F. Server Security


    By: @Deiteq - PG Founder (Areas of Expertise: Security & PG Drive Encryption)

    Protecting Your Server


    In general....

    Root Password

    The first thing to do if you were given a root password by your Server/VPS provider (especially via email) is to change it. Type:
    passwd

    Type your chosen password twice (don't worry if you do not see the cursor move, it's meant to stay blank for security reasons) and you should see a confirmation that the password was updated.

    Sudo User Account

    Next we want to create a SUDO user account as it's not a good idea to access and run everything with root!

    Remember to change YOUR-USERNAME to whatever you want

    useradd -m -d /home/YOUR-USERNAME YOUR-USERNAME
    usermod -aG sudo YOUR-USERNAME


    Here we create a password for your new user (ideally different from your root password)
    passwd YOUR-USERNAME
    su YOUR-USERNAME
    sudo usermod -s /bin/bash YOUR-USERNAME
    ### Switch to new user home folder ###
    cd ~

    To exit out of your new user or ssh, type exit; to change user, type su YOUR-USERNAME

    PlexGuide Install

    Now we need to install PlexGuide so that Fail2Ban and UFW are installed automatically. NOTE: This step can be skipped if you have already installed PlexGuide

    CLICK HERE for methods and come back after you've installed it using the plexguide command.

    You're nearly done, 3 more important steps to take!

    Fail2Ban

    CLICK HERE to set up the Fail2Ban Ban Hammer and come back afterwards.

    UFW

    UFW is your firewall; we'll just show you the minimum steps needed to protect your Server

    sudo ufw status
    sudo ufw default allow outgoing
    sudo ufw default deny incoming


    Make sure to allow ssh or you will not be able to login!
    sudo ufw allow ssh
    sudo ufw enable

    ### If you are having problems with Docker ignoring UFW do the following ###

    Change UFW defaults
    sudo sed -i -e 's/DEFAULT_FORWARD_POLICY="DROP"/DEFAULT_FORWARD_POLICY="ACCEPT"/' /etc/default/ufw
    sudo ufw reload


    create this file
    sudo nano /etc/docker/daemon.json

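    replace all with this ("iptables": false stops Docker from writing its own iptables rules, which is how published container ports end up bypassing UFW)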
    {
    "dns": ["8.8.8.8", "8.8.4.4"],
    "iptables": false
    }


    Edit UFW rules
    sudo nano /etc/ufw/before.rules

    add this before the *filter line
    #NAT for Docker
    *nat
    :POSTROUTING ACCEPT [0:0]
    -A POSTROUTING ! -o docker0 -s 172.17.0.0/16 -j MASQUERADE
    COMMIT


    sudo reboot now
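
A structural check for the before.rules edit above, as an added example that is not part of the original guide: a *nat block pasted inside the open *filter table, or left without its own COMMIT, can stop UFW from loading its rules. The function name and both sample rule sets are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): structural lint for an
# iptables-restore style file such as /etc/ufw/before.rules. Reads stdin,
# prints each problem found, and returns non-zero if there is any.
check_docker_nat() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        $1 ~ /^\*/ {                           # table header: *nat, *filter, ...
            if (table != "") { print "missing COMMIT before " $1; bad = 1 }
            table = substr($1, 2)
            if (table == "nat") nat = 1
            next
        }
        $1 == "COMMIT" {
            if (table == "") { print "COMMIT outside a table"; bad = 1 }
            table = ""; next
        }
        table == "" { print "rule outside a table: " $0; bad = 1; next }
        table == "nat" && /-j MASQUERADE/ { masq = 1 }
        END {
            if (table != "") { print "missing final COMMIT"; bad = 1 }
            if (!nat) { print "no *nat table"; bad = 1 }
            else if (!masq) { print "no MASQUERADE rule in *nat"; bad = 1 }
            exit bad + 0
        }
    '
}

# Constructed samples: the block placed as the page describes, and the same
# block pasted after the "*filter" line without a COMMIT of its own.
good_rules() {
    printf '%s\n' '#NAT for Docker' '*nat' ':POSTROUTING ACCEPT [0:0]' \
        '-A POSTROUTING ! -o docker0 -s 172.17.0.0/16 -j MASQUERADE' 'COMMIT' \
        '*filter' ':ufw-before-input - [0:0]' \
        '-A ufw-before-input -i lo -j ACCEPT' 'COMMIT'
}
bad_rules() {
    printf '%s\n' '*filter' '*nat' ':POSTROUTING ACCEPT [0:0]' \
        '-A POSTROUTING ! -o docker0 -s 172.17.0.0/16 -j MASQUERADE' \
        ':ufw-before-input - [0:0]' 'COMMIT'
}

good_rules | check_docker_nat && echo "good sample: OK"
bad_rules | check_docker_nat || echo "bad sample: rejected"
```

On the server, feed it the real file with sudo cat /etc/ufw/before.rules | check_docker_nat before running sudo ufw reload.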



    Plenty more info out there if you want to make your server even more secure!

    Here are two you can have a read of:-

    Reference 1: https://www.cyberciti.biz/faq/howto-configure-setup-firewall-with-ufw-on-ubuntu-linux/

    Reference 2: https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-14-04

    Reboot your Server and login using your new user account as we will switch off root access in the next step!

    sudo reboot

    SSH Root Access

    Finally, we should block root login via ssh as this is what bots tend to hack first!

    sudo nano /etc/ssh/sshd_config
    Look for PermitRootLogin yes and change the yes to no, so that the line reads PermitRootLogin no (if the line starts with #, remove the # as well)

    Now to activate it we need to restart the ssh service with:-
    sudo service ssh restart
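
A check for the PermitRootLogin edit above, as an added example that is not part of the original guide: sshd keeps the first value it reads for a keyword, so a PermitRootLogin no added below an existing uncommented PermitRootLogin yes changes nothing. The function name and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): print the global PermitRootLogin
# value that one sshd_config file yields, or "unset" if it never sets one.
# sshd keeps the FIRST value it reads for a keyword; keywords are
# case-insensitive and may be written "Keyword value" or "Keyword=value".
effective_root_login() {
    awk '
        BEGIN { FS = "[ \t=]+" }
        { sub(/^[ \t]+/, "") }                 # drop leading whitespace
        /^#/ || /^$/ { next }                  # skip comments and blank lines
        { key = tolower($1) }
        key == "match" { exit }                # global section ends at first Match
        key == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    '
}

# Constructed sample: "no" was appended at the bottom, but the earlier
# uncommented "yes" is read first and therefore wins.
sample_conf() {
    cat <<'EOF'
#PermitRootLogin prohibit-password
Port 22
PermitRootLogin yes
PasswordAuthentication yes
permitrootlogin no
Match User backup
    PermitRootLogin no
EOF
}

echo "effective PermitRootLogin: $(sample_conf | effective_root_login)"
```

On the server itself, sudo sshd -t checks the file for syntax errors before you restart, and sudo sshd -T | grep -i permitrootlogin prints the value sshd will actually use, including any included files.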

    SSH Key Method


    If you are using Windows 10 you can install Bash terminal found in Ubuntu HERE

    Now let's first create a key
    ssh-keygen -b 2048
    If you choose to have a Passphrase then remember that you will need to use it every time you connect to your remote server (you can leave it blank if you know that your laptop/pc will be safe)

    Then we want to copy it to our remote server (change username and ip-address/domain to your server)
    ssh-copy-id username@ip-address/domain
    Or like this if you changed the SSH port previously (2233 is an example!)
    ssh-copy-id -p 2233 username@ip-address/domain

    Type in your Passphrase if you made one, then yes, followed by your remote server user password when/if prompted
    Now we can login with:
    ssh username@ip-address/domain
    Or, if you changed the port:
    ssh -p 2233 username@ip-address/domain

    If you have multiple servers that you want to SSH into, then try this (type exit if you were logged in to your remote server from earlier):-
    cd ~/.ssh
    Now you can use vim or nano (nano is easier for noobs!)
    nano config
    Or vi config (in vim, hit the i key to INSERT text, then the ESC key to leave INSERT mode, and finally type :wq and press Enter to save and quit)

    Add the following for each server, obviously changing:-
    choose-name
    ip-address/domain
    username
    2233 (if you changed your port)

    host choose-name
    hostname ip-address/domain
    user username
    port 2233

    Save the file, then restrict its permissions:
    chmod 600 config

    Now connect with:
    ssh choose-name
    (or ssh -p 2233 choose-name if you forgot to add the port to the config)
    For me it'll be ssh myserver

    Now you should be all set to access your servers with ease!


    For further reading check out the following:-
    Info on securing servers via this blog: https://blog.devolutions.net/2017/4/10-steps-to-secure-open-ssh

    Digital Ocean advice: https://www.digitalocean.com/community/tutorials/7-security-measures-to-protect-your-servers
