This tutorial shows my preferred first steps on a Linux server. They are not the most secure settings; however, I think they provide a nice balance.

Make sure that you keep your system up to date. Out-of-date software most likely contains many security holes.

On an Arch Linux based system

pacman -Syu

will update your system. On Debian based systems:

apt-get update
apt-get dist-upgrade

does the job.

To create a new user on an Arch based system, the command is:

useradd -m user_name

On Ubuntu:

adduser user_name

Next, install sudo. On Arch:

pacman -S sudo

On Ubuntu:

apt-get install sudo

groupadd sudo

Open the sudo configuration file with:

visudo

Look for these lines:

## Uncomment to allow members of group sudo to execute any command
# %sudo   ALL=(ALL) ALL

Edit the second line to look like this:

%sudo   ALL=(ALL) ALL

Now add your user to the sudo group with this command:

usermod -aG sudo user_name

Now your system is ready to use sudo. Log out of the root account and log in with your normal account.

To disable the root user execute:

sudo passwd -l root

To improve the security of your remote connection, it's recommended to use SSH keys to log in to your server. They also have the advantage that you don't have to type in your password every time you want to log in. All of the commands in step 3 are to be executed on the client, not the server.

First we have to create a key pair with:

ssh-keygen -t rsa

The command will ask you a few questions. If you don't want to change any settings, you can simply press enter on each of the questions.

Your private key will be stored in ~/.ssh/id_rsa and your public key in ~/.ssh/id_rsa.pub. Make sure that you keep your private key safe. The public key, however, can be shared freely.

Getting the public key to your server is easily done with the ssh-copy-id command:

ssh-copy-id username@server.ip.address

The command will prompt you for the password of the user on the server. After you've entered the password, your public key will be copied to your server. You should now be able to log in to your server without having to enter your password. Please test this before the next step.

To make SSH more secure we will make some changes to the SSH configuration file. The file is located at /etc/ssh/sshd_config. Open it with a text editor and look for these lines or something similar:

#Port 22
#PermitRootLogin no

and:

#PasswordAuthentication yes

Change them to look like this:

Port 2222
PermitRootLogin no
PasswordAuthentication no

This will disable root logins and password authentication over SSH and change the port to 2222. Changing the port doesn't really increase security, but it reduces the number of failed logins because most bots check port 22.

It's important that you have the SSH keys from the previous step working before you perform the next step.

Additionally, add this line to restrict logins to the listed users. Multiple users are separated with a space.

AllowUsers user1 user2

To apply the changes you have to execute one last command:

On Arch Linux it's:

sudo systemctl restart sshd

On Ubuntu:

sudo service ssh restart

This will restart the SSH daemon and apply the new configuration.

As a next step we'll install UFW (Unified Firewall). It's an application to configure iptables. I would like to learn iptables at some point but haven't had time for it yet.
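A check worth running before the restart, as an added example that is not part of the original tutorial: it reads the global section of an sshd_config and reports where the effective values differ from the ones recommended above. The function names and both sample files are constructed for illustration; the script does not follow Include files or Match blocks.

```shell
#!/bin/sh
# Added example (not from the original tutorial): audit the global section of
# an sshd_config for the settings recommended above. Names are hypothetical.

# Print the effective value of keyword $1 in file $2. sshd uses the FIRST
# occurrence of a keyword and matches keywords case-insensitively. Parsing
# stops at the first Match block; Include files are not followed.
sshd_value() {
    awk -v key="$1" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ || NF == 0 { next }      # skip comments and blank lines
        tolower($1) == "match" { exit }     # global section only
        tolower($1) == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$2"
}

# Print one FAIL line per deviation; return 0 only if there are none.
audit_sshd_config() {
    file=$1; findings=0
    for pair in PermitRootLogin:no PasswordAuthentication:no; do
        key=${pair%%:*}; want=${pair#*:}
        got=$(sshd_value "$key" "$file" | tr 'A-Z' 'a-z')
        if [ "$got" != "$want" ]; then
            echo "FAIL $key: effective value '${got:-unset}', expected '$want'"
            findings=$((findings + 1))
        fi
    done
    if [ -z "$(sshd_value AllowUsers "$file")" ]; then
        echo "FAIL AllowUsers: not set, no login allow-list"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample files. In the first, the root-login line is still
# commented out and an earlier "yes" overrides the later "no".
tmp=$(mktemp -d)
printf '%s\n' '#Port 22' '#PermitRootLogin no' \
    'PasswordAuthentication yes' 'PasswordAuthentication no' > "$tmp/weak"
printf '%s\n' 'Port 2222' 'PermitRootLogin no' \
    'PasswordAuthentication no' 'AllowUsers user1 user2' > "$tmp/hardened"

audit_sshd_config "$tmp/weak" || echo "weak: needs fixing"
audit_sshd_config "$tmp/hardened" && echo "hardened: ok"
```

Running `sudo sshd -t` before the restart also catches syntax errors in the file. Keep your current SSH session open until a second login with the new settings has succeeded.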

First install the package:

sudo apt install ufw

or

sudo pacman -S ufw

Now configure the firewall to your needs. If you're working on a remote server, make sure that you allow traffic on the SSH port before you enable the firewall. Otherwise you will lock yourself out. To allow traffic through a specific port (e.g. 2222), execute this command:

sudo ufw allow 2222

Once you've allowed all the necessary ports activate UFW with:

sudo ufw enable

To have it run at boot on an Arch system additionally execute:

sudo systemctl enable ufw

If you want to check which ports are open run:

sudo ufw status

and to close an open port:

sudo ufw deny 2222

You could also use reject instead of deny. Your server will then tell the programme that tries to establish a connection that the port is closed. With deny it just drops the request and doesn't respond. Which one you choose depends a bit on your use case.

As a last security option we'll install Fail2Ban. This application blocks IPs when they have too many failed login attempts. I leave its settings mostly default except that I change the jail time to indefinitely.

Install the package with:

sudo apt install fail2ban

or

sudo pacman -S fail2ban

Then open the config file and change the line:

bantime  = 10800

to

bantime  = -1

Now all banned IPs will stay banned forever. You can add your IP to the whitelist if you want.

Pay attention when you're modifying the permissions of your home folder. Your .ssh folder needs quite specific permissions in order to work. A mistake can easily lock you out of your server.

If you're dealing with a slow or unreliable connection to the server, use mosh instead of ssh. https://mosh.mit.edu/
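The permissions in question, as an added example that is not part of the original tutorial: with StrictModes enabled (the sshd default), key logins are refused when the home directory, the .ssh folder or authorized_keys is writable by group or others. The function names and the sample directory tree are constructed for illustration, and the script relies on `stat -c` as found on Linux.

```shell
#!/bin/sh
# Added example (not from the original tutorial): check the permissions that
# sshd's StrictModes setting (on by default) enforces before it will read
# authorized_keys. Function names and the sample tree are hypothetical.
# Uses GNU/BusyBox "stat -c"; ownership is not checked here.

# Succeed if path $1 is NOT writable by group or others.
no_group_other_write() {
    mode=$(stat -c '%a' "$1") || return 1
    [ $(( 0$mode & 022 )) -eq 0 ]       # octal mode, mask out g+w and o+w
}

# Check home directory $1; print a suggested fix for every problem found.
check_ssh_perms() {
    home=$1; bad=0
    for path in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$path" ] || { echo "MISSING $path"; bad=$((bad + 1)); continue; }
        if ! no_group_other_write "$path"; then
            echo "UNSAFE $path (mode $(stat -c '%a' "$path")): run chmod go-w on it"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Constructed sample: a home directory where .ssh became group-writable,
# for instance after a recursive chmod on the home folder.
demo=$(mktemp -d)
mkdir -p "$demo/home/.ssh"
: > "$demo/home/.ssh/authorized_keys"
chmod 755 "$demo/home"
chmod 775 "$demo/home/.ssh"
chmod 600 "$demo/home/.ssh/authorized_keys"

check_ssh_perms "$demo/home" || echo "key login would be refused"
chmod 700 "$demo/home/.ssh"
check_ssh_perms "$demo/home" && echo "permissions ok"
```

Modes 700 for .ssh and 600 for authorized_keys satisfy this check. Run it from a session that is already logged in, so a mistake can still be undone.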
