AWS WordPress 2: Improve Security

Overview

This post is the second of a 6-post series with step-by-step procedures that I followed recently to set up WordPress on AWS for this version of the website. In this post, some basic security improvements are made to the AWS instance.

Note: If your AWS instance is only for experimenting with simple website development, this second part of the series can be skipped without concern. SSH access to the AWS instance as ‘ubuntu’ is still based on encrypted keys, not passwords.

Adding an Alternate User for SSH:

Note: Logged into AWS

If not logged in, then log into AWS SSH as ubuntu (default user) via a command line interface (e.g., terminal on the Mac or PuTTY on Windows) as described in Part 1. Create a second user (replace user2 with your username of choice) and create the account password for user2 that will be used with sudo commands. Just hit return on all the info requests (i.e., full name, room number, work phone, home phone, other).

sudo adduser user2

Add the new user to the admin group:

sudo adduser user2 admin

Grant the new user sudo privileges by editing the ‘sudoers’ file:

sudo nano /etc/sudoers

Use the arrow keys to locate the ‘user privileges’ section of the file and add the following line there. Then press ctrl-x, y to confirm, and return to save.

user2 ALL=(ALL) NOPASSWD:ALL

Since SSH access to an EC2 instance uses keys, keys need to be created for user2. Both the public and private keys will be created on EC2 and securely copied to the local computer that is being used to access this AWS instance via SSH. Switch to the new user2 account from the Ubuntu account and change to the user2 home directory:

su user2
cd ~

Create a .ssh directory and modify its permissions:

mkdir .ssh
chmod 700 .ssh

Change to the .ssh directory and create a default (RSA 2048) key pair:

cd .ssh
ssh-keygen

A filename will be requested for the key file. It should be something like: ‘id_user2’. Press the return key when prompted about the passphrase.

Enter the following command to list these two files and their file properties:

ll

Two files were created: id_user2 (private key) and id_user2.pub (public key). Copy the public key to an ‘authorized_keys’ file; since this is a new user, ‘authorized_keys’ shouldn’t exist yet:

cp id_user2.pub authorized_keys

Clean up the permissions on these files:

chmod 600 ~/.ssh/*

Before the key files can be copied to the local computer that is being used to access the AWS instance via SSH, some preparation is needed on the AWS instance so that the files can be reached from the local computer. Create a temporary directory, copy the key files into it (for downloading), and set their permissions:

sudo mkdir /tmp2
sudo cp ~/.ssh/* /tmp2
sudo chmod 644 /tmp2/*
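The permission rules behind the chmod steps above, as an added example that is not part of the original post: a small POSIX shell audit that reports a .ssh directory or key file with the wrong mode, and lists any private key left readable by every user on the instance (the /tmp2 staging copy is in exactly that state until the cleanup step near the end of this post). The function names are mine, and the directory layout, file names and key contents used in the demo are constructed samples, not real keys.

```shell
# Added example (not from the original post): audit the file modes of an SSH key
# directory and find private keys left readable by other users on the instance,
# which is the state of the /tmp2 staging copy until the cleanup step near the
# end of this post. Assumes a POSIX sh with GNU or BusyBox coreutils (stat -c).

# Octal mode of a path, e.g. 700 or 600 (four digits if setuid/setgid/sticky bits are set).
mode_of() { stat -c '%a' "$1"; }

# A file is treated as a private key if its ".pub" sibling exists or it carries
# the PEM/OpenSSH "PRIVATE KEY" header.
is_private_key() { [ -f "$1.pub" ] || grep -q 'PRIVATE KEY' "$1" 2>/dev/null; }

# audit_ssh_dir DIR
#   DIR must be 700; authorized_keys must not be group/world writable (sshd's
#   StrictModes refuses the login otherwise); private keys must be 600 or 400.
#   Prints one line per violation; exit status is the violation count (0 = clean).
audit_ssh_dir() {
    dir=$1; bad=0
    if [ "$(mode_of "$dir")" != 700 ]; then
        echo "$dir: mode $(mode_of "$dir"), expected 700"; bad=$((bad + 1))
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        m=$(mode_of "$f")
        go=${m#"${m%??}"}                  # last two digits: group and other
        case $f in
            *.pub) ;;                      # public halves may stay readable
            */authorized_keys)
                case $go in
                    *[2367]*) echo "$f: mode $m is group/world writable"; bad=$((bad + 1)) ;;
                esac ;;
            *)
                if is_private_key "$f"; then
                    case $m in
                        600|400) ;;
                        *) echo "$f: private key mode $m, expected 600 or 400"; bad=$((bad + 1)) ;;
                    esac
                fi ;;
        esac
    done
    return $bad
}

# find_exposed_private_keys DIR
#   Lists regular files under DIR that are readable by "other" and contain a
#   private key. Empty output is what you want before leaving /tmp2 in place.
find_exposed_private_keys() {
    find "$1" -type f -perm -004 -exec grep -l 'PRIVATE KEY' {} \; 2>/dev/null
}

# fix_ssh_dir DIR: apply the modes the procedure above ends up with.
fix_ssh_dir() {
    chmod 700 "$1"
    chmod 600 "$1"/*
    for p in "$1"/*.pub; do [ -f "$p" ] && chmod 644 "$p"; done
    return 0
}

# make_sample_ssh_dir: throwaway directory mimicking the /tmp2 staging copy
# (directory 755, every file 644). The key material is constructed, not real.
make_sample_ssh_dir() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' \
        'constructed-sample-not-a-real-key' '-----END OPENSSH PRIVATE KEY-----' > "$d/id_user2"
    printf 'ssh-rsa AAAAB3NzaC1-constructed-sample user2@aws\n' > "$d/id_user2.pub"
    cp "$d/id_user2.pub" "$d/authorized_keys"
    chmod 755 "$d"; chmod 644 "$d"/*
    printf '%s\n' "$d"
}

# Demo: audit the staged copy (two violations, one exposed key), fix it, audit again.
sample=$(make_sample_ssh_dir)
audit_ssh_dir "$sample" || echo "$? problem(s) found in $sample"
find_exposed_private_keys "$sample"
fix_ssh_dir "$sample"
audit_ssh_dir "$sample" && echo "$sample is clean"
rm -rf "$sample"
```

Run `audit_ssh_dir ~/.ssh` as user2 after the chmod 600 step, and `find_exposed_private_keys /tmp2` once the download is done to confirm nothing is left behind. sshd's StrictModes rejects a login whose home directory, .ssh directory or authorized_keys file is writable by others, so a failed audit here tends to surface later as a refused connection.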

Set up user2 in the ssh config file:

sudo nano /etc/ssh/sshd_config

Either change the AllowUsers line or add it:

AllowUsers ubuntu user2

Then press ctrl-x, y to confirm, and return to save.

Restart the ssh service:

sudo systemctl restart sshd.service

Exit the AWS remote terminal with the ‘exit’ command (once to leave user2, a second time to leave ubuntu and close the AWS SSH connection).

Note: Logged out of AWS

Note: Logged into Local Computer

Now, the keys need to be downloaded to the local machine to access the AWS instance via SSH as user2. The process is different depending on whether your local computer is a Mac or Windows PC.

Other keys may have been previously stored in the .ssh directory on the local Mac computer. The following command will check if any previous key files exist:

cd ~/.ssh
ls -alst

If an ‘authorized_keys’ file already exists in the .ssh folder on the local machine, it must be saved under another name (‘authorized_keys_old’) before the download; otherwise it will be overwritten. From within the .ssh directory:

cp authorized_keys authorized_keys_old

Download the 3 key files from EC2 using the Elastic IP address for this AWS instance:

scp -i ~/.ssh/example_ami_key.pem ubuntu@xx.xx.xx.xx:/tmp2/* ~/.ssh

Append the old keys from ‘authorized_keys_old’ to the ‘authorized_keys’ file that was just downloaded:

cat authorized_keys_old >> authorized_keys

Change the permissions on the ‘id_user2’ and ‘id_user2.pub’ files:

chmod 400 id_user2
chmod 400 id_user2.pub

Test the new connection to the AWS instance as user2 from the terminal window on the Mac:

ssh -i ~/.ssh/id_user2 user2@xx.xx.xx.xx

Downloading the key files from AWS to a Windows PC is done with PSFTP, one of the programs installed along with PuTTY. Start PSFTP. For PSFTP to access the AWS instance as ‘ubuntu’, the same saved session from PuTTY can be used. Enter the following command, replacing the session name if yours differs from the example:

open "windows aws"

Directories (or folders) on both the AWS instance and the local Windows PC need to be coordinated before the two key files are transferred.
Change the directory on AWS to ‘/tmp2’:

cd /tmp2

Change the local directory on the Windows PC (replacing as appropriate):

lcd c:\Users\<your username>\Downloads

To download the two key files, enter the following commands:

get id_user2
get id_user2.pub

As before, the private key ‘id_user2’ needs to be converted to a ‘*.ppk’ file. Here are the steps:

  • Generate a compatible private key file: The private key file ‘id_user2’ needs to be converted to a ‘*.ppk’ by PuTTYgen. Start PuTTYgen. Set ‘Type of key to generate:’ to RSA and ‘Number of bits in a generated key:’ to 2048. Then click ‘Load’ to load the recently downloaded private key file. Since the file has no suffix, select ‘All Files (*.*)’ so that it is visible. Go to the ‘Downloads’ folder, select ‘id_user2’ and click ‘OK’ on the displayed notice. Click ‘Save private key’ and click ‘Yes’ to confirm saving without a passphrase. Save ‘id_user2.ppk’ in the same folder as the ‘id_user2’ file. Close the PuTTYgen program.

Now, let’s configure PuTTY to access AWS as user2:

  • Configure settings: Start PuTTY. In the left pane, select ‘Connection -> SSH -> Auth’. Click ‘Browse’ and select ‘id_user2.ppk’ as shown in the following screenshot.

  • Then, in the left pane, select ‘Session’. In the right pane, confirm or select ‘SSH’, port 22, and type ‘user2@’ followed by the ‘Elastic IP’ associated with this instance. Type a name for ‘Saved Sessions’ (e.g., windows aws user2) and click ‘Save’ as shown in the following screenshot.

  • Now for the final step. To access the instance via SSH using PuTTY, load the saved session and click ‘Open’ (you may need to confirm ‘yes’ on the first login to this IP address). A successful login to the AWS instance from PuTTY will look similar to the following snapshot. Note that the user is now user2 and not ubuntu.

  • Type ‘exit’ to quit the SSH connection to AWS which will also close PuTTY.

Note: Logged into AWS

If the connection to AWS as user2 is successful, then remove files from /tmp2 and the folder itself:

cd /tmp2
sudo rm authorized_keys
sudo rm id_user2
sudo rm id_user2.pub
cd ..
sudo rm -d /tmp2

Removing Ubuntu login access:

From a security perspective, it is good practice to remove SSH access for the default ‘ubuntu’ user and to make sure root logins are disabled.
Log in as user2 to edit the sshd_config file:

sudo nano /etc/ssh/sshd_config

Remove ubuntu from the line:

AllowUsers user2

Modify, if needed, the following line:

PermitRootLogin no

Then, ctrl-x, type y, and return to save.
Restart the ssh service:

sudo systemctl restart sshd.service
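This audit serves both sshd_config edits in the post: the AllowUsers line added when user2 was created, and the removal of ubuntu plus the PermitRootLogin setting here. It is an added example, not code from the original post, and the function names are mine. It reads the file the way sshd does: keywords are case-insensitive, the first value for a single-valued keyword is the one that counts, list keywords such as AllowUsers accumulate, and anything after a Match line is conditional. The two sample configuration files are constructed, not copied from a real server.

```shell
# Added example (not from the original post): read an sshd_config the way sshd
# does and check the settings the edits above rely on. Rules applied:
#   - keywords are case-insensitive
#   - for a single-valued keyword, the FIRST value in the file wins
#   - list keywords such as AllowUsers accumulate across lines
#   - everything after a "Match" line is conditional and does not apply globally
# Assumes POSIX sh, awk, tr and head. The "Keyword=Value" spelling is not parsed.

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# sshd_values KEYWORD FILE: every global value given for KEYWORD, one per line.
sshd_values() {
    awk -v key="$(lower "$1")" '
        /^[[:space:]]*#/       { next }              # comment line
        NF == 0                { next }              # blank line
        tolower($1) == "match" { inmatch = 1 }       # rest of file is conditional
        inmatch                { next }
        tolower($1) == key {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]*/, "")   # strip the keyword
            sub(/[[:space:]]+$/, "")
            print
        }' "$2"
}

# sshd_effective KEYWORD FILE: the value sshd uses for a single-valued keyword.
# A "PermitRootLogin no" appended at the bottom changes nothing while an older
# "PermitRootLogin yes" is still above it.
sshd_effective() { sshd_values "$1" "$2" | head -n 1; }

# audit_sshd_config FILE: one line per finding; exit status = number of findings.
audit_sshd_config() {
    cfg=$1; bad=0
    root=$(sshd_effective PermitRootLogin "$cfg")
    if [ "$(lower "$root")" != no ]; then
        echo "PermitRootLogin: effective value '${root:-unset}', expected no"
        bad=$((bad + 1))
    fi
    pw=$(sshd_effective PasswordAuthentication "$cfg")
    if [ "$(lower "$pw")" != no ]; then
        echo "PasswordAuthentication: effective value '${pw:-unset, default yes}', expected no"
        bad=$((bad + 1))
    fi
    allow=$(sshd_values AllowUsers "$cfg" | tr '\n' ' ')
    if [ -z "$(printf '%s' "$allow" | tr -d ' ')" ]; then
        echo "AllowUsers: unset, so every account with valid credentials may log in"
        bad=$((bad + 1))
    else
        for u in $allow; do
            if [ "$u" = ubuntu ]; then
                echo "AllowUsers: the default 'ubuntu' account is still permitted"
                bad=$((bad + 1))
            fi
        done
    fi
    return $bad
}

# Constructed sample files, not a real server's configuration. The "before"
# file has the classic trap: the edited "PermitRootLogin no" sits below an
# older "PermitRootLogin yes", and a Match block re-enables passwords for one
# subnet without affecting the global setting.
sample_sshd_config_before() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample: state after the first sshd_config edit
Port 22
PermitRootLogin yes
PasswordAuthentication no
AllowUsers ubuntu user2
permitrootlogin no
Match Address 10.0.0.0/8
    PasswordAuthentication yes
EOF
    printf '%s\n' "$f"
}

sample_sshd_config_after() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample: state after the second sshd_config edit
Port 22
PermitRootLogin no
PasswordAuthentication no
AllowUsers user2
EOF
    printf '%s\n' "$f"
}

# Demo: the first file yields two findings, the second none.
for f in "$(sample_sshd_config_before)" "$(sample_sshd_config_after)"; do
    echo "== $f"
    audit_sshd_config "$f" || echo "$? finding(s)"
    rm -f "$f"
done
```

Run `audit_sshd_config /etc/ssh/sshd_config` before the restart, then `sudo sshd -t` for OpenSSH's own syntax check, and keep the existing SSH session open until a fresh login as user2 succeeds: a typo in AllowUsers locks everyone out the moment sshd restarts.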

That’s it. The Ubuntu Linux instance is up and running, the alternate user is established, and its keys have been created.

2018-03-29T17:45:53+00:00 | Amazon Web Services, WordPress
