Prasanna Natarajan

Hardening a new server

As soon as you provision a new server, you should secure it before doing anything else. These steps are the same for almost any project you might deploy on it later.

The main things are disabling root login, allowing login only over SSH, creating a non-root user, and blocking incoming traffic on every port except the ones you actually need.

Recently I got a server for hosting my wiki at . I followed these steps to secure it before going on to install DokuWiki.

The steps

Change the root password using the passwd command.


Create a non-root user with sudo privilege:

adduser blahuser
usermod -aG sudo blahuser

Delete the SSH keys listed in /root/.ssh/authorized_keys and add your local public SSH key for blahuser by running this command from your local computer:

ssh-copy-id blahuser@ip

Log out (using reboot) and log back in as the non-root user.

Now you'll be able to ssh only as blahuser and not as the root user.


The obligatory sudo apt-get update and sudo apt-get upgrade.


ssh

Edit /etc/ssh/sshd_config with sudo and change these lines:

PermitRootLogin no
PasswordAuthentication no
Port 22 (change 22 to some other valid port number)

Then restart the SSH service with sudo systemctl restart sshd.


fail2ban

Install Fail2Ban with sudo apt-get install fail2ban, then copy the default configuration to a local override file (jail.local is read after jail.conf, so your changes survive package upgrades):

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Use sudo fail2ban-client status to list the enabled jails (you should see sshd).

Enable the service, restart it and check its status with:

sudo systemctl enable fail2ban
sudo systemctl restart fail2ban
sudo systemctl status fail2ban

automatic updates

Follow the instructions at https://help.ubuntu.com/lts/serverguide/automatic-updates.html to set up automatic security updates.

After editing the 50unattended-upgrades file, enable it with sudo dpkg-reconfigure --priority=low unattended-upgrades. This creates the /etc/apt/apt.conf.d/20auto-upgrades file.


set up a firewall with ufw

https://www.linode.com/docs/security/firewalls/configure-firewall-with-ufw/

sudo apt-get install ufw
sudo ufw enable

# main rules
sudo ufw default allow outgoing
sudo ufw default deny incoming
sudo ufw deny 22
sudo ufw allow xxxx
sudo ufw allow 80/tcp
sudo ufw allow http/tcp
sudo ufw allow https
sudo ufw allow 1725/udp

sudo systemctl enable ufw
sudo systemctl start ufw
sudo ufw status

Make sure to DENY port 22 and ALLOW the port you set for SSH in the sshd config above (xxxx)!
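As an added example (not code from the original post), this shell script ties the ssh, fail2ban and ufw sections together: it reads the SSH port and the two hardening directives back out of sshd_config, then derives the ufw rules and the fail2ban jail override that have to agree with that port. The function names, the SSHD_CONFIG variable and the fail2ban note are my own; the script assumes the whitespace-separated "Keyword value" form of Ubuntu's stock sshd_config.

```shell
#!/bin/sh
# Added example, not part of the original post: read the SSH port and the
# two hardening directives back out of sshd_config, then derive the ufw
# rules and the fail2ban jail override that must agree with that port.
# Assumes the whitespace-separated "Keyword value" form used in Ubuntu's
# stock sshd_config; the file path is whatever you pass in.

# Print the effective value of one sshd directive. sshd keeps the first
# uncommented match, so stop at the first hit, and stop at the first
# "Match" block because values inside it are conditional.
sshd_directive() {
    awk -v key="$2" '
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Effective listening port: the first Port line, or 22 when none is set.
ssh_port() {
    p=$(sshd_directive "$1" Port)
    if [ -n "$p" ]; then echo "$p"; else echo 22; fi
}

# Verify the three changes the post makes to sshd_config. Findings go to
# stderr; the number of findings is printed to stdout (0 = as described).
check_sshd() {
    cfg=$1
    problems=0
    if [ "$(sshd_directive "$cfg" PermitRootLogin)" != "no" ]; then
        echo "FINDING: PermitRootLogin is not 'no'" >&2
        problems=$((problems + 1))
    fi
    if [ "$(sshd_directive "$cfg" PasswordAuthentication)" != "no" ]; then
        echo "FINDING: PasswordAuthentication is not 'no' (keys only)" >&2
        problems=$((problems + 1))
    fi
    if [ "$(ssh_port "$cfg")" = "22" ]; then
        echo "FINDING: sshd still on port 22, which the ufw rules deny" >&2
        problems=$((problems + 1))
    fi
    echo "$problems"
}

# Print (do not run) the ufw rules for the given SSH port. The allow rule
# for SSH comes before "ufw enable" so a remote session is never cut off.
ufw_rules_for() {
    cat <<EOF
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow $1/tcp
sudo ufw deny 22/tcp
sudo ufw allow http
sudo ufw allow https
sudo ufw enable
EOF
}

# Print a jail.local override for fail2ban. The stock [sshd] jail bans on
# port "ssh" (22 in /etc/services), so a moved sshd needs its real port
# listed here or the bans never cover the port sshd is listening on.
fail2ban_jail_for() {
    cat <<EOF
[sshd]
enabled = true
port = $1
EOF
}

# Usage: SSHD_CONFIG=/etc/ssh/sshd_config sh harden_check.sh
if [ -n "${SSHD_CONFIG:-}" ]; then
    n=$(check_sshd "$SSHD_CONFIG")
    port=$(ssh_port "$SSHD_CONFIG")
    echo "findings: $n; ssh port: $port"
    echo "--- ufw rules for this port ---";   ufw_rules_for "$port"
    echo "--- /etc/fail2ban/jail.local ---"; fail2ban_jail_for "$port"
fi
```

Two caveats when running this against a real box. Newer Ubuntu releases start sshd_config with an Include of /etc/ssh/sshd_config.d/*.conf, and because sshd keeps the first value it reads, a directive in one of those files wins over the same directive lower in the main file; either run the check on the included files too or compare against sudo sshd -T, which prints the effective configuration. And the ufw order matters: allow the new SSH port before sudo ufw enable and before you close the session you are working in, otherwise the default deny incoming policy locks you out.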


Finally, make sure to sudo reboot.


Pending stuff

  • set up email from the server