can listen on ports below 1024, but any user can listen on the higher ports. Running SSH on a higher port increases the chance of a rogue (or hacked) user managing to crash your SSH daemon and replace it with their own or a proxy.”
Does that apply to ubuntu?
@flexcode it applies to all Unix-like systems including Linux (which means it does apply to Ubuntu).
Is it important to set a hostname? If I have a multisite host, which name do I have to use? Any name?