# Patch the base system before exposing it; the reboot picks up a new kernel/libc.
# The chain stops at the first failing step, so a failed upgrade never reboots.
sudo apt update \
  && sudo apt upgrade \
  && sudo reboot
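# Create the unprivileged admin account (run on the server; needs root, hence sudo
# to match the other steps).
sudo useradd -m -s /bin/bash foo
# Was "passwd bar": that sets the password of a different (probably nonexistent)
# user and leaves "foo" without one.
sudo passwd foo
sudo usermod -aG sudo foo
# Generate the client key pair (run on the CLIENT, not the server). ed25519 keys
# are short, fast and the current ssh-keygen recommendation over RSA.
ssh-keygen -t ed25519
# SERVER_ADDRESS is a placeholder: the host in the original notes was mangled by
# e-mail-address obfuscation ("[email protected]").
ssh-copy-id -i "$HOME/.ssh/id_ed25519.pub" foo@SERVER_ADDRESS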
Test key-based login:
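# Must succeed without a password prompt before the next step disables passwords.
# SERVER_ADDRESS is a placeholder; the host in the original notes was mangled by
# e-mail-address obfuscation.
ssh foo@SERVER_ADDRESS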
Disable password login in sshd:
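# sshd keeps the FIRST value it reads for a keyword, and Debian/Ubuntu
# sshd_config starts with "Include /etc/ssh/sshd_config.d/*.conf". A drop-in
# there (cloud images commonly ship one that sets PasswordAuthentication yes)
# therefore silently wins over anything edited further down in sshd_config.
# Check for such drop-ins first and override or remove the conflicting lines.
ls -l /etc/ssh/sshd_config.d/
sudo nano /etc/ssh/sshd_config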
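# Keep the current session open and test from a second terminal before logging out.
# LoginGraceTime 0 DISABLES the timeout: unauthenticated connections could then
# hold their slot open indefinitely. Use a short, non-zero value (default is 120).
LoginGraceTime 30
# Legacy spelling of KbdInteractiveAuthentication (OpenSSH 8.7+); keep it off,
# otherwise PAM-driven password prompts remain reachable.
ChallengeResponseAuthentication no
PasswordAuthentication no
# NOTE(review): the two lines above already block password logins. UsePAM no
# additionally skips PAM account/session handling (account locks, pam_systemd);
# consider leaving UsePAM at the distribution default.
UsePAM no
# sshd honours only the first PermitRootLogin it sees, so a second line with
# "prohibit-password" (as in the original notes) was dead; "no" is the stricter
# and intended value.
PermitRootLogin no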
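# Validate before reloading: on SIGHUP sshd re-executes itself, and with a
# config error it may not come back, locking you out if this is the only
# session. The unit is "ssh" on Debian/Ubuntu ("sshd" on most other distros).
sudo sshd -t && sudo systemctl reload ssh
# Confirm the EFFECTIVE values (this also catches a drop-in that overrode the edit).
sudo sshd -T | grep -iE 'passwordauthentication|permitrootlogin|logingracetime'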
Test that password login is now refused:
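# Expected outcome: "Permission denied (publickey)" with no password prompt at all.
# SERVER_ADDRESS is a placeholder; the host in the original notes was mangled by
# e-mail-address obfuscation.
ssh -o PubkeyAuthentication=no foo@SERVER_ADDRESS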
sudo apt install ufw
# Policy first, then the holes: nothing in by default, everything out.
sudo ufw default deny incoming
sudo ufw default allow outgoing
# "limit" rate-limits new SSH connections (ufw blocks a source that opens
# 6 or more within 30 seconds) instead of allowing them unconditionally.
sudo ufw limit 22/tcp
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
# The SSH rule is already in place, so enabling over an SSH session is safe.
sudo ufw enable
Optionally, edit /etc/ufw/before.rules to block ping:
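# To make ufw drop ping, comment out ONLY the two echo-request lines below.
# Leave destination-unreachable, time-exceeded and parameter-problem accepted:
# dropping them breaks path-MTU discovery ("fragmentation needed" is a
# destination-unreachable code) and traceroute for every peer of this host.
# A commented-out ACCEPT falls through to the later chains; with
# "default deny incoming" the packet ends up dropped.
# The IPv6 counterparts are in /etc/ufw/before6.rules, where ICMPv6 also carries
# neighbour discovery and must not be blocked wholesale.
# Apply with: sudo ufw reload
# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
#-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
# ok icmp code for FORWARD
-A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
#-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT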
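sudo apt install fail2ban
# Edit jail.local, not jail.conf: jail.conf is replaced on package upgrade (its
# own header says not to edit it), while jail.local overrides it key by key.
# If fail2ban later refuses to start with "Have not found any log file for sshd
# jail" (systemd-journal-only hosts without rsyslog), add "backend = systemd"
# under [DEFAULT] in this file.
sudo nano /etc/fail2ban/jail.local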
[DEFAULT]
# Never ban these sources (loopback, IPv4 and IPv6); add your own admin IP here.
ignoreip = 127.0.0.1/8 ::1
# Plain integers are seconds: ban for 1 h once maxretry failures occur within 10 min.
bantime = 3600
findtime = 600
maxretry = 5
[sshd]
# The sshd jail is the only one enabled here; it protects the SSH login above.
enabled = true
# Enable at boot and start now in a single step; afterwards confirm the jail is
# live with: sudo fail2ban-client status sshd
sudo systemctl enable --now fail2ban