This tutorial shows my preferred first steps on a Linux server. They are not the most secure settings; however, I think they provide a nice balance.
Make sure that you keep your system up to date. Out-of-date software most likely contains many security holes.
On an Arch Linux based system
will update your system. On Debian based systems:
apt-get update
apt-get dist-upgrade
does the job.
On an Arch based system the command is:
useradd -m user_name
pacman -S sudo
apt-get install sudo
Open the sudo configuration file with:
Look for these lines:
## Uncomment to allow members of group sudo to execute any command
# %sudo ALL=(ALL) ALL
Edit the second line to look like this:
%sudo ALL=(ALL) ALL
Now add your user to the sudo group with this command:
usermod -aG sudo andreas
Now your system is ready to use sudo. Log out of the root account and log in with your normal account.
To disable the root user execute:
sudo passwd -l root
To improve the security of your remote connection, it's recommended to use SSH keys to log in to your server. In addition, they provide the advantage that you don't have to type in your password every time you want to log in. All of the commands in step 3 are to be executed on the client, not the server.
First we have to create a key pair with:
ssh-keygen -t rsa
The command will ask you a few questions. If you don't want to change any settings you can simply press enter on each of the questions.
Your private key will be stored in ~/.ssh/id_rsa and your public key in ~/.ssh/id_rsa.pub. Make sure that you keep your private key safe. The public key, however, can be shared freely.
Getting the public key to your server is quite easily achieved with the ssh-copy-id command
The command will prompt you for the password of the user on the server. After you've entered the password, your public key will get copied to your server. You should now be able to log in to your server without having to enter your password. Please test this before the next step.
To make SSH more secure, we will make some changes to the SSH configuration file. The file is located in /etc/ssh/sshd_config. Open it with a text editor and look for these lines or something similar:
Change them to look like this:
This will disable root logins and password authentication over SSH and change the port to 2222. While changing the port doesn't really increase the security, it reduces the number of failed login attempts because most bots check on port 22.
It's important that you have the SSH keys from the previous step working before you perform the next step.
Additionally, add this line to limit logins to the allowed users. Multiple users are separated with a space.
AllowUsers user1 user2
To make the changes take effect you have to execute one last command:
On Arch Linux it's:
sudo systemctl restart sshd
sudo service ssh restart
This will restart the ssh daemon and apply the new configurations.
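A check worth running before that restart, as an added example that is not part of the original tutorial: it audits a config file for the four settings above, using sshd's rule that the first occurrence of a keyword is the one that counts. The function names `sshd_value` and `audit_sshd_config` and the sample file are constructed for illustration; it assumes a single Port line and a single AllowUsers line and only reads the global section before any Match block.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the settings this tutorial applies.
# sshd uses the first occurrence of a keyword; keywords are case-insensitive.
# Assumes a single Port line and a single AllowUsers line.

# Print the value of keyword $2 from the global section of file $1.
sshd_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                  # commented-out lines do not count
        tolower($1) == "match" { exit }      # stop where Match blocks begin
        tolower($1) == tolower(key) {        # first occurrence wins
            $1 = ""; sub(/^[ \t]+/, ""); print; exit
        }' "$1"
}

# Return 0 only if the file matches the tutorial's hardening; print each problem.
audit_sshd_config() {
    file=$1 user=$2 rc=0
    for want in "PermitRootLogin no" "PasswordAuthentication no" "Port 2222"; do
        key=${want%% *} exp=${want#* }
        got=$(sshd_value "$file" "$key")
        if [ "$got" != "$exp" ]; then
            echo "FAIL $key: want '$exp', got '${got:-unset}'"
            rc=1
        fi
    done
    # Lockout check: the account you log in with must be listed in AllowUsers.
    case " $(sshd_value "$file" AllowUsers) " in
        *" $user "*) ;;
        *) echo "FAIL AllowUsers does not list '$user'"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample: the commented line is ignored and the later
# "PasswordAuthentication no" is shadowed by the earlier "yes".
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 2222
PermitRootLogin no
#PasswordAuthentication no
PasswordAuthentication yes
PasswordAuthentication no
AllowUsers user1 user2
EOF
audit_sshd_config "$sample" user1 || echo "Fix the config before restarting sshd"
```

On the server itself, `sudo sshd -t` checks the file for syntax errors and `sudo sshd -T` prints the effective configuration.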
As a next step we'll install UFW (Uncomplicated Firewall). It's an application to configure iptables. I would like to learn iptables at some point but haven't had time for it yet.
First install the package:
sudo apt install ufw
sudo pacman -S ufw
Now configure the firewall to your needs. If you're working on a remote server, make sure that you allow traffic on the SSH port before you enable the firewall. Otherwise you will lock yourself out. To allow traffic through a specific port (e.g. 2222), execute this command:
sudo ufw allow 2222
Once you've allowed all the necessary ports activate UFW with:
sudo ufw enable
To have it run at boot on an Arch system additionally execute:
sudo systemctl enable ufw
If you want to check which ports are open run:
sudo ufw status
and to close an open port:
sudo ufw deny 2222
You could also use reject instead of deny; then your server will tell the programme which tries to establish a connection that this port is closed. With deny it just drops the request and doesn't respond. Which one you choose depends a bit on your use case.
As a last security option we'll install Fail2Ban. This application blocks IPs when they have too many failed login attempts. I leave its settings mostly default except that I change the jail time to indefinite.
Install the package with:
sudo apt install fail2ban
sudo pacman -S fail2ban
Then open the config file and change the line:
bantime = 10800
to:
bantime = -1
Now all IPs will get banned forever. You can add your IP to the whitelist if you want.
Pay attention when you're modifying the permissions of your home folder. Your .ssh folder needs quite specific permissions in order to work. A mistake can easily lock you out of your server.
If you're dealing with a slow or unreliable connection to the server, use mosh instead of ssh. https://mosh.mit.edu/
Websites used to create this tutorial: