---
description: Things you can do to secure your server running the Bonder
---
{% hint style="info" %} Please note that this guide is written for Ubuntu 24.04. It also applies to all of the currently maintained Ubuntu releases. {% endhint %}
These are a number of things you can do to secure an Ubuntu server.
{% hint style="info" %} These are examples, and it's recommended that you do your own research to know what's best for your own server. {% endhint %}
## Keep the system up-to-date with the latest patches

```bash
sudo apt update -y && sudo apt full-upgrade -y
sudo apt autoremove -y && sudo apt autoclean
```
## Disable the root user account and set a password for your account

```bash
sudo passwd -l root   # Ubuntu ships with root's password already locked, so this is redundant, but locking it explicitly is good practice
sudo passwd ubuntu    # Your login user still needs a password for sudo, even once SSH password logins are disabled below
```
## Edit SSH configuration

Before you disable password logins, confirm that your public key is in `~/.ssh/authorized_keys` on the server and that you can log in with it from a second terminal; otherwise the next restart of the service locks you out.

```bash
sudo vim /etc/ssh/sshd_config
```

In the `sshd_config` file, update the values below or ensure that they are already set to these values.

```
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
KbdInteractiveAuthentication no # In versions prior to Ubuntu 22.04, this is called `ChallengeResponseAuthentication`
X11Forwarding no
```

At the bottom of the file, add a new line to allow only your user to access the server.

```
AllowUsers ubuntu
```

On Ubuntu 22.04 and later the file begins with `Include /etc/ssh/sshd_config.d/*.conf`, and sshd keeps the first value it reads for each keyword, so a drop-in in that directory (for example the `50-cloud-init.conf` that cloud-init writes on many cloud images) silently overrides anything you set further down in the main file. Check the drop-ins for a conflicting `PasswordAuthentication` line before you restart.
## Verify changes and reload service

Validate the file with `sudo sshd -t` (it prints nothing when the syntax is fine), restart the service, and keep your current session open until a fresh login with your key succeeds.

```bash
sudo systemctl restart ssh
```
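The SSH steps above (key check, settings, validation, restart, verification) as one script. This is an added example written for this page, not code from the original page or from the Bonder project. It assumes Ubuntu 22.04 or later, where `sshd_config` includes `/etc/ssh/sshd_config.d/*.conf` before anything else; the drop-in name `00-hardening.conf` and the `apply` argument are the example's own conventions.

```shell
#!/bin/sh
# Added example, not code from the original page. Applies the sshd settings
# above as a drop-in file and verifies the effective configuration, refusing
# to disable password login for a user who has no authorized key (the usual
# way people lock themselves out).
#
# Assumptions: Ubuntu 22.04 or later, whose /etc/ssh/sshd_config begins with
# "Include /etc/ssh/sshd_config.d/*.conf". sshd keeps the first value it sees
# for each keyword, so a drop-in that sorts first (00-...) wins over later
# drop-ins such as 50-cloud-init.conf and over the main file. The file name
# 00-hardening.conf and the "apply" argument are this example's own choices.

# Returns 0 if FILE holds at least one public key line (an options prefix is allowed).
has_authorized_key() {
    keyfile="$1"
    [ -r "$keyfile" ] || return 1
    grep -Eq '(^|[[:space:]])(ssh-(rsa|ed25519)|ecdsa-sha2-nistp[0-9]+|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com) ' "$keyfile"
}

# Writes the hardening drop-in for login user USER to path OUT.
write_dropin() {
    user="$1"
    out="$2"
    cat > "$out" <<EOF
# Hardening drop-in; sorts before the other drop-ins so its values win.
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
KbdInteractiveAuthentication no
X11Forwarding no
AllowUsers $user
EOF
}

# Checks a "sshd -T" dump (lowercase "keyword value" lines) for the values
# that must be in effect. Prints each mismatch and returns 1 if there is any.
check_effective() {
    dump="$1"
    rc=0
    for want in 'permitrootlogin no' 'pubkeyauthentication yes' \
                'passwordauthentication no' 'permitemptypasswords no' \
                'kbdinteractiveauthentication no' 'x11forwarding no'; do
        grep -qx "$want" "$dump" || { echo "MISMATCH: expected '$want'" >&2; rc=1; }
    done
    return "$rc"
}

# Usage on a real host (as root): sh harden-ssh.sh apply ubuntu
if [ "${1:-}" = "apply" ]; then
    user="${2:-ubuntu}"
    home=$(getent passwd "$user" | cut -d: -f6)
    if ! has_authorized_key "$home/.ssh/authorized_keys"; then
        echo "refusing: $user has no authorized key, you would be locked out" >&2
        exit 1
    fi
    write_dropin "$user" /etc/ssh/sshd_config.d/00-hardening.conf
    sshd -t || exit 1                   # syntax check before touching the service
    systemctl restart ssh
    sshd -T > /tmp/sshd-effective.txt   # what sshd actually runs with, drop-ins included
    check_effective /tmp/sshd-effective.txt
fi
```

Run it as root with `sh harden-ssh.sh apply ubuntu`. The `sshd -T` dump is the authoritative check: it prints the configuration sshd is really running with after every `Include`, so a `passwordauthentication yes` line there means a drop-in is overriding your edit rather than the edit being wrong.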
## Install fail2ban

Installing fail2ban blocks the source address of anyone who repeatedly fails to log in.

```bash
sudo apt install fail2ban -y
```

Create a local configuration file (`jail.local` overrides the packaged `jail.conf`, which is replaced on package upgrades).

```bash
sudo vim /etc/fail2ban/jail.local
```

Add the following config. Use the port sshd actually listens on. If the host has no `/var/log/auth.log` (no rsyslog installed), set `backend = systemd` so the jail reads the journal instead of failing to start on a missing file.

```ini
[sshd]
enabled = true
port = <22 or your random port number>
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
```

Restart the service and show its status; `sudo fail2ban-client status sshd` lists the addresses currently banned by the jail.

```bash
sudo service fail2ban restart
sudo service fail2ban status
```
## Set up a firewall

Deny all incoming connections by default and open only the ports the server needs; outgoing connections stay allowed. Allow SSH on the port sshd actually listens on before enabling the firewall, or you cut off your own session.

For example, if using UFW:

```bash
sudo ufw default deny incoming
sudo ufw allow 22 comment "Allow SSH"
sudo ufw enable
```

`sudo ufw status verbose` shows the default policies and the active rules.
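The fail2ban and firewall steps share one value, the SSH port, and the placeholder `<22 or your random port number>` is exactly where they drift apart. This added example, written for this page and not taken from the original page or the Bonder project, reads the port once from `sshd -T` and feeds it to both the jail and the ufw rule, and falls back to fail2ban's journal backend when `/var/log/auth.log` is absent. The `bantime`/`findtime` values and the `apply` argument are the example's own choices.

```shell
#!/bin/sh
# Added example, not code from the original page. Derives the SSH port from
# sshd's effective configuration and uses the same value for the fail2ban
# jail and the ufw rule, so the three never disagree. When /var/log/auth.log
# does not exist (no rsyslog on the host) the jail uses fail2ban's systemd
# backend, which needs the python3-systemd package, instead of a logpath.
# Assumptions: fail2ban 1.0 or later (Ubuntu 22.04+), ufw installed, run as
# root for "apply". bantime/findtime below are this example's own values.

# Prints the first listening port from a "sshd -T" dump, or 22 if none is listed.
sshd_port() {
    port=$(awk '$1 == "port" { print $2; exit }' "$1")
    echo "${port:-22}"
}

# Writes jail.local for the sshd jail to OUT. LOGPATH decides the backend.
write_jail_local() {
    port="$1"; logpath="$2"; out="$3"
    if [ -r "$logpath" ]; then
        backend="auto"
        logline="logpath = $logpath"
    else
        backend="systemd"      # read sshd entries from the journal instead
        logline="# no $logpath on this host; reading the journal instead"
    fi
    cat > "$out" <<EOF
[DEFAULT]
bantime  = 1h
findtime = 10m

[sshd]
enabled  = true
port     = $port
filter   = sshd
backend  = $backend
$logline
maxretry = 3
EOF
}

# Usage on a real host (as root): sh jail-and-firewall.sh apply
if [ "${1:-}" = "apply" ]; then
    sshd -T > /tmp/sshd-effective.txt
    port=$(sshd_port /tmp/sshd-effective.txt)
    write_jail_local "$port" /var/log/auth.log /etc/fail2ban/jail.local
    systemctl restart fail2ban
    fail2ban-client status sshd
    ufw default deny incoming
    ufw default allow outgoing
    ufw allow "$port/tcp" comment "Allow SSH"   # before enable, or you lose the session
    ufw --force enable
    ufw status verbose
fi
```

If `fail2ban-client status sshd` reports zero file entries and the host has no rsyslog, the jail is watching a file that does not exist; the systemd backend is the fix, not a larger `maxretry`.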
The base configuration is now set up and enabled. Restart the server now to complete the update and upgrade of packages and associated config.

```bash
sudo reboot
```
Check out the link below to add two-factor authentication to SSH.
{% content-ref url="ssh-2fa.md" %} ssh-2fa.md {% endcontent-ref %}