Secure remote servers

Mar 23, 2024    #firewall   #security  

I’ve really gotten into sysadmin stuff lately. I’m currently managing two different servers with an obscene amount of resources (i.e. no one man should have all that powah!). Since the learning journey has been quite extensive, I thought I would document my learnings in a series of articles. I will begin with arguably the most important topic that there is when it comes to remote servers: security.

General idea

The general idea behind server security is the whitelist-only (default-deny) approach: the server accepts inbound connections only on the ports, and from the sources, that you have explicitly allowed. Traffic the server itself initiates towards the WAN (package updates, DNS, outbound API calls) is usually left unrestricted.

Reset root user password

If your remote server was set up by someone other than you (a hosting provider, a colleague, a previous admin), immediately change the root password, and the password of any other account whose credentials were handed to you. Anyone who knew the old password had full control of the machine.

Never use a remote server where you don’t have root access for mission-critical work.

passwd
# Run as root (or: sudo passwd root). Logged in as root you are not asked for the old password.
<enter new password>
<retype new password>

SSH

Key-based authentication

The primary way anyone accesses a remote machine is ssh, so we’ll begin by disabling password authentication. Once only keys are accepted, password guessing and brute-force attempts cannot succeed no matter how many an attacker makes.

Begin by creating an ssh key on your local machine, adding it to the agent and installing the public half on the server (the original procedure skipped that last step, without which the key login cannot work):

ssh-keygen -t ed25519 -C "[email protected]"
# Choose a passphrase and save the key in a secure location (default: ~/.ssh/id_ed25519)
eval "$(ssh-agent -s)"
ssh-add ~/path/to/key/from/first/command/above
# Copy the public key into ~/.ssh/authorized_keys on the server; this is the last time you will type the account password
ssh-copy-id -i ~/path/to/key/from/first/command/above.pub user@your_server_ip

Now attempt to connect to the server like so. You should be logged in without being prompted for the account password (the key’s passphrase is supplied by the agent).

ssh user@your_server_ip

WARNING! Be absolutely certain that key-based authentication works before following the next step, otherwise you will lock yourself out of your server and may have to fall back on the provider’s console or trigger a system reinstall. Keep your current ssh session open while you change the configuration and test the new login from a second terminal; only close the first session once the second one works.

Next, open the ssh daemon’s config file located at /etc/ssh/sshd_config and set PasswordAuthentication no. On Ubuntu, also look in /etc/ssh/sshd_config.d/: a drop-in such as 50-cloud-init.conf may set PasswordAuthentication yes, and because the stock sshd_config includes that directory on its first line and sshd keeps the first value it reads for a keyword, the drop-in silently overrides your edit. Validate the configuration with sudo sshd -t (no output means it is valid), confirm the effective value with sudo sshd -T | grep -i passwordauthentication, and then restart the ssh service:

sudo systemctl restart sshd.service
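The override problem is easy to miss because grep on sshd_config alone shows the line you just edited. The script below is an added example, not part of the original post: it resolves the effective global value of an sshd keyword the way sshd does (Include lines expanded in place, first value wins, Match blocks ignored), and it builds a constructed Ubuntu-style layout in a temporary directory to show a hand-edited sshd_config being overridden by a cloud-init drop-in and then fixed by a lower-numbered drop-in. The SSHD_CONF_DIR variable and the function names are this example’s own; quoted values are not handled.

```shell
#!/bin/sh
# Added example (not from the original post): resolve the *effective* value of
# an sshd_config keyword the way sshd does. sshd keeps the FIRST value it meets
# for a keyword, and Ubuntu's stock sshd_config begins with
# "Include /etc/ssh/sshd_config.d/*.conf", so a drop-in such as
# 50-cloud-init.conf (PasswordAuthentication yes) wins over the line you edited
# further down in sshd_config. Match blocks are skipped (only global values are
# reported) and quoted values are not handled.

SSHD_CONF_DIR=${SSHD_CONF_DIR:-/etc/ssh}   # relative Include paths resolve here

# Emit the configuration text in the order sshd reads it, expanding Include
# lines. A "__FILE__" marker is printed at each file boundary so that a Match
# block in one file does not swallow the files that follow it.
_walk_sshd_config() {
    local file line pat inc
    file=$1
    [ -r "$file" ] || return 0
    printf '__FILE__ %s\n' "$file"
    while IFS= read -r line || [ -n "$line" ]; do
        set -f; set -- $line; set +f          # word-split the line, no globbing yet
        case "${1:-}" in
            [Ii]nclude)
                shift
                for pat in "$@"; do
                    case "$pat" in /*) ;; *) pat="$SSHD_CONF_DIR/$pat" ;; esac
                    for inc in $pat; do       # the shell expands the glob in sorted order
                        _walk_sshd_config "$inc"
                    done
                done
                ;;
            *) printf '%s\n' "$line" ;;
        esac
    done < "$file"
}

# effective_sshd_value Keyword [path/to/sshd_config]
# Prints the effective global value (first match), or nothing if it is unset.
effective_sshd_value() {
    local key cfg
    key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    cfg=${2:-$SSHD_CONF_DIR/sshd_config}
    _walk_sshd_config "$cfg" | awk -v key="$key" '
        $1 == "__FILE__"       { in_match = 0; next }   # new file: leave any Match block
        NF == 0 || $1 ~ /^#/   { next }                 # blank line or comment
        tolower($1) == "match" { in_match = 1; next }   # conditional block starts
        in_match               { next }
        tolower($1) == key     { print $2; exit }       # first value wins
    '
}

# Succeeds only when password logins are really off. sshd defaults
# PasswordAuthentication to "yes", so an unset keyword counts as enabled.
password_auth_disabled() {
    local v
    v=$(effective_sshd_value PasswordAuthentication "${1:-}" | tr 'A-Z' 'a-z')
    [ "$v" = "no" ]
}

# Demo on a constructed Ubuntu-style layout (sample data, not a real host).
demo() {
    local d
    d=$(mktemp -d)
    mkdir -p "$d/sshd_config.d"
    printf 'Include sshd_config.d/*.conf\nPasswordAuthentication no\n' > "$d/sshd_config"
    printf 'PasswordAuthentication yes\n' > "$d/sshd_config.d/50-cloud-init.conf"
    SSHD_CONF_DIR=$d
    echo "with 50-cloud-init.conf only: $(effective_sshd_value PasswordAuthentication)"
    # Fix: a lower-numbered drop-in sorts first and therefore wins.
    printf 'PasswordAuthentication no\n' > "$d/sshd_config.d/10-hardening.conf"
    echo "with 10-hardening.conf added: $(effective_sshd_value PasswordAuthentication)"
    rm -rf "$d"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it with the argument demo to see the override and the fix. On the real host the authoritative check is still sudo sshd -T | grep -i passwordauthentication, which asks sshd itself; the script is useful for auditing a copied configuration tree offline, and for understanding why a lower-numbered file in sshd_config.d (or deleting the cloud-init one) is the correct fix rather than editing sshd_config again.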

There are some other settings here worth knowing about:

Fail2Ban

The last piece of ssh hardening is Fail2Ban, a daemon that watches the authentication log and temporarily bans the IP addresses of clients that repeatedly fail to log in. The Debian/Ubuntu package enables the sshd jail out of the box, so simply install the package and start the service:

sudo apt install fail2ban
sudo systemctl enable fail2ban.service --now

If you wish, look through /etc/fail2ban and adjust parameters such as bantime, findtime and maxretry to suit your needs. Put your overrides in /etc/fail2ban/jail.local (or a file under /etc/fail2ban/jail.d/) rather than editing jail.conf, which package upgrades overwrite. On systems where /var/log/auth.log is not written (no rsyslog installed, as on recent Debian releases) set backend = systemd in jail.local so the sshd jail reads the journal instead. Confirm the jail is actually running with sudo fail2ban-client status sshd.

Firewall

Next, we will set up a whitelist-only firewall. This means that by default all access to the server will be blocked, save for the specific ports and sources we allow. The firewall itself lives in the kernel (netfilter); iptables and nftables are the tools that program it. Instead of writing iptables rules directly, we will use ufw (Uncomplicated Firewall), a simple and user-friendly front-end for them. Install the ufw package and enable its service file:

sudo apt install ufw
sudo systemctl enable ufw.service --now

The service is up, but ufw itself is still inactive and enforces nothing. We need to configure the policies first and then switch the firewall on through the application itself (ufw enable).

Let’s begin by setting default access policies. These are blanket rules that affect incoming and outgoing traffic in a general way; the individual allow rules then punch the holes we need. If you always administer the server from a fixed address, you can go one step further and allow ssh only from that address (sudo ufw allow from <your ip> to any port 22 proto tcp) instead of from anywhere:

sudo ufw default allow outgoing # The server may reach the outside world without restriction.
sudo ufw default deny incoming  # Drop all unsolicited incoming traffic; nobody reaches the server except through the rules below.
sudo ufw allow ssh              # Opens TCP port 22. If you changed the ssh port in the previous step, open that one instead: sudo ufw allow <port number>/tcp
sudo ufw allow "Nginx Full"     # (optional) The nginx application profile (listed by sudo ufw app list) opens ports 80 and 443. This is how you will publish your applications over the internet.
sudo ufw enable                 # Activates the rule set; nothing above was enforced until this point.

WARNING! Before running ufw enable, ensure that you have whitelisted the ssh port correctly (sudo ufw show added lists the pending rules), and afterwards confirm the result with sudo ufw status verbose. Otherwise you will lose access to the server altogether.

The End?

Congratulations, by this point your server is reasonably well protected from most outside threats. Keep your system updated (especially with security updates; the unattended-upgrades package can install those automatically), use strong authentication, and disallow all unauthorized remote and/or physical access to the server. That is the essence of system security.

Resources