## SSH and Firewall

It is important to secure your connection to the remote machine. To do so, we will configure key-based access over `ssh` and set up a firewall that blocks all incoming connections except to the ssh port (22 by default) and, optionally, the web server ports.

We will assume that we have a non-root account that is in the `sudoers` group (such users are system administrators with full control over the machine). If not, one can follow a minimal number of [steps](https://www.digitalocean.com/community/tutorials/how-to-create-a-new-sudo-enabled-user-on-ubuntu-20-04-quickstart) as the root user to create such a non-root account:
```bash
adduser theja
usermod -aG sudo theja
su - theja        # switch to the new user to check the setup
sudo ls /root/    # if user `theja` can list this directory, they are in the sudoers group
```

### SSH

 - When you first create the server instance, the ssh server may or may not be running. If it is not, install it first. On Ubuntu/Debian, use the following [command](https://ubuntu.com/server/docs/service-openssh):

```bash
sudo apt install openssh-server
```

 - Next, we will create an ssh keypair on our local machine, with which we can access the server securely. From your _local_ user home directory:

```bash
mkdir -p .ssh      # -p: no error if the directory already exists
ssh-keygen         # press Enter to accept the default path
cd .ssh
less id_rsa.pub    # the public key; the file name depends on the key type (e.g. id_ed25519.pub on newer OpenSSH)
```

 - Copy this content into the file `authorized_keys` under `.ssh` in your home directory on the webserver:

```bash
mkdir -p .ssh
chmod 700 .ssh                 # sshd ignores the keys if this directory is group- or world-writable
vim .ssh/authorized_keys       # if vim is not present, you can use other editors or install it using `sudo apt install vim`
# paste the content and quit (Esc, then :wq and Enter)
chmod 600 .ssh/authorized_keys
```
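The key installation above, done as a small script so that it can be repeated safely. This is an added example, not part of the original tutorial: the function names and the sample key are constructed for it. It creates the directory and file with the permissions sshd requires, rejects anything that does not look like an OpenSSH public key line (for instance a private key pasted by mistake), and never appends the same key twice.

```bash
#!/bin/sh
# Added example (not from the original tutorial). Function names and the
# sample key below are constructed for this illustration.

# Return 0 if the line looks like an OpenSSH public key: a key type, a base64
# blob and an optional comment. Anything else (e.g. a private key) is rejected.
is_public_key_line() {
    printf '%s\n' "$1" | grep -Eq '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com) [A-Za-z0-9+/]+=*( [^[:space:]].*)?$'
}

# install_authorized_key HOME_DIR "KEY_LINE"
# Creates HOME_DIR/.ssh (0700) and authorized_keys (0600) if missing and appends
# the key once. With StrictModes (sshd's default) a group- or world-writable
# directory or file makes sshd ignore the keys, so the chmod calls matter.
install_authorized_key() {
    home=$1; key=$2
    is_public_key_line "$key" || { echo "refusing: not a public key line" >&2; return 1; }
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh" || return 1
    touch "$home/.ssh/authorized_keys" && chmod 600 "$home/.ssh/authorized_keys" || return 1
    # -x: whole-line match, -F: fixed string, so an identical existing key is not re-added
    if ! grep -qxF "$key" "$home/.ssh/authorized_keys"; then
        printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
    fi
}

# Number of non-blank lines (keys) installed for HOME_DIR; 0 if the file is absent.
authorized_key_count() {
    [ -f "$1/.ssh/authorized_keys" ] || { echo 0; return 0; }
    grep -c '[^[:space:]]' "$1/.ssh/authorized_keys"
}

# Constructed sample key line; the blob is a placeholder, not real key material.
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYMATERIAL theja@laptop'

# Usage on the server, as the login user:
#   install_authorized_key "$HOME" "$(cat /path/to/id_ed25519.pub)"
```

Running the installer a second time with the same key is a no-op, which is what you want when the step is part of a provisioning script.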

 - Ideally, edit the following fields in the file `/etc/ssh/sshd_config` on the server (e.g., using `vim`):
   - `PermitRootLogin no` (changed from `prohibit-password`)
   - `PasswordAuthentication no` (disables password logins, so only the key can be used)
   - (Optionally) change the `Port` number to something other than 22 (e.g., 59400)

 - Restart the ssh server. On Ubuntu/Debian this is achieved by `sudo systemctl restart ssh`. Keep your current session open and confirm from a second terminal that key-based login works before disconnecting, otherwise a mistake in the config can lock you out.
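The three `sshd_config` edits above, applied from a script and verified before the restart. This is an added example and not the tutorial's own code; the function names are constructed, while the keywords and their defaults (`PermitRootLogin prohibit-password`, `PasswordAuthentication yes`, `Port 22`) are OpenSSH's. The setter replaces the first active or commented-out occurrence of a keyword, removes later duplicates, and appends the line if the keyword is absent, so running it twice yields the same file.

```bash
#!/bin/sh
# Added example (not from the original tutorial). Function names are
# constructed for this illustration.

# set_sshd_option FILE KEYWORD VALUE
# Rewrites the first "Keyword ..." or "#Keyword ..." line as "Keyword VALUE",
# drops later occurrences and appends the line if none exists. Assumes a
# config without Match blocks (inside a Match block the line would be scoped).
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp) || return 1
    awk -v k="$key" -v v="$value" '
        BEGIN { pat = "^[[:space:]]*#?[[:space:]]*" tolower(k) "[[:space:]]"; done = 0 }
        tolower($0) ~ pat {
            if (!done) { print k " " v; done = 1 }
            next
        }
        { print }
        END { if (!done) print k " " v }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat, not mv: keeps owner/mode of the real file
    rc=$?; rm -f "$tmp"; return $rc
}

# sshd_option FILE KEYWORD DEFAULT
# Prints the value sshd would use. sshd takes the FIRST occurrence of a
# keyword, so that is the one reported; DEFAULT is printed if none is active.
sshd_option() {
    v=$(awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1")
    printf '%s\n' "${v:-$3}"
}

# harden_sshd_config FILE [PORT]: the three changes from the list above.
harden_sshd_config() {
    file=$1; port=${2:-22}
    set_sshd_option "$file" PermitRootLogin no &&
    set_sshd_option "$file" PasswordAuthentication no &&
    set_sshd_option "$file" Port "$port"
}

# check_sshd_hardening FILE [PORT]: 0 only when the effective settings are hardened.
check_sshd_hardening() {
    file=$1; port=${2:-22}
    [ "$(sshd_option "$file" PermitRootLogin prohibit-password)" = no ] &&
    [ "$(sshd_option "$file" PasswordAuthentication yes)" = no ] &&
    [ "$(sshd_option "$file" Port 22)" = "$port" ]
}

# On the real server (not exercised by this example's self-check):
#   sudo sh -c '. ./harden.sh; harden_sshd_config /etc/ssh/sshd_config 59400'
#   sudo sshd -t && sudo systemctl restart ssh    # -t: syntax check first
```

Two checks are worth running on the real machine. `sudo sshd -t` validates the file before the restart, so a typo cannot leave you without a working sshd. And because sshd uses the first value it reads, a setting in a file pulled in by an `Include` line near the top of `sshd_config` (Ubuntu ships `Include /etc/ssh/sshd_config.d/*.conf`, and cloud images often add a file there that sets `PasswordAuthentication yes`) wins over the edit in the main file; `sudo sshd -T | grep -i passwordauthentication` shows the value actually in effect.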

### Firewall

 - A basic firewall such as [ufw](https://help.ubuntu.com/community/UFW) adds a layer of security by dropping incoming connections you have not explicitly allowed.
 - Install and enable it using the following commands (Ubuntu/Debian):

```bash
sudo apt install ufw
sudo ufw allow [PortNumber]   # here it is 22, or the other port that you chose for ssh; add this rule before enabling, or you will lock yourself out
sudo ufw enable
sudo ufw status verbose       # this should show what the firewall is doing
```
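A guard for the ordering problem in the block above: if `ufw enable` runs before the ssh port is allowed, the session you are working from is dropped. This is an added example rather than the tutorial's own code; the function names and the sample listing are constructed. It parses the output of `ufw show added` (ufw's command for listing rules added while the firewall is still inactive; `ufw status` prints only `Status: inactive` at that stage) and refuses to enable the firewall unless an allow rule for the ssh port is present.

```bash
#!/bin/sh
# Added example (not from the original tutorial). Function names and the
# sample listing below are constructed for this illustration.

# ufw_rules_allow_port "RULE_LISTING" PORT
# Return 0 if the listing (output of `ufw show added`) contains an allow rule
# for PORT, written as a bare port, as PORT/tcp, or as "... port PORT".
ufw_rules_allow_port() {
    printf '%s\n' "$1" | grep -Eq '^ufw allow( .*)? '"$2"'(/tcp)?( |$)'
}

# enable_ufw_guarded PORT
# Enables ufw only when PORT is already allowed. Needs ufw and root, so it is
# not exercised by this example's self-check.
enable_ufw_guarded() {
    added=$(sudo ufw show added) || return 1
    if ! ufw_rules_allow_port "$added" "$1"; then
        echo "no allow rule for port $1 yet; run: sudo ufw allow $1/tcp" >&2
        return 1
    fi
    sudo ufw enable && sudo ufw status verbose
}

# Constructed sample of `ufw show added` on a host where ssh was moved to
# 59400 and the web server port 80 was opened (not real command output).
SAMPLE_ADDED='Added user rules (see ufw status for running firewall):
ufw allow 59400/tcp
ufw allow 80/tcp'

# Usage on the server: enable_ufw_guarded 59400
```

The port matched must be the one sshd actually listens on, so take it from the `Port` line you set in `sshd_config` rather than assuming 22.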