Systems - Secure Server
ssh into server
ssh root@192.168.1.x
Update
apt update
apt dist-upgrade
Allow auto updates
apt install unattended-upgrades
dpkg-reconfigure --priority=low unattended-upgrades
NOTE: Select Yes.
Add a non-root user
adduser peter
Add non-root user to sudo group
usermod -aG sudo peter
Logout of root account
logout
Login with non-root account
Login using the peter user account.
Stop using passwords
Create the authentication key pair
NOTE:
- public key: Like a padlock. It is copied to the server and can be shared freely.
- private key: Like the key. It stays on the PC and is never copied to the server.
On the server, as peter, create the .ssh directory. With the default StrictModes, sshd silently ignores keys if this directory or the files in it are writable by other users:
mkdir ~/.ssh && chmod 700 ~/.ssh
Logout
logout
Create the public & private key on a separate PC
ssh-keygen -b 4096
NOTE: The 4096 is the key size in bits. Bigger is better! RSA is the default type, which is why the files are named id_rsa.
- Press enter to accept the default file name (~/.ssh/id_rsa).
- No passphrase: press enter twice. Consider setting one anyway: it encrypts the private key on disk, so a copied id_rsa is useless on its own, and ssh-agent means it only has to be typed once per session.
Check the Key
cd ~/.ssh
ls
NOTE: This should display some files:
- id_rsa: Private key.
- id_rsa.pub: Public key.
Upload public key to server
ssh-copy-id peter@192.168.1.x
#Alternative if ssh-copy-id is not available:
#scp ~/.ssh/id_rsa.pub peter@192.168.1.x:~/.ssh/authorized_keys
NOTE: This will create an authorized_keys file in .ssh on the server containing the public key. ssh-copy-id appends to the file and creates it with owner-only permissions; the scp form overwrites any existing authorized_keys, so only use it for the first key, and check afterwards that the file is mode 600.
Test logging into the Server
Try to log into server.
NOTE: This should allow access without asking for a password.
- It is using the keys.
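The following script is an added example and not part of the original page. It checks, on the server, that the key setup from the steps above is one sshd will actually accept: the directory must be mode 700, authorized_keys mode 600, and each key line's type field (ssh-rsa, ssh-ed25519, ...) must match the type embedded in the base64 blob, which is how sshd itself rejects a corrupted paste. The directory argument is an assumption; the sample key used in the comments and test is constructed and is not a real key.

```shell
# Added example (not part of the original page). Usage on the server, as peter:
#   sh check_keys.sh ~/.ssh
# With StrictModes (the default) sshd silently ignores authorized_keys when the
# directory or file is writable by anyone else, and it also ignores a key line
# whose type field does not match the type encoded inside the blob.
set -e

# key_blob_type BLOB -> prints the key type encoded inside the base64 blob.
# The SSH wire format starts with a 4-byte big-endian length followed by the
# type string, e.g. 00 00 00 07 "ssh-rsa" (base64 "AAAAB3NzaC1yc2E...").
# Assumes the type string is shorter than 256 bytes, which is always true.
key_blob_type() {
    local blob="$1" len
    len="$(printf '%s' "$blob" | base64 -d 2>/dev/null | od -An -tu1 -j3 -N1 | tr -d ' ')"
    [ -n "$len" ] && [ "$len" -gt 0 ] || return 1
    printf '%s' "$blob" | base64 -d 2>/dev/null | tail -c +5 | head -c "$len"
}

# check_key_line LINE -> 0 if "type blob [comment]" is consistent, 1 otherwise
check_key_line() {
    local ktype blob embedded
    ktype="$(printf '%s\n' "$1" | awk '{print $1}')"
    blob="$(printf '%s\n' "$1" | awk '{print $2}')"
    case "$ktype" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "unknown key type: $ktype" >&2; return 1 ;;
    esac
    embedded="$(key_blob_type "$blob")" || { echo "blob is not valid base64" >&2; return 1; }
    if [ "$embedded" != "$ktype" ]; then
        echo "type field '$ktype' does not match blob type '$embedded'" >&2
        return 1
    fi
}

# check_ssh_dir DIR -> 0 when DIR is 700, DIR/authorized_keys is 600 and every
# non-comment line in it is a consistent key line; reports each problem found
check_ssh_dir() {
    local dir="$1" ak="$1/authorized_keys" rc=0 line
    [ "$(stat -c %a "$dir")" = "700" ] || { echo "$dir must be mode 700" >&2; rc=1; }
    [ -f "$ak" ] || { echo "$ak is missing" >&2; return 1; }
    [ "$(stat -c %a "$ak")" = "600" ] || { echo "$ak must be mode 600" >&2; rc=1; }
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac   # skip blank lines and comments
        check_key_line "$line" || rc=1
    done < "$ak"
    return $rc
}

case "${1:-}" in
    '') ;;                                        # no argument: only define the functions
    *)  check_ssh_dir "$1" && echo "$1 looks good" ;;
esac
```

If the script reports a mode problem, fix it with chmod 700 ~/.ssh and chmod 600 ~/.ssh/authorized_keys; a type mismatch means the key line was pasted or edited incorrectly and should be copied again from id_rsa.pub.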
Lock down the use of passwords
Passwords still work, so the account can still be brute-forced over the network. To stop this, log back in and edit the sshd configuration:
ssh peter@192.168.1.x
sudo vi /etc/ssh/sshd_config
NOTE: Make the following changes (remove the leading # if the line is commented out):
- Port 22: Change to 717. This only hides sshd from casual scans; it is no substitute for the other changes.
- AddressFamily inet: Only allow IPv4.
- PermitRootLogin: Change to no.
- PasswordAuthentication yes: Change to no.
- ChallengeResponseAuthentication (called KbdInteractiveAuthentication in newer OpenSSH): make sure it is no, otherwise PAM can still prompt for a password.
NOTE: sshd uses the first value it reads for each directive. On Ubuntu 22.04 and later the file begins with an Include of /etc/ssh/sshd_config.d/*.conf, and cloud images may ship a file there (e.g. 50-cloud-init.conf) that sets PasswordAuthentication yes and therefore wins over the edit above, so check that directory too. Before restarting, confirm the file still parses with sudo sshd -t; a typo here plus a restart means being locked out.
Restart ssh service
sudo systemctl restart sshd
Test
Do not log out of the existing session: if the new settings lock you out, the change can still be undone from here.
Open a new terminal window
ssh peter@192.168.1.x
NOTE: This should fail (connection refused), because nothing is listening on port 22 any more.
ssh peter@192.168.1.x -p 717
NOTE: This should work, as port was changed in config file.
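The following script is an added example and not part of the original page. It applies the same sshd_config changes as the steps above, but idempotently (running it twice gives the same file), checks the resulting effective values, warns about a drop-in that would override them, and refuses to restart sshd unless the edited file parses. The port and file path are the page's values; the environment variables SSHD_CONFIG and SSH_PORT, the "apply" argument and the backup file name are assumptions introduced here.

```shell
# Added example (not part of the original page). Run on the server:
#   sudo sh harden_sshd.sh apply
# SSHD_CONFIG and SSH_PORT can be overridden to try it on a copy of the file.
set -e

SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"
SSH_PORT="${SSH_PORT:-717}"

# set_directive FILE KEY VALUE
# Replaces the first "KEY ..." or "#KEY ..." line with "KEY VALUE", drops any
# later copies (sshd only honours the first one anyway) and appends the line if
# the file has none. Prose comments such as "# Port numbers ..." are kept.
set_directive() {
    local file="$1" key="$2" value="$3" tmp
    tmp="$(mktemp)"
    awk -v key="$key" -v value="$value" '
        BEGIN { lk = tolower(key); done = 0 }
        {
            line = $0
            sub(/^[[:space:]]*/, "", line)
            commented = (substr(line, 1, 1) == "#")
            if (commented) line = substr(line, 2)
            # "# some words" is a comment; "#Port 22" is a disabled directive
            if (commented && line ~ /^[[:space:]]/) { print; next }
            split(line, f, /[[:space:]]+/)
            if (tolower(f[1]) == lk) {
                if (!done) { print key, value; done = 1 }
                next
            }
            print
        }
        END { if (!done) print key, value }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

harden_sshd_config() {
    local file="$1"
    set_directive "$file" Port "$SSH_PORT"
    set_directive "$file" AddressFamily inet
    set_directive "$file" PermitRootLogin no
    set_directive "$file" PasswordAuthentication no
    # PAM keyboard-interactive can still ask for a password unless this is off too
    set_directive "$file" ChallengeResponseAuthentication no
    set_directive "$file" PubkeyAuthentication yes
}

# effective_value FILE KEY -> first active value of KEY, which is the one sshd uses
effective_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# check_hardened FILE -> 0 only if every directive has the value we want
check_hardened() {
    local file="$1"
    [ "$(effective_value "$file" Port)" = "$SSH_PORT" ] &&
    [ "$(effective_value "$file" AddressFamily)" = "inet" ] &&
    [ "$(effective_value "$file" PermitRootLogin)" = "no" ] &&
    [ "$(effective_value "$file" PasswordAuthentication)" = "no" ] &&
    [ "$(effective_value "$file" ChallengeResponseAuthentication)" = "no" ]
}

apply() {
    local backup="$SSHD_CONFIG.bak.$(date +%Y%m%d%H%M%S)"
    cp "$SSHD_CONFIG" "$backup"
    harden_sshd_config "$SSHD_CONFIG"
    check_hardened "$SSHD_CONFIG"
    # Drop-ins included from the top of the file win over these edits because
    # sshd keeps the first value it reads; cloud images often ship one.
    if grep -rsEiq '^[[:space:]]*PasswordAuthentication[[:space:]]+yes' /etc/ssh/sshd_config.d/; then
        echo "WARNING: a file in /etc/ssh/sshd_config.d/ still sets PasswordAuthentication yes" >&2
    fi
    # A typo in sshd_config plus a restart is a lock-out; test the file first.
    if sshd -t -f "$SSHD_CONFIG"; then
        systemctl restart ssh   # the unit is "ssh" on Debian/Ubuntu; sshd is an alias for it
        echo "sshd restarted; open a NEW terminal and test port $SSH_PORT before closing this one"
    else
        echo "config did not parse, restoring $backup" >&2
        cp "$backup" "$SSHD_CONFIG"
        return 1
    fi
}

case "${1:-}" in
    apply) apply ;;
    *) ;;   # no argument: only define the functions (e.g. when sourced)
esac
```

After it runs, sudo sshd -T | grep -i passwordauthentication shows the value sshd has actually loaded, drop-ins included, which is the figure that matters rather than what the main file says.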
Firewall
Check ports
sudo ss -tulpn
Install UFW
sudo apt install ufw
sudo ufw status
Allow SSH Access
NOTE: Do this before enabling the firewall, otherwise the next SSH login is blocked. Restricting the rule to TCP is enough, since SSH does not use UDP.
sudo ufw allow 717/tcp
sudo ufw status
Enable Firewall
sudo ufw enable
NOTE: Press y.
Check Firewall Status
sudo ufw status
Test that the firewall allows access
Open a new terminal window
ssh peter@192.168.1.x -p 717
NOTE: This should work.
Allow other Firewall ports
sudo ufw allow 80/tcp
Stop Pings
sudo vi /etc/ufw/before.rules
- Find this line:
# ok icmp codes for input
- Add a new line directly above it (it must come before the ACCEPT rules that follow the comment, because the first matching rule wins):
-A ufw-before-input -p icmp --icmp-type echo-request -j DROP
NOTE: This covers IPv4 only. IPv6 echo requests are handled by /etc/ufw/before6.rules (icmpv6) and will still be answered unless that file is changed as well.
Reload UFW
sudo ufw reload
Reboot
sudo reboot
NOTE: From the PC, ping the server: the requests should time out with no reply, while ssh on port 717 still works.
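The following script is an added example and not part of the original page. It makes the before.rules edit from the steps above repeatable: the DROP rule is inserted once, directly above the "# ok icmp codes for input" marker, a second run changes nothing, and the file is left untouched if the marker is not found (for instance on a ufw version with a different layout). The marker text and the rule are the page's; the RULES_FILE variable and the "apply" argument are assumptions introduced here.

```shell
# Added example (not part of the original page). Run on the server:
#   sudo sh block_ping.sh apply
# RULES_FILE can be overridden to try the edit on a copy of the file first.
set -e

RULES_FILE="${RULES_FILE:-/etc/ufw/before.rules}"
MARKER='# ok icmp codes for input'
DROP_RULE='-A ufw-before-input -p icmp --icmp-type echo-request -j DROP'

# count_rule FILE -> number of lines that already carry the drop rule
count_rule() {
    grep -cF -- "$DROP_RULE" "$1" || true
}

# block_ping FILE -> inserts the rule once above the marker;
# returns 1 and leaves the file alone if the marker is missing
block_ping() {
    local file="$1" tmp
    if [ "$(count_rule "$file")" -gt 0 ]; then
        return 0                       # already applied, nothing to do
    fi
    if ! grep -qF -- "$MARKER" "$file"; then
        echo "marker '$MARKER' not found in $file; not editing" >&2
        return 1
    fi
    tmp="$(mktemp)"
    # Print the rule immediately before the first line that starts with the marker.
    awk -v marker="$MARKER" -v rule="$DROP_RULE" '
        index($0, marker) == 1 && !done { print rule; done = 1 }
        { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

apply() {
    cp "$RULES_FILE" "$RULES_FILE.bak"
    block_ping "$RULES_FILE"
    ufw reload                          # re-reads before.rules; no reboot needed
}

case "${1:-}" in
    apply) apply ;;
    *) ;;   # no argument: only define the functions (e.g. when sourced)
esac
```

The DROP line has to precede the echo-request ACCEPT line that follows the marker in the stock file, because iptables stops at the first matching rule; that is why the script anchors on the comment rather than appending at the end of the chain.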
systems/secure_server.txt · Last modified: 2021/07/24 12:57 by peter