Initial Configuration To Secure New Server
August 3, 2022
Essential first steps to secure a new Linux server — user setup, SSH configuration, and firewall rules.

A server is a computer or program that provides services to other programs or devices, which are called clients. Servers can be distinguished by type, such as database servers, file servers, mail servers, web servers and others.
One server can serve many clients, so securing the server is important to keep its services running. This article describes the first steps you must take to secure your server, including user setup, SSH configuration and a firewall.
This example uses Amazon Web Services (AWS) as the server. You can use other VPS or cloud computing providers such as Microsoft Azure, Google Cloud (GCP), DigitalOcean and others. Log in to the server using the connection method of the service you use, usually as root.
User security configuration
When you are logged in as root on the server, start by creating a new user and setting up SSH key pair access for that user.
Create a new user and enter a password, other info is optional
# adduser aditya
Switch to the user that has been created
# su aditya
Create a .ssh directory in the user directory if it doesn’t already exist
$ mkdir -p /home/aditya/.ssh
Create an authorized_keys file in the .ssh directory and leave the terminal tab open.
Make sure the permissions are 700 for the .ssh directory and 600 for the authorized_keys file.
$ vim /home/aditya/.ssh/authorized_keys
Open a new terminal tab on your local machine and create a key, with any key name you like, in the .ssh folder
As a small extra, use the ED25519 algorithm for the SSH key. Commonly used algorithms such as DSA or RSA have now been deprecated. You can read more info here.
$ ssh-keygen -o -a 100 -t ed25519 -f ~/.ssh/id_key_myserver
Copy the contents of the public key id_key_myserver.pub and paste it into the server’s authorized_keys file in the first terminal tab
If everything is in place, exit the SSH session and log in as the new user using the private key id_key_myserver
$ ssh -i <PATH TO PRIVATE KEY> <USERNAME>@<IP SERVER>
$ ssh -i ~/.ssh/id_key_myserver aditya@10.10.10.10
Configure SSH Security
Configure SSH
We’ll be configuring SSH to be a little more secure by enforcing the use of SSH key-based access and ensuring that the root user cannot log in via SSH directly.
Open the file /etc/ssh/sshd_config with an editor
$ sudo vim /etc/ssh/sshd_config
Find and change several fields as follows
# Urgent
PermitRootLogin no
PasswordAuthentication no
# Double check this section
PubkeyAuthentication yes
PermitEmptyPasswords no
# Optional
# Only specific users are allowed
AllowUsers aditya
# Only the sudo and ssh groups are allowed
# (if both AllowUsers and AllowGroups are set, a login must satisfy both)
AllowGroups sudo ssh
Then restart the ssh service
$ sudo service ssh restart
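One way to check the result of the edits above, as an added example that is not part of the original article: a small audit of the four required settings. It relies on the documented sshd behaviour that the first value read for a keyword wins, and it assumes a single config file, checking only the global section (the function names and the sample file are constructed for illustration).

```shell
#!/bin/sh
# Added example (not from the original article): audit an sshd_config file
# for the four settings recommended above.
# sshd keeps the FIRST value it reads for a keyword; keywords are case-insensitive.
# Assumption: only the global section of a single file is checked
# (parsing stops at the first Match block and Include is not followed).

# effective_value FILE KEYWORD DEFAULT: print the value sshd would use
effective_value() {
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key) }
        /^[ \t]*(#|$)/          { next }   # comments and blank lines
        tolower($1) == "match"  { exit }   # end of global section
        tolower($1) == key      { print $2; found = 1; exit }
        END { if (!found) print def }      # keyword absent: OpenSSH default
    ' "$1"
}

# audit_sshd FILE: print one FAIL line per finding, return the finding count
audit_sshd() {
    findings=0
    # columns: keyword, value the article requires, OpenSSH default when absent
    while read -r key want def; do
        got=$(effective_value "$1" "$key" "$def")
        if [ "$got" != "$want" ]; then
            echo "FAIL $key is '$got', expected '$want'"
            findings=$((findings + 1))
        fi
    done <<EOF
PermitRootLogin no prohibit-password
PasswordAuthentication no yes
PubkeyAuthentication yes yes
PermitEmptyPasswords no no
EOF
    return "$findings"
}

# Constructed sample: the later "PasswordAuthentication no" is ignored by sshd
sample=$(mktemp)
cat > "$sample" <<EOF
PasswordAuthentication yes
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
EOF
audit_sshd "$sample" || echo "$? finding(s) in sample"
rm -f "$sample"
```

On a live server, running sudo sshd -t before the restart validates the file syntax, and sudo sshd -T prints the effective configuration including any included files.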
Configure Fail2ban
We will also use fail2ban, which checks the /var/log/auth.log file for repeated SSH login failures and bans logins from the source (IP) of those attempts. This provides extra protection against brute-force SSH access.
Install fail2ban
$ sudo apt-get install -y fail2ban
Make sure a file in the /etc/fail2ban/jail.d directory contains an sshd configuration like this:
[sshd]
enabled = true
If so, then fail2ban will do its job.
Configure Firewall Security (Optional)
This section is optional, because usually cloud service providers have implemented security systems such as firewalls. For example, on AWS there is a Security Group which acts as a virtual firewall to control incoming and outgoing traffic.
To view firewall rules, run the command sudo iptables -L -v.
We’ll add these rules to the INPUT chain, which controls incoming (ingress) traffic:
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -j DROP
We have added some rules above, including port 22 for SSH and port 80 for HTTP. In addition, you can insert a rule at a specific position, such as this one for the HTTPS port:
sudo iptables -I INPUT 5 -p tcp --dport 443 -j ACCEPT
Finally, we need to make these rules persist across reboots:
# Installing this package saves the current rules (it pulls in netfilter-persistent)
sudo apt-get install -y iptables-persistent
That’s it! We’ve already taken the first steps in securing our new server.
