I've mentioned it several times before and will probably mention it again: CentOS is no longer a viable option for anything that needs stability in my workflow, so I'm concentrating on the Debian-Ubuntu alternative. The first thing to do on any computer, especially one that faces the Internet, is to increase security. I'll review some of my steps for Ubuntu here.
This guide assumes that you are doing this on a clean Ubuntu machine with no prior installation or maintenance. It mainly focuses on SSH as it is a constantly running service on your server. If you install other services on your server, also review the security practices of those services.
Log in to your server via SSH. I have a few VPS machines for testing purposes so I'll use them for that.
xxx.xxx.xxx.xxx is the public (or private) IP address of the Ubuntu machine you want to connect to.
ssh root@xxx.xxx.xxx.xxx
Before you try any of this, make a backup if the server already has data on it. If you make a mistake, you can then go back to the previous state.
Update software
Always my first step: update the software installation.
sudo apt update && sudo apt upgrade
Create a new user
Working as root for everyday administration (even on a box with a single admin) is not a good idea, especially on a machine exposed to the Internet. I'll create a user called zeljko and use it for all administrative tasks. Later we will disable the root user.
adduser zeljko
We will also add zeljko to the sudo group:
usermod -aG sudo zeljko
Let's test that everything is OK. First, switch from the root session to the new account (put your own username in place of zeljko):
su - zeljko
After switching from root to zeljko, check that zeljko is really in the sudo group by typing:
sudo whoami
The command returned root, which means we have sudo privileges.
Type exit to return to the root session, then log out of SSH. We will log in again with the new zeljko account and continue managing the machine from there.
Also, it's an opportunity to see if all is well with our new user before continuing with the setup.
Enter ssh again, this time with your new account. I'm logging in as zeljko.
ssh zeljko@xxx.xxx.xxx.xxx
Disable root login over SSH
The first step is to disallow logging in as root over SSH.
sudo nano /etc/ssh/sshd_config
Locate the following line, uncomment it if it starts with #, and set its value to no:
PermitRootLogin no
Save the changes and exit the file.
Now restart the SSH server:
sudo systemctl restart ssh
I tried to connect as root via ssh and got "Permission denied". That's good.
Change the SSH port and limit authentication attempts
While we're in the SSH setup, we'll also change the default SSH port from 22 to 222. This is optional, you can do it or not.
If you do change the port, you can pick any free port (one no other service on your server is listening on); it doesn't have to be 222.
This mainly cuts down the noise from bots that scan the default port. It does not stop a targeted attacker, who will find the new port with a port scan, so treat it as a convenience, not a security control.
Before changing the SSH port, check whether the firewall is active. If it is, we need to allow port 222 now; if not, we'll do it when we configure the firewall.
To check if the firewall is enabled, type
sudo ufw status
My firewall is down so I'll configure it later. If your firewall is active, enter the following:
This rule is probably already there if the firewall is active and you can log in via ssh:
sudo ufw allow ssh
And this is the new rule we need so we don't lock ourselves out after changing the port:
sudo ufw allow 222/tcp
Now we are going to change the port.
sudo nano /etc/ssh/sshd_config
Locate the following lines, uncomment them (remove the #) and set the values as below.
Port changes the listening port from 22 to 222. MaxAuthTries limits how many authentication attempts a client may make within a single connection (the default is 6); it does not block the IP address, that is what Fail2Ban does later in this guide. You can set it lower or higher.
Port 222
MaxAuthTries 5
Save and exit the file.
Restart the ssh service:
sudo systemctl restart ssh
I immediately disconnected from my SSH session and tried to log in again, but the connection was refused.
The command we now need to log back into ssh is
ssh zeljko@xxx.xxx.xxx.xxx -p 222
If you don't use port 222 and want to stick with the default port 22, you can omit the -p 222 option.
Alright, this part is done.
Other SSH settings
We'll go through a few more settings in the SSH configuration file; see which of them suit your workflow.
so let's edit
sudo nano /etc/ssh/sshd_config
Protocol 2
SSH protocol 1 is obsolete and insecure. OpenSSH has defaulted to protocol 2 for many years, and releases since 7.6 (2017), which includes every supported Ubuntu version, no longer contain protocol 1 at all and silently ignore this directive. Setting it is harmless and, on an old build that still has protocol 1, makes sure only protocol 2 is offered:
Protocol 2
Restart SSH
sudo systemctl restart ssh
To test the setup, I disconnected my SSH session and tried protocol 1 first by entering the -1 switch
ssh -1 zeljko@xxx.xxx.xxx.xxx -p 222
I got the error "SSH v.1 protocol is no longer supported"; this is fine and means that protocol 1 stopped working on our machine.
When I try to login with option -2
ssh -2 zeljko@xxx.xxx.xxx.xxx -p 222
This worked and I was able to log in. You can omit the -2 option from your ssh command; protocol 2 is the default.
Idle timeout
Leaving your PC unattended for a while while your SSH connections are active could be a problem. To be honest, I don't find this setting all that important because an open SSH connection is the least of my worries if someone gets physical access to my PC.
If you want, uncomment and set the following value (I set it to 180 seconds, which is 3 minutes).
Note that ClientAliveInterval is a keepalive, not a session timeout: sshd sends a probe to the client every 180 seconds and drops the connection after ClientAliveCountMax (default 3) unanswered probes, so it cleans up dead connections after about 9 minutes. It does not log out a user whose client is still connected and merely idle; for that you need a shell timeout such as TMOUT.
ClientAliveInterval 180
Restrict SSH access to specific users
You can list the user accounts allowed to connect over SSH; all other users are rejected. I will allow two users, zeljko and informataticar.
Add the following line to your sshd_config file
AllowUsers zeljko informataticar
You need to restart the ssh service after adding this
sudo systemctl restart ssh
Firewall settings
We touched on this when configuring the custom SSH port.
You can check the status of your firewall by typing the following
sudo ufw status
We have already established that my firewall is not active.
First we allow outgoing connections by default and deny incoming ones:
sudo ufw default allow outgoing
sudo ufw default deny incoming
We need to allow SSH in (if you kept the default port 22):
sudo ufw allow ssh
Since I changed the SSH port to 222, I allow port 222 instead of the rule above:
sudo ufw allow 222/tcp
Now we can enable the firewall:
sudo ufw enable
Now if we check our ufw status
sudo ufw status
After that, I rebooted the server and logged in to SSH again with no problem.
Completely disable the root account on your system
In addition to disabling root user login via SSH, you can also completely disable the root account on your system.
To disable the root account, type the following
sudo passwd -l root
This locks root's password; you can still become root with sudo -i from your admin account, so nothing else breaks.
If you need to reactivate the root account, set a new password for it:
sudo passwd root
Enter the new password twice and the account is active again.
Enable 2FA
You should make a habit of this, as it takes the security of your Internet-facing servers to a whole new level.
We install the Google Authenticator PAM module:
sudo apt install libpam-google-authenticator
We need to edit /etc/pam.d/sshd so that PAM requires a Google Authenticator code:
sudo nano /etc/pam.d/sshd
Add the following line; I put it at the end of the file:
auth required pam_google_authenticator.so
The next file we need to edit is
sudo nano /etc/ssh/sshd_config
Change the following line to yes. On Ubuntu 22.04 and newer the same setting is called KbdInteractiveAuthentication and is set to no in the default file; since sshd takes the first occurrence of a setting, change that existing line to yes rather than adding a new one at the end.
ChallengeResponseAuthentication yes
Now configure Google Authenticator for the user zeljko. Logged in as that user, run:
google-authenticator
Answer the questions as follows:
Do you want authentication tokens to be time-based? y
After answering y to the first question you get a QR code and emergency scratch codes. Open Google Authenticator (or any TOTP app) on your Android/iPhone and scan the QR code. Also write down the verification code and the emergency scratch codes.
Update your ~/.google_authenticator file? y
Disallow multiple uses of the same token? y
Increase the time window to 4 minutes? n
Enable rate limiting? y
Now restart the ssh service:
sudo systemctl restart ssh
I'll also try logging out of my SSH session and hope for the best when I try to log in again.
Success, my verification code was accepted.
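Both the sshd_config changes above (PermitRootLogin, Port, MaxAuthTries) and the 2FA setup depend on the exact directive being in effect, and sshd quietly takes the first occurrence of a keyword and treats anything after a Match line as conditional, so a line added at the end of the file may not do what you expect. The following script, added here as an example and not part of the original post, reads an sshd_config the way sshd does and checks the values this guide sets, and checks that the sshd PAM file requires pam_google_authenticator.so. The file names, the sample configs and the PAM snippets are constructed for the demo, and it only handles the `Keyword value` spelling (not `Keyword=value`).

```bash
#!/usr/bin/env bash
# Added example (not from the original post): audit sshd_config and the sshd
# PAM stack for the settings this guide sets, before restarting sshd.
# Assumptions: directives in the "Keyword value" form (not "Keyword=value");
# the sample files below are constructed, not copied from a real server.

# Effective value of a keyword, the way sshd reads it: comments skipped,
# keyword compared case-insensitively, FIRST occurrence wins, and anything
# after a Match line is conditional so we stop there.
sshd_value() {
    local file="$1" key="$2"
    awk -v key="$key" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == "match"   { exit }
        tolower($1) == tolower(key) {
            v = $0
            sub(/^[ \t]*[^ \t]+[ \t]+/, "", v)   # strip the keyword, keep the value
            print v
            exit
        }' "$file"
}

# Compare one directive against the expected value; returns 1 on mismatch.
check_setting() {
    local file="$1" key="$2" want="$3" got
    got="$(sshd_value "$file" "$key")"
    if [ "$got" = "$want" ]; then
        echo "PASS $key = $got"
        return 0
    fi
    echo "FAIL $key = '${got:-<unset>}' (want '$want')"
    return 1
}

# The PAM stack must contain an active "auth required pam_google_authenticator.so".
pam_has_totp() {
    grep -Eq '^[ \t]*auth[ \t]+required[ \t]+pam_google_authenticator\.so' "$1"
}

# Run every check from this guide; the return code is the number of failures.
audit_ssh() {
    local sshd_cfg="$1" pam_cfg="$2" failures=0
    check_setting "$sshd_cfg" PermitRootLogin no                  || failures=$((failures + 1))
    check_setting "$sshd_cfg" Port 222                            || failures=$((failures + 1))
    check_setting "$sshd_cfg" MaxAuthTries 5                      || failures=$((failures + 1))
    check_setting "$sshd_cfg" ChallengeResponseAuthentication yes || failures=$((failures + 1))
    if pam_has_totp "$pam_cfg"; then
        echo "PASS pam_google_authenticator.so required in $pam_cfg"
    else
        echo "FAIL pam_google_authenticator.so not required in $pam_cfg"
        failures=$((failures + 1))
    fi
    return "$failures"
}

# Constructed sample files: one hardened config, one left at defaults.
make_samples() {
    local dir
    dir="$(mktemp -d)"
    cat > "$dir/sshd_config.good" <<'EOF'
# hardened per this guide
Port 222
PermitRootLogin no
MaxAuthTries 5
ChallengeResponseAuthentication yes
Match Address 192.0.2.0/24
    PasswordAuthentication yes
EOF
    cat > "$dir/sshd_config.bad" <<'EOF'
#Port 22
PermitRootLogin prohibit-password
MaxAuthTries 6
EOF
    printf 'auth required pam_google_authenticator.so\n' > "$dir/pam_good"
    printf '@include common-auth\n' > "$dir/pam_bad"
    echo "$dir"
}

samples="$(make_samples)"
echo "== hardened config =="
audit_ssh "$samples/sshd_config.good" "$samples/pam_good" && echo "all checks passed"
echo "== default config =="
audit_ssh "$samples/sshd_config.bad" "$samples/pam_bad" || echo "$? check(s) failed"
rm -rf "$samples"
```

On the real server you would call audit_ssh /etc/ssh/sshd_config /etc/pam.d/sshd. Two checks from sshd itself are worth adding to the routine: sudo sshd -t validates the syntax of the file and prints nothing when it is fine, and sudo sshd -T prints every effective setting after defaults and Match blocks are applied, which is the authoritative answer once the service is running. Whatever you change, keep your current session open until a fresh login with the new settings has succeeded.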
Passwordless authentication over SSH
You can also use public key authentication instead of passwords, which makes sense if you regularly log in to your servers from the same computer. It is highly recommended and secure when used correctly. If you want to use this, take a look at my blog post about this type of authentication.
Install Fail2Ban
Fail2Ban is an intrusion prevention system (IPS): it watches log files for failed login attempts and, when it sees too many from the same IP address within its time window, bans that address with a firewall rule for a configurable period.
To install Fail2Ban
sudo apt install fail2ban
Let's check the status of the fail2ban service
sudo systemctl status fail2ban
Now create a jail.local file. The /etc/fail2ban folder contains jail.conf; we will not edit that file, since package upgrades overwrite it. Our overrides go into jail.local, created as follows:
sudo nano /etc/fail2ban/jail.local
Add the following to the file. If your ssh is still on port 22, put 22 instead of 222. Instead of xxx.xxx.xxx.xxx put your own IP address if you have a fixed one, so you can never ban yourself.
[DEFAULT]
bantime = 8h
ignoreip = 127.0.0.1/8 xxx.xxx.xxx.xxx
ignoreself = true

[sshd]
enabled = true
port = 222
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
If /var/log/auth.log does not exist on your release (newer Ubuntu installs log to the journal only), replace the logpath line with backend = systemd.
save file and exit
Restart fail2ban
sudo systemctl restart fail2ban
To list the banned addresses in the firewall chain the sshd jail created, enter:
sudo iptables -L f2b-sshd --line-numbers
To remove a ban, delete the rule by its line number from the same chain:
sudo iptables -D f2b-sshd <line number>
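To see what the jail.local above actually does with maxretry = 3 and ignoreip, here is a shell script, added as an example and not from the original post, that runs the same counting over a constructed auth.log excerpt: it pulls the source IP from each `Failed password` line, skips addresses in an ignore list, and reports every IP with at least maxretry failures, which is the set Fail2Ban would ban. The log lines are made up (RFC 5737 documentation addresses), and the ignore list takes plain addresses, not CIDR ranges as the real ignoreip does.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): count failed SSH logins per
# source IP the way the fail2ban sshd jail does with maxretry, over a
# constructed auth.log excerpt. Assumptions: syslog-style "Failed password"
# lines as written by OpenSSH; the ignore list holds plain IPs, not CIDR ranges.

# Write a made-up auth.log excerpt (RFC 5737 documentation addresses) to $1.
write_sample_log() {
    cat > "$1" <<'EOF'
Mar  3 10:01:02 vps sshd[1201]: Failed password for root from 203.0.113.45 port 51022 ssh2
Mar  3 10:01:05 vps sshd[1201]: Failed password for root from 203.0.113.45 port 51022 ssh2
Mar  3 10:01:09 vps sshd[1203]: Failed password for invalid user admin from 203.0.113.45 port 51030 ssh2
Mar  3 10:02:11 vps sshd[1210]: Failed password for zeljko from 198.51.100.7 port 40110 ssh2
Mar  3 10:02:20 vps sshd[1210]: Accepted password for zeljko from 198.51.100.7 port 40110 ssh2
Mar  3 10:03:01 vps sshd[1215]: Failed password for root from 192.0.2.9 port 2200 ssh2
Mar  3 10:03:03 vps sshd[1215]: Failed password for root from 192.0.2.9 port 2200 ssh2
Mar  3 10:03:05 vps sshd[1215]: Failed password for root from 192.0.2.9 port 2200 ssh2
Mar  3 10:03:07 vps sshd[1215]: Failed password for root from 192.0.2.9 port 2200 ssh2
EOF
}

# failed_logins <logfile> <maxretry> [ignoreip...]
# Prints "<failures> <ip>" for every source IP with at least <maxretry>
# failed password attempts, most failures first. IPs in the ignore list are
# skipped like fail2ban's ignoreip. Successful logins are not counted.
failed_logins() {
    local logfile="$1" maxretry="$2"
    shift 2
    grep -E 'sshd\[[0-9]+\]: Failed password for ' "$logfile" \
      | sed -nE 's/.* from ([0-9]{1,3}(\.[0-9]{1,3}){3}) port [0-9]+ .*/\1/p' \
      | awk -v max="$maxretry" -v ignore="$*" '
          BEGIN { n = split(ignore, list, " "); for (i = 1; i <= n; i++) skip[list[i]] = 1 }
          !($1 in skip) { count[$1]++ }
          END { for (ip in count) if (count[ip] >= max) print count[ip], ip }' \
      | sort -k1,1nr -k2,2
}

log="$(mktemp)"
write_sample_log "$log"
echo "== would be banned with maxretry = 3 =="
failed_logins "$log" 3
echo "== same, with 192.0.2.9 in ignoreip =="
failed_logins "$log" 3 192.0.2.9
rm -f "$log"
```

Note how the whitelisted address disappears from the second run even though it has the most failures, which is exactly why your own fixed IP belongs in ignoreip. On a live box, sudo fail2ban-client status sshd lists what the jail has actually banned, and sudo fail2ban-client set sshd unbanip <address> lifts a ban without touching iptables directly.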
Install antivirus protection
This is a hotly debated topic in the Linux community: should I install an antivirus on Linux or not?
It is completely up to you: assess your risks and the kind of workload the machine will handle, and then decide whether you want AV on your Linux. There are not many good AV solutions for Linux that I can recommend or know about. The official Ubuntu website mentions AVAST, NOD32, F-PROT, Panda, Sophos, Symantec and others; some of them only support certain distributions or versions.
ClamAV is a free antivirus program, to install it run the following
sudo apt install clamav clamav-daemon -y
To update the signature database manually, first stop the freshclam service, which otherwise holds the database lock:
sudo systemctl stop clamav-freshclam
Update the database with the following command:
sudo freshclam
Then start the service again and make sure it runs at boot:
sudo systemctl start clamav-freshclam
sudo systemctl enable clamav-freshclam
See the ClamAV documentation for details on scanning, maintenance, etc.
The second tool worth noting is rkhunter, which runs a quick scan for rootkits.
sudo apt install rkhunter
To scan your system, run:
sudo rkhunter -c
Conclusion
These are the most basic tips to get you started. For each service you enable on your server, check the documentation and the web: find best practices and security tips and make sure you implement them. Do your research and make sure you have the right measures for your situation and workload. Absolute security does not exist in IT, but at least the known risks can be minimized.