Install SSL on Windows IIS

How to install an SSL Certificate on Windows Server 2019 Using IIS

An SSL Certificate is a small data file that creates a secure link between a website and a visitor’s browser. See how to install an SSL certificate on Microsoft Windows server 2019 using IIS.

SSLs has a public and private key that can be used to establish an encrypted connection between a web browser and a web server. The main reason for using SSL Certificates is to protect your sensitive information and your website.

In this tutorial, we will show you how to install an SSL certificate on Windows server 2019 with IIS.

Create Certificate Signing Request Using IIS

When you are applying or Ordering an SSL certificate, you will need to create CSR (Certificate Signing Request) on your server and send it to a Certificate Authority. The CSR validates the information the CA requires to issue a certificate. After validating the CSR, the Certificate Authority will use this data to generate and issue the SSL certificate.

You can create a CSR by following the below steps:

Step 1 – Go to Start > Administrative Tools > Internet Information Services (IIS) Manager, as shown below:

Step 1: Go to Start, Administrative Tools and then IIS

Step 2 – In the left pane, click on the server name and double click on the Server Certificates. You should see the following page:

Step 2: Into IIS, click on the server name and then on Server Certificate.

Step 3 – In the right pane, click on the Create Certificate Request. You should see the following page:

Step 3: Click on Create Certificate Request.

Step 4 – Provide your domain name, company name, department name, city, state, country name and click on the Next button. You should see the following page:

Step 4: Provide your domain name, company name, department name, city, state, country name and then click Next.

Step 5 – Select the Cryptographic Service Provider, 2048 as a bit length and click on the Next button. You should see the following page:

Step 5: Select Cryptographic Service Provider and choose  2048 bit length., Then click Next.

Step 6 – Specify the filename and the location where you want to save the CSR, and click on the Finish button to create a CSR certificate.

Step 6: Specify the filename and the location to save the CSR. Then click on Finish.

Step 7 – After generating the CSR, you will need to give this CSR file to the Certificate Provider in order to purchase the new SSL certificate.

Make sure that you get an SSL certificate in P7B or CER format. Once you received the SSL certificate file from the Certificate Authority save it on the server where you created the CSR.

Install the SSL on IIS Website

Next, you will need to install the SSL certificate on your IIS website. You can install it by following the below steps:

Step 1 – Go to Start > Administrative Tools > Internet Information Services (IIS) Manager as shown below:

Step 1: Go to Start > Administrative Tools > Internet Information Services (IIS) Manager.

Step 2 – In the left pane, click on the server name and double click on the Server Certificates. You should see the following page:

Step 2: Click on the server name and then on Server Certificates.

Step 3 – In the right pane, click on Complete Certificate Request. You should see the following page:

Step 3: Click on Complete Certificate Request.

Step 4 – Browse the certificate file (.cer), provide your domain name, select Web Hosting in the certificate store option and click on the OK button.

Step 4: Browse the certificate file (.cer), provide your domain name, select Web Hosting in the certificate store option and click on OK.

At this point, you have successfully installed your SSL certificate. Next, you will need to assign the certificate to your website.

You can assign the certificate by following the below steps:

Step 1 – Open the IIS Manager, expand the server name and click on the Default Website then click on the Bindings in the right pane. You should see the following page:

Into IIS, browse for the desired Website, and then click on Bindings to install an SSL on Windows Server with IIS.

Step 2 – Click on the Add button. You should see the following page:

Click on the Add button to add a new Binding.

Step 3 – Select https, select the IP address of your website or leave it unassigned, type port 443, type your domain name, select the domain name on which you want to install SSL and click on the OK button to install the certificate.

Specify the https type, and then the correct port (default is 443). Then select the correct SSL Certificate for the new binding.

Your SSL certificate is now installed and the website configured to accept secure connections as shown below:

See you new binding into Site Bindings window. This is how to install an SSL Certificate on Windows Server and IIS.


Congratulations! you have successfully installed an SSL certificate on Windows server 2019 using IIS. Your website is now secured with an SSL certificate.

In this article we will show your how to set up SSH server with Two-Factor Authentication (2FA) for Ubuntu and Debian.

SSH, also known as “Secure Shell“, is a network protocol that can be used to login remote system securely over an unsecured network. You can control your whole server with SSH. So securing SSH is a very important part of any system administrator. By default, SSH uses a password to authenticate the system. You can also use SSH key instead of a password. But, this is only a single factor authentication.

It is always recommended to use Two factor authentication to add an extra layer of security. In two factor authentication, you will need to provide your system user password and another password generated on a mobile device. This will significantly enhance your server’s security.

In this tutorial, we will show you how to secure SSH with two factor authentication.


Install and Configure Google Authenticator

In order to set up SSH Server with Two-Factor AuthenticationFirst, you will need to install Google Authenticator PAM module to your system. You can install it by running the following command:

apt-get install libpam-google-authenticator

Once installed, run the Google Authenticator with the following command:


During the execution, you will need to answer some questions as shown below:

Do you want authentication tokens to be time-based (y/n): y

 Warning: pasting the following URL into your browser exposes the OTP secret to Google:

Press y and hit Enter to continue. You should see a QR code in the following screen:

SSH Console with QR code for Google 2FA

Next, open Google Authenticator on your Mobile and scan the QR code. Once the QR code is scanned, you should see a six-digit one-time password on your phone:

Screenshot of Google Authenticator with code.

By default, it lasts for 30 seconds. Remember this password, you will need it later in order to log in to Ubuntu server via SSH.

You can also see the secret key, verification code and emergency scratch code in the above output. It is recommended to save it to a safe place for later use.

Next, answer all the questions with y and hit Enter to update your Google Authenticator configuration file as shown below:

 Do you want me to update your "/root/.google_authenticator" file? (y/n) y

 Do you want to disallow multiple uses of the same authentication
 token? This restricts you to one login about every 30s, but it increases
 your chances to notice or even prevent man-in-the-middle attacks (y/n) y

 By default, a new token is generated every 30 seconds by the mobile app.
 In order to compensate for possible time-skew between the client and the  
 server, we allow an extra token before and after the current time. This 
 allows for a time skew of up to 30 seconds between authentication server
 and client. If you experience problems with poor time synchronization, you 
 can increase the window from its default size of 3 permitted codes (one 
 previous code, the current code, the next code) to 17 permitted codes (the 
 8 previous codes, the current code, and the 8 next codes). This will 
 permit for a time skew of up to 4 minutes between client and server.

 Do you want to do so? (y/n) y

 If the computer that you are logging into isn't hardened against brute-
 force login attempts, you can enable rate-limiting for the authentication 
 By default, this limits attackers to no more than 3 login attempts every 

 Do you want to enable rate-limiting? (y/n) y

Configure SSH to Use Google Authenticator

Next, you will also need to configure SSH to use Google Authenticator. You can do it by editing the file /etc/ssh/sshd_config:

nano /etc/ssh/sshd_config

Find and change the following lines to yes:

 UsePAM yes
 ChallengeResponseAuthentication yes

Save and close the file when you are finished. Then, restart SSH service to apply the configuration:

systemctl restart ssh

Next, you will also need to define PAM rules for SSH service in /etc/pam.d/sshd file:

nano /etc/pam.d/sshd

Add the following line after @include common-auth :

auth required pam_google_authenticator.so

Save and close the file.

Test Two Factor Authentication

Your SSH server is now configured with two factor authentication. It’s time to test it.

Log in to another system, open your terminal and connect your server with SSH as shown below:

ssh root@

You will need to provide your system password and Verification code generate by Google Authenticator.

 Verification code:

After successful login, you should see the following output:

 Linux debian 4.19.0-5-amd64 #1 SMP Debian 4.19.37-5 (2019-06-19) x86_64
 The programs included with the Debian GNU/Linux system are free software;
 the exact distribution terms for each program are described in the
 individual files in /usr/share/doc/*/copyright.
 Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
 permitted by applicable law.
 Last login: Mon Sep  9 01:12:32 2019 from


Congratulations! you have successfully set up SSH server with two-factor authentication for Ubuntu and Debian. I hope you have now enough knowledge to protect your SSH server with Google Authenticator.

Let’s Encrypt is a free Certificate Authority that provides a free SSL/TLS certificates for your domain; see how to install Let’s Encrypt SSL on a LAMP on CentOS 7. Let’s Encrypt provides a Certbot tool to obtain and install TLS/SSL certificates automatically on both Apache and Nginx web server. The certificate is valid for 90 days. So you will need to renew it before it expired.  Let’s Encrypt is a nonprofit certificate authority managed by the Internet Security Research Group. Its main aims is to create a more secure and privacy-respecting Web by adopting HTTPS.

In this tutorial, we will learn how to install an SSL on a LAMP server with Let’s Encrypt on CentOS 7.


Getting Started

Before starting, it is recommended to update your system’s packages to the latest version. You can update them by running the following command:

yum update -y

Next, you will need to disable SELinux on your system. You can do this by editing /etc/selinux/config file:

nano /etc/selinux/config

Make the following changes, the line starting by SELINUX= :


Save and close the file, when you are finished. Then, restart your system to apply the configuration changes.

Install Certbot Client

You will need to install Certbot Let’s encrypt client to your server. Certbot is a simple and easy to use tool to install and manage SSL certificate. By default, Certbot package is not available in the CentOS 7 default repository. So you will need to install the EPEL repository to your system. You can install it with the following command:

yum install epel-release

Next, install Certbot client and other packages with the following command:

yum install certbot python2-certbot-apache mod_ssl

Once the installation has been completed successfully, you can proceed to fetch and install the SSL certificate for your domain.

Install the Let’s Encrypt SSL Certificate for Your Domain

Now, fetch and install a Let’s Encrypt SSL for your domain named blog.linuxbuz.com using the following command:

certbot --apache -d blog.yourdomain.com

You will need to provide an email address and agree to the terms of service:

 Saving debug log to  /var/log/letsencrypt/letsencrypt.log
 Plugins selected: Authenticator apache, Installer apache
 Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): your@yourdomain.com
 Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must agree in order to register with the ACME server at https://acme-v02.api.letsencrypt.org/directory
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 (A)gree/(C)ancel: A

 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 Would you be willing to share your email address with the Electronic Frontier Foundation, a founding partner of the Let's Encrypt project and the non-profit organization that develops Certbot? We'd like to send you email about our work encrypting the web, EFF news, campaigns, and ways to support digital freedom.
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 (Y)es/(N)o: Y

 Starting new HTTPS connection (1): supporters.eff.org
 Obtaining a new certificate
 Performing the following challenges:
 http-01 challenge for blog.yourdomain.com
 Waiting for verification...
 Cleaning up challenges
 Created an SSL vhost at /etc/httpd/conf.d/blog.yourdomain.com.conf
 Deploying Certificate to VirtualHost 

Next, you will need to choose whether or not to redirect HTTP traffic to HTTPS:

 Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.

 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 1: No redirect - Make no further changes to the webserver configuration.
 2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for new sites, or if you're confident your site works on HTTPS. You can undo this change by editing your web server's configuration.

 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

Select option 2 and hit ENTER.

Once the installation is completed successfully, you should see the following output:

 Redirecting vhost in 
/etc/httpd/conf.d/blog.linuxbuz.conf to ssl vhost in /etc/httpd/conf.d/blog.linuxbuz-le-ssl.conf

 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 Congratulations! You have successfully enabled https://blog.linuxbuz.com
 You should test your configuration at:
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


 - Congratulations! Your certificate and chain have been saved at:
   Your key file has been saved at:

 - Your cert will expire on 2019-10-22. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"

 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.

 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Now, open the following link in your preferred web browser to check your SSL certificates: https://www.ssllabs.com/ssltest/analyze.html

Configure Automatic Certificate Renewal

By default, Let’s Encrypt certificates are expired after 90 days. So you will need to renew them before expiry date to avoid any problems.

You can renew the certificates with the following command:

certbot renew

You can also automate the renewal process by setting up a cron job.

To do so, edit the cron job with the following command:

crontab -e

Add the following line:

52 10 * * *   root /usr/bin/certbot renew >/dev/null 2>&1

Save and close the file. The above command will run on every day at 10:52.


In this tutorial, we have learned how to secure Apache web server with Let’s Encrypt free SSL on CentOS 7. I hope you can now easily secure your web server with Let’s Encrypt.

Introduction to Linux file permissions & attributes: chmod

The Linux name is a broad identifier for a variety of operating systems that are based on the Linux kernel; these operating systems are free and open-source, providing a variety of solutions for users of different skill levels. Using Linux-based systems, the user often has more reliance on system commands and command line tools; maintaining file permissions and attributes is one example of this. Linux file permissions, the permissions allowing users to access different system objects, files, and directories, are modified with the chmod command. Maintaining proper file permissions is essential in shared environments where multiple users do not share the same access requirements to files and systems.


Getting Started

To get started understanding more about file permissions and attributes, you should have a cloud server or dedicated server node running a current version of whichever Linux operating system you choose. For beginners, Linux Ubuntu is a popular distribution providing a user-friendly interface. Research the available options and choose a distribution that works for you.

An Introduction to Linux File Permissions and Attributes: chmod

When using the chmod command to alter your file permissions and attributes, there are different aspects of the command syntax that you may encounter.
For instance, there are implementation options that you may encounter, such as recursive (-R), force (-f), and verbose (-v). The recursive implementation is the most commonly used, and it is used to apply permissions to all the documents within the specified directory. The force implementation can be used when implementation should move forward even if errors occur, while the verbose implementation shows the objects as they’re processed.

An example would be to give read, write, execute access (7) to owner (u) and group (g) , but no access (0) to others (o); using the recursive function (-R) to apply the same level of permissions to all documents contained within /my/directory.

sudo chmod -R 770 /my/directory

The Symbolic Mode

Permissions can be assigned as read (r), write (w), and execute (x) access; this is considered symbolic mode.

When the permissions are displayed, they are displayed in a combination of letters indicating the permissions for the owner, the group, and anyone else. To see an example of the notation in your Linux operating system, open terminal and type ls -l /etc, which will list the content of /etc including permissions.

ls -l /etc


An example of this would be “drwxrwx—,” which shows that the owner (drwxrwx—) and those in the group (drwxrwx—) can read, write, and execute; anyone else outside (drwxrwx) of the specified owner and group have no permissions. The dash (-) will occur where a permission is not given.

You can also use the symbolic mode in more specific instances where you want to make changes to specific users. There are four references; owner (u), group (g), others (o), and all (a or ugo).

chmod: Symbolic Mode

The owner is the owner of the file while the group is users that are part of the file’s group membership. The others identifier encompasses users that are neither owner nor group members, and all can be used when the permissions want to be set for all three previous user groups simultaneously.

When adding permissions to these users, the plus sign (+) is used to add the specified mode to the specified class, the minus sign (-) is used to remove the specified mode from the specified class, and the equal sign (=) is used when the specified mode should be the exact mode for the specific class.

An example of this would be “u+w,” which would add write permission to the user.
sudo chmod u+w /my/directory/

Another example would be “g-w,” would remove write permissions for the group.
sudo chmod g-w /my/directory/

The Numeric Mode

Permissions may also be displayed in numeric mode, numbering from 0 to 7. The permissions, in ascending order, are no permission (0), execute (1), write (2), write and execute (3), read (4), read and execute (5), read and write (6), and read, write, and execute (7).

For instance, in the symbolic system, a permission could be displayed as “-rw-r–r–,” which could be translated into the numeric mode as “664”. This would indicate the first two users can read and write in this directory, while the third user can only read in this directory.
sudo chmod -R 644 /my/directory/

chmod symbolic numeric



Hopefully, this introduction to Linux file permissions and the chmod command have given you more insight into your Linux operating system. It’s important to learn more about the ins and outs of the Linux system, making changes and updates to your operating system can be accomplished with simple commands, but it’s important to understand what commands you can use and how to utilize the command input systems.

How to encrypt a directory with eCryptfs on Ubuntu 16

Ecryptfs is a powerful but simple to use tool for encrypting directories. Perhaps you are keeping sensitive information in your home directory, and wish to secure those files from an attacker who gains access to your server but not your user credentials. Or maybe your database contains sensitive details that you wish to encrypt at rest. With Ecryptfs, it is easy to secure individual directories in a way that they cannot be accessed without a user logging into the account that owns the key. In this guide, we’ll encrypt the contents of a directory on an Ubuntu 16.04 server.

Getting Started

You’ll need the following in place before we begin:
• 1 server (Cloud Server or Dedicated Server), running a fresh installation of Ubuntu 16.04.
• Root access


Begin by installing the necessary packages.

apt-get install ecryptfs-utils -y

File encryption is a powerful tool, but its capabilities and limitations need to be understood before it is used for serious tasks. For purposes of illustration, we’ll create a test directory in /home so you can get a sense for how your encrypted filesystem will work.

mkdir /home/globotech

Now we’ll encrypt the contents of the globotech directory we’ve just made.

mount -t ecryptfs /home/globotech/ /home/globotech/

You’ll be prompted to choose a password, and to set an encryption type.

With these set, check if the contents of the directory are encrypted.


cpu,cpuacct on /run/lxcfs/controllers/cpu,cpuacct type cgroup (rw,relatime,cpu,cpuacct,nsroot=/)
devices on /run/lxcfs/controllers/devices type cgroup (rw,relatime,devices,nsroot=/)
blkio on /run/lxcfs/controllers/blkio type cgroup (rw,relatime,blkio,nsroot=/)
name=systemd on /run/lxcfs/controllers/name=systemd type cgroup (rw,relatime,xattr,release_agent=/lib/systemd/systemd-cgroups-agent,name=systemd,nsroot=/)
lxcfs on /var/lib/lxcfs type fuse.lxcfs (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)
tmpfs on /run/user/0 type tmpfs (rw,nosuid,nodev,relatime,size=101628k,mode=700)
/home/globotech on /home/globotech type ecryptfs (rw,relatime,ecryptfs_sig=9cff1b579bb64c22,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs)

Next we’ll add a file with test content to this directory.

touch /home/globotech/file.txt
echo "Good Morning" > /home/globotech/file.txt

Unmount the encrypted globotech directory.

umount /home/globotech

With the directory unmounted, try to read the file you’ve just created.

cat /home/globotech/file.txt

W_65"I??_aO?EXgd+?+-   RK[a+?`,[-+=?Mec8 Td8Y  ?IV-[2d!fXMQYeQS+?!-SB
1q?X    vfq?,Xy*e~ox<lI619q2?~<   Q6):O%8 _&+)sMYW0lS!;0?n%#??5ÿ?D}F?j_sWNv

You’ll notice that the file is encrypted and the content is inaccessible. Without the password, an attacker cannot gain access to the file you’ve just made.

If you’d like access to your file again, run the same command you ran previously:

mount -t ecryptfs /home/globotech/ /home/globotech/

Use the same password to access your files. Please keep this password safe. If it is lost, no one will be able to regain access to your files, not even your service provider.

cat /home/globotech/file.txt

Good Morning


Encryption is a powerful way to protect your files in the event of a compromised server or stolen laptop. Everyone should encrypt their sensitive data, so share this article with anyone who may not know how easy encrypting directories can be. If you found this article helpful, feel free to share it with your friends and let us know in the comments below!

How to install and use Linux Malware Detect (LMD) with ClamAV on Ubuntu 16

Though Linux is a less targeted operating system, it’s still important to monitor for malware. One of the best tools out there for doing so is Linux Malware Detect, which uses a variety of metrics to identify and remove malware. When used in conjunction with ClamAV, the well known antivirus solution for Linux (as well as Mac and Windows), Linux Malware Detect provides a very good defense against malicious software.

Getting Started

The steps of this guide requires you to have the following:
• 1 server (Cloud Server or Dedicated Server) running Ubuntu 16.
• Root access to the server


In order to install Linux Malware Detect, you’ll first need to download the installation tarball from the project’s web site. You can find it at this address.

wget http://www.rfxn.com/downloads/maldetect-current.tar.gz

Take your tarball and extract it into /usr/src/. Change into the resulting directory.

cd /usr/src
tar -xvf maldetect-current.tar.gz
cd maldetect*

An installation script is available for you to install LMD. Run it using this command:


Now let’s configure our Linux Malware Detect installation. We’ll need to make a few basic modifications to the default configuration file, so go ahead and open it in a text editor:

nano /usr/local/maldetect/conf.maldet

Here are the settings as they should look:


Next, we’ll be installing ClamAV, so that Linux Malware Detect can use it as its antivirus engine.

apt-get install clamav -y

You can do a lot with Linux Malware Detect. Here’s a sample of some commands you may find useful.

To update the library of malware detection signatures:

maldet -u

To update Linux Malware Detect’s malware versions:

maldet -d

To scan all the files residing in a specific directory:

maldet -a /path

To put all threats that Linux Malware Detect has identified into quarantine:

maldet -q SCANID

To restore files from quarantine:

maldet –s SCANID


With Linux Malware Detect and ClamAV, you can rest easy knowing that you’ve got one of the premiere antimalware and antivirus solutions available for Linux. If you found this article helpful, feel free to share it with your friends and let us know in the comments below!

How to change SSH port on CentOS 6

SSH is a useful program for remotely logging in to a computer over the internet or a network. It creates a secure connection so powerful commands and tools can be safely used. In order to do this it needs a ‘port’: a number on the server that identifies which program can connect. However, two programs trying to use the same port can cause network conflicts. And although the default port is usually fine, sometimes the way other programs are set up stop it from working properly.

The following guide explains how to change the port SSH connects to on a CentOS 6 server.

Getting Started

Confirm that you have the following before you follow this guide:
• 1 Node (Cloud Server or Dedicated Server) running CentOS 6.
• Root access to the node.


In order to change the port, the first step is editing the config file for ‘sshd’, which is the SSH daemon. Use this command to edit it:

nano /etc/ssh/sshd_config

The default port for SSH is 22. Change this number to whatever you need, but be sure to avoid ports already in use by the server which are commonly used by other programs. This means most ports below 1024, but be sure to check what is in use to avoid conflicts later.

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
#Port 22 <----------------------------------------------- You need to remove the comment (#) and change the value by the port you want #AddressFamily any #ListenAddress #ListenAddress :: [...]

After the config file has been edited and saved, the SSH daemon needs to be restarted for the changes to take effect. Use this:

service sshd restart

Or this:

/etc/init.d/sshd restart

If SELinux is enabled on the server, its security features will block the connection unless the port is also added there. Use this command, and insert the port number that was set in the sshd config file:

semanage port -a -t ssh_port_t -p tcp xxxx

Finally, the firewall will also need to be modified to allow the port through. If you used SSH for this guide, logging out before this last step will mean you can't log back in! Use this command, again substituting the port number used in the sshd config:

-A INPUT -m state --state NEW -m tcp -p tcp --dport xxxx -j ACCEPT


You can now securely connect to the server with SSH on the chosen port. If this guide was useful to you, share it with your friends!

How to change SSH port on Ubuntu 14

If you administer a remote server, then you’re doubtlessly familiar with Secure Shell, or SSH. It’s a protocol that was first designed in 1995 and is still the gold standard for secure remote login and monitoring of systems. The current version is SSH-2, which fixed many vulnerabilities present in the original SSH-1 protocol.

Because SSH is so ubiquitous, it’s also a common vector of attack for intruders. There are many methods for improving SSH security, including disabling password login (using a key instead) and disabling login as root. One can also use the obfuscation technique of simply changing your SSH port from the default 22 to something else. This has the added benefit of cutting down on the amount of automated bot attacks that clutter up your logs.

This guide will walk you through the process of changing the SSH port on a server running Ubuntu 14.

Getting Started

Confirm that you have the following before you follow this guide:
• 1 Node (Cloud Server or Dedicated Server) running a fresh installation of Ubuntu 14.
• Root access to the node.


sshd is the daemon that runs SSH on Linux. Its configuration file has many options that you can tweak to alter the daemon’s behavior on your machine. Open the file and edit it with the text editor of your choosing.

nano /etc/ssh/sshd_config

It’s a simple matter to change the Port 22 default to your port of choice.

# What ports, IPs and protocols we listen for
Port 22 <----------------------------------------------------------------------- Change this value (22) by the port you want # Use these options to restrict which interfaces/protocols sshd will bind to #ListenAddress :: #ListenAddress Protocol 2 # HostKeys for protocol version 2 HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_dsa_key HostKey /etc/ssh/ssh_host_ecdsa_key HostKey /etc/ssh/ssh_host_ed25519_key #Privilege Separation is turned on for security UsePrivilegeSeparation yes [...]

Of course, you'll have to make sure not to use a port that's already in use by the server. Additionally, avoid the well-known ports 0-1023 and the registered ports 1024-49151, as they are generally reserved for other protocols and services. 49152 through 65535 are your best bet for a new port for your SSH service.

Now, restart the SSH daemon so it will reflect the changes you've made.

service ssh restart


/etc/init.d/ssh restart

Naturally, you'll need to verify that the port is allowed in your firewall. Otherwise, as soon you log out, if the firewall is set to port 22 you won't be able to log back in again.

ufw allow xxxx/tcp

Make sure xxxx is the port you set in the ssh config file.


Now that you have changed SSH's default port, you can rest assured that your server is more secure. Remember to define the new port with the 'p' flag the next time you log into your server. If this guide was useful to you, share it with your friends!

How To Migrate Iptables Firewall Rules to a New Server

This guide will go over the basic steps you should take in order to transfer firewall rules from one server to another.

Getting started

You’ll need the following in place before getting started with this guide:
• 2 Node (Cloud Server or Dedicated Server)

You’ll be transferring rules from one to another, so if you like, make sure they each have different firewall rules before beginning the guide so as to demonstrate its effectiveness.


First, check current iptables rules on server1.

iptables -S

Output Sample:

-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

You have the option to save server1’s iptables rules to a file. This is the command to do so.

iptables-save > iptables-rules-file

Now you can copy the file from server1 to server2. This is really all you’ll need to reinstate the rules on the other server.

scp iptables-rules-file root@ip.of.server.2:/root

Restore the rules on server2 from the file you just transferred.

iptables-restore < /root/iptables-rules-file

Review your iptables rules on server2 to make sure that they were indeed copied over.

iptables -S

Here's a sample of the output you should expect to see.

-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT


With that, you should now have successfully migrated your iptables rules from one server to another. Refer to the man pages for iptables to get an idea of what else you can do with this versatile program. If you liked this KB article, please share it with your friends.

How to update an Ubuntu server using apt-get

Security in the cloud is paramount, and so it’s important to keep your server up to date. If you don’t regularly apply the latest security fixes and patches to your machine, then you run the risk of your server being compromised due to an easily preventable exploit.

When you’re running Ubuntu, the primary method to keep your server updated is by using apt-get, a package manager included with Ubuntu. apt-get makes it easy to grab the latest updates to any installed package.

Getting Started

Confirm that you have the following before you follow this guide:
• 1 Node (Cloud Server or Dedicated Server) running Ubuntu.

Additionally, it’s important to remember to backup your server and data on a regular basis, especially before making any substantial updates or upgrades to your system.


Basic commands

apt-get has a number of subcommands that you may find useful during server administration tasks. The following are the most common ones that you’ll use.

apt-get update
This command will inform your system of the latest packages extant in the repository. It downloads all lists of packages from any repositories installed on your system and then uses them to update your local copy. This will give your system information on the newest versions of packages and their dependencies.

apt-get upgrade
This command is the simplest way to update your system. It will check your package lists and download any detected new versions of packages existing on the machine. One caveat is that you have to have used apt-get update first.

apt-get dist-upgrade
Similar to the above, except this command will also intelligently handle dependencies. It has the ability to remove obsolete packages and add new ones.

Before you upgrade, apt-get will show all the packages that will be upgraded and ask for a confirmation. Simply press Y to confirm. If you’d like to see the full history of upgraded packages, point your text editor to /var/log/apt/history.log.

How to update OS version from a Ubuntu server using apt-get

First, you must make sure that your server packages are up to date. You can do this by running the command apt-get update && apt-get upgrade.

This command will start the upgrade process of the server. Conveniently for those running the system update over an ssh session, the server will provide you a new ssh port and connection in case you lose the initial connection.

Once the update process is ended, you will be prompted to reboot your server in order to apply the new kernel and any final modifications.