Hop Docs
Developer Docs
Search…
⌃K
Links

Securing Server

Things you can do to secure your server running the Hop Node
These are some things you can do to secure an Ubuntu server.
These are examples and it's recommended that do your own research to know what's best for your own server.

Update your system

Keep the system up-to-date with the latest patches
sudo apt update -y && sudo apt full-upgrade -y
sudo apt autoremove -y && sudo apt autoclean

Create new user instead of using default user

Create a non-root user with sudo privileges
sudo useradd -m -s /bin/bash alice
sudo passwd alice
sudo usermod -aG sudo alice
Copy authorized SSH hosts to new user
su - alice
sudo cp -r /home/ubuntu/.ssh .ssh
sudo chown -R alice:alice .ssh
End your current session and SSH into the new user and delete default user
pkill -u ubuntu
sudo userdel -r -f ubuntu

Harden SSH config

Edit SSH configuration
sudo vim /etc/ssh/sshd_config
In sshd_config file, make sure to have the following settings:
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no # This has been replaced by KbdInteractiveAuthentication in Ubuntu 22.04 and later
X11Forwarding no
Optional: Locate Port and customize it your random port. Use a random port # from 1024 through 49141. Check for possible conflicts.
Port <port number>
Verify changes and reload service
sudo sshd -t
sudo service ssh reload

Only allow specific users for SSH

Edit SSH configuration
sudo vim /etc/ssh/sshd_config
Edit or add AllowUsers with space separated usernames
AllowUsers alice
Reload SSH service
sudo service ssh reload

Disable root account

Disabling the root user account is a good idea
sudo passwd -l root

Install fail2ban

Installing fail2ban will block out anyone who fails to repeatedly log in
sudo apt update
sudo apt install fail2ban -y
Create a local configuration file
sudo vim /etc/fail2ban/jail.local
Add the following config
[sshd]
enabled = true
port = <22 or your random port number>
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
Restart services and show status
sudo service fail2ban restart
sudo service fail2ban status

Firewall

All incoming connections can be disallowed. Only outgoing connections need to be allowed.
For example, if using UFW
systemctl start ufw.service
systemctl enable ufw.service
sudo ufw default deny
sudo ufw allow "<22 or your random port number>/tcp" comment "Allow SSH"
sudo ufw disable
sudo ufw enable
sudo ufw status

Add SSH 2FA

Check out the link below