Managing users on Ubuntu 18.04

When you initially set up your server, you will only have root access. For security purposes, logging directly into your server as root should be disabled. Since root login will be disabled, this article goes over how to disable root access and create new users so that you can still access your server.

 

Prerequisites:

  •  Ubuntu server
  •  Root access

 

First, you need to disable root login access. You want to disable this access to prevent any malicious actors from brute-forcing the password and thus gaining root access to your server. With root access, hackers will be able to do all kinds of nasty things that may run up the CPU usage, which will cost you a lot of money. 

sudo passwd -l root

 

Now that root login is disabled, when you want to log into the server you will do so as a user (that we will create next), then sudo up to the root user when you need root access. 

sudo adduser username

 

When you need to switch to the root user you can run the following command. 

sudo -i

 

Deleting users is done with the following command. 

sudo deluser username

Note: this command does not remove the user's home folder, so you will also need to delete the home folder for that user.

 

You can create a group by running this command. 

sudo addgroup groupname

 

To delete a group run the following command. 

sudo delgroup groupname

 

When you create a group and you want to add users to that group you can run this command. 

sudo adduser username groupname

 

We have gone over how to disable root login access, create and delete users, create and delete groups, and add users to those groups.

Managing users on Ubuntu 16.04

When you initially set up your server, you will only have root access. For security purposes, logging directly into your server as root should be disabled. Since root login will be disabled, this article goes over how to disable root access and create new users so that you can still access your server.

 

Prerequisites:

  •  Ubuntu server
  •  Root access

 

First, you need to disable root login access. You want to disable this access to prevent any malicious actors from brute-forcing the password and thus gaining root access to your server. With root access, hackers will be able to do all kinds of nasty things that may run up the CPU usage, which will cost you a lot of money. 

sudo passwd -l root

 

Now that root login is disabled, when you want to log into the server you will do so as a user (that we will create next), then sudo up to the root user when you need root access. 

sudo adduser username

 

When you need to switch to the root user you can run the following command. 

sudo -i

 

Deleting users is done with the following command. 

sudo deluser username

Note: this command does not remove the user's home folder, so you will also need to delete the home folder for that user.

 

You can create a group by running this command. 

sudo addgroup groupname

 

To delete a group run the following command. 

sudo delgroup groupname

 

When you create a group and you want to add users to that group you can run this command. 

sudo adduser username groupname

 

We have gone over how to disable root login access, create and delete users, create and delete groups, and add users to those groups.

Managing users on Debian 8

When you initially set up your server, you will only have root access. For security purposes, logging directly into your server as root should be disabled. Since root login will be disabled, this article goes over how to disable root access and create new users so that you can still access your server.

 

Prerequisites:

  •  Debian server
  •  Root access

 

First, you need to disable root login access. You want to disable this access to prevent any malicious actors from brute-forcing the password and thus gaining root access to your server. With root access, hackers will be able to do all kinds of nasty things that may run up the CPU usage, which will cost you a lot of money. Use the text editor of your choice to edit the file /etc/ssh/sshd_config, and update the PermitRootLogin line so that it matches the following.

PermitRootLogin no

 

Next, let’s add a new user. 

sudo adduser username

 

To delete a user, run the following line.

sudo deluser username

 

When adding a new user you will need to grant root privileges to the user, which will allow them to run commands with root permissions. 

sudo usermod -aG sudo username

 

To create or delete a group, use the following lines.

sudo groupadd groupname

sudo groupdel groupname

 

We have gone over how to disable root login access, create and delete users, create and delete groups, and add users to those groups.

Managing users on Fedora 28

When you initially set up your server, you will only have root access. For security purposes, logging directly into your server as root should be disabled. Since root login will be disabled, this article goes over how to disable root access and create new users so that you can still access your server.

 

Prerequisites:

  •  Fedora server
  •  Root access

 

First, you need to disable root login access. You want to disable this access to prevent any malicious actors from brute-forcing the password and thus gaining root access to your server. With root access, hackers will be able to do all kinds of nasty things that may run up the CPU usage, which will cost you a lot of money. Use the text editor of your choice to edit the file /etc/ssh/sshd_config, and update the PermitRootLogin line so that it matches the following.

PermitRootLogin no
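An added example (not part of the original article) for checking the sshd_config edit described in the Debian 8 and Fedora 28 sections: sshd keeps the first value it reads for a keyword, so appending PermitRootLogin no below an existing PermitRootLogin yes has no effect. The function names and the sample configuration are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original article. Sample config is constructed.

# effective_permit_root_login FILE
# Prints the value sshd would use from FILE's global section, lowercased, or
# "unset" if the keyword never appears there. For each keyword sshd keeps the
# FIRST value it reads, so a later "PermitRootLogin no" does not override an
# earlier "PermitRootLogin yes". Include files are not followed.
effective_permit_root_login() {
    awk '
        { sub(/#.*/, ""); sub(/[ \t]*=[ \t]*/, " ") }  # drop comments, allow key=value
        tolower($1) == "match" { exit }                # later lines are conditional
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# root_ssh_disabled FILE: succeeds only when the effective value is exactly "no".
root_ssh_disabled() {
    [ "$(effective_permit_root_login "$1")" = "no" ]
}

# Constructed demo: the appended "no" is shadowed by the earlier "yes".
demo=$(mktemp)
printf '%s\n' '#PermitRootLogin prohibit-password' 'PermitRootLogin yes' \
              'PasswordAuthentication yes' 'PermitRootLogin no' > "$demo"
echo "effective PermitRootLogin: $(effective_permit_root_login "$demo")"
root_ssh_disabled "$demo" || echo "root SSH login is still allowed"
rm -f "$demo"
```

On a live host, sshd -T (run as root) prints the configuration sshd actually resolves, and sshd -t validates the file before you restart the service.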

 

Next, let’s add a new user. 

sudo adduser username

 

To delete a user, run the following line.

sudo userdel username

 

When adding a new user you will need to grant root privileges to the user, which will allow them to run commands with root permissions. 

sudo usermod -aG wheel username

 

To create or delete a group, use the following lines.

sudo groupadd groupname

sudo groupdel groupname

 

We have gone over how to disable root login access, create and delete users, create and delete groups, and add users to those groups.

Managing users on CentOS 6

When you initially set up your server, you will only have root access. For security purposes, logging directly into your server as root should be disabled. Since root login will be disabled, this article goes over how to disable root access and create new users so that you can still access your server.

 

Prerequisites:

  •  CentOS server
  •  Root access

 

First, you need to disable root login access. You want to disable this access to prevent any malicious actors from brute-forcing the password and thus gaining root access to your server. With root access, hackers will be able to do all kinds of nasty things that may run up the CPU usage, which will cost you a lot of money. 

 

Using the text editor of your choice, edit the /etc/passwd file and set the root account’s shell to /sbin/nologin.
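An added example (not part of the original article) that verifies the two account-level methods used on this page: the password lock applied by passwd -l root in the Ubuntu sections and the /sbin/nologin shell set here. It also lists every UID 0 account, since a second one is unaffected by either change, and note that a locked password does not stop key-based SSH login as root, which PermitRootLogin controls. Function names and sample files are constructed; reading the real /etc/shadow requires root.

```sh
#!/bin/sh
# Added example, not from the original article. Sample files are constructed.
# passwd/shadow-format files are passed as arguments so copies can be checked.

# root_pw_state SHADOW_FILE: locked | unusable | empty | set | missing
root_pw_state() {
    awk -F: '$1 == "root" {
        found = 1
        if      ($2 == "")   print "empty"     # no password needed: worst case
        else if ($2 ~ /^!/)  print "locked"    # passwd -l prefixes the hash with "!"
        else if ($2 ~ /^\*/) print "unusable"  # no valid hash was ever set
        else                 print "set"
        exit
    }
    END { if (!found) print "missing" }' "$1"
}

# root_shell PASSWD_FILE: login shell from field 7 of root's entry
root_shell() { awk -F: '$1 == "root" { print $7; exit }' "$1"; }

# uid0_accounts PASSWD_FILE: comma-separated names of every account with UID 0
uid0_accounts() {
    awk -F: '$3 == 0 { printf "%s%s", sep, $1; sep = "," } END { print "" }' "$1"
}

# audit_root PASSWD_FILE SHADOW_FILE: prints findings, fails if any check fails
audit_root() {
    rc=0
    case "$(root_pw_state "$2")" in
        locked|unusable) echo "ok: root has no usable password" ;;
        *) echo "FAIL: root password is $(root_pw_state "$2")"; rc=1 ;;
    esac
    [ "$(uid0_accounts "$1")" = "root" ] ||
        { echo "FAIL: UID 0 accounts: $(uid0_accounts "$1")"; rc=1; }
    echo "info: root shell is $(root_shell "$1")"
    return "$rc"
}

# Constructed demo: root is locked, but a second UID 0 account still has a hash.
d=$(mktemp -d)
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
              'toor:x:0:0::/root:/bin/sh' > "$d/passwd"
printf '%s\n' 'root:!$6$constructedsalt$constructedhash:17800:0:99999:7:::' \
              'toor:$6$constructedsalt$constructedhash:17800:0:99999:7:::' > "$d/shadow"
audit_root "$d/passwd" "$d/shadow" || echo "root-level login is not fully disabled"
rm -rf "$d"
```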

 

Next, let’s add a user using the following command. 

sudo adduser username

 

Add a password for the user you created. 

passwd username

 

Delete a user using the following command. 

 

userdel username

 

When you create a new user on your server, that user will need to have root privileges granted to them. This will allow them to run commands with root permissions. 

sudo gpasswd -a username wheel
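An added example (not part of the original article) for reviewing who holds the root privileges granted in the Debian, Fedora and CentOS sections: it lists the members of an admin group such as wheel (or sudo on Debian and Ubuntu), flags anyone not on an allowlist, and checks that sudoers has an active rule for the group, since membership alone grants nothing without one. Function names, the allowlist and the sample files are constructed.

```sh
#!/bin/sh
# Added example, not from the original article. Sample files are constructed.

# group_members GROUP_FILE PASSWD_FILE GROUP
# One name per line, sorted: supplementary members listed in the group file
# plus accounts whose primary GID (passwd field 4) is that group's GID.
group_members() {
    gid=$(awk -F: -v g="$3" '$1 == g { print $3; exit }' "$1")
    [ -n "$gid" ] || return 1                      # no such group
    {
        awk -F: -v g="$3" '$1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }' "$1"
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$2"
    } | sort -u
}

# sudoers_grants_group SUDOERS_FILE GROUP
# Succeeds when an uncommented "%GROUP ..." rule is present.
# Files under sudoers.d are not read.
sudoers_grants_group() {
    awk -v g="%$2" '$1 == g { ok = 1 } END { exit !ok }' "$1"
}

# unexpected_admins GROUP_FILE PASSWD_FILE GROUP "ALLOWED NAMES"
# Prints members of GROUP that are not in the space-separated allowlist.
unexpected_admins() {
    group_members "$1" "$2" "$3" | while read -r m; do
        case " $4 " in *" $m "*) ;; *) echo "$m" ;; esac
    done
}

# Constructed demo: bob was added by hand, svc has wheel as its primary group,
# and the %wheel rule in the sample sudoers file is still commented out.
d=$(mktemp -d)
printf '%s\n' 'wheel:x:10:alice,bob' 'users:x:100:' > "$d/group"
printf '%s\n' 'alice:x:1000:1000::/home/alice:/bin/bash' \
              'svc:x:1001:10::/home/svc:/bin/bash' > "$d/passwd"
printf '%s\n' '# %wheel ALL=(ALL) ALL' > "$d/sudoers"
echo "not on the allowlist: $(unexpected_admins "$d/group" "$d/passwd" wheel "alice" | tr '\n' ' ')"
sudoers_grants_group "$d/sudoers" wheel || echo "no active %wheel rule in sudoers"
rm -rf "$d"
```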

 

In this article, we went over how to create and delete users, how to grant users root permissions, and how to disable root login access on your server.

My environment is being DDoS’d, what can I do?

When a Denial of Service or Distributed Denial of Service (DoS and DDoS respectively) attack occurs, malicious actors flood the target device with many requests. The goal of such an attack is to overwhelm the target and cause it to lock up and/or stop serving its site or application. Due to the nature of this kind of attack, it can be difficult to mitigate, and hard to determine what traffic is legitimate and what traffic is malicious.

DDoS attacks can happen at any time and their methods may vary.  Some attacks are targeted, launched in response to a perceived offense or company event.  Others are random, simply a bad actor attacking whatever is available to them.  This means every site and application is at risk of a DDoS attack.

I’m currently under attack, what can I do?

Unfortunately, there isn’t much that can be done while an attack is on-going.  You can attempt to build out additional servers to handle the extra load but this method can get expensive fast and isn’t guaranteed to work either.  The attack may simply ramp up in intensity to match any added capacity, and as such, this method is not recommended.

Another common misconception is that the attack can be subverted by changing your IP and DNS records. This is not recommended, as most attackers would simply start hitting the new IP listed on the fresh DNS record. Not only does this put you right back at square one, but now the attackers know of two IPs they can potentially exploit instead of one.

Steps that can be taken

Your best bet to mitigate an attack that is ongoing is the same as preventing attacks in the first place, which is to utilize a DDoS mitigation service.  These services provide a location that your DNS points to that can handle and filter the massive amounts of traffic during a DDoS event.  Malicious and fake traffic from the attackers is blocked by the mitigation service.  This means that only legitimate traffic hits your environment, preventing it from becoming overloaded, and thus responding to normal traffic as expected.

There are several DDoS mitigation services and options out there but we recommend utilizing Cloudflare for your DDoS needs.  Cloudflare has several options including a no-cost option which does contain some DDoS mitigation. 

We recommend at least procuring the free version of Cloudflare for all your environments, as this will future-proof them against most DDoS attacks. Even if you are certain that company and employee actions will not trigger a targeted attack, DDoS mitigation is still a good idea to have in place to deal with random attacks.

Managing Local Users on Windows Server 2019

To view, edit, or add new local user accounts, open the local user management snap-in. This can be accessed quickly using the “Run” command (Windows key + R), Start → Run. Then enter lusrmgr.msc.

It’s best practice to use standard user accounts as opposed to a privileged/administrative account for day-to-day access. Standard local users can use User Account Control (UAC) prompts to enter admin credentials where necessary. This limits your administrative user accounts’ exposure to attack and/or malware.

Creating a new local user:

To create a local user account, open the local user management snap-in:

Start→ Run → lusrmgr.msc.

Select the Users folder from the left-hand navigation pane.

Select More Actions from the right-hand Action pane, then New User…

Once the new user dialog pops up, you can enter the relevant information for that user, i.e. First and Last name, etc.

If you select the option User must change password at next login, whatever password you enter at this point will become a temporary password, as they will be required to enter a new password when they first sign in.

Once you have entered all of the necessary information for your new user, hit Create.

To perform this action in PowerShell (elevated), run the following command:

New-LocalUser -Name "User03" -FullName "Third User" -Description "Description of this account."

*In the above example, the -FullName and -Description parameters are not required.

Granting administrative rights to a user:

To grant administrative rights to a user, open the local user management snap-in:

Start→ Run → lusrmgr.msc.

Select the Users folder from the left-hand navigation pane.

Open the properties panel for the user you would like to modify (right-click → properties)

Select the “Member Of” tab, and then select “Add…“.

From this screen, you can either navigate to an existing group or enter the name of the group directly. Type Administrators, and hit Enter. Then hit Apply to submit your change.

Now, this user has Administrative rights.

To perform this action in PowerShell (elevated), run the following command:

Add-LocalGroupMember -Group "Administrators" -Member "username"

Resetting a user’s password:

To reset a user’s password open the local user management snap-in:

Start→ Run → lusrmgr.msc.

Select the Users folder from the left-hand navigation pane.

Right-click on the user’s name and select Set Password.

Enter the user’s new password and select OK.

To perform this action in PowerShell (elevated), run the following commands:

$Password = Read-Host -AsSecureString
Set-LocalUser -Name "username" -Password $Password

Managing Local Users on Windows Server 2016

To view, edit, or add new local user accounts, open the local user management snap-in. This can be accessed quickly using the “Run” command (Windows key + R), Start → Run. Then enter lusrmgr.msc.

It’s best practice to use standard user accounts as opposed to a privileged/administrative account for day-to-day access. Standard local users can use User Account Control (UAC) prompts to enter admin credentials where necessary. This limits your administrative user accounts’ exposure to attack and/or malware.

Creating a new local user:

To create a local user account, open the local user management snap-in:

Start→ Run → lusrmgr.msc.

Select the Users folder from the left-hand navigation pane.

Select More Actions from the right-hand Action pane, then New User…

Once the new user dialog pops up, you can enter the relevant information for that user, i.e. First and Last name, etc.

If you select the option User must change password at next login, whatever password you enter at this point will become a temporary password, as they will be required to enter a new password when they first sign in.

Once you have entered all of the necessary information for your new user, hit Create.

To perform this action in PowerShell (elevated), run the following command:

New-LocalUser -Name "User03" -FullName "Third User" -Description "Description of this account."

*In the above example, the -FullName and -Description parameters are not required.

Granting administrative rights to a user:

To grant administrative rights to a user, open the local user management snap-in:

Start→ Run → lusrmgr.msc.

Select the Users folder from the left-hand navigation pane.

Open the properties panel for the user you would like to modify (right-click → properties)

Select the “Member Of” tab, and then select “Add…“.

From this screen, you can either navigate to an existing group or enter the name of the group directly. Type Administrators, and hit Enter. Then hit Apply to submit your change.

Now, this user has Administrative rights.

To perform this action in PowerShell (elevated), run the following command:

Add-LocalGroupMember -Group "Administrators" -Member "username"

Resetting a user’s password:

To reset a user’s password open the local user management snap-in:

Start→ Run → lusrmgr.msc.

Select the Users folder from the left-hand navigation pane.

Right-click on the user’s name and select Set Password.

Enter the user’s new password and select OK.

To perform this action in PowerShell (elevated), run the following commands:

$Password = Read-Host -AsSecureString
Set-LocalUser -Name "username" -Password $Password

Set up a Golden Image for Disaster Recovery and Scaling

Golden images allow users to rapidly deploy additional nodes to a service, as well as provide a baseline to build a disaster recovery plan.  Golden images are **not** full backups, nor are they meant to be a one-stop-shop for emergencies.  Rather they are meant to be a supplementary tool in order to recover from issues quicker and scale rapidly as needed.

What is a golden image?

Simply put, a golden image is a copy of a working server intended to provide a baseline of installed applications and services during a build-out or recovery scenario.  It is important to note that up-to-date data regarding those services and applications is not included in a golden image.  These images are meant to simply get the working ‘bones’ of a server in place, to allow other systems to fill in the ‘muscle’ (your data) later.  

What is the advantage of a golden image?

Golden images allow for two key advantages. The first is speed. Creating a server from an image with the necessary applications and services already installed and configured is often much faster than spinning up a fresh server and installing everything from scratch. It also means fewer headaches and mistakes during a scenario where time is critical and techs are stressed, such as during an emergency outage.

Speed also comes into play here with the time to restore services. If a user were to use a ‘regular’ image instead, it may contain much more data and thus take longer to create a server from. Oftentimes, a combined method of a golden image + a backup system restore is quicker than trying to lump the applications and the data together in one massive restore or image.

The second advantage is convenience and accuracy.  Once a golden image is created and tested to ensure it is working as intended, it will work that same way until updated or replaced with a new image.  This means in the event that a server needs to be replaced or restored that a vetted working device will be put in its place and you know exactly what to expect of the replacement device.

Creating a golden image

Creating a golden image is pretty straightforward, as it is essentially the same process as taking a regular server image of any server. However, the differentiator for a golden image is that it is meant to back up only the server’s applications and services and their configurations. Any data included on a golden image will reduce its effectiveness, as the image is meant to be as lightweight as possible to speed up recovery times.

As such the recommended process for creating a golden image is to start from a fresh new server.  Take this server, and configure it with the applications and services you would place on one of your production servers.  Once you have everything installed and configured, you would normally add a copy of the most recent data and then add it into your node rotation.  However, in this case, we want to take an image of the server before data is added.

The newly created image should be a working golden image, but it is recommended to test the image prior to including it in your build out and disaster recovery plans.  A test of the image can be considered valid if you can spin up a server from it, restore data, and the server works as intended for the pool it would be entering. 

If additional steps are needed for any reason, you may wish to perform them and re-image to include them ahead of time. Be careful not to include any test data in the image if tweaks are needed, as this will bloat the image and cut down on the speed advantage a golden image provides.

Repeat the above process to create additional golden images for the various server roles in your environment.  Once done you should have a set of images that allow you to recover faster from emergencies as well as ease the pain of building out additional resources for an environment.

How to set up an SSH key in PuTTY

Creating an SSH key in Windows is simple. Before beginning, be sure that you have downloaded PuTTY and PuTTYgen’s .msi files to your Windows machine.

Run through the installation of each application and start PuTTYgen.

In most cases, the key will have sufficient security by using the pre-selected parameters. However, if you have specific requirements you have the option to select them on this screen.

From here, click Generate to begin the creation of your SSH key. PuTTYgen will ask you to generate some randomness by moving your mouse cursor in the blank area.

Once your key is created, copy the entire public key displayed in the box.

Next, enter a passphrase for your SSH key to prevent anyone who may get your private key from being able to use it without the passphrase. Click the save private key button.

Now, you can use your public and private keys in all sorts of applications like GitHub, OpenSSH, or your Cloud Servers.