一台服务器创建多个ssh

by Flavio H. Freitas

Flavio H.Freitas着

如何创建可用于生产的第一台安全服务器 (How to create your first safe server that’s ready for production)

In this tutorial, I will present some of the best practices to build your own first safe server. I’ll list the steps you’ll need to take to have a fully functional server that you can use in production for your app.

在本教程中，我将介绍一些构建您自己的第一台安全服务器的最佳实践。我将列出拥有可在应用程序的生产环境中使用的功能齐全的服务器所需的步骤。

Having a safe server doesn't just rely on following some steps. It's a constant search for new resources and never-ending improvement. But this article can be a step 0 in building your own infrastructure.

拥有一台安全的服务器并不仅仅依赖于某些步骤。这是对新资源和永无止境的改进的不懈追求。但是本文可能是构建自己的基础结构的第0步。

I will use Amazon EC2 to run these tests, but I’ve also used Amazon LightSail, Digital Ocean, Vultr and some others. In all cases, they were the same to configure, so you can use the provider you prefer.

我将使用Amazon EC2来运行这些测试，但是我也使用了Amazon LightSail，Digital Ocean，Vultr等。在所有情况下，它们的配置都是相同的，因此您可以使用自己喜欢的提供程序。

So let's go:

让我们开始吧：

创建公共和私有SSH密钥 (Creating public and private SSH keys)

Before starting, let's create a pair of keys that some hosts ask for during installation of the server. This step and the next can be omitted if you decide to create a pair of keys while launching a machine instance with Amazon.

在开始之前，让我们创建一些主机在服务器安装过程中要求的密钥。如果决定在使用Amazon启动计算机实例时创建一对密钥，则可以省略此步骤和下一个步骤。

Create an SSH key pair using the ssh-keygen tool.

使用ssh-keygen工具创建SSH密钥对。

$ ssh-keygen -t rsa -b 4096

After this step, you will have the following files: id_rsa and id_rsa.pub (private and public keys). Never share your private key.

完成此步骤后，您将拥有以下文件：id_rsa和id_rsa.pub(私钥和公钥)。切勿共享您的私钥。

A more detailed document on creating the keys can be found here.

在此处可以找到有关创建密钥的更详细的文档。

在Amazon上导入公钥： (Import the public key on Amazon:)

We will import the public key that we just created on the Amazon platform.

我们将导入刚在Amazon平台上创建的公钥。

Access Amazon Management Console

访问Amazon管理控制台
Click on AWS services > Compute > EC2单击AWS服务>计算> EC2
Click on the left menu Network & Security > Key Pairs点击左侧菜单网络和安全>密钥对
Click on "Import Key Pair" and upload your public key (id_rsa.pub)单击“导入密钥对”并上传您的公共密钥(id_rsa.pub)

创建你的机器 (Create your machine)

I will install an Ubuntu version on Amazon EC2. You can find a complete setup at this link. The steps are as follows (but just for simplicity, follow this link for more explanation):

我将在Amazon EC2上安装Ubuntu版本。您可以在此链接中找到完整的设置。步骤如下(但为简单起见，请点击此链接以获取更多说明)：

Access Amazon Management Console

访问Amazon管理控制台
Click on AWS services > Compute > EC2单击AWS服务>计算> EC2
Choose Launch Instance选择启动实例
Choose one of the images. I chose Ubuntu Server 16.04 LTS (HVM), SSD Volume Type (but choose accordingly to your needs)选择其中一张图像。我选择了Ubuntu Server 16.04 LTS(HVM)，SSD卷类型(但根据需要进行选择)
Choose the instance (again, according to your needs). Click Review and Launch选择实例(再次根据您的需要)。点击查看并启动
Open a new tab and import the created public key on Amazon.打开一个新选项卡，然后在Amazon上导入创建的公钥。
Here we are asked to "Select an existing key pair or create a new key pair". I chose "Choose an existing key pair". Choose the one you uploaded in the previous step.在这里，我们被要求“选择一个现有的密钥对或创建一个新的密钥对”。我选择了“选择现有的密钥对”。选择上一步中上传的一个。
Click "Launch Instances".单击“启动实例”。
Click on the link of the instance you just created.单击您刚刚创建的实例的链接。

Attention: Some of the steps bellow could be configured on this initial screen of Amazon. But since I want to create a generic tutorial that can be used for other hosts, I chose the default configurations.

注意：以下某些步骤可以在Amazon的初始屏幕上配置。但是由于我想创建可用于其他主机的通用教程，因此我选择了默认配置。

连接到新服务器 (Connect to the new server)

Access the machine with ssh.

使用ssh访问机器。

Type on your terminal:

在您的终端上输入：

$ ssh <USER>@<IP-ADDRESS> -p 22 -i <PATH-TO-PRIVATE-KEY>

<USER>: The user on the Linux system. For Amazon use ubuntu, for others, root<USER>：Linux系统上的用户。对于亚马逊，请使用ubuntu；对于其他用户，请使用root
<IP-ADDRESS> : The IP address of the machine you created. It is the field "Public DNS (IPv4)" on the tab "Description" of your instance.<IP-ADDRESS>：您创建的机器的IP地址。它是实例的“描述”选项卡上的“公共DNS(IPv4)”字段。
<PATH-TO-PRIVATE-KEY> : The full path to the private key you generated on the item before (e.g. /Users/flavio/.ssh/id_rsa).<PATH-TO-PRIVATE-KEY>：之前在项目上生成的私钥的完整路径(例如/Users/flavio/.ssh/id_rsa)。
-i <PATH-TO-PRIVATE-KEY> : this part can be omitted if you added the key to your SSH agent.-i <PATH-TO-PRIVATE-KEY>：如果将密钥添加到SSH代理，则可以省略此部分。

授予您的新用户访问权限 (Give your new user access)

Create a new user account named “wizard”

创建一个名为“ wizard”的新用户帐户

$ sudo adduser wizard

Give “wizard” the permission to sudo. Open the file

向“向导”授予sudo的权限。开启档案

$ sudo nano /etc/sudoers.d/wizard

And set the content:

并设置内容：

wizard ALL=(ALL) NOPASSWD:ALL

Create the following directories:

创建以下目录：

$ mkdir /home/wizard/.ssh# create authorized_keys file and copy your public key here$ nano /home/wizard/.ssh/authorized_keys$ chown wizard /home/wizard/.ssh$ chown wizard /home/wizard/.ssh/authorized_keys

Copy the content of the public key (PATH-TO-PUBLIC-KEY) and paste on the remote instance on the /home/wizard/.ssh/authorized_keys . Set the permissions:

复制公共密钥(PATH-TO-PUBLIC-KEY)的内容，然后粘贴到/home/wizard/.ssh/authorized_keys上的远程实例上。设置权限：

$ chmod 700 /home/wizard/.ssh$ chmod 600 /home/wizard/.ssh/authorized_keys

保护系统 (Securing the System)

Update all currently installed packages.

更新所有当前安装的软件包。

$ sudo apt-get update$ sudo apt-get upgrade

Change the SSH port from 22 to 2201. Configure the firewall (ufw, Uncomplicated Firewall, and it is really uncomplicated) to allow it. Open the file /etc/ssh/sshd_config

将SSH端口从22更改为2201。配置防火墙(ufw，“不复杂的防火墙”，它实际上并不复杂)以允许它。打开文件/ etc / ssh / sshd_config

$ sudo nano /etc/ssh/sshd_config

and change the following data:

并更改以下数据：

Port 2201PermitRootLogin noPasswordAuthentication no

# add this to avoid problem with multiple sshd processesClientAliveInterval 600ClientAliveCountMax 3

Restart the ssh service:

重新启动ssh服务：

$ sudo service ssh restart

Configure the Uncomplicated Firewall (UFW) to only allow incoming connections for SSH (port 2201), HTTP (port 80), and NTP (port 123).

将简单防火墙(UFW)配置为仅允许SSH(端口2201)，HTTP(端口80)和NTP(端口123)的传入连接。

# close all incoming ports$ sudo ufw default deny incoming# open all outgoing ports$ sudo ufw default allow outgoing# open ssh port$ sudo ufw allow 2201/tcp# open http port$ sudo ufw allow 80/tcp# open ntp port : to sync the clock of your machine$ sudo ufw allow 123/udp# turn on firewall$ sudo ufw enable

配置服务器时钟 (Configure your server clock)

Configure the local timezone to UTC:

将本地时区配置为UTC：

$ sudo dpkg-reconfigure tzdata

Choose the option ‘None of the Above’ and then select UTC.

选择选项“以上皆非”，然后选择UTC。

断开连接并将密钥添加到SSH代理 (Disconnect and Add your key to your SSH agent)

Disconnect from your server and make the following on your machine. To disconnect:

断开与服务器的连接，然后在计算机上进行以下操作。断开连接：

$ exit

在Amazon上添加访问端口权限 (Add Access Port Permission on Amazon)

This step is required on Amazon. We will set the ssh port that we want to use on Amazon also.

在亚马逊上，此步骤是必需的。我们还将设置要在亚马逊上使用的ssh端口。

Access Amazon Management Console

访问Amazon管理控制台
Click on AWS services > Compute > EC2单击AWS服务>计算> EC2
Click on the left menu Network & Security >Security Groups单击左侧菜单，网络和安全>安全组。
Choose the one that is attached to your instance选择与您的实例关联的那个
Click on Action > Edit Inbound Rules单击操作>编辑入站规则
Click on "Add Rule" and set: Type: Custom TCP, Port Range: 2201, Source: 0.0.0.0/0 and Description: SSH单击“添加规则”并设置：类型：自定义TCP，端口范围：2201，源：0.0.0.0/0和描述：SSH

连接新的凭证 (Connect with the new credentials)

Now you can connect on the machine with the user on the new port.

现在，您可以在计算机上与新端口上的用户连接。

$ ssh wizard@<IP-ADDRESS> -p 2201 -i <PATH-TO-PRIVATE-KEY>

You have a server ready to run your application. Soon I will write another tutorial on how to install an environment to run your Meteor application using pm2. I’ll also discuss configuring SSL, a reverse proxy, a load balancer and Nginx. But this article showed how to make a generic safer server that you can run whatever you need.

您已经准备好运行应用程序的服务器。很快我将写另一个教程，介绍如何安装环境以使用pm2运行您的Meteor应用程序。我还将讨论配置SSL，反向代理，负载均衡器和Nginx。但是本文展示了如何使通用安全服务器可以运行所需的任何内容。

If you enjoyed this article, be sure to like it give me a lot of claps — it means the world to the writer ? And follow me if you want to read more articles about Culture, Technology, and Startups.

如果您喜欢这篇文章，请确保喜欢它给了我很多鼓掌-这对作家来说意味着世界？如果您想有关文化，技术和创业的文章，请跟随我。

Flávio H. de Freitas is an Entrepreneur, Engineer, Tech lover, Dreamer and Traveler. Has worked as CTO in Brazil, Silicon Valley and Europe.

FlávioH. de Freitas是一位企业家，工程师，技术爱好者，梦想家和旅行者。曾在巴西， 硅谷和欧洲担任首席技术官 。

Photo by Ben White on Unsplash

Ben White在Unsplash上拍摄的照片

翻译自: https://www.freecodecamp.org/news/how-to-create-your-first-safe-server-ready-for-production-f1cc60eec69a/