Server Hardening
Create a new user with sudo rights
adduser sammy
usermod -aG sudo sammy
Generate SSH key (on your own computer)
ssh-keygen
ssh-copy-id sammy@your_server_ip
Test login
ssh sammy@serverip -p PORT
Configure SSH
sudo nano /etc/ssh/sshd_config
PermitRootLogin no
ChallengeResponseAuthentication no
PasswordAuthentication no
PermitEmptyPasswords no
Change the SSH port
Restart:
sudo systemctl restart sshd
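Check the result (an added example, not part of the original notes): sshd -T prints the effective configuration, and the function below compares it with the settings listed above. The function name check_sshd_hardening and the sample port 2222 are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original notes.
# Reads `sshd -T` output ("keyword value" per line) on stdin, prints one FAIL
# line per setting that deviates from the checklist above, and returns the
# number of failures as its exit status.
check_sshd_hardening() {
    awk '
        function want(name, expected) {
            if (!(name in val)) {
                printf "FAIL %s not reported\n", name; fails++
            } else if (val[name] != expected) {
                printf "FAIL %s is %s, expected %s\n", name, val[name], expected; fails++
            }
        }
        NF < 2 { next }
        { key = tolower($1); value = tolower($2) }
        # Newer OpenSSH reports ChallengeResponseAuthentication under the name
        # KbdInteractiveAuthentication; fold both spellings into one key.
        key == "challengeresponseauthentication" { key = "kbdinteractiveauthentication" }
        # sshd may listen on several ports; any listener on 22 counts.
        key == "port" { ports++; if (value == "22") default_port = 1; next }
        # Keep the first value seen, but let a "yes" from either alias win.
        !(key in val) || value == "yes" { val[key] = value }
        END {
            want("permitrootlogin", "no")
            want("passwordauthentication", "no")
            want("permitemptypasswords", "no")
            want("kbdinteractiveauthentication", "no")
            if (!ports) { print "FAIL port not reported"; fails++ }
            else if (default_port) { print "FAIL sshd still listens on port 22"; fails++ }
            exit fails + 0
        }
    '
}

# Constructed sample of `sshd -T` output (port 2222 is a placeholder).
# On a real server: sudo sshd -T | check_sshd_hardening
sample='port 2222
permitrootlogin no
passwordauthentication yes
permitemptypasswords no
kbdinteractiveauthentication no'
printf '%s\n' "$sample" | check_sshd_hardening || echo "$? setting(s) differ from the checklist"
```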
Install fail2ban
sudo apt install fail2ban
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local
[sshd]
# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
mode = normal
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
# input by stefan
# one day
findtime = 5400 ;1.5 hours
maxretry = 5
bantime = 86400 ;1 day
# input by stefan, longterm ban
# 30 attempts over 3 days result in a 1 week ban
[sshlongterm2]
port = ssh
logpath = %(sshd_log)s
banaction = iptables-multiport
findtime = 259200 ;3 days
maxretry = 10
bantime = 604800 ;1 week
enabled = true
filter = sshd
[sshlongterm3]
enabled = true
filter = sshd
findtime = 15552000 ;6 months
maxretry = 15
bantime = 2592000 ;1 month
logpath = %(sshd_log)s
banaction = iptables-multiport
sudo apt update && sudo apt upgrade
Install and configure UFW (ufw allow ssh opens port 22; if you changed the SSH port, allow that port instead)
ufw allow ssh
ufw allow http
ufw allow https
Deactivate sudo for your account and check that root login via SSH is deactivated. If you need root privileges, use root. Everything else should be covered under group policy.
Check open ports
netstat -uplant