Before you do anything you need to update your VM. A new Ubuntu VM will typically come with just the basics of software installed. In order to secure the VM, we will need to install certain software.
Installing software on a Linux cloud-hosted VM is very easy. To do this you typically use one of a number of dependency package management system such as composer (the dependency management system for PHP which is described in the section on using 3rd party components). There are a number of popular dependency package management systems which are popular on Linux such as Yum and apt. We will use apt. Before we can go any further with apt we need to make sure our VM is up to date with all the latest packages on which our VM depends. To do this type
sudo apt update
This will take a few minutes.
In order to secure our VM we will have to generate a public/private key pair. To do this we will use ssh-keygen. This is a command-line tool built-in to Linux which allows for the generation of key pairs. To generate your keys type:
You will be prompted for filenames to use to store the key files. You can just press enter here to choose the default filenames. You will also be prompted to enter a pass-phrase to further protect your key. If you are confident you can maintain your key file stored in a secure location this might not be that important. Click enter to leave the pass-phrase blank here.
ssh-keygen generates keys in the PEM style whereas the ssh-client we will use, putty, uses PPK style keys. To convert this file we will need to install putty-tools - type
sudo apt install putty-tools
Folders starting with a dot are hidden on Linux but you can see them with the right command switches type
This will display all the folders in your current folder. Change directory into the folder containing your newly generated keys
Type ls -al again. This will list the files in the folder. These are your newly generated key files for the root user. Every user on Linux has a home folder. If there is a .ssh folder within the home folder containing a file called authorized_keys then the operating system will attempt to validate the account using this public/private key pair. The authorized_keys file should contain the public key file which is the encrypted pair match of the private key file. The only way someone can gain access to that account is if their ssh login process attempts to use the private key which corresponds to the public key contained in the authorized_keys file. Depending on the OS, and the version of ssh-keygen you are using, the authorized_keys file may or may not have been created. The other two files present are normally id_rsa, the private key and id_rsa.pub the public key. If the authorized key file is not there then go ahead and create it by copying the id_rsa file as follows.
cp id_rsa.pub authorized_keys
The following command will convert your PEM style key into a PPK format which can be used with putty on Windows.
sudo puttygen id_rsa -o newPhalconVM.ppk
I've called this new private key file newPhalconVM.ppk but you can choose something more meaningful to you. I generally name my key files after my server. When you have come to love Linux as much as I do you will need to be able to readily identify your keys in the multitude of keys you possess.
Now that you have a ppk file you can use it to login using putty without using a password. If you are familiar with WinSCP you can download this file. To avoid having to download the file you can view the file in the terminal window and copy and paste the text of the file into a Windows editor such as Notepad++. This file can then be saved to a secure location on your Windows PC and used with putty to login.
To do this - stretch the window of your terminal to a large size and display the entire contents of the screen by typing
Select all the text from the window and right-click on the selected text. This will copy the text to the paste buffer. Open notepad on Windows and paste the file contents in. Save the file locally to a secure location as newPhalconVM.ppk.
Now open putty. Open your saved session which contains the correct IP address of your VM.
Select Connection - SSH - Auth from the Category section as follows:
Click the Browse button to find your locally scored ppk file.
Now the next time you login you will not be required to give a password.
The final important step necessary to secure your VM is to disable password authentication so the only way to login is to use public-private key encryption. This will massively reduce the risk of your server being hacked.
To do this you will need to edit a config file. Linux users generally have their preferred editors and will happily debate the merits of their preferred editors. Personally I prefer vi for the simple reason that it's the one I started using all the way back in 1990. To a typical Windows user vi would seem very mysterious. If this is your first foray into Linux I suggest using nano.
To edit the sshd_config file using nano type
sudo nano /etc/ssh/sshd_config
If you type CTRL-W you will bring up the search command in nano. Search for the word password and you should find the line
change this to
and type CTRL-X to exit. You will be prompted to save the file - select "Y" for yes and save the file. Now type
sudo service ssh restart
to restart the ssh service. This will allow the service to pick up on the changes in the config file.
You can now only login to your VM using public private key encryption methods. Your VM is now secure.