Secure Linux Server Setup on AWS

This guide outlines the process of setting up a secure Linux server on AWS, configuring system permissions, setting up GitHub repository backups, and automating backup processes. It is designed for secure management of departmental data with automatic daily backups to GitHub. This setup ensures minimal risk of data loss and proper user access management.

---

Table of Contents

1. Phase 1: Launch EC2 Instance
2. Phase 2: System Setup and User Management
3. Phase 3: GitHub Repository Setup
4. Phase 4: Backup Automation
5. Phase 5: Security Hardening
6. Phase 6: Verification and Testing
7. Troubleshooting
8. Security Considerations

---

Phase 1: Launch EC2 Instance

Step 1: Launch EC2 Instance

1. Login to AWS Console → Navigate to EC2 Dashboard.

2. Launch Instance:

   • Name: company-secure-server
   • AMI: Amazon Linux 2023 or RHEL 9
   • Instance Type: t3.micro (Free tier eligible)
   • Key Pair: Create new or select an existing key pair.
   • Security Group: Create a new one with these rules:
     • SSH (22) - Your IP only
     • HTTPS (443) - 0.0.0.0/0 (for GitHub access)
   • Storage: 20 GB gp3 (adjust as needed)

3. Launch Instance.

Step 2: Connect via SSH

# Replace with your key file and instance IP
chmod 400 your-key.pem
ssh -i "your-key.pem" ec2-user@your-instance-ip

---

Phase 2: System Setup and User Management

Step 3: Update System

sudo yum update -y
sudo yum install git -y

Step 4: Create Directory Structure

# Create company directory structure
sudo mkdir -p /company/{hr,dev,ops}
sudo mkdir -p /company/backups

# Set base permissions
sudo chmod 755 /company

Step 5: Create Groups and Users

# Create department groups
sudo groupadd hr_group
sudo groupadd dev_group
sudo groupadd ops_group

# Create HR users
sudo useradd -m -G hr_group hr_user1
sudo useradd -m -G hr_group hr_user2

# Create Dev users
sudo useradd -m -G dev_group dev_user1
sudo useradd -m -G dev_group dev_user2

# Create Ops users
sudo useradd -m -G ops_group ops_user1
sudo useradd -m -G ops_group ops_user2

# Set passwords (you'll be prompted)
sudo passwd hr_user1
sudo passwd hr_user2
sudo passwd dev_user1
sudo passwd dev_user2
sudo passwd ops_user1
sudo passwd ops_user2

Step 6: Configure Directory Permissions

# Set group ownership
sudo chgrp hr_group /company/hr
sudo chgrp dev_group /company/dev
sudo chgrp ops_group /company/ops

# Set permissions - group read/write, no access for others
sudo chmod 770 /company/hr
sudo chmod 770 /company/dev
sudo chmod 770 /company/ops

# Set sticky bit to ensure new files inherit group ownership
sudo chmod g+s /company/hr
sudo chmod g+s /company/dev
sudo chmod g+s /company/ops

---

Phase 3: GitHub Repository Setup

Step 7: Create Private GitHub Repository

1. Go to GitHub → Create a new repository.
   • Repository name: company-backups
   • Visibility: Private
   • Initialize: Don't initialize with README.

Step 8: Generate SSH Key for GitHub

# Generate SSH key for the server
ssh-keygen -t ed25519 -C "backup-server@company.com" -f ~/.ssh/github_backup

# Display public key to copy to GitHub
cat ~/.ssh/github_backup.pub

Step 9: Add SSH Key to GitHub

1. Copy the public key output.
2. Go to GitHub → Settings → SSH and GPG keys.
3. Click New SSH key, paste the public key, and save.

Step 10: Configure SSH for GitHub

# Create SSH config
cat >> ~/.ssh/config << EOF
Host github.com
    HostName github.com
    User git
    IdentityFile ~/.ssh/github_backup
    IdentitiesOnly yes
EOF

chmod 600 ~/.ssh/config

# Test SSH connection to GitHub
ssh -T git@github.com

---

Phase 4: Backup Automation

Step 11: Configure Git and Create Backup Script

# Configure git user (run as root since script runs as root)
sudo git config --global user.name "Company Backup System"
sudo git config --global user.email "backup@company.com"
sudo git config --global init.defaultBranch main

# Create backup script
sudo tee /usr/local/bin/department_backup.sh << 'EOF'
#!/bin/bash

# Configuration
BACKUP_DIR="/company/backups"
REPO_URL="git@github.com:yourusername/company-backups.git"
DATE=$(date +%Y-%m-%d)
DEPARTMENTS=("hr" "dev" "ops")

# Ensure backup directory exists
mkdir -p "$BACKUP_DIR"

# Initialize git repo if it doesn't exist
if [ ! -d "$BACKUP_DIR/.git" ]; then
    cd "$BACKUP_DIR"
    git init
    git remote add origin "$REPO_URL"

    # Create initial README
    echo "# Company Department Backups" > README.md
    echo "Automated daily backups of department data" >> README.md
    echo "Generated on: $(date)" >> README.md
    git add README.md
    git commit -m "Initial commit"
    git branch -M main
    git push -u origin main
fi

cd "$BACKUP_DIR"

# Create archives for each department
for dept in "${DEPARTMENTS[@]}"; do
    ARCHIVE_NAME="${dept}_${DATE}.tar.gz"

    # Check if department directory has content
    if [ "$(ls -A /company/$dept 2>/dev/null)" ]; then
        echo "Backing up $dept department..."
        tar -czf "$ARCHIVE_NAME" -C /company "$dept"

        # Add to git
        git add "$ARCHIVE_NAME"
    else
        echo "No data found in $dept department, skipping..."
    fi
done

# Commit and push if there are changes
if ! git diff --staged --quiet; then
    git commit -m "Daily backup - $DATE"
    git push origin main
    echo "Backup completed and pushed to GitHub - $DATE"
else
    echo "No changes to backup - $DATE"
fi

# Clean up old local backups (keep last 7 days)
find "$BACKUP_DIR" -name "*.tar.gz" -mtime +7 -delete

# Log the backup
echo "$(date): Backup process completed" >> /var/log/department_backup.log
EOF

# Make script executable
sudo chmod +x /usr/local/bin/department_backup.sh

Step 12: Test the Backup Script

# Create some test data
sudo mkdir -p /company/hr/documents /company/dev/projects /company/ops/configs
echo "HR test file" | sudo tee /company/hr/documents/test.txt
echo "Dev test file" | sudo tee /company/dev/projects/test.txt
echo "Ops test file" | sudo tee /company/ops/configs/test.txt

# Run backup script manually to test
sudo /usr/local/bin/department_backup.sh

Step 13: Schedule with Cron

# Edit root's crontab
sudo crontab -e

# Add this line to run daily at 2 AM
0 2 * * * /usr/local/bin/department_backup.sh >> /var/log/department_backup.log 2>&1

---

Phase 5: Security Hardening

Step 14: Configure SSH Security

# Edit SSH config
sudo nano /etc/ssh/sshd_config

# Recommended changes:
# PasswordAuthentication no
# PermitRootLogin no
# MaxAuthTries 3

# Restart SSH service
sudo systemctl restart sshd

Step 15: Setup Firewall

# Install and configure firewall
sudo yum install firewalld -y
sudo systemctl enable firewalld
sudo systemctl start firewalld

# Allow SSH only
sudo firewall-cmd --permanent --add-service=ssh
sudo firewall-cmd --reload

---

Phase 6: Verification and Testing

Step 16: Test User Access

# Test as different users
sudo su - hr_user1
# Try to access hr directory (should work)
ls /company/hr
# Try to access dev directory (should fail)
ls /company/dev

# Exit and test with other users
exit

Step 17: Verify Backup Process

• Check GitHub repository for uploaded backups.
• Verify cron job: sudo crontab -l
• Check backup logs: sudo tail -f /var/log/department_backup.log

---

Troubleshooting

Common Issues:

• SSH Key Issues: Ensure GitHub SSH key is properly configured.
• Permission Denied: Check file permissions and group memberships.
• Git Push Fails: Verify repository URL and SSH configuration.
• Cron Not Running: Check cron service status: sudo systemctl status crond.

Useful Commands:

# Check user groups
groups username

# Check directory permissions
ls -la /company/

# Test SSH connection to GitHub
ssh -T git@github.com

# Check cron logs
sudo journalctl -u crond

---

Security Considerations

• Regular Updates: Keep system updated.
• Monitor Access: Review SSH logs regularly.
• Backup Verification: Periodically test backup restoration.
• Key Rotation: Rotate SSH keys periodically.
• Access Auditing: Monitor user access patterns.

---

This setup provides a secure, isolated environment for each department with automated daily backups to GitHub.