AWS WordPress 2: Improve Security

Overview

This post is the second of a 5-post series with the step-by-step procedure I followed recently to set up WordPress on AWS for this version of the website. In this post, some basic security improvements are made to the AWS instance: a second user with its own SSH key pair is added, and SSH access for the default ubuntu user is removed.

Adding an Alternate User for SSH:

If not already logged in, SSH into the EC2 instance as ubuntu (the default user). Create a second user (replace ‘user2’ with your username of choice) and set the account password for user2. Just hit return on all the info requests (i.e., full name, room number, work phone, home phone, other).

sudo adduser user2

Add the new user to the group that grants sudo rights. On current Ubuntu releases this is the sudo group (older releases used a group named admin, which no longer exists by default):

sudo adduser user2 sudo

Optionally, give user2 a sudoers rule of its own. Use visudo rather than opening the file directly in nano: visudo checks the syntax before saving, and a malformed sudoers file locks every account out of sudo.

sudo visudo

visudo opens the default editor (nano on Ubuntu). Use the arrow keys to locate the ‘User privilege specification’ section and add the following line. Then, ctrl-x, y to save, and return to confirm the filename.

user2 ALL=(ALL) NOPASSWD:ALL

NOPASSWD means that anyone holding user2’s SSH private key becomes root with no further prompt. If that is not wanted, leave this line out (the group membership above already grants sudo with a password prompt) or drop the NOPASSWD: tag.

Since SSH access to an EC2 instance uses keys, a key pair needs to be created for ‘user2’. In this procedure both the public and private keys are created on the EC2 instance and then securely copied to my MBP. Note that this is the reverse of the usual practice: normally the pair is generated on the client, the private key never leaves it, and only the public key is copied to the server and appended to authorized_keys. Either route ends with the same files in place; if you generate on the Mac instead, skip the download steps below and copy only the .pub contents up. Switch from the ubuntu account to the new ‘user2’ account and change to its home directory:

su user2
cd ~

Create a .ssh directory and modify its permissions:

mkdir .ssh
chmod 700 .ssh

Change to the .ssh directory and create a key pair. Without options, ssh-keygen produces an RSA key (2048 bits on the OpenSSH releases current when this was written; newer releases default to 3072 bits), and ssh-keygen -t ed25519 is a good modern alternative:

cd .ssh
ssh-keygen

A filename will be requested for the key file; use something like ‘id_user2’. Pressing return at the passphrase prompt creates an unencrypted private key, which means the key file by itself is enough to log in. Setting a passphrase is safer, and ssh-agent avoids retyping it; the rest of this post assumes the empty passphrase.

Enter the following command to view these two files and their file properties:

ls -alst

Two files were created: id_user2 (private key) and id_user2.pub (public key). Because this is a new account with no existing authorized_keys, the public key can simply be copied to create that file:

cp id_user2.pub authorized_keys

Clean up the permissions on these files:

chmod 600 ~/.ssh/*

Now the files need to be copied to the local computer (e.g., my development MBP). scp will connect as ubuntu, which cannot read user2’s home directory, so stage copies in a temporary directory and relax their permissions. Note that chmod 644 leaves user2’s private key readable by every account on the instance until the copies are removed; changing the owner of the copies to ubuntu instead is tighter. Either way, keep the window short and finish the cleanup step below:

sudo mkdir /tmp2
sudo cp ~/.ssh/* /tmp2
sudo chmod 644 /tmp2/*

Allow user2 to log in over SSH by editing the SSH daemon configuration:

sudo nano /etc/ssh/sshd_config

Either change the existing AllowUsers line or add it. Keep ubuntu in the list for now, so that the current login path still works until the new key has been tested:

AllowUsers ubuntu user2

Then, ctrl-x, y to save, and return to save.

Restart the ssh service (on Ubuntu the unit is ssh.service; sshd.service is an alias that resolves to it):

sudo systemctl restart sshd.service

Exit the remote terminal with ‘exit’ twice (once to leave user2, a second time to leave ubuntu and close the SSH connection).

Now the keys need to be downloaded to the local machine (i.e., the client, the MBP). Strictly only id_user2 is needed there; the server’s authorized_keys comes along only because the wildcard below copies everything in /tmp2. But first: other keys may already be stored in the .ssh directory on the local machine. The following commands show whether any previous key files exist:

cd ~/.ssh
ls -alst

If an ‘authorized_keys’ file already exists in the .ssh folder on the local machine, make a copy (‘authorized_keys_old’) before the download; otherwise the scp below overwrites it. (On the MBP this file controls who may log into the Mac, not the EC2 instance, which is why its contents must be preserved.) From within the .ssh directory:

cp authorized_keys authorized_keys_old

Download the three key files from EC2 using the original AMI key pair and the instance’s Elastic IP address (xx.xx.xx.xx):

scp -i ~/.ssh/example_ami_key.pem ubuntu@xx.xx.xx.xx:/tmp2/* ~/.ssh

Append the old keys from ‘authorized_keys_old’ to the ‘authorized_keys’ file that was just downloaded:

cat authorized_keys_old >> authorized_keys

Restrict the permissions on the ‘id_user2’ and ‘id_user2.pub’ files; ssh refuses to use a private key that is readable by group or others:

chmod 400 id_user2
chmod 400 id_user2.pub

Test the new connection from a terminal window on the MBP:

ssh -i ~/.ssh/id_user2 user2@xx.xx.xx.xx

If the connection is successful, remove the staged copies from /tmp2 and the directory itself (user2 has sudo, so this can be done from the session just opened). Until this is done, user2’s private key remains world-readable on the instance:

cd /tmp2
sudo rm authorized_keys
sudo rm id_user2
sudo rm id_user2.pub
cd ..
sudo rm -d /tmp2

Removing Ubuntu login access:

Once user2 works, it is good security practice to remove SSH access for the default ubuntu account (its key is the one issued when the instance was launched) and to confirm that direct root login is disabled. Note that ubuntu is not root: it is an ordinary account with sudo rights.
Log in as ‘user2’ (after this change the ubuntu key no longer works) and edit the sshd_config file:

sudo nano /etc/ssh/sshd_config

Remove ubuntu from the AllowUsers line so that it reads:

AllowUsers user2

Set, or confirm, the following line. Ubuntu’s default is PermitRootLogin prohibit-password, which blocks password logins for root but would still accept a key; no refuses root over SSH entirely:

PermitRootLogin no

Then, ctrl-x, type y, and return to save.
Restart the ssh service, and before closing this user2 session, open a second terminal and confirm that user2 can still log in and that ubuntu is now refused; if something is wrong, this open session is the way to fix it:

sudo systemctl restart sshd.service

That’s it. The Ubuntu instance is established and running, the alternate user is set up with its own key pair and sudo rights, and the default ubuntu account can no longer log in over SSH.
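The two hand edits to sshd_config above (adding user2 to AllowUsers, then removing ubuntu and setting PermitRootLogin) and the authorized_keys setup are easy to get wrong by hand: a typo in sshd_config can lock everyone out, and a stray mode bit makes ssh refuse the key. The following bash script is an added example, not code from the original post. It sets a directive idempotently in an sshd_config file, installs a client-generated public key into an account’s authorized_keys with the right modes (the key-on-the-client direction, rather than the download procedure used above), checks key-file permissions, and validates the configuration with sshd -t before restarting. The sample config fragment and the public-key line are constructed for the demo; the user name user2 and the unit name ssh are carried over from the post, and the /usr/sbin/sshd path is an assumption about a stock Ubuntu install.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): helpers for the sshd_config and
# authorized_keys steps, written so each change is idempotent and checked.
set -eu

# set_sshd_directive FILE KEY VALUE
# Rewrite the first active "KEY ..." line in FILE as "KEY VALUE", drop any later
# duplicates, or append the line if no active one exists. Commented defaults such
# as "#PermitRootLogin prohibit-password" are left untouched (sshd ignores them).
# KEY is matched with the exact case used in Ubuntu's stock file.
set_sshd_directive() {
    local file="$1" key="$2" value="$3" tmp
    tmp="$(mktemp)"
    awk -v k="$key" -v v="$value" '
        $1 == k { if (!done) { print k " " v; done = 1 }; next }
        { print }
        END { if (!done) print k " " v }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"   # write in place so owner and mode of FILE are kept
    rm -f "$tmp"
}

# get_sshd_directive FILE KEY: print the value of the first active KEY line.
get_sshd_directive() {
    awk -v k="$2" '$1 == k { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# install_authorized_key SSHDIR PUBKEY_LINE
# Preferred direction for key setup: generate the pair on the client and send
# only the public line here. Creates SSHDIR (0700) and authorized_keys (0600)
# as needed and appends the key once, so re-running it is harmless.
install_authorized_key() {
    local dir="$1" pub="$2" ak="$1/authorized_keys"
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$ak" && chmod 600 "$ak"
    grep -qxF -- "$pub" "$ak" || printf '%s\n' "$pub" >> "$ak"
}

# key_mode_ok FILE: succeed if FILE is readable by its owner only (0600 or 0400).
# ssh refuses a private key with looser bits, and sshd (StrictModes) ignores a
# group- or world-writable authorized_keys. Works with GNU and BSD/macOS stat.
key_mode_ok() {
    local mode
    mode="$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")"
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# apply_sshd_config FILE: parse-check with sshd -t before restarting, so a typo
# cannot take sshd down. Keep the current session open and test a fresh login
# in a second terminal before logging out. Not run by the demo (needs root).
apply_sshd_config() {
    sudo /usr/sbin/sshd -t -f "$1" && sudo systemctl restart ssh
}

# Constructed sample sshd_config fragment for the demo; not a real server's file.
make_sample_config() {
    local f
    f="$(mktemp)"
    cat > "$f" <<'EOF'
Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication no
AllowUsers ubuntu
EOF
    printf '%s' "$f"
}

# Demo: replay the post's two edits on the sample file and a scratch .ssh dir.
demo() {
    local cfg sshdir
    cfg="$(make_sample_config)"
    set_sshd_directive "$cfg" AllowUsers "ubuntu user2"   # first edit: add user2
    set_sshd_directive "$cfg" PermitRootLogin no
    set_sshd_directive "$cfg" AllowUsers "user2"          # second edit: drop ubuntu
    printf 'AllowUsers -> %s\n' "$(get_sshd_directive "$cfg" AllowUsers)"
    printf 'PermitRootLogin -> %s\n' "$(get_sshd_directive "$cfg" PermitRootLogin)"

    sshdir="$(mktemp -d)/.ssh"
    # Constructed public-key line; not a real key.
    install_authorized_key "$sshdir" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleNotARealKey user2@mbp"
    if key_mode_ok "$sshdir/authorized_keys"; then echo "authorized_keys mode ok"; fi
    rm -rf "$cfg" "$(dirname "$sshdir")"
}
demo
```

On the real instance, run set_sshd_directive against /etc/ssh/sshd_config with sudo, then apply_sshd_config, and only log out once a second terminal has confirmed the new login works.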

2017-08-07 | Amazon Web Services, WordPress
