Securing Server
Things you can do to secure your server running the Hop Node
These are some things you can do to secure an Ubuntu server.
These are examples, and it's recommended that you do your own research to decide what's best for your own server.
Keep the system up-to-date with the latest patches
sudo apt update -y && sudo apt full-upgrade -y
sudo apt autoremove -y && sudo apt autoclean
Create a non-root user with sudo privileges
sudo useradd -m -s /bin/bash alice
sudo passwd alice
sudo usermod -aG sudo alice
Copy the authorized SSH keys to the new user
su - alice
sudo cp -r /home/ubuntu/.ssh .ssh
sudo chown -R alice:alice .ssh
Before removing the default user, keep your current session open and confirm in a second terminal that you can SSH in as alice with your key. Only then end the ubuntu session, SSH in as alice, and delete the default user. pkill needs sudo here, because alice cannot signal another user's processes:
sudo pkill -u ubuntu
sudo userdel -r -f ubuntu
Edit SSH configuration
sudo vim /etc/ssh/sshd_config
In the sshd_config file, make sure you have the following settings:
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no # Ubuntu 22.04 and later call this keyword KbdInteractiveAuthentication; the old name is still accepted as an alias, so either spelling works
X11Forwarding no
Optional: locate Port and change it to a random port number from 1024 through 49151 (the registered range; ports above that are the ephemeral range clients use for outgoing connections). Check for possible conflicts with other services, and if ufw is already enabled, allow the new port before reloading sshd.
Port <port number>
Verify changes and reload service
sudo sshd -t
sudo service ssh reload
Keep your existing session open and test a fresh connection (on the new port, if you changed it) before closing it. Note that sshd keeps the first value it reads for each keyword and Ubuntu's sshd_config includes /etc/ssh/sshd_config.d/*.conf before its own contents, so a drop-in such as the 50-cloud-init.conf that cloud images use to turn PasswordAuthentication on silently wins over an edit to the main file; confirm the effective values with sudo sshd -T | grep -i passwordauthentication rather than trusting the file you edited. On Ubuntu releases where sshd is socket-activated (22.10 and later), a Port change also needs sudo systemctl daemon-reload followed by sudo systemctl restart ssh.socket, because the listening port belongs to the socket unit rather than to sshd itself.
Restrict SSH logins to specific users
sudo vim /etc/ssh/sshd_config
Edit or add AllowUsers with space-separated usernames; any account not listed is refused before authentication:
AllowUsers alice
Check the syntax with sshd -t as above, then reload the SSH service
sudo service ssh reload
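The sshd changes above (the hardening settings, the optional port and AllowUsers) as one script, added here as an example rather than anything from the Hop docs. It writes the settings to a drop-in file under /etc/ssh/sshd_config.d/ (the file name 10-hardening.conf, the user alice and the port 2222 are the example's own choices) and then checks the effective configuration that sshd -T reports, which is what catches a cloud-init drop-in re-enabling password login behind your back.

```shell
#!/bin/sh
# Added example (not from the Hop docs): apply the sshd settings above as a
# drop-in file and verify the *effective* configuration with `sshd -T`.
# Assumes Ubuntu 20.04 or later, whose /etc/ssh/sshd_config starts with
# "Include /etc/ssh/sshd_config.d/*.conf". The file name 10-hardening.conf
# and the user/port arguments are this example's own choices.
set -eu

# Settings we expect to see in `sshd -T` output (it prints keywords lowercased).
WANT="permitrootlogin no
passwordauthentication no
permitemptypasswords no
kbdinteractiveauthentication no
x11forwarding no"

# write_dropin USER [PORT]: print the drop-in contents for the given admin user
# and SSH port (22 if omitted).
write_dropin() {
  user="$1"
  port="${2:-22}"
  cat <<EOF
# sshd hardening drop-in (example). sshd keeps the FIRST value it reads for a
# keyword and includes this directory before the main file, so this file must
# sort before any other drop-in that sets the same keyword, e.g. the
# 50-cloud-init.conf that cloud images use to turn PasswordAuthentication on.
Port $port
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
KbdInteractiveAuthentication no
X11Forwarding no
AllowUsers $user
EOF
}

# check_effective: read `sshd -T` output on stdin and compare it with WANT.
# Prints each mismatch to stderr; returns 0 only if every keyword matches.
check_effective() {
  effective="$(cat)"
  rc=0
  while read -r key val; do
    [ -n "$key" ] || continue
    got="$(printf '%s\n' "$effective" | awk -v k="$key" '$1 == k { print $2; exit }')"
    if [ "$got" != "$val" ]; then
      printf 'MISMATCH %s: want %s, got %s\n' "$key" "$val" "${got:-<unset>}" >&2
      rc=1
    fi
  done <<EOF
$WANT
EOF
  return "$rc"
}

# Real run (needs root):  sudo sh harden-sshd.sh alice 2222
# With no arguments the functions are only defined, so the file can be sourced.
if [ -n "${1:-}" ] && [ "$(id -u)" -eq 0 ]; then
  write_dropin "$1" "${2:-22}" > /etc/ssh/sshd_config.d/10-hardening.conf
  sshd -t                      # syntax check before touching the running service
  sshd -T | check_effective    # effective values, drop-ins included
  systemctl reload ssh
fi
```

Run it as root with the admin user and port as arguments; with no arguments it only defines the functions. The effective-config check is the part worth keeping even if you edit the files by hand: sshd -t only validates syntax, so a drop-in that overrides your setting produces no error at all, and only sshd -T shows the value the daemon will actually enforce.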
Locking the root account's password is a good idea (Ubuntu ships it locked already; this only removes password login for root, and sudo keeps working):
sudo passwd -l root
Installing fail2ban blocks the address of anyone who repeatedly fails to log in
sudo apt update
sudo apt install fail2ban -y
Create a local configuration file (jail.conf is replaced on package upgrades; jail.local is where your own settings belong)
sudo vim /etc/fail2ban/jail.local
Add the following config
[sshd]
enabled = true
port = <22 or your random port number>
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
findtime and bantime keep their jail.conf defaults (10 minutes each) unless you set them here. If /var/log/auth.log does not exist on your install (it is written by rsyslog, which not every Ubuntu image ships), replace the logpath line with backend = systemd so fail2ban reads sshd's entries from the journal instead; otherwise the jail fails to start.
Restart services and show status
sudo service fail2ban restart
sudo service fail2ban status
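What the jail above actually decides, as an added example that is not from the Hop docs or from fail2ban: the "maxretry failures from one source within findtime seconds" rule run over a few constructed auth.log lines (addresses from the RFC 5737 documentation ranges, hostname and PIDs invented), so you can see which source would be banned and at which line. It counts only the "Failed password" and "Invalid user" messages, both of which the stock sshd filter matches, and it generalizes the page's maxretry = 3 to any maxretry/findtime pair.

```shell
#!/bin/sh
# Added example (not from the Hop docs or fail2ban): the rule fail2ban's sshd
# jail applies, "maxretry failures from one source within findtime seconds",
# run over constructed auth.log lines so the logic can be checked offline.
# Assumes the traditional syslog timestamp format rsyslog writes on Ubuntu
# ("Mar  3 10:15:01 host sshd[pid]: ..."). Hostname, PIDs and addresses below
# are made up (RFC 5737 documentation ranges).
set -eu

SAMPLE_LOG="Mar  3 08:00:00 node sshd[1100]: Failed password for root from 192.0.2.5 port 33001 ssh2
Mar  3 09:30:00 node sshd[1130]: Failed password for root from 192.0.2.5 port 33010 ssh2
Mar  3 10:15:01 node sshd[1201]: Invalid user admin from 203.0.113.7 port 50222
Mar  3 10:15:01 node sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 50222 ssh2
Mar  3 10:15:09 node sshd[1204]: Failed password for root from 203.0.113.7 port 50230 ssh2
Mar  3 10:15:20 node sshd[1207]: Failed password for alice from 203.0.113.7 port 50241 ssh2
Mar  3 10:16:02 node sshd[1210]: Accepted publickey for alice from 198.51.100.9 port 40111 ssh2: ED25519 SHA256:examplekey
Mar  3 10:20:00 node sshd[1220]: Failed password for alice from 198.51.100.9 port 40120 ssh2
Mar  3 11:00:00 node sshd[1300]: Failed password for root from 192.0.2.5 port 33020 ssh2"

# find_offenders MAXRETRY FINDTIME  < auth.log
# Prints "IP COUNT" once for each source address whose MAXRETRY-th sshd
# failure falls within FINDTIME seconds of the oldest failure in the window,
# i.e. the moment fail2ban would ban it. Only "Failed password" and
# "Invalid user" lines are counted; successful logins are ignored.
find_offenders() {
  awk -v maxretry="$1" -v findtime="$2" '
    BEGIN {
      split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", names, " ")
      for (i = 1; i <= 12; i++) mon[names[i]] = i
    }
    /sshd\[[0-9]+\]: (Failed password|Invalid user) / {
      # Rough seconds-since-year-start from "Mon DD HH:MM:SS"; only differences
      # between nearby timestamps matter, so exact month lengths are not needed.
      split($3, t, ":")
      ts = ((mon[$1] - 1) * 31 + $2) * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
      ip = ""
      for (i = 1; i < NF; i++) if ($i == "from") { ip = $(i + 1); break }
      if (ip == "") next
      n[ip]++
      when[ip, n[ip]] = ts
      first = n[ip] - maxretry + 1          # index of the oldest failure in the window
      if (first >= 1 && ts - when[ip, first] <= findtime && !(ip in banned)) {
        banned[ip] = 1
        print ip, n[ip]
      }
    }'
}

# Demo over the constructed log with the jail settings from the page
# (maxretry = 3, fail2ban's default findtime of 10 minutes).
printf '%s\n' "$SAMPLE_LOG" | find_offenders 3 600
```

With the page's settings only 203.0.113.7 is reported, at its third failure eight seconds after the first; 192.0.2.5 also fails three times but spread over three hours, so it never has three failures inside one 10-minute window, and the single failure from 198.51.100.9 is ignored. On the real host, sudo fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf shows exactly which of your log lines the stock filter matches, and sudo fail2ban-client status sshd lists the jail's counters and the currently banned addresses.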
Block all incoming connections except SSH. Outgoing connections stay allowed under ufw's default policy, which is all the node needs to reach other servers. Add the SSH rule before enabling the firewall, or the enable step will cut off your own session.
sudo systemctl start ufw.service
sudo systemctl enable ufw.service
sudo ufw default deny
sudo ufw allow "<22 or your random port number>/tcp" comment "Allow SSH"
sudo ufw disable
sudo ufw enable
sudo ufw status
ufw default deny sets the incoming policy only; ufw status verbose shows both the incoming and outgoing defaults alongside the rules, so use it to confirm the result.