This is parts 6 and 7 of a series of posts on server security from Inversoft's 2016 Guide to User Data Security.
You might be wondering what will happen if you SSH to the Application Server and then try to SSH from there to the Database Server. By default, you won't be able to do this because your private key won't be on the Application Server. However, SSH has a feature that allows you to accomplish this without copying your private key all over the place.
The feature you will use is called agent forwarding. An ssh-agent process on your own computer holds your private key; with forwarding enabled, the ssh client on the Application Server can reach that agent over a forwarded socket, so you can log into any server that has your public key in its authorized_keys file without the private key ever leaving the computer you started from.
To set up the agent, add your private key to it with ssh-add (if no agent is running yet, start one first with eval "$(ssh-agent -s)"):
$ ssh-add
This adds your default private key (for example ~/.ssh/id_rsa) to the SSH agent. To add a different key, such as the server_rsa key used below, pass its path as an argument. You can confirm which keys the agent holds with ssh-add -l.
NOTE: On a Mac, a system ssh-agent is already running. On the OS X releases current when this guide was written, ssh prompted for the passphrase and added the key to that agent on first use, so you did not need to run ssh-add. Since macOS Sierra (10.12) keys are no longer added automatically: run ssh-add, or put AddKeysToAgent yes and UseKeychain yes under Host * in ~/.ssh/config to restore that behavior.
Adding the key to your local agent is not enough by itself: you also need to forward the agent to the server you log into. Do this with the -A option:
$ ssh -A -i server_rsa email@example.com
Rather than a shell alias that adds -A to every ssh command, set ForwardAgent yes for specific hosts in ~/.ssh/config. Forward your agent only to hosts you trust: for as long as you are connected, anyone with root on that host can use the forwarded socket to authenticate as you to any other server that accepts your key (they cannot read the key itself, but they do not need to). If you only need to hop through the Application Server to reach the Database Server, the ProxyJump option (ssh -J, OpenSSH 7.3 and later) tunnels the connection through the Application Server without exposing the agent there at all.
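The following is an added example, not code from the Inversoft guide or its scripts. It shows the ~/.ssh/config form of the "ssh -A -i server_rsa ..." command above, next to a ProxyJump stanza that reaches the Database Server through the Application Server without forwarding the agent, and a small audit that lists which Host stanzas forward the agent. The host aliases (app, db), addresses, user name and key path are hypothetical; the config text is constructed inline so the script runs offline, but the two functions work on a real ~/.ssh/config as well.

```shell
#!/bin/sh
# Added example (not code from the Inversoft guide or its scripts): the
# ~/.ssh/config form of "ssh -A -i server_rsa user@host", next to a ProxyJump
# stanza that reaches the Database Server through the Application Server
# without exposing the agent, plus a small audit of which hosts forward the
# agent. Host aliases, addresses, user names and key paths are hypothetical.

# Constructed ~/.ssh/config (in real use: ~/.ssh/config, mode 0600).
SAMPLE_CONFIG=$(cat <<'EOF'
Host *
    # Load a key into the running agent the first time ssh uses it
    AddKeysToAgent yes
    IdentityFile ~/.ssh/server_rsa

# Application Server: the "-A" command from the guide, written as config.
# Only do this for hosts you trust: while you are connected, root on this
# host can use the forwarded socket to authenticate as you elsewhere.
Host app
    HostName 203.0.113.10
    User deploy
    ForwardAgent yes

# Database Server reached through app. ProxyJump (OpenSSH 7.3+) tunnels the
# TCP connection through app; the key exchange with db happens on your own
# machine, so no agent socket is ever created on app.
Host db
    HostName 10.0.0.20
    User deploy
    ProxyJump app
EOF
)

# Print the alias of every Host stanza that sets "ForwardAgent yes".
# Handles the "Keyword value" form; the rarer "Keyword=value" form is not parsed.
# Usage: forwarding_hosts "$config_text"
forwarding_hosts() {
    printf '%s\n' "$1" | awk '
        tolower($1) == "host" { host = $2 }
        tolower($1) == "forwardagent" && tolower($2) == "yes" { print host }
    '
}

# Print the ProxyJump target of one Host stanza (empty if it has none).
# Usage: proxy_jump_for "$config_text" db
proxy_jump_for() {
    printf '%s\n' "$1" | awk -v want="$2" '
        tolower($1) == "host" { host = $2 }
        host == want && tolower($1) == "proxyjump" { print $2; exit }
    '
}

echo "Hosts that forward the agent:"
forwarding_hosts "$SAMPLE_CONFIG"
echo "db is reached via: $(proxy_jump_for "$SAMPLE_CONFIG" db)"
```

With this config, "ssh app" behaves like the -A command above and "ssh db" goes straight to the Database Server through app; running forwarding_hosts against your real config is a quick way to see which hosts you have trusted with your agent.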
Locking the Root Account
Lock the root account so that root has no password that could be guessed: brute-force attempts against root, whether from the network or from a user who has already gained a shell on the server, then cannot succeed no matter how many guesses are made. You might be concerned that locking root makes the server harder to administer. It does not: your own account can still become root with
"sudo su -" (or "sudo -i"), you just cannot log in as root directly with a password. Check that sudo works for your account before you lock root, or you will lock yourself out. To lock the root password, run this command as root (or prefix it with sudo):
$ usermod -p '*' root
This sets root's password field in /etc/shadow to "*", which matches no password hash; "passwd -l root" has the same effect. Note that this only affects password logins. A key-based SSH login as root is controlled separately by PermitRootLogin in /etc/ssh/sshd_config, which should be set to "no" (or left at its default of "prohibit-password" on OpenSSH 7.0 and later) as well.
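The following is an added example, not part of the Inversoft guide or its scripts: a check you can run after locking root to confirm that the password field is really unusable and that sshd does not allow root logins. The /etc/shadow lines and sshd_config excerpts are constructed samples embedded in the script so it runs offline; the two functions also work on the real /etc/shadow entry for root and on /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example (not part of the Inversoft guide or its scripts): verify that
# the root password is locked and that sshd does not allow root logins. The
# shadow lines and sshd_config text below are constructed samples; the
# functions also work on the real /etc/shadow line and /etc/ssh/sshd_config.
#
# What to run on the server, as a user whose "sudo" already works:
#   sudo usermod -p '*' root      # the guide's command; "sudo passwd -l root" is equivalent
#   sudo passwd -S root           # status column shows whether the account is locked
#   set "PermitRootLogin no" in /etc/ssh/sshd_config and reload sshd

# Constructed /etc/shadow entries for root: before locking, after
# "usermod -p '*' root", after "passwd -l root", and with an empty field.
SHADOW_BEFORE='root:$6$saltsalt$0123456789abcdef:16800:0:99999:7:::'
SHADOW_STAR='root:*:16800:0:99999:7:::'
SHADOW_BANG='root:!$6$saltsalt$0123456789abcdef:16800:0:99999:7:::'
SHADOW_EMPTY='root::16800:0:99999:7:::'

# Exit 0 if the password field of a shadow line can never match a password,
# 1 if a usable hash is present, 2 if the field is empty (no password at all,
# which is worse than unlocked).
# Usage: password_locked "$shadow_line"
password_locked() {
    hash=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$hash" in
        '') return 2 ;;
        '*'*|'!'*) return 0 ;;   # "*" from usermod -p '*', "!..." from passwd -l
        *) return 1 ;;
    esac
}

# Constructed sshd_config excerpts. sshd uses the first value it reads for a
# keyword, and everything after a "Match" line is conditional, so the parser
# stops when it reaches one.
SSHD_BEFORE=$(cat <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF
)
SSHD_AFTER=$(cat <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
Match Address 10.0.0.0/8
    PermitRootLogin yes
EOF
)
SSHD_UNSET=$(cat <<'EOF'
Port 22
EOF
)

# Print the effective global PermitRootLogin value, lower-cased. When the
# keyword is absent, print the OpenSSH default since 7.0, "prohibit-password"
# (earlier releases defaulted to "yes").
# Usage: permit_root_login "$sshd_config_text"
permit_root_login() {
    printf '%s\n' "$1" | awk '
        tolower($1) == "match" { exit }
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "prohibit-password" }
    '
}

for line in "$SHADOW_BEFORE" "$SHADOW_STAR" "$SHADOW_BANG" "$SHADOW_EMPTY"; do
    if password_locked "$line"; then
        echo "locked:   $line"
    else
        echo "UNLOCKED: $line"
    fi
done
echo "PermitRootLogin before: $(permit_root_login "$SSHD_BEFORE")"
echo "PermitRootLogin after:  $(permit_root_login "$SSHD_AFTER")"
```

On a real server you would feed the functions "sudo grep '^root:' /etc/shadow" and "cat /etc/ssh/sshd_config"; an empty password field is reported separately because it means root can log in with no password at all, which locking is meant to rule out.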
Find our Github project here: https://github.com/inversoft/2016-security-scripts. This project contains a set of scripts you can execute from your local computer to secure a remote server.