Create a new superuser and block root from ssh access

  1. useradd deploy

    We named our new user deploy; you can name yours whatever you want, just remember to make the appropriate changes. Once we have our new user, let’s create a home directory for it!

  2. mkdir /home/deploy
    chown deploy:deploy /home/deploy -R

    We created a new directory for our user and made her its owner so she can freely work inside her home directory. Finally, let’s create a password for our deploy user:

    passwd deploy

  3. Let’s configure the users who can use sudo:
    sudo visudo

    Comment out all existing grant lines and add the following at the end of the file:

    root ALL=(ALL) ALL
    deploy  ALL=(ALL) ALL
    

    (keep only the lines at the top that start with Default)

  4. Save and exit. Now only root and deploy can use sudo. Another change we should make now is to disallow root login through ssh. To do this, open the /etc/ssh/sshd_config file for editing:
    sudo nano /etc/ssh/sshd_config
    

    and add the following at the end:

    PermitRootLogin no
    
    
  5. Finally restart the ssh service so it loads the changes
    service ssh restart
    

    Wait until the terminal starts blinking again before continuing. Give it a couple of minutes!
    So far so good! Let’s log out of root and ssh in as deploy instead; from now on we’ll work with that user.

    $ exit
    ssh deploy@ip
    

    If you mess any of this up and lock yourself out of the server, don’t panic!
    Simply log in to your droplet from digitalocean.com and use the web console there to configure things back correctly!
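
A check for step 4, as an added example that is not part of the original tutorial: sshd uses the first value it reads for each keyword, and lines after a Match line apply only to that block, so a PermitRootLogin no appended at the end of the file may not take effect. The function names and sample file contents below are made up for illustration, and Include files are not followed.

```shell
#!/bin/sh
# Added example (not from the original page): find the PermitRootLogin value
# sshd will actually use. sshd keeps the FIRST value it reads for a keyword,
# and anything after a "Match" line applies only to that Match block.

# Print "<line> <value>" for the first global PermitRootLogin,
# or "0 unset" if none appears before the first Match block.
effective_root_login() {
    awk '
        { sub(/\r$/, ""); sub(/^[ \t]+/, "") }   # tolerate CRLF and indentation
        /^#/ || /^$/ { next }                    # skip comments and blank lines
        {
            kw = tolower($1)                     # keywords are case-insensitive
            if (kw == "match") exit              # global section ends here
            if (kw == "permitrootlogin") { print NR, $2; found = 1; exit }
        }
        END { if (!found) print 0, "unset" }
    ' "$1"
}

# Succeed only when the effective global value is exactly "no".
root_login_blocked() {
    result=$(effective_root_login "$1")
    [ "${result#* }" = "no" ]
}

# Constructed sample files (hypothetical contents, not taken from a real host).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
# 1) stock line still active, tutorial line appended: the earlier "yes" wins
printf '%s\n' 'Port 22' 'PermitRootLogin yes' 'PermitRootLogin no' > "$tmp/shadowed"
# 2) stock line commented out, tutorial line appended: "no" takes effect
printf '%s\n' '#PermitRootLogin yes' 'PermitRootLogin no' > "$tmp/ok"
# 3) appended after a Match block: the setting is no longer global
printf '%s\n' 'Match User backup' 'X11Forwarding no' 'PermitRootLogin no' > "$tmp/in_match"

for f in shadowed ok in_match; do
    if root_login_blocked "$tmp/$f"; then verdict=blocked; else verdict='NOT blocked'; fi
    echo "$f: $(effective_root_login "$tmp/$f") -> root login $verdict"
done
```

On a live server, run `sudo sshd -T | grep -i permitrootlogin` to see the value sshd has actually resolved, including anything pulled in through Include.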
