====== Systems - Secure Server ======

[[Systems:Secure Server|Secure Server]]


Best practices to secure a server.

----

===== ssh into server =====

<code bash>
ssh root@192.168.1.x
</code>

----

===== Update =====

<code bash>
apt update
apt dist-upgrade
</code>

----

===== Allow auto updates =====

<code bash>
apt install unattended-upgrades
dpkg-reconfigure --priority-low unattended-upgrades
</code>

<WRAP info>
**NOTE:**  Select **Yes**.
</WRAP>


----

===== Add a non-root user =====

<code bash>
adduser peter
</code>

----

===== Add non-root user to sudo group =====

<code bash>
usermod -aG sudo peter
</code>

----

===== Logout of root account =====

<code bash>
logout
</code>

----

===== Login with non-root account =====

Login using the peter user account.

----

===== Stop using passwords =====

==== Create authentication pair key ====

<WRAP info>
**NOTE:**  

  * **public key**:  Like a padlock.
  * **private key**:  Like a key.

</WRAP>

<code bash>
mkdir ~/.ssh && chmod 700 ~/.ssh
</code>

----

==== Logout ====

<code bash>
logout
</code>

----

==== Create public & private key in separate PC ====

<code bash>
ssh-keygen -b 4096
</code>

<WRAP info>
**NOTE:**  The 4096 is the Size.  Bigger is better!

  * No passphrase.
  * Press **enter**.
  * Press **enter**.

</WRAP>

----

==== Check the Key ====

<code bash>
cd .ssh
ls
</code>

<WRAP info>
**NOTE:**  This should display some files:

  * **id_rsa**:  Private key.
  * **id_rsa.pub**:  Public key.

</WRAP>

----

==== Upload public key to server ====

<code bash>
#scp ~./ssh/id_rsa.pub peter@192.168.1.x:~/.ssh/authorized_keys
ssh-copy-id peter@192.168.1.x
</code>

<WRAP info>
**NOTE:**  This will create an **authorized_keys** file in **.ssh** on the server.
</WRAP>

----

==== Test logging into the Server ====

Try to log into server.

<WRAP info>
**NOTE:**  This should allow access without asking for a password.

  * It is using the keys.

</WRAP>

----

==== Lockdown usage of passwords ====

Passwords still work.

To stop this:

<code bash>
ssh peter@192.168.1.x

sudo vi /etc/ssh/sshd_config
</code>

<WRAP info>
**NOTE:** Make the following changes:

  * Port:  Change from 22 to 717
  * AddressFamily inet:  Only allow ipv4.
  * PermitRootLogin:  Change to **no**.
  * PasswordAuthentication yes:  Change to **no**.

</WRAP>


----

==== Restart ssh service ====

<code bash>
sudo systemctl restart sshd
</code>



==== Test ====

Do not log out.

Open a new terminal window

<code bash>
ssh peter@192.168.1.x
</code>

<WRAP info>
**NOTE:**  This should not work.
</WRAP>

<code bash>
ssh peter@192.168.1.x -p 717
</code>

<WRAP info>
**NOTE:**  This should work, as port was changed in config file.
</WRAP>


----

===== Firewall =====

==== Check ports ====

<code bash>
sudo ss -tulpn
</code>

----

==== Install UFW ====

<code bash>
sudo apt install ufw
sudo ufw status
</code>

----

==== Allow SSH Access ====

<code bash>
sudo ufw allow 717
sudo ufw status
</code>

----

==== Enable Firewall ====

<code bash>
sudo ufw enable
</code>

<WRAP info>
**NOTE:** Press **y**.
</WRAP>

----

==== Check Firewall Status ====

<code bash>
sudo ufw status
</code>

----

==== Test that the firewall allows access ====

Open a new terminal window

<code bash>
ssh peter@192.168.1.x -p 717
</code>

<WRAP info>
**NOTE:**  This should work.
</WRAP>

----

==== Allow other Firewall ports ====

<code bash>
sudo ufw allow 80/tcp
</code>

----

==== Stop Pings ====

<code bash>
sudo vi /etc/ufw/before.rules
</code>

  * Add a new line above this: <file bash /etc/ufw/before.rules>
->ok icmp codes for input
</file>

<code bash>
ufw-before-input -p icmp --icmp-type echo-request -j DROP
</code>

----

==== Reload UFW ====

<code bash>
sudo ufw reload
</code>

----

===== Reboot =====

<code bash>
sudo reboot
</code>

**NOTE:**  Test pinging the machine.