Secure Your Instance

Purchase a pre-installed image of this tutorial and check out our new knowledge base WordPress Now.

Secure Your Instance

While AWS provides its own firewall, there are still things you can do minimize security risks. Here are three things I recommend:

  1. Create an Alternate User Account to the Default root (ubuntu) Login
  2. Turn off SSH Access for Default root (ubuntu) Account
  3. Change the Default Port Used for SSH From 22

1. Create an Alternate User Account

We’ll add a user named “hal”. Replace “hal” with your preferred username in the examples below:

sudo adduser hal

Add your new user to the admin group:

sudo adduser hal admin

Add your new user to the sudoers group. Edit the sudoers file:

sudo nano /etc/sudoers

Add, this line to the sudoers file, in the user privileges section:

hal ALL=(ALL) NOPASSWD:ALL

Now, we’ll create keys for this user so they can login to AWS. Switch to the new user:

su hal

Change to the home directory for this user:

cd /home/hal

Make an SSH directory and set permissions:

mkdir .ssh
chmod 700 .ssh

Generate a new key pair:

cd .ssh
ssh-keygen -b 1024 -f id_hal -t dsa

Add public key to authorized_keys file:

cat ~/.ssh/id_hal*.pub > ~/.ssh/authorized_keys

Set permissions:

chmod 600 ~/.ssh/*

Move the private key to a temp folder for download to your computer:

cp ~/.ssh/* /tmp
chmod 644 /tmp/*

Edit the SSH config file to add the new user:

sudo nano /etc/ssh/sshd_config

Add the new hal account to the AllowUsers field (or create the line if it’s not there):

AllowUsers ubuntu hal

Restart the service

sudo service ssh restart

Download the new key from your computer using your ubuntu account. On your computer, use Terminal:

scp -i ~/.ssh/wordpress.pem ubuntu@ec2-xx-xx-xx-xx.compute-1.amazonaws.com:/tmp/* ~/.ssh

Set permissions and test:

cd ~/.ssh
chmod 400 id_hal
ssh -i .ssh/id_hal hal@ec2-xx-xx-xx-xx.compute-1.amazonaws.com

If you run into any errors, you can try looking at the log on the AWS server while you attempt to login:

tail -f /var/log/auth.log

Remove the key files from the server’s tmp directory:

rm -rf /tmp/*
2. Turn off SSH Access for Default root (ubuntu) Account

Edit the SSH configuration file again:

sudo nano /etc/ssh/sshd_config

Remove the ubuntu account from the AllowUsers field:

AllowUsers hal

Make sure PermitRootLogin is off:

PermitRootLogin no

Restart the service

sudo service ssh restart

If you encounter difficulty, you can also go back to logging in through the AWS console instance list:

Connecting through AWS Console

Connecting through AWS Console

3. Change the default port used for SSH from 22

Edit the SSH configuration file again:

sudo nano /etc/ssh/sshd_config

Change the Port line to a different port number e.g.:

# What ports, IPs and protocols we listen for
Port 33322

Return to the AWS console and edit the security group. Add the port # that you chose e.g. 33322. Remove port 22. Make sure to click the Apply Rules button  (not pictured); it’s below the Add Rule box.

Set inbound rules for security group firewall

Set inbound rules for security group firewall

Restart the service

sudo service ssh restart

Going forward, you’ll need to use -p 33322 (or your chosen port) when you connect via SSH:

ssh -p 33322 -i .ssh/id_hal hal@ec2-xx-xx-xx-xx.compute-1.amazonaws.com

Later, be sure to review Optimizing AWS and follow the steps to secure your MySQL server.

Please feel free to post corrections, questions or comments below. You can also follow me on Twitter @reifman or email me directly.

Continue to install WordPress…

19 Comments

  1. A few of these steps are hard to complete on a Windows system. Such as “Download the new key from your computer using your ubuntu account. On your computer, use Terminal:” that’s where I’m stuck…

    Reply

    1. the ubuntu account is the AWS server. read it as download the new key from AWS to your windows computer. Do a google search on putty SSH for windows – it’s the Windows SSH connection that I use Terminal for on OSX

      Reply

      1. Sarah Collins July 21, 2013 at 8:22 pm

        I got stuck at this step too. Can anyone provide a bit of info on how this would actually happen? I’m sorry, I’m a complete newb and not very comfortable in command line yet. 🙁

        Reply

        1. If you connected to the AWS server using PuTTY in Windows, you will already have pscp installed.

          Change directory to where PuTTY is installed, then run pscp:

          C:Program FilesPuTTY>pscp -i .ppk ubuntu@ec2-xxx-xxx-xxx-xxx.compute-1.amazonaws.com:/tmp/*

          replace with the .ppk file you used to store your private key pair generated by EC2. Also change the ec2-xxx-xxx-xxx etc. to your public DNS for your EC2 instance.

          Reply

    2. I used GIT-Bash or Cygwin whatever linux shell to access your local computer to run the scp command. After that, used putty key gen to generate a new ppk from the private key. Got it work finally.

      Reply

  2. I’m also stuck at this step:
    scp -i ~/.ssh/wordpress.pem ubuntu@ec2-xx-xx-xx-xx.compute-1.amazonaws.com:/tmp/* ~/.ssh

    I get this warning:
    Warning: Identity file /home/wpadmin/.ssh/wordpress.pem not accessible: No such file or directory.

    which makes sense because I’m not sure this file was even created in previous steps.

    Reply

    1. Hi Chad… this scp command is from your desktop computer to your AWS instance. It’s purpose is to copy the newly created key for the new user e.g. hal (that you created on AWS) back to your desktop computer. So, in this example, the WordPress.pem file is the key file I use to access my AWS instance when I first created the instance. You should use whatever key file you are using to first access your instance. Once you get the new key down to your desktop, you can login with the new account and the new key.

      Reply

  3. Don’t forget to change the port in ssh_config, and etc/services too.

    Reply

  4. dextersaintjocke May 8, 2013 at 3:27 am

    This is an awesome tutorial, as a newbie I found it very helpful and what I was hoping to find.

    Reply

    1. Thanks DSJ! Please share it widely on Twitter et al.

      Reply

  5. I am also stuck on the step of copying they key to my Mac. I figured out the syntax, but what I get is “Permission denied (publickey)” error. Which is strange, because I can move between folders and connect to AWS no problem + I added AllowUsers to sshd_config

    Reply

    1. Did you figure this out? Please give specifics about the steps you took and what error message they are generating.

      Reply

      1. I had the same problem, but figured out that I just copied and pasted the “Allowusers” and didn’t change the “hal” to my user. After doing that, all went right. =)

        Reply

  6. Cristi Constantin May 26, 2013 at 2:33 pm

    Great tutorial, thanks!

    Reply

  7. Awesome guide Jeff! I have a noob question. Why replace the ubuntu user with another user? It seems like either account is equally secure since they both require a private key for authentication.

    Reply

    1. Two reasons I can think of are 1. hal is not a root user, and 2. ubuntu is known to hackers but hal is not

      Reply

  8. I’m fairly technical, but this seems like a lot of work (and typing) just to host a simple php script (WordPress). 🙂 What benefit are you getting from this vs. hosting with a “regular” web host such as Small Orange (the host I’m currently looking into getting set up with; moving away from BlueHost). Is the cost of AWS going to allow for only ONE WordPress install under a single domain? I need about 10 – 20 domains pointing to the same number of WP installs (basically 10 – 20 different websites and mySql databases hosted under one account). Can I do that with AWS? At what cost?

    Reply

  9. I followed the instructions to edit the etc/sudoers file by running these commands: sudo nano /etc/sudoers and then adding the ‘hal ALL=(ALL) NOPASSWD:ALL’ however doing this has messed up my ‘sudoers’ files.

    It turns out that you should only do this in the Visudo mode. Now my sudo command doesn’t work at all. How do I fix this on a remote server?

    I’ve only found how to do it locally: http://www.psychocats.net/ubuntu/fixsudo

    Should, I just delete the instance and start over?

    Reply

    1. I know this is late, but have you tried an `scp` from your local machine to transfer the sudoers file from your host? I’m no expert, just a thought…

      Reply

Leave a reply

Your email address will not be published.