This guide serves as the template for all my servers running Ubuntu 16.4. The default server installation needs additional configuration before being considered appropriate to use in production. Although it is popular to use automation tools nowadays, this guide does not. We will do everything by hand. This will be an artisanal server.
Prerequisites
This guide assumes that you this will be a remote server. This server should already have Ubuntu Server 16.04. This server needs to have an SSH server and you need have root access.
We will be using REMOTE_SERVER_IP
as placeholder for the IP address of the remote server. We USER_NAME
as the placeholder for your serves user name.
Remote Login
From your local computer connect to the remote server with ssh.
ssh root@REMOTE_SERVER_IP
Update the Server
Update the software repositories.
apt-get update
Install updated software
apt-get upgrade
Nano
Unless you have confidence with another terminal editor, you should use nano
. If nano is not already installed, you can install it easily.
apt-get install nano
Create a User
Running as root
is discouraged. Instead we will create a new user with sudo
privileges.
adduser USER_NAME
You will be asked to set the new user's password then a few other questions that can be left blank.
Now give this user sudo privileges.
usermod -aG sudo USER_NAME
Generate SSH Keys
If you already have SSH keys ready, skip this section.
On your local machine generate your pair of SSH keys.
ssh-keygen
You will be asked several questsion. Accept the default file location for the key. Answer the others as you wish.
Note: If you leave the passphrase blank, then your system will be less secure. Possession of the keys will be enough to gain access. Convenience is often the enemy of security.
Copy the Public Key
On your local machine copy your public SSH key to the remote server.
ssh-copy-id USER_NAME@REMOTE_SERVER_IP
Remember to use the password for the new user.
After the key has been successfully copied, log into the remote server as USER_NAME
.
ssh USER_NAME@REMOTE_SERVER_IP
Harden SSH
We are going to reconfigure our SSH server by editing sshd_config
.
sudo nano /etc/ssh/sshd_config
Check and make sure that public key authentication is enabled. Find the line that starts PubkeyAuthentication
. Make sure it is set you yes
.
PubkeyAuthentication yes
We want to disable password authentication. Find the line that starts PasswordAuthentication
. Set this to no
.
PasswordAuthentication no
We do not want root to be able to log in remotely. Find the line that starts PermitRootLogin
. Set this to no
PermitRootLogin no
Reload the SSH server. This may cause you to lose your SSH connection.
sudo service ssh restart
If you would like a more info about securing SSH, please read my post Hardening SSH
.
Fail2Ban
Fail2Ban is great an intrusion prevention tool. It can watch the logs and temporarily IP address based on suspicions activity. We want fail2ban to watch our SSH logs. If an IP makes to many bad requests we will temporarily ban them.
sudo apt-get install fail2ban
Copy the configuration files.
sudo cp /etc/fail2ban/fail2ban.conf /etc/fail2ban/fail2ban.local
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Edit the jail.local
and enable monitoring of SSH.
sudo nano /etc/fail2ban/jail.local
Find the [ssh] section. Change enable to true.
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6
Then restart the service.
sudo systemctl restart fal2ban
The Firewall
Install the Uncomplicated Firewall(UFW).
sudo apt-get install ufw
Your firewall configuration will change as you add server programs. This guide only cares about the SSH server.
sudo ufw allow ssh
Then enable the firewall.
sudo ufw enable
If you would like a more detailed guide to UFW check out my post, A Guide to the Uncomplicated Firewall (UFW) for Linux
Conclusion
If have followed this guide you will have a basic server that is just a bit more secure.
Hello @mr-rigden, upv0t3
This is a free service for new steemit users, to support them and motivate them to continue generating valuable content for the community.
<3 This is a heart, or an ice cream, you choose.
:)
R4ND0M:
3706 9805 9111 3028
4767 5207 3563 3339
4366 6097 3730 8325
7293 5737 9528 8006