Create New Linux User
1. Create a new user “notrootuser” to access the server:
root@mail:~# useradd -m notrootuser
2. Assign password by running the command:
root@mail:~# passwd notrootuser
3. Grant it root access through sudo by appending a sudoers entry with this command (editing /etc/sudoers with visudo instead is safer, because visudo checks the syntax before saving and a broken file breaks sudo for everyone):
root@mail:~# echo 'notrootuser ALL=(ALL) ALL' >> /etc/sudoers
4. To be able to edit your website files with WinSCP using the newly added user, do the following:
a. Add the new user notrootuser to the group of www-data using the command:
root@mail:~# adduser notrootuser www-data
If you want to remove the user, run the command:
root@mail:~# deluser notrootuser www-data
b. Make sure your website folder and files have the correct permissions. The right permissions are listed in the article Download WordPress and Get it Ready for Installation.
You also need to enable “Ignore permission errors” in the WinSCP client. When you log in to WinSCP as notrootuser and edit WooCommerce files owned by www-data:www-data, the edit (the write operation) succeeds, but WinSCP raises a permission error after every save because you are not the owner of the file. To stop this, go in WinSCP to: Preferences -> Transfer -> Default (or whichever preset you are using) -> Edit -> then tick Ignore permission errors (in the Upload options section) and save the settings. After that, editing any file behaves the same as when you are logged in as root.
Disable Root Access
5. Disable root access using the command:
root@mail:~# nano /etc/ssh/sshd_config
Then change the line PermitRootLogin yes to PermitRootLogin no (add the line if it is not present; the sshd default is not “no”). After that, restart the sshd service using the command:
root@mail:~# service sshd restart
NOTE: make sure you are able to reach root from notrootuser before disabling root access.
Login with the New User
After disabling root access, you need to log in as notrootuser and become root from there. So log in exactly as you did with root, but as notrootuser, and then run the command below:
$ sudo -i
You will be asked for a password; sudo prompts for the password of the user invoking it (notrootuser), as set in step 2, not the root password. After that, you will be at the root prompt.
$ sudo -i
[sudo] password for notrootuser:
root@mail:~#
Change SSH Port
You can do this easily by opening the file:
nano /etc/ssh/sshd_config
Then pick a port that is listed as unassigned on https://www.iana.org and change the line Port 22 to Port unassigned-number. After that, close the file but do not restart SSH yet: if UFW is enabled, you will not be able to connect to SSH on the new port until the firewall allows it, because unused ports are normally closed. We need to reconfigure the UFW firewall first if it is running.
Enable Firewall
Before enabling the firewall, we need to open the new port. Let’s say our new SSH port is 2022. Run the following to open the common ports for email and web:
UFW Firewall
ufw allow 25,80,110,143,443,587,465,993,995/tcp
Now let’s allow the new SSH port (ufw has no “enable <port>” form; the rule is added with allow):
ufw allow 2022/tcp
If you want to allow SSH connections from a single IP address (slave server), run the below:
ufw allow from 137.184.33.153 to any port 2022
In this case, you accept SSH connections from the IP 137.184.33.153.
Also, make sure ufw is active by running the following command, which prints “Status: active” together with the rules you added:
ufw status
Nftables
As far as I can see, iRedMail enables nftables on Ubuntu 22.04 LTS. So open the file by running the command below:
nano /etc/nftables.conf
And change the port number from 22 to 2022 like below:
# ssh
#tcp dport 22 accept
tcp dport 2022 accept
Close the file. Now, let’s restart Firewalls. Run the below to restart Nftables:
service nftables restart
If UFW was disabled, it will pick up the new rules once you enable it; if it was already enabled, no restart is needed. Enable it by running the command:
ufw enable
Restart SSH
Now, it’s the time to restart SSH service for the changes to take effect. Run the command:
service ssh restart
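Before running that restart, a pre-flight check like the one below (added here; it is not part of the original guide) catches the two mistakes in the steps above that lock you out: PermitRootLogin still allowing root, or sshd moved to a port that nftables.conf does not accept. It assumes the file paths used in this guide, takes the port as an argument, and writes constructed sample files for a dry run instead of touching the real ones.

```shell
#!/bin/sh
# Added example: pre-flight check before "service ssh restart".
# sshd uses the FIRST uncommented occurrence of a keyword, so that is what we read.

sshd_value() {  # $1 = sshd_config path, $2 = keyword; prints the first value found
    awk -v key="$2" '$1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Returns 0 when root login is off, sshd listens on the expected port and
# nftables.conf accepts that port; prints each problem and returns 1 otherwise.
check_ssh_hardening() {  # $1 = sshd_config, $2 = nftables.conf, $3 = expected port
    rc=0
    root=$(sshd_value "$1" PermitRootLogin)
    port=$(sshd_value "$1" Port)
    # sshd defaults when a keyword is absent: PermitRootLogin prohibit-password, Port 22
    [ "$root" = "no" ] || { echo "PermitRootLogin is '${root:-unset}', expected no"; rc=1; }
    [ "${port:-22}" = "$3" ] || { echo "sshd Port is ${port:-22}, expected $3"; rc=1; }
    grep -Eq "^[[:space:]]*tcp[[:space:]]+dport[[:space:]]+$3[[:space:]]+accept" "$2" \
        || { echo "nftables.conf has no 'tcp dport $3 accept' rule"; rc=1; }
    return $rc
}

# Constructed sample files (not the server's real ones) for a dry run.
make_samples() {  # prints the directory holding the sample files
    dir=$(mktemp -d)
    printf '#Port 22\nPort 2022\nPermitRootLogin no\n' > "$dir/sshd_config"
    printf '# ssh\n#tcp dport 22 accept\ntcp dport 2022 accept\n' > "$dir/nftables.conf"
    printf 'PermitRootLogin yes\n' > "$dir/sshd_config.bad"  # root login still allowed
    echo "$dir"
}

d=$(make_samples)
check_ssh_hardening "$d/sshd_config" "$d/nftables.conf" 2022 && echo "OK: safe to restart ssh"
```

On the real server, call check_ssh_hardening /etc/ssh/sshd_config /etc/nftables.conf 2022 and only restart sshd when it prints OK.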
Login with the New SSH Port
To log in to your server from the Slave server (the allowed IP address), log in to the Slave and then run the command below:
ssh notrootuser@144.91.72.55 -p 2022
Note that 144.91.72.55 is the IP of the server whose SSH port we changed.