Secure Login to Server

Create New Linux User

1. Create a new user “notrootuser” to access the server:

root@mail:~# useradd -m notrootuser

2. Assign password by running the command:

root@mail:~# passwd notrootuser

3. Allow it to use sudo (and so to become root) with this command:

root@mail:~# echo 'notrootuser ALL=(ALL) ALL' >> /etc/sudoers

4. To edit your website files through WinSCP with the newly added user, do the following:

a. Add notrootuser to the www-data group using the command:

root@mail:~# adduser notrootuser www-data

If you later want to remove the user from that group again, run the command:

root@mail:~# deluser notrootuser www-data

b. Make sure your website folder and files have the correct permissions. The right permissions are listed in the article Download WordPress and Get it Ready for Installation.

You also need to enable “ignore permission errors” in the WinSCP client. When you log in to WinSCP as notrootuser and edit WooCommerce files owned by www-data:www-data, the edit (the write operation) succeeds, but WinSCP raises a permission error after every save because you are not the owner of the file. To stop this, go in WinSCP to: Preferences -> Transfer -> Default (or whichever preset you are using) -> Edit -> check Ignore permission errors (in the Upload options section) and save the settings. After that, editing any file behaves the same as when you are logged in as root.

Disable Root Access

5. Disable root login over SSH by editing the sshd configuration:

root@mail:~# nano /etc/ssh/sshd_config

Then change PermitRootLogin yes to PermitRootLogin no. After that, restart the sshd service using the command:

root@mail:~# service sshd restart

NOTE: make sure you can become root from notrootuser (step 3) before disabling root access, otherwise you can lock yourself out of the server.

Login with the New User

After disabling root access, we need to log in as notrootuser and become root from there. So log in exactly as you did with root, but as notrootuser, and then run the command below:

$ sudo -i

You will be asked for the password of notrootuser (the sudo prompt shows which account it expects). After that, you are at the root prompt.

$ sudo -i
[sudo] password for notrootuser:
root@mail:~#

Change SSH Port

You can do this easily by editing the file:

nano /etc/ssh/sshd_config

Then find an unassigned port on the website https://www.iana.org and change the line Port 22 to Port unassigned-number. After that, close the file but do not restart SSH yet: if UFW is enabled, you will not be able to connect to SSH on the new port. If UFW is running we need to reconfigure it first, because it normally blocks every port that is not explicitly allowed.

Enable Firewall

Before we touch the firewalls, we need to open the new port. Let’s say our new SSH port is 2022. First, run this to open the common ports for email and web:

UFW Firewall

ufw allow 25,80,110,143,443,587,465,993,995/tcp

Now let’s allow the new SSH port:

ufw allow 2022/tcp

If you want to allow SSH connections on the new port from a single IP address (the slave server), run the command below:

ufw allow from 137.184.33.153 to any port 2022

With this rule, SSH connections on port 2022 are accepted from the IP 137.184.33.153.

Also, make sure ufw is enabled by running the command:

ufw status

Nftables

As I see it, iRedMail enables Nftables on Ubuntu 22.04 LTS. So open the file by running the command below:

nano /etc/nftables.conf

And change the port number from 22 to 2022, commenting out the old rule, like below:

# ssh
#tcp dport 22 accept
tcp dport 2022 accept

Close the file. Now let’s restart the firewalls. Run the command below to restart Nftables:

service nftables restart

If UFW was disabled, it will pick up the new rules once you enable it. If it was already enabled, it does not need a restart. Enable it by running the command:

ufw enable

Restart SSH

Now it is time to restart the SSH service for the changes to take effect. Run the command:

service ssh restart
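The restart above is the point of no return for the session you are working in: if the sshd_config edit from step 5 or the nftables.conf edit did not come out as intended, the next login fails. The script below is an added example, not part of the original article or of iRedMail, that reads both files back before the restart. It assumes the plain "Keyword value" syntax shown in the article and the file paths /etc/ssh/sshd_config and /etc/nftables.conf used above. It also handles a detail the article does not mention: sshd keeps the first value it meets for most keywords, and an "Include" line (Ubuntu 22.04 ships "Include /etc/ssh/sshd_config.d/*.conf" as the first line of sshd_config) is expanded in place, so a drop-in file can silently override a line edited further down.

```shell
#!/bin/sh
# Added example, not part of the original article: read back the sshd_config
# and nftables.conf edits before "service ssh restart", so a bad edit cannot
# lock you out. Assumes the plain "Keyword value" syntax used in the article.

# Print every value given for an sshd_config keyword, in the order sshd
# reads them. "Include" is expanded where it appears, so a drop-in pulled in
# at the top of the file comes before anything edited further down.
sshd_values() {
    local want
    want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    _sshd_walk "$want" "$2"
}

_sshd_walk() {
    local want="$1" file="$2" line key pat inc
    [ -r "$file" ] || return 0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                      # drop comments
        set -- $line                          # split into keyword + values
        [ $# -ge 2 ] || continue
        key=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
        shift
        if [ "$key" = include ]; then
            for pat in "$@"; do
                case $pat in /*) ;; *) pat="/etc/ssh/$pat" ;; esac   # relative to /etc/ssh
                for inc in $pat; do           # glob expansion, as sshd does
                    [ -f "$inc" ] && _sshd_walk "$want" "$inc"
                done
            done
        elif [ "$key" = "$want" ]; then
            printf '%s\n' "$*"
        fi
    done < "$file"
    return 0
}

# For most keywords sshd keeps the FIRST value it meets: a later
# "PermitRootLogin no" below an earlier "PermitRootLogin yes" is ignored.
sshd_effective() {
    sshd_values "$1" "$2" | head -n 1
}

# Succeed (0) if nftables.conf has an uncommented "tcp dport <port> accept"
# rule; the commented "#tcp dport 22 accept" line from the article does not count.
nft_allows_port() {
    grep -Eq "^[[:space:]]*tcp[[:space:]]+dport[[:space:]]+$1[[:space:]]+accept" "$2"
}

# Succeed (0) when root login is off and the firewall admits every port sshd
# will listen on. "Port" is cumulative: each Port line adds a listener.
preflight() {
    local sshd_conf="$1" nft_conf="$2" ok=0 ports p
    if [ "$(sshd_effective PermitRootLogin "$sshd_conf")" != no ]; then
        echo "FAIL: effective PermitRootLogin is not 'no'"
        ok=1
    fi
    ports=$(sshd_values Port "$sshd_conf")
    [ -n "$ports" ] || ports=22               # sshd default when no Port line
    for p in $ports; do
        if nft_allows_port "$p" "$nft_conf"; then
            echo "ok: nftables accepts tcp/$p"
        else
            echo "FAIL: no accept rule for tcp/$p in $nft_conf"
            ok=1
        fi
    done
    return $ok
}

# Usage on the server (paths assumed from the article):
#   preflight /etc/ssh/sshd_config /etc/nftables.conf && service ssh restart
```

Run it from the session that is still logged in, and restart sshd only when it prints no FAIL line. Because the check is chained with && in the usage comment, a failing check leaves the running sshd untouched, so the session you are in keeps working while you fix the file.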

Login with the New SSH Port

To log in to your server from the slave server (the allowed IP address), log in to the slave and then run the command below:

ssh notrootuser@144.91.72.55 -p 2022

Note that 144.91.72.55 is the IP of the server whose SSH port we changed.