As soon as you provision a new server, you should focus on securing it as quickly as possible. These steps are common to almost any project you might deploy on it later.
The main things are disabling root login, allowing only ssh logins, creating a non-root user, blocking all ports for incoming traffic except the required ones, and so on.
Recently I got a server for hosting my wiki at
Change the root password using
Create a non-root user with sudo privileges:
adduser blahuser
usermod -aG sudo blahuser
Delete the ssh keys listed in the /root/.ssh/authorized_keys file and add your local public ssh key to
blahuser using this command from your local computer.
Log out and log in as the non-root user using
Now you'll be able to ssh only as
blahuser and not as the root user.
sudo apt-get update and
sudo apt-get upgrade.
/etc/ssh/sshd_config file with sudo and make these line changes:
PermitRootLogin no
PasswordAuthentication no
Port 22 (change this to some random valid port number)
And then restart the ssh service with
sudo systemctl restart sshd.
Install Fail2Ban with
sudo apt-get install fail2ban.
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo fail2ban-client status to check the list of enabled jails (you should see sshd).
Enable it and restart it with:
sudo systemctl enable fail2ban
sudo systemctl restart fail2ban
sudo systemctl status fail2ban
Follow the instructions in https://help.ubuntu.com/lts/serverguide/automatic-updates.html to set up automatic security updates.
After editing the
50unattended-upgrades file, make sure to enable it with
sudo dpkg-reconfigure --priority=low unattended-upgrades. This will create the
Set up the firewall with ufw:
sudo apt-get install ufw
sudo ufw enable
# main rules
sudo ufw default allow outgoing
sudo ufw default deny incoming
sudo ufw deny 22
sudo ufw allow xxxx
sudo ufw allow 80/tcp
sudo ufw allow http/tcp
sudo ufw allow https
sudo ufw allow 1725/udp
sudo systemctl enable ufw
sudo systemctl start ufw
sudo ufw status
Make sure to DENY port 22 and ALLOW the port you set for ssh in the sshd config file above (xxxx)! Otherwise the firewall will lock you out of ssh as soon as sshd moves off port 22.
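The sshd change and the ufw rules above have to agree with each other, and it is easy to get one of them wrong before closing the session you are working in. The script below is an added example, not part of the original post: it reads the three sshd_config directives the post edits, derives the ssh port, and then checks the text of `ufw status` for a DENY on 22 and an ALLOW on that port. The sample sshd_config and ufw output inside `demo()` are constructed so it runs offline; the function names and the port 2222 are assumptions for the example. It assumes no `Match` blocks in sshd_config.

```shell
#!/bin/sh
# Added example (not from the original post): audit the sshd_config
# directives and ufw rules that the post changes by hand.
# On a real host run, before closing your current session:
#   check_sshd_config /etc/ssh/sshd_config \
#     && check_ufw_rules "$(sudo ufw status)" "$(sshd_port /etc/ssh/sshd_config)"

# Print the effective value of one sshd_config keyword ($1) from file $2.
# sshd keeps the FIRST value it sees for a keyword, so stop at the first
# uncommented match. Match blocks are not handled (assumed absent).
sshd_value() {
    awk -v key="$1" 'tolower($1) == tolower(key) { print $2; exit }' "$2"
}

# Port sshd listens on; sshd defaults to 22 when no Port line is present.
sshd_port() {
    p=$(sshd_value Port "$1")
    echo "${p:-22}"
}

# Return 0 when root login and password auth are explicitly off and the
# port has been moved off 22; print each problem found otherwise.
check_sshd_config() {
    rc=0
    if [ "$(sshd_value PermitRootLogin "$1")" != "no" ]; then
        echo "sshd: PermitRootLogin is not 'no'"; rc=1
    fi
    if [ "$(sshd_value PasswordAuthentication "$1")" != "no" ]; then
        echo "sshd: PasswordAuthentication is not 'no'"; rc=1
    fi
    if [ "$(sshd_port "$1")" = "22" ]; then
        echo "sshd: still listening on port 22"; rc=1
    fi
    return $rc
}

# $1 = text of "ufw status", $2 = ssh port. Return 0 when ufw is active,
# port 22 is denied and the chosen port is allowed (with or without /tcp).
check_ufw_rules() {
    rc=0
    printf '%s\n' "$1" | grep -q '^Status: active' \
        || { echo "ufw: firewall is not active"; rc=1; }
    printf '%s\n' "$1" | awk '{ split($1, a, "/") }
        a[1] == "22" && $2 == "DENY" { f=1 } END { exit !f }' \
        || { echo "ufw: port 22 is not denied"; rc=1; }
    printf '%s\n' "$1" | awk -v p="$2" '{ split($1, a, "/") }
        a[1] == p && $2 == "ALLOW" { f=1 } END { exit !f }' \
        || { echo "ufw: ssh port $2 is not allowed"; rc=1; }
    return $rc
}

# Offline demonstration on constructed samples (port 2222 is an assumption).
demo() {
    dir=$(mktemp -d)
    # Constructed sshd_config fragment with the post's three changes applied.
    printf 'Port 2222\nPermitRootLogin no\nPasswordAuthentication no\n' \
        > "$dir/sshd_config"
    # Constructed "sudo ufw status" output after the post's rules.
    ufw_out='Status: active

To                         Action      From
--                         ------      ----
22                         DENY IN     Anywhere
2222                       ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere'
    check_sshd_config "$dir/sshd_config" \
        && check_ufw_rules "$ufw_out" "$(sshd_port "$dir/sshd_config")" \
        && echo "audit passed: ssh on port 2222, port 22 denied"
    rc=$?
    rm -rf "$dir"
    return $rc
}

demo
```

Run it once before you disconnect: a non-zero exit with a message such as `ufw: ssh port 2222 is not allowed` is exactly the lock-out the post warns about, caught while you still have a shell.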
And then finally, make sure to
- set up email from the server