Your VPS can have many users who log in over SSH, not just through the VPS panel. By default, your VPS has only one user for accessing the system, and that is the root user. The root user has full control of the server, and that can be very insecure. The best thing you can do to protect your VPS and everything on it is to create multiple non-root users that are only allowed to manage certain parts of your VPS.
An SSH user is just a user account on Linux. The user account can work with any application that uses PAM. Here are a few examples of what a user can do on your VPS, depending on what you have configured:
* Log in and run non-administrative programs on the VPS
* View information about the VPS, and configure non-admin user related settings
* Have access to admin privileges if added to the sudo group
* Send and receive email if a basic email server is configured
* Use a SOCKS5 proxy over SSH
* Access web control panels like Cockpit and/or Webmin
* Access any other application on the server that uses PAM for user management
Adding the User
To create a user, you can either run the adduser command on Ubuntu-based systems for quick and easy user creation, or the useradd command, which will work on most other distributions. Then run the passwd user command, enter their password, and enter it again to confirm. The password does not show up as you type, but it is being entered. The passwd command is also used to change passwords. They can now SSH into your server.
Setting Up Their Home Directory
The following commands will set up a user’s home directory:
mkdir /home/username
This creates the home folder.
usermod -d /home/username username
This sets the home directory for the user (replace username with your chosen username). This is the default home directory scheme for all users on most distributions, so you may see the no change message.
chown -R username:group /home/username/
This command changes the ownership of the directory to a user and group. In this case, set the directory to be owned by the user whose home directory we just set. The group can be the same as the username if you do not need multiple user groups accessing the files.
Group Management
In order to create a group, run
sudo groupadd -g id name
For example, I ran
sudo groupadd -g 2018 elixirnode
Now that the group is created, we can use the usermod command to add users to that group, i.e.
usermod -aG groupname username
so for me it would be
usermod -aG elixirnode sshGuide
-a is for append and -G is to add as a subgroup. If you want this to be the user’s primary group, use the -g switch in the usermod command. You can also substitute the username and groupname with their respective IDs. In order to remove a user from a group, you need to overwrite it with the usermod -G command. Please note this will erase ALL of the subgroups the user is in, so you will have to add the user back to the group(s) manually.
Securing SSH
Some things you can do to protect your server are to disable password logins and use a key-pair based login, at least for the users that have sudo access. Another program you can install is fail2ban, which automatically sets temporary or permanent bans on IPs that get the password wrong more than 3 times per 10 minutes (or whatever you set it to). There are many different guides online on how to do this, but I suggest you follow the guide that is for your SSH client.
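An audit of the two points above (who is in the sudo group, and whether those accounts can still log in with a password), added here as an example and not part of the original guide. The sample data, the deploy and ops accounts and the function names are assumptions, and the sshd_config reading is simplified to a global setting plus a plain Match Group block.

```sh
# Added example; all data is constructed (deploy and ops are hypothetical).
SAMPLE_GROUP='sudo:x:27:sshGuide
elixirnode:x:2018:sshGuide,deploy'
SAMPLE_PASSWD='sshGuide:x:1000:1000::/home/sshGuide:/bin/bash
deploy:x:1001:2018::/home/deploy:/bin/bash
ops:x:1002:27::/home/ops:/bin/bash'
SAMPLE_SSHD='PasswordAuthentication yes
Match Group sudo
    PasswordAuthentication no'

# group_members GROUP GROUP_DATA PASSWD_DATA
# Lists every account in GROUP: supplementary members (usermod -aG) plus
# accounts whose primary GID is GROUP (usermod -g), which /etc/group omits.
group_members() {
    gid=$(printf '%s\n' "$2" | awk -F: -v g="$1" '$1 == g { print $3; exit }')
    [ -n "$gid" ] || return 1
    {
        printf '%s\n' "$2" | awk -F: -v g="$1" '$1 == g { print $4 }' | tr ',' '\n'
        printf '%s\n' "$3" | awk -F: -v gid="$gid" '$4 == gid { print $1 }'
    } | grep . | LC_ALL=C sort -u | paste -sd, -
}

# password_auth GROUP SSHD_DATA
# Simplified sshd_config reading: first global PasswordAuthentication wins
# (default yes); a plain "Match Group GROUP" block overrides it for GROUP.
password_auth() {
    printf '%s\n' "$2" | awk -v g="$1" '
        NF == 0 || $1 ~ /^#/ { next }
        tolower($1) == "match" {
            scope = (NF == 3 && tolower($2) == "group" && $3 == g) ? "hit" : "skip"
            next
        }
        tolower($1) == "passwordauthentication" {
            if (scope == "" && glob == "") glob = tolower($2)
            if (scope == "hit" && grp == "") grp = tolower($2)
        }
        END { print (grp != "" ? grp : (glob != "" ? glob : "yes")) }'
}

# sudo_audit GROUP_DATA PASSWD_DATA SSHD_DATA: FAIL = password login still on.
sudo_audit() {
    policy=$(password_auth sudo "$3")
    [ "$policy" = no ] && verdict=ok || verdict=FAIL
    group_members sudo "$1" "$2" | tr ',' '\n' | while read -r user; do
        echo "$user password-login=$policy $verdict"
    done
}

sudo_audit "$SAMPLE_GROUP" "$SAMPLE_PASSWD" "$SAMPLE_SSHD"
```

On a live host, pass the contents of /etc/group, /etc/passwd and /etc/ssh/sshd_config instead of the samples. Running sshd -T -C user=NAME as root prints the effective settings sshd itself would apply to that user.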
If you have any questions or need any further help, contact us!