Securing your Server

Things you can do to secure your server running the Bonder

Here are a number of things you can do to secure an Ubuntu server.

These are examples; do your own research to decide what is right for your own server. Work through them in order, and keep your current SSH session open until you have confirmed that a new session still works after each SSH-related change.

Update your system

Keep the system up to date with the latest patches, and reboot afterwards if a kernel update asks for it (on Ubuntu the file /run/reboot-required appears when a reboot is needed)

sudo apt update -y && sudo apt full-upgrade -y
sudo apt autoremove -y && sudo apt autoclean

Create a new user instead of using the default user

Create a non-root user with sudo privileges

sudo useradd -m -s /bin/bash alice
sudo passwd alice
sudo usermod -aG sudo alice

Copy the authorized SSH keys (the .ssh directory, including authorized_keys) to the new user

su - alice
sudo cp -r /home/ubuntu/.ssh .ssh
sudo chown -R alice:alice .ssh

After copying, the .ssh directory must be owned by alice with mode 700 and authorized_keys with mode 600; sshd refuses to use keys from a directory that other users can write to.

Log out, SSH in as alice and confirm that sudo works. Keep the ubuntu session open until you have done so, because a missing key or a wrong permission would otherwise lock you out. Then, from the alice session, kill the remaining processes of the default user and delete it:

sudo pkill -u ubuntu
sudo userdel -r -f ubuntu
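The user-creation and key-copy steps above as one script, added here as an example and not part of the Bonder docs. It adds the two checks the manual steps skip: the copied authorized_keys gets the ownership and modes sshd requires, and it is checked for at least one well-formed key before you are told to delete the default user. It assumes an Ubuntu image with a default user named ubuntu and a new user named alice (both overridable on the command line).

```sh
#!/bin/sh
# Added example (not from the Bonder docs): migrate SSH keys from the default
# cloud user to a new sudo user, with the checks the manual steps omit.
# Assumptions: Ubuntu image, default user "ubuntu", new user "alice".
set -eu

# authorized_keys_sane FILE: return 0 if FILE is non-empty and every line that
# is not blank or a comment carries a recognised OpenSSH key type (optionally
# after key options such as from="..." or no-pty); otherwise return 1.
authorized_keys_sane() {
    file=$1
    [ -s "$file" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;
        esac
        printf '%s\n' "$line" | grep -Eq \
            '(^|[[:space:]])(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com)[[:space:]]+[A-Za-z0-9+/]+=*' \
            || return 1
    done < "$file"
}

# migrate_user OLD NEW: create NEW (if missing) with sudo rights, copy OLD's
# authorized_keys with mode 700 on ~/.ssh and 600 on the file, owned by NEW,
# then sanity-check the copied keys.
migrate_user() {
    old=$1; new=$2
    id "$new" >/dev/null 2>&1 || useradd -m -s /bin/bash "$new"
    usermod -aG sudo "$new"
    install -d -m 700 -o "$new" -g "$new" "/home/$new/.ssh"
    install -m 600 -o "$new" -g "$new" \
        "/home/$old/.ssh/authorized_keys" "/home/$new/.ssh/authorized_keys"
    authorized_keys_sane "/home/$new/.ssh/authorized_keys"
}

# Only touch the system when invoked as: sudo sh migrate.sh --apply ubuntu alice
if [ "${1:-}" = "--apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run with sudo" >&2; exit 1; }
    migrate_user "${2:-ubuntu}" "${3:-alice}"
    echo "Keys copied. Set a password with: passwd ${3:-alice}"
    echo "Log in as ${3:-alice} in a NEW session and confirm sudo works before: userdel -r -f ${2:-ubuntu}"
fi
```

Without --apply the script only defines the functions, so it can be sourced to check an existing authorized_keys file before you remove the default user.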

Harden SSH config

Edit SSH configuration

sudo vim /etc/ssh/sshd_config

In sshd_config file, make sure to have the following settings:

PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
KbdInteractiveAuthentication no
X11Forwarding no

On Ubuntu releases before 22.04 (OpenSSH older than 8.7) the keyword KbdInteractiveAuthentication is called ChallengeResponseAuthentication. Do not put a comment after a value on the same line; older sshd versions reject the file.

For each keyword sshd uses the first value it reads, and on Ubuntu 22.04 and later sshd_config begins with Include /etc/ssh/sshd_config.d/*.conf. Cloud images typically ship /etc/ssh/sshd_config.d/50-cloud-init.conf containing PasswordAuthentication yes, which then takes precedence over your edit, so change or remove that drop-in as well.

Optional: locate Port and change it to a random port. Use a port from 1024 through 49151 (the registered range; 49152 and above is used by clients for outgoing connections) and check with ss -tln that nothing already listens on it. If ssh is started through a systemd socket (Ubuntu 22.10 and later), confirm after reloading that sshd listens on the new port and not only on 22; the socket unit ssh.socket may need updating too.

Port <port number>

Verify the syntax, reload the service, and check the values sshd actually uses (sudo sshd -T prints the effective configuration with lowercase keywords). Then open a new SSH session to confirm you can still log in before closing the current one.

sudo sshd -t
sudo service ssh reload

Only allow specific users for SSH

Edit SSH configuration

sudo vim /etc/ssh/sshd_config

Edit or add an AllowUsers line with space-separated usernames. Only the listed accounts can log in over SSH, so include every account that needs access, including any you add later.

AllowUsers alice

Reload SSH service

sudo service ssh reload
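A check for the two SSH sections above (the hardening settings and the AllowUsers list), added here as an example and not part of the Bonder docs. It audits the output of sshd -T, the configuration sshd actually uses, rather than grepping sshd_config, because an Include'd drop-in such as cloud-init's 50-cloud-init.conf is read first and the first value of a keyword wins. The sample dump embedded below is constructed, not captured from a real host; with --live it runs against the local sshd instead.

```sh
#!/bin/sh
# Added example (not from the Bonder docs): audit the settings sshd actually
# uses, read from "sshd -T" (effective config, keywords in lowercase).
set -eu

# key=value pairs this page requires; sshd -T prints the keywords in lowercase.
REQUIRED="permitrootlogin=no passwordauthentication=no permitemptypasswords=no kbdinteractiveauthentication=no x11forwarding=no"

# effective KEY: print KEY's value from the saved dump in $DUMP (empty if unset).
effective() {
    printf '%s\n' "$DUMP" | awk -v k="$1" '$1 == k { print $2; exit }'
}

# audit_sshd: read an "sshd -T" dump on stdin, print one line per missing or
# wrong setting (and a missing AllowUsers list), return 1 if anything failed.
audit_sshd() {
    DUMP=$(cat)
    failed=0
    for spec in $REQUIRED; do
        key=${spec%%=*}; want=${spec#*=}
        got=$(effective "$key")
        # OpenSSH before 8.7 (Ubuntu older than 22.04) reports this keyword
        # under its old name.
        if [ -z "$got" ] && [ "$key" = kbdinteractiveauthentication ]; then
            got=$(effective challengeresponseauthentication)
        fi
        if [ "$got" != "$want" ]; then
            printf '%s: want %s, got %s\n' "$key" "$want" "${got:-<unset>}"
            failed=1
        fi
    done
    if [ -z "$(effective allowusers)" ]; then
        echo "allowusers: not set, every account with a key can log in"
        failed=1
    fi
    return "$failed"
}

# Constructed sample of "sshd -T" output from a cloud image whose drop-in
# still allows passwords (not captured from a real host).
SAMPLE='port 22
permitrootlogin no
passwordauthentication yes
permitemptypasswords no
kbdinteractiveauthentication no
x11forwarding no
allowusers alice'

if [ "${1:-}" = "--live" ]; then
    sudo sshd -T | audit_sshd && echo "sshd: all required settings in effect"
else
    printf '%s\n' "$SAMPLE" | audit_sshd || echo "sample host is NOT hardened"
fi
```

Run it as sudo sh audit-sshd.sh --live after every reload; a non-zero exit means at least one of the settings above is not in effect, whatever sshd_config itself says.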

Disable root account

Lock the root account's password so nobody can log in as root directly; sudo from alice keeps working. Ubuntu locks it by default, but it costs nothing to make sure:

sudo passwd -l root

Install fail2ban

fail2ban watches the SSH log and temporarily bans source IPs that repeatedly fail to log in

sudo apt update
sudo apt install fail2ban -y

Create a local configuration file (jail.local overrides the packaged jail.conf, which you should not edit directly)

sudo vim /etc/fail2ban/jail.local

Add the following config

[sshd]
enabled = true
port = <22 or your random port number>
filter = sshd
logpath = /var/log/auth.log
maxretry = 3

If /var/log/auth.log does not exist (Ubuntu 24.04 does not install rsyslog by default), set backend = systemd in the jail and drop the logpath line so fail2ban reads the journal instead; with a missing log file the jail fails to start. Adding ignoreip with your own address under [DEFAULT] stops a mistyped password from banning you. bantime and findtime default to 10 minutes.

Restart the service and check that the sshd jail is active (sudo fail2ban-client status sshd lists the currently banned IPs)

sudo service fail2ban restart
sudo service fail2ban status
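To see what maxretry and ignoreip actually do before trusting the jail, here is the counting fail2ban's sshd jail performs, written out as an added example (not part of the Bonder docs or of fail2ban). It reads auth.log-style lines on stdin and prints every source IP with at least MAXRETRY failures, skipping an optional IGNOREIP. The log lines are constructed for the example and use documentation addresses; the time window (findtime) is left out.

```sh
#!/bin/sh
# Added example (not from the Bonder docs): fail2ban-style counting of failed
# SSH logins per source IP from auth.log lines on stdin.
set -eu

# offenders MAXRETRY [IGNOREIP]: print "IP count" for each IP with at least
# MAXRETRY failures, skipping IGNOREIP (your own admin address).
offenders() {
    awk -v max="$1" -v ignore="${2:-}" '
        # The two events the default fail2ban sshd filter matches most often.
        /sshd\[[0-9]+\]: (Failed password for|Invalid user)/ {
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (ip != "" && ip != ignore) fails[ip]++
        }
        END { for (ip in fails) if (fails[ip] >= max) print ip, fails[ip] }
    ' | sort
}

# Constructed sample in the format sshd writes to /var/log/auth.log
# (not captured from a real host; 203.0.113.0/24 etc. are documentation ranges).
SAMPLE_LOG='Mar  4 10:00:01 node sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40212 ssh2
Mar  4 10:00:03 node sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 40213 ssh2
Mar  4 10:00:05 node sshd[1203]: Failed password for root from 203.0.113.5 port 40214 ssh2
Mar  4 10:00:09 node sshd[1208]: Accepted publickey for alice from 198.51.100.7 port 51022 ssh2
Mar  4 10:00:11 node sshd[1210]: Failed password for alice from 198.51.100.7 port 51030 ssh2
Mar  4 10:00:15 node sshd[1215]: Invalid user test from 192.0.2.9 port 33000'

echo "IPs the page's maxretry = 3 would ban:"
printf '%s\n' "$SAMPLE_LOG" | offenders 3
echo "With maxretry = 1 and 198.51.100.7 (the admin) in ignoreip:"
printf '%s\n' "$SAMPLE_LOG" | offenders 1 198.51.100.7
```

Against the real log, fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf shows which lines the packaged filter matches, and sudo fail2ban-client status sshd shows what the running jail has banned.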

Firewall

Deny all incoming connections by default and allow outgoing ones, then explicitly allow SSH and any port the Bonder must expose to other hosts. Add the SSH rule before enabling the firewall, otherwise you lock yourself out.

For example, if using UFW

sudo systemctl start ufw.service
sudo systemctl enable ufw.service

sudo ufw default deny incoming
sudo ufw allow "<22 or your random port number>/tcp" comment "Allow SSH"
sudo ufw enable
sudo ufw status verbose
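The firewall steps above as a script, added here as an example and not part of the Bonder docs. It validates the SSH port (22, or a custom port in the 1024 through 49151 range the SSH section recommends) and any extra ports, and emits the ufw commands in the one order that cannot lock you out: SSH allowed before the firewall is enabled. The page does not say which ports the Bonder itself needs, so none are assumed; pass them as extra arguments. Without --apply it only prints the plan.

```sh
#!/bin/sh
# Added example (not from the Bonder docs): build and optionally apply the
# ufw rule set for this page, validating ports and ordering rules safely.
set -eu

# valid_port PORT: numeric and within 1-65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# ssh_port_ok PORT: 22, or a custom port in the registered range 1024-49151
# (above that is the ephemeral range clients use for outgoing connections).
ssh_port_ok() {
    valid_port "$1" || return 1
    [ "$1" -eq 22 ] || { [ "$1" -ge 1024 ] && [ "$1" -le 49151 ]; }
}

# ufw_plan SSHPORT [PORT[/PROTO] ...]: print the ufw commands, one per line,
# SSH first so that "enable" never runs without an SSH allow rule.
ufw_plan() {
    ssh_port_ok "$1" || { echo "bad SSH port: $1" >&2; return 1; }
    ssh=$1; shift
    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"
    echo "ufw allow $ssh/tcp comment 'Allow SSH'"
    for spec in "$@"; do
        port=${spec%%/*}; proto=${spec#*/}
        [ "$proto" = "$spec" ] && proto=tcp   # no /proto given: assume tcp
        valid_port "$port" || { echo "bad port: $spec" >&2; return 1; }
        echo "ufw allow $port/$proto comment 'Bonder'"
    done
    echo "ufw --force enable"
    echo "ufw status verbose"
}

# Dry run by default; "sudo sh ufw.sh --apply 2222 9000/tcp" executes the plan
# (9000/tcp is a placeholder, not a port the Bonder is known to use).
if [ "${1:-}" = "--apply" ]; then
    shift
    [ "$(id -u)" -eq 0 ] || { echo "run with sudo" >&2; exit 1; }
    ufw_plan "$@" | while IFS= read -r cmd; do
        echo "+ $cmd"; eval "$cmd"
    done
else
    [ $# -gt 0 ] || set -- 22
    ufw_plan "$@"
fi
```

Check the printed plan before applying; if you changed the SSH port, the port in the plan must match the Port line in sshd_config or you will lose access when the firewall comes up.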

Add SSH 2FA

See the page Add SSH 2FA.
