Updated: November 2020

Overview

This post is the second part of a 6-post series with step-by-step procedures that I use to setup a simple WordPress website on AWS. In this post, some basic security improvements are made to the AWS instance.

Note: The original version for this series was written in 2016 with EC2 servers running Ubuntu 16.04. This series has been completely updated in late 2020. An example website, Seattle Hobbies, will be used throughout this series. The development of the Seattle Hobbies website assumes a simple low-maintenance website with low visitor count with no auto-scaling or redundancy. As such, implementation and configuration are easy. I will most likely seek the support of web-dev experts if I want to establish a sophisticated website that handles commerce or significant traffic with lots of site visitors.

Adding an Alternate User for SSH:

Note: Logged into AWS

If not logged in, then log into AWS SSH as ubuntu (default user) via a command line interface (e.g., terminal on the Mac or PuTTY on Windows) as described in Part 1.

Create a second user (replace user2 with your username of choice) and create the account password for user2 that will be used with sudo commands. Just hit return on all the info requests (i.e., full name, room number, work phone, home phone, other).

sudo adduser user2

Add the new user to the admin group:

sudo adduser user2 admin

Add the new users to the sudo group by editing the ‘sudoers’ file:

sudo nano /etc/sudoers

Use the arrow keys to locate the right place in the file and add the following line in the ‘User privilege specification’ section. Then, ctrl-x, y to save, and return to save.

user2 ALL=(ALL) NOPASSWD:ALL

Since SSH access to an EC2 instance uses keys, keys need to be created for user2. Both the public and private keys will be created on EC2 and securely copied to the local computer that is being used to access this AWS instance via SSH. Switch to the new user2 account from the Ubuntu account and change to the user2 home directory:

su user2
cd ~

Create a .ssh directory and modify its permissions:

mkdir .ssh
chmod 700 .ssh

Change to the .ssh directory and create a default (RSA 2048) key pair:

cd .ssh
ssh-keygen

A filename will be requested for the key file. It should be something like: ‘id_user2’. Press the return key when prompted about the passphrase.

Enter the following command to list these two files and their file properties:

ll

Two files were created id_user2 (private key) and id_user2.pub (public key). Copy the public key to an ‘authorized_keys’ file since this is a new user and ‘authorized_keys’ shouldn’t exist yet:

cp id_user2.pub authorized_keys

Clean up the permissions on these files:

chmod 600 ~/.ssh/*

Before the files can be copied to the local computer that is being used to access the AWS instance via SSH, we need to do some prep work on the AWS instance to allow access to these files from our local computer. Create a temporary directory, copy the key files (for downloading), and modify permissions:

sudo mkdir /tmp2
sudo cp ~/.ssh/* /tmp2
sudo chmod 644 /tmp2/*

Setup user2 in the ssh config file:

sudo nano /etc/ssh/sshd_config

Either change the AllowUsers line or add it:

AllowUsers ubuntu user2

Then, ctrl-x, y to save, and return to save.

Restart the ssh service:

sudo systemctl restart sshd.service

Exit out of AWS remote terminal using ‘exit’ commands (once to exit from user2, second time to exit from Ubuntu and close the AWS SSH connection).

Note: Logged out of AWS

Note: Logged into Local Computer

Now, the keys need to be downloaded to the local machine to access the AWS instance via SSH as user2. The process is different depending on whether your local computer is a Mac or Windows PC.

Other keys may have been previously stored in the .ssh directory on the local Mac computer. The following command will check if any previous key files exist:

cd ~/.ssh
ls –alst

If the ‘authorized_keys’ file already exists in the .ssh folder on the local machine, it must be renamed (‘authorized-keys-old’) prior to the download. Otherwise, it will be overwritten. From within the .ssh directory:

cp authorized_keys authorized_keys_old

Download the 3 key files from the \tmp2 folder on EC2 using the Elastic IP address (e.g., 44.242.122.237) for this AWS instance. Note: The following scp command assumes the default macOS zsh.

scp -i ~/.ssh/seattlehobbies.pem ubuntu@44.242.122.237:/tmp2/\* ~/.ssh

Add the old keys from ‘authorized_keys_old’ into the ‘authorized-keys’ file that was just downloaded:

cat authorized_keys_old >> authorized_keys

Change the permissions on the ‘id_user2’ and ‘id_user2.pub’ files:

chmod 400 id_user2
chmod 400 id_user2.pub

Test the new connection to the AWS instance as user2 from the terminal window on the MBP (e.g., seattlehobbies.com):

ssh –i ~/.ssh/id_user2 user2@seattlehobbies.com
Downloading the key files from AWS to a Windows PC is accomplished with PSFTP which is one of the software programs that was created during the installation process with PuTTY. Start PSFTP. For PSFTP to access the AWS instance as ‘ubuntu’, we can use the same saved session from PuTTY. Enter the following command replacing the name of your saved session if it is different from the example:

open "seattlehobbies"

We need to coordinate directories (or folders) on both AWS instance and the local Windows PC before the transfer of the two key files.
Change the directory on AWS to ‘/tmp2’:

cd /tmp2

Change the local directory on the Windows PC (replacing as appropriate):

lcd c:\Users\<your username>\Downloads

To download the two key files, enter the following commands:

get id_user2
get id_user2.pub

As before, the private key ‘id_user2’ needs to be converted to a ‘*.ppk‘. Here are the steps:

  • Generate a compatible private key file: The private key file ‘id_user2‘ needs to be converted to a ‘*.ppk‘ by PuTTYgen. Start PuTTYgen. Set the ‘Type of key to generate:‘ to RSA and the ‘Number of bits in a generated key:‘ to 2048. Then, click on ‘Load‘ to load the recently downloaded private key file. Since the file type we are looking for has no file suffix, select ‘All Files (*.*)‘ so that it will be visible. Then, go to the ‘Downloads’ folder and select ‘id_user2‘ and click ‘OK‘ on the displayed notice. Click ‘Save private key‘ and click ‘Yes‘ to confirm saving without a passphrase key. Then, save the ‘id_user2.ppk‘ in the same folder as the ‘id_user2‘ file. Close ‘PuTTYgen‘ software program.

Now, let’s configure PuTTY to access AWS as user2:

  • Configure settings: Start PuTTY. In the left pane, select ‘Connection -> SSH -> Auth‘. Click on ‘Browse‘ and select the ‘id_user2.ppk‘ as shown in the following screenshot.

  • Then, in the left pane, select ‘Session‘. In the right pane, confirm or select ‘SSH‘, port is 22, and type in the ‘user2@‘ followed by the ‘Elastic IP‘ associated with this instance. At this point, type in a name for ‘Saved Sessions‘ (e.g., windows aws user2) and click ‘Save‘ as shown in the following screenshot.

  • Now for the final step. To access the instance via SSH using PuTTY, load a saved session and click on ‘Open‘ (may need to confirm ‘yes’ on initial login using this IP address). A successful login screen to the AWS instance from PuTTY will look similar to the following snapshot. Note that the user is now user2 and not ubuntu

  • Type ‘exit’ to quit the SSH connection to AWS which will also close PuTTY.

Note: Logged into AWS

If the connection to AWS as user2 is successful, then remove files from /tmp2 and the folder itself:

cd /tmp2
sudo rm authorized-keys
sudo rm id_user2
sudo rm id_user2.pub
cd ..
sudo rm –d /tmp2

Removing Ubuntu login access:

It is a good practice from a security perspective, to remove SSH access for Ubuntu default user (root) logins.
Log in as user2 to edit the sshd_config file:

sudo nano /etc/ssh/sshd_config

Remove ubuntu from the line:

AllowUsers user2

Modify, if needed, the following line:

PermitRootLogin no

Then, ctrl-x, type y, and return to save.
Restart the ssh service:

sudo systemctl restart sshd.service

Updates to Ubuntu:

With a new instance, it is time to apply any updates to Ubuntu 20.04 that may be needed. Follow the steps in A Collection of AWS EC2 Ubuntu Tips, Section: Updates to Ubuntu.

That’s it. Linux Ubuntu instance is established and running, alternate user is established, keys have been created, and Ubuntu updates have been applied.