Before we can plant and harvest, we must prepare the land. But before even that, we need to secure the farm!

Today's tasks aren't specific to our Witness Node, or even to Steem. Instead we'll perform some basic steps that are always wise to do on a freshly installed server, no matter what the task of the machine will be.

As such, this article may be useful to you even if you're not setting up a Witness Node.

Update system software

Ubuntu makes it easy for us to update all the machine software at once, and this is always a good idea to do first on a fresh install.

The package manager in Ubuntu is called APT. Upgrading all packages is a 2-step operation. First, we tell APT to update its index of latest versions, then we have it do the upgrade.

Go ahead and log into the server as root via SSH, then type these two lines:

apt update
apt upgrade

You may get a "Do you wish to proceed?", to which you can just press Enter.

Add a new user

"root" is a special user. The root account has full admin privileges and is also called the superuser account.

We don't really want to log in as the root user directly, because with such a high level of access, one little mistype can do a lot of damage.

The next thing we'll do is create a new user account which we'll use for administering the server on a daily basis. We'll name this account "steem".

adduser steem

The adduser program will ask a short series of questions about the new user. You can just hit Enter to all of them, apart from the new user's password.

On the subject of password choice, I wrote a whole rant here but have split it into a separate post :-D

Although we're not going to be accessing the system as root anymore, we will still want our new user to be able to access superuser commands when needed. To do that, type or paste the following:

usermod -aG sudo steem

The next thing we'll do is make it so that root can't log in directly over SSH. There are many bots out there scanning for SSH servers and trying to brute-force the root passwod. However, before we do that, we need to make sure we can access the server with the new account.

So, exit the SSH session, and log in again -- but this time log in as the steem user, with the password you picked above.

Disable root's ssh login

Make sure that you're logged in as the steem user, and paste:

sudo sed -i 's/PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config

This uses the sed program (which is nearly 50 years old!) to do a text replace in the server's SSH config file, looking for the "PermitRootLogin yes" and replacing it with "PermitRootLogin no".

You'll be asked to confirm the password for the steem user. Notice the "sudo" at the start of the command. This allows us to call a command which requires root-level access, without having to be logged in as root. In this case, it's needed because the file /etc/ssh/sshd_config requires root access to edit.

For this change to take effect, we should now restart the SSH server with the systemctl utility:

sudo systemctl restart ssh

That command also gets a sudo in front of it, though you won't be asked to confirm your password when using sudo for a 2nd time, unless a certain amount of time has elapsed since you last confirmed it.

Set up the firewall

Now we'll install the UFW firewall to ensure that only ports that we want to be open are available to the internet.

Wait -- "ports"? That sounds like something I should explain!

Ports are a simple abstraction to direct traffic to a particular service running on a machine. You already know about IP addresses; in fact, to fully route an internet packet, it needs to have not just a destination IP address but a destination port too.

The concept of ports is required because a given machine might be serving web pages with (eg) Nginx, while at the same time watching out for email with (eg) Postfix. Each packet needs to be routed to the appropriate service on the machine, and that's accomplished with port numbers.

There are 65535 possible port numbers, and particularly common services are usually placed on a particular port number by convention. For example, webservers are listening on port 80, while SSH listens on port 22. Steem communicates with other Steem nodes on particular ports too, which we'll cover a couple of episodes from now.

The UFW firewall enables us to full have control over which ports are exposed to the internet. If we don't explicitly open a given port for a given service, packets sent to the port can't get through.

Let's set it up! Thanks to APT, it's super easy to install most packages on Ubuntu:

sudo apt install ufw

Tell UFW to allow SSH traffic through the firewall:

sudo ufw allow OpenSSH

Turn it on:

sudo ufw enable

And finally, check the status:

sudo ufw status

That's all you need to do. All ports are currently closed apart from the port SSH is listening on, and the firewall will start automatically after a reboot (you don't need to re-enable it).

Overview

Phew! We've updated the machine, added a user for day-to-day access, disabled root login, and got the firewall set up. A good day's work :-)

Next time, we're going to add Certificate Authentication for improved security and convenience. After that, we'll be ready to install the Steem stack.