In this post, I will show you how to create, configure and secure a Virtual Private Server (VPS) on Amazon Web Services (AWS) Lightsail.
Creating a VPS instance
First up, go to the Amazon website for Lightsail and sign up for an account if you don’t already have one.
On your Home page, click on “create instance”. For this post, I’ve selected OS only and Ubuntu 18.
Once you’ve created a VPS instance, click on the 3 dots icon and select Manage. In the Networking tab, click on “create static IP”. This way you’ll be able to stop/start the instance without losing the IP that was assigned to it.
Downloading the SSH key
The next step is to download our SSH key so we can use SSH to remote into our server. So, go to your account’s page (toolbar on top) and, on the SSH Keys tab, download the key.
Put the key in your home directory under the .ssh subdirectory (by convention).
Example:
c:/users/denis/.ssh/myKey.pem
To connect with an ssh client (I use GIT bash), enter the following line:
ssh [user]@[IP address] -p [port] -i [full path to ssh key]
Example:
ssh ubuntu@3.89.214.99 -p 22 -i c:/users/denis/.ssh/myKey.pem
Getting the server up-to-date
Refresh the package lists so apt knows which updates are available:
sudo apt-get update
Then actually perform the upgrade:
sudo apt-get upgrade
NOTE: When asked about the sshd config change, I normally select “install the package maintainer’s version”.
Remove packages that are no longer required:
sudo apt-get autoremove
Install finger (optional):
sudo apt-get install finger
Adding a new user
In this example, we will create a user named technomuch:
sudo adduser technomuch
Set the new password and general information for the new user.
Now, let’s give our new user sudo capabilities by copying the default sudoers drop-in file:
sudo cp /etc/sudoers.d/90-cloud-init-users /etc/sudoers.d/technomuch
After that, edit the copy and change “ubuntu” to “technomuch” (I use the nano text editor):
sudo nano /etc/sudoers.d/technomuch
Create an SSH key to use for our new user
On the client side (local), create a new SSH key from ssh-keygen.
NOTE: on Windows, I used the GIT Bash to create the SSH key pair.
ssh-keygen
Then enter a file name for the key you are creating. After that, you’ll be asked to set a passphrase to protect the key.
Two files will be created: one without an extension and one with a “.pub” extension. The “.pub” file is the public key that we will eventually copy to our server; the other is our private key, which you should never share with anyone.
SSH set up
We will now create the .ssh directory and the SSH authorized_keys file in it, set their permissions and, finally, change their ownership to the new user.
sudo mkdir /home/technomuch/.ssh
Now that we have the directory, create the authorized_keys file in it and copy/paste the content of the xxxx.pub file that we’ve just created with ssh-keygen:
sudo nano /home/technomuch/.ssh/authorized_keys
Use the console to reboot
PS: Public key file format
The content of the xxx.pub file should be on one line and look like this:
ssh-rsa AAAAB3<...very long string...>Tx5I55KMQ== rsa-key-20200820
But, if you have generated the key using another tool like PuTTYgen, you may get a key looking like this:
---- BEGIN SSH2 PUBLIC KEY ----
If so, you can always reformat it as ssh-rsa <SSH public key> <comment>, all on one line.
Or, better yet, reopen the private key with PuTTYgen by clicking “Load” and selecting the file. You should then see the public key in the text field titled “Public key for pasting into OpenSSH authorized_keys file” (quite descriptive…).
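As an added example (not from the original post), a POSIX shell helper that performs the authorized_keys steps above with the modes sshd requires (.ssh 700, authorized_keys 600) and refuses a public key that is not in the one-line OpenSSH format described in the PS, such as PuTTYgen’s multi-line block. The function names and the sample keys are my own; the base64 in the samples is constructed, not a real key.

```shell
#!/bin/sh
# Added example, not from the original post. Installs a public key for a new
# user the way the manual nano steps do, but with the modes sshd insists on
# (.ssh 700, authorized_keys 600) and a format check that rejects the
# multi-line "---- BEGIN SSH2 PUBLIC KEY ----" output PuTTYgen produces.

# Return 0 if $1 is a single OpenSSH line "<type> <base64> [comment]".
valid_openssh_pubkey() {
    [ "$(printf '%s\n' "$1" | grep -c '')" = 1 ] &&
    printf '%s\n' "$1" |
        grep -Eq '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'
}

# Create HOME/.ssh and append KEY to authorized_keys with the required modes.
# Ownership is handed to USER only when running as root (i.e. under sudo), so
# the function can also be exercised in an unprivileged scratch directory.
# Usage: install_authorized_key technomuch /home/technomuch "$key"
install_authorized_key() {
    user=$1; home=$2; key=$3
    if ! valid_openssh_pubkey "$key"; then
        echo "refusing key: not a one-line OpenSSH public key" >&2
        return 1
    fi
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    # umask 077 means a freshly created file is already 600; append so keys
    # that are already installed are kept
    (umask 077; printf '%s\n' "$key" >> "$home/.ssh/authorized_keys")
    chmod 600 "$home/.ssh/authorized_keys"
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$user:$user" "$home/.ssh"
    fi
}

# Constructed sample keys for trying the functions; the base64 is not a real key.
SAMPLE_OPENSSH_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedNotARealKeyTx5I55KMQ== rsa-key-20200820'
SAMPLE_RFC4716_KEY='---- BEGIN SSH2 PUBLIC KEY ----
Comment: "rsa-key-20200820"
AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedNotARealKeyTx5I55KMQ==
---- END SSH2 PUBLIC KEY ----'
```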
Alternative
You could have created the authorized_keys file and the .ssh folder directly from technomuch’s account.
In order to do so, you would have needed to enable password authentication while you are doing the work.
To enable password authentication, you would have needed to edit the file:
sudo nano /etc/ssh/sshd_config
And change the line “PasswordAuthentication no” to “PasswordAuthentication yes”.
Just don’t forget to turn it back to no when you’re done.
Login using SSH key
Now, you should be able to use the private key to log in:
ssh technomuch@3.89.214.99 -p 22 -i c:/users/denis/.ssh/generatedKey
Change the SSH port from 22 to 2200
ATTENTION: After this step, you’ll no longer be able to use the online SSH option offered by Amazon. Trying to log in via the “Connect using SSH” button will just hang, as it will still try to use port 22 for SSH, which our server no longer uses.
Make sure you update the Lightsail firewall by creating a custom rule for TCP port 2200 (Networking tab of the instance).
While you are at it, add a custom rule for UDP port 123 (NTP).
We will now configure SSH to use the port 2200 by editing the SSH config file:
sudo nano /etc/ssh/sshd_config
And uncomment the Port 22 line and change it to Port 2200.
Use the console to reboot
Now, you can ssh in on port 2200:
ssh technomuch@3.89.214.99 -p 2200 -i c:/users/denis/.ssh/generatedKey
Make sure to secure the server by enabling a firewall
Deny all incoming traffic, then open some ports:
sudo ufw default deny incoming
Firewall status (ufw is already installed by default but inactive…):
sudo ufw status
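As an added example (not from the original post), a POSIX shell helper for the two sshd_config edits made with nano above (Port 2200, and PasswordAuthentication back to no) together with the ufw rule set that matches the ports this post opens. The function names, the awk logic and the sample sshd_config excerpt are my own; the excerpt is constructed, not copied from any server.

```shell
#!/bin/sh
# Added example, not from the original post: the sshd_config edits done with
# nano above (Port 2200, PasswordAuthentication back to no) as an idempotent
# helper, a reader that mirrors sshd's "first value wins" rule, and the ufw
# rule set that leaves only the moved SSH port and NTP open.

# set_sshd_option FILE KEYWORD VALUE: uncomments a "#Port 22"-style default,
# replaces any existing setting, drops duplicates and appends if absent, so
# FILE ends up with exactly one effective line for KEYWORD.
set_sshd_option() {
    awk -v key="$2" -v value="$3" '
        $0 ~ ("^[# \t]*" key "[ \t]") {
            if (!done) { print key " " value; done = 1 }
            next
        }
        { print }
        END { if (!done) print key " " value }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# get_sshd_option FILE KEYWORD: first uncommented value, as sshd reads it.
# On the server prefer `sudo sshd -T | grep -i keyword`, which also resolves
# Include files, and run `sudo sshd -t` before rebooting or restarting sshd.
get_sshd_option() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# ufw commands matching the post: default deny, then only 2200/tcp and 123/udp
# (inbound 123/udp mirrors the Lightsail rule; an NTP client only needs outbound).
# Printed for review rather than executed: enabling ufw before 2200/tcp is in
# the list would cut off the SSH session, so check the output first.
ufw_rules() {
    cat <<'EOF'
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 2200/tcp
sudo ufw allow 123/udp
sudo ufw --force enable
sudo ufw status verbose
EOF
}

# Constructed excerpt of a stock Ubuntu sshd_config, not copied from any server.
SAMPLE_SSHD_CONFIG='#Port 22
#AddressFamily any
PasswordAuthentication yes
X11Forwarding yes'
```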
Summary
So, in retrospect, we’ve created a server instance and updated all packages to the latest version.
We’ve created a new user and gave it sudo capabilities.
We’ve created a new SSH key and set up our new user with the public key.
After changing the SSH port from 22 to 2200, we’ve enabled a firewall.
That’s it, you should now be running a secure AWS VPS! Congratulations!