AWS Lightsail comes preloaded with "bitnami" user. Can I create my own user and delete bit

Time:01-27

I started up my first AWS Lightsail instance. I have some experience creating Digital Ocean droplets but I am new to AWS Lightsail. I picked the AWS Lightsail instance pre-loaded with Nginx VPS. When I make a new Digital Ocean droplet, I don't think it comes with a default user, I think it's just "root," but the first thing I do is make a new user, add this new user to the sudo group, and disable logging in as "root." My understanding is that this is a good practice for security, because an unknown username is 1 extra step against a security breach. If someone is looking around the internet for ssh ports and attempting to gain access, they will probably try logging in as "root." If there is no "root" login it doesn't even matter if the hacker gets a password or ssh key.

So when I noticed that AWS Lightsail comes pre-made with a user named "bitnami," I saw this as a security risk. What's even worse is that they provide you with a downloadable ssh key to log in through a local terminal. If someone gets this ssh key, they already know that the username is "bitnami."

I've created a new user and added it to the sudo group with sudo adduser <MY NEW USER NAME>, then sudo usermod -aG sudo <MY NEW USER NAME>. I added my local ssh keys to the new user's "authorized_keys" file. So my question is, now that I have a new user in the sudo group with my local ssh key authorized, can I delete the "bitnami" user with sudo deluser --remove-home <MY NEW USER NAME> then sudo deluser <MY NEW USER NAME>? Is that safe and would this also render the default ssh key which I downloaded unusable?

CodePudding user response:

It is not recommended to delete the "bitnami" user because it may cause issues with updates and/or maintenance.

Instead, it is best practice to lock the "bitnami" user so that it can't be used to log in. You can still create a new user and assign it to the sudo group.

Use the following command to lock the "bitnami" user:

sudo passwd -l bitnami
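
`passwd -l` locks only the password; the passwd man page notes that the account can still authenticate with another token such as an SSH key, and points to `usermod --expiredate 1` for disabling the account itself. The script below is an added example, not part of the original answer, that reports which login paths remain open for an account. Its function names and the `/home/bitnami` key path are assumptions, and it checks only the password lock, account expiry, authorized_keys content and literal `DenyUsers` entries.

```bash
#!/usr/bin/env bash
# Added example: which login paths stay open for an account after `passwd -l`?
# All inputs are file paths, so it runs on copies or constructed samples.

# password_locked USER SHADOW: true if the hash field starts with '!' or '*'
password_locked() {
  awk -F: -v u="$1" '$1 == u && $2 ~ /^[!*]/ { ok = 1 } END { exit !ok }' "$2"
}

# account_expired USER SHADOW: true if field 8 (expiry, days since epoch) has passed,
# e.g. after `usermod --expiredate 1 USER`
account_expired() {
  awk -F: -v u="$1" -v t="$(( $(date +%s) / 86400 ))" \
    '$1 == u && $8 != "" && $8 + 0 <= t { e = 1 } END { exit !e }' "$2"
}

# has_keys AUTHORIZED_KEYS: true if the file has a non-blank, non-comment line
has_keys() {
  [ -r "$1" ] && grep -Eqv '^[[:space:]]*(#|$)' "$1"
}

# sshd_denies USER SSHD_CONFIG: true if USER is named literally on a DenyUsers line
# (simplification: sshd patterns and USER@HOST forms are not evaluated)
sshd_denies() {
  awk -v u="$1" 'tolower($1) == "denyusers" { for (i = 2; i <= NF; i++) if ($i == u) d = 1 }
                 END { exit !d }' "$2"
}

# login_paths USER SHADOW AUTHORIZED_KEYS SSHD_CONFIG
# prints: password=<open|locked> key=<open|blocked>
login_paths() {
  local pw=open key=blocked
  if password_locked "$1" "$2"; then pw=locked; fi
  if has_keys "$3" && ! account_expired "$1" "$2" && ! sshd_denies "$1" "$4"; then
    key=open
  fi
  echo "password=$pw key=$key"
}

# On a host, as root (the home directory path is an assumed default):
#   ./login_paths.sh bitnami /etc/shadow /home/bitnami/.ssh/authorized_keys /etc/ssh/sshd_config
if [ "$#" -eq 4 ]; then login_paths "$@"; fi
```

A result of `password=locked key=open` means the downloaded default key still works for that account until the key is removed from authorized_keys, the account is expired, or sshd denies the user.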