Best Practices for Linux and Minecraft Hosting
While this article is constantly checked to ensure all commands are non-malicious, it can be edited by all members, and some members may have malicious intent. To ensure you always maintain access to your server, never disconnect from the session in which you made changes until you have confirmed that you can log in to a new session. This prevents you from locking yourself out, whether through a malicious change or an accident on your part. If you find yourself unable to connect when attempting to log in to a new session, use the established session to revert all completed changes.
So, you just got your new Linux server and only know the basics of it, great! It's always nice to see people learning Linux.
Protip: Get into good habits early; it prevents having to correct bad habits later, e.g. using root to log in.
Update your system!:
Sometimes when you get a server (dedicated or VPS) the software running on it could be outdated. Updating is easy and will make sure you have the latest features and security fixes.
For Ubuntu/Debian based distribution:
Code (Text):apt-get update
apt-get -y dist-upgrade
For RHEL/CentOS based distribution:
Code (Text):yum update
Add your own user:
The second thing you must always do is add your own user account. Using purely root is the biggest mistake all new admins make. root is the single most powerful account on your system and if someone compromises it, you might as well wave goodbye to it all.
Code (Text):adduser <name>
For example:
Code (Text):adduser cbryars
Then set a password for the new user:
Code (Text):passwd <name>
For example:
Code (Text):passwd cbryars
Now you're probably thinking "So if I can't log in as root, how am I to do actions like update or add new packages?" The answer is sudo. Sudo allows you to change to another user, run applications as other users and so on.
So, first we need to install sudo, if it's not already installed.
For Ubuntu/Debian based distribution:
Code (Text):apt-get install sudo
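For RHEL/CentOS based distribution:
Code (Text):yum install sudo
Then add your user to the group that is allowed to use sudo (admin here; on current Debian/Ubuntu releases that group is named sudo, and on RHEL/CentOS it is wheel):
Code (Text):usermod -a -G admin <name>
For example:
Code (Text):usermod -a -G admin cbryars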
Quick tutorial to sudo!
When you're logged in as your user you'll want to change users a lot (trust me, it's a godsend). For that you'll want to use sudo -su, for example:
Code (Text):sudo -su minecraft
Everything you run while under sudo -su will be run AS THAT USER, so if you, say, run java, the process will be under the user minecraft!
So say you want to get to root, this is even easier:
Code (Text):sudo -s
If you wish to leave a sudo -su/sudo -s'd shell and get back to your normal user account, just run the command:
You are a bad source of entropy. Passwords are not particularly secure, even if you utilize fail2ban or similar software. For better security, you'll want to use SSH keys.
As you probably already have git installed, I'll spare you some time.
If on Windows, open your command prompt and run
In most cases, the command will tell you where the private and public keys are stored. Use the concatenate command (cat) to output your public key file. It should look a bit like this:
Code (Text):ssh-rsa AAA.......
Let's create the authorized_keys file and add our public key:
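Code (Text):mkdir -p ~/.ssh && chmod 700 ~/.ssh
# Append the public key (paste your own key in place of AAA...)
echo "ssh-rsa AAA..." >> ~/.ssh/authorized_keys
chmod 644 ~/.ssh/authorized_keys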
Now it's time to disable password authentication.
The simplest way is to run these commands:
Code (Text):sed -i 's|[#]*PasswordAuthentication yes|PasswordAuthentication no|g' /etc/ssh/sshd_config
sed -i 's|UsePAM yes|UsePAM no|g' /etc/ssh/sshd_config
Code (Text):vi /etc/ssh/sshd_config
Modify your SSHd config:
Now you're probably thinking "Why would I need to do this? It works, right?" and you'd be right; however, changing a few basic things is always a nice touch that boosts your security.
First of all, disable root.
You have no idea how many times I have to tell people: disable the root account. You have sudo, so why would you need to log in as root?
First of all, open up your sshd config:
Code (Text):nano /etc/ssh/sshd_config
Look for:
Code (Text):PermitRootLogin
If it reads:
Code (Text):PermitRootLogin yes
change it to:
Code (Text):PermitRootLogin no
Next step in the same file is to change the port.
This is purely optional, but it does prevent a lot of annoying bruteforce logs in your /var/log/auth.log.
Look for:
Code (Text):Port 22
Change it to some memorable number; for example's sake, 2421. All you change it to is:
Code (Text):Port 2421
IF YOU DO CHANGE THE PORT, REMEMBER IT. YOU'LL NEED IT TO LOG INTO SSH AGAIN.
Then once you've done all that just simply do:
For Ubuntu/Debian based distribution:
Code (Text):service ssh restart
For RHEL/CentOS based distribution:
Code (Text):service sshd restart
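Before restarting, it helps to confirm that the edits above actually changed the effective settings. The script below is an added example, not part of the original article: it reads a config the way sshd does for these keywords (first value wins) and checks the three values this guide sets. The function names, sample config and temporary files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes a single config file
# (no Include) and only audits global settings before the first Match block.

# sshd_effective FILE KEYWORD DEFAULT
# sshd uses the FIRST value it reads for a keyword (keywords are
# case-insensitive), so a later duplicate line changes nothing.
sshd_effective() {
    awk -v key="$2" -v def="$3" '
        $1 ~ /^#/ || NF < 2         { next }  # comment or blank line
        tolower($1) == "match"      { exit }  # conditional section begins
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print def }         # unset: OpenSSH default applies
    ' "$1"
}

# audit_sshd_config FILE: print one line per check, return 1 on any failure.
audit_sshd_config() {
    rc=0
    # Each spec is keyword:value-the-guide-sets:OpenSSH-default
    for spec in PasswordAuthentication:no:yes UsePAM:no:no \
                PermitRootLogin:no:prohibit-password; do
        key=${spec%%:*}; rest=${spec#*:}
        want=${rest%%:*}; def=${rest#*:}
        got=$(sshd_effective "$1" "$key" "$def")
        if [ "$got" = "$want" ]; then
            echo "ok    $key $got"
        else
            echo "FAIL  $key is '$got', guide sets '$want'"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: stock-style commented defaults, plus UsePAM written
# with a tab, which the pattern "UsePAM yes" (one space) does not match.
sample=$(mktemp); edited=$(mktemp)
printf '#PermitRootLogin prohibit-password\n#PasswordAuthentication yes\nUsePAM\tyes\n' > "$sample"
# The two sed expressions from this page, written to a copy instead of -i.
sed -e 's|[#]*PasswordAuthentication yes|PasswordAuthentication no|g' \
    -e 's|UsePAM yes|UsePAM no|g' "$sample" > "$edited"
audit_sshd_config "$edited" || echo "fix the FAIL lines before restarting sshd"
rm -f "$sample" "$edited"
```

On the server itself, run `sshd -t` to check the file for syntax errors before restarting, and keep your current session open while you test a new login.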
Help! I just logged out and now I can't log in again as root!
As I went over before, you disabled root! Just log in as the new user you created; once you do that, if you need to get to, say, the root user, just do:
Code (Text):sudo -s