, CC BY-SA
Nowadays, raising a server on a hosting is a matter of a couple of minutes and a few mouse clicks. But immediately after launch, he finds himself in a hostile environment, because he is open to the entire Internet like an innocent girl in a rocker disco. Scanners will quickly find it and detect thousands of automatically scripted bots that scour the network looking for vulnerabilities and misconfigurations. There are a few things you should do right after launch to ensure basic protection.
Content
Non-root user
The first step is to create a non-root user for yourself. The point is that the user root absolute privileges in the system, and if you allow him remote administration, then you will do half the work for the hacker, leaving a valid username for him.
Therefore, you need to create another user, and disable remote administration via SSH for root.
A new user is started by the command useradd:
useradd [options] <username>
Then a password is added for it with the command passwd:
passwd <username>
Finally, this user needs to be added to a group that has the right to execute elevated commands sudo. Depending on the Linux distribution, these may be different groups. For example, in CentOS and Red Hat, the user is added to the group wheel:
usermod -aG wheel <username>
In Ubuntu it is added to the group sudo:
usermod -aG sudo <username>
Keys instead of SSH passwords
Brute force or password leaks are a standard attack vector, so it's best to disable password authentication in SSH (Secure Shell) and use key authentication instead.
There are various programs for implementing the SSH protocol, such as и , but the most popular is OpenSSH. Installing the OpenSSH client on Ubuntu:
sudo apt install openssh-clientServer installation:
sudo apt install openssh-serverStarting the SSH daemon (sshd) on the Ubuntu server:
sudo systemctl start sshdAutomatically start the daemon on every boot:
sudo systemctl enable sshd
It should be noted that the server part of OpenSSH includes the client part. That is, through openssh-server you can connect to other servers. Moreover, from your client machine, you can start an SSH tunnel from a remote server to a third-party host, and then the third-party host will consider the remote server as the source of requests. A very handy feature for masking your system. See article for details .
On a client machine, it usually makes no sense to install a full-fledged server in order to prevent the possibility of remote connection to a computer (for security purposes).
So, for your new user, you first need to generate SSH keys on the computer from which you will access the server:
ssh-keygen -t rsa
The public key is stored in a file .pub and looks like a string of random characters that starts with ssh-rsa.
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ3GIJzTX7J6zsCrywcjAM/7Kq3O9ZIvDw2OFOSXAFVqilSFNkHlefm1iMtPeqsIBp2t9cbGUf55xNDULz/bD/4BCV43yZ5lh0cUYuXALg9NI29ui7PEGReXjSpNwUD6ceN/78YOK41KAcecq+SS0bJ4b4amKZIJG3JWm49NWvoo0hdM71sblF956IXY3cRLcTjPlQ84mChKL1X7+D645c7O4Z1N3KtL7l5nVKSG81ejkeZsGFzJFNqvr5DuHdDL5FAudW23me3BDmrM9ifUmt1a00mWci/1qUlaVFft085yvVq7KZbF2OP2NQACUkwfwh+iSTP username@hostname
Then, from under root, create an SSH directory on the server in the user's home directory and add the SSH public key to the file authorized_keys, using a text editor like Vim:
mkdir -p /home/user_name/.ssh && touch /home/user_name/.ssh/authorized_keysvim /home/user_name/.ssh/authorized_keysFinally, set the correct permissions for the file:
chmod 700 /home/user_name/.ssh && chmod 600 /home/user_name/.ssh/authorized_keysand change ownership to this user:
chown -R username:username /home/username/.sshOn the client side, you need to specify the location of the secret key for authentication:
ssh-add DIR_PATH/keylocationNow you can log in to the server under the username using this key:
ssh [username]@hostnameAfter authorization, you can use the scp command to copy files, the utility to remotely mount a file system or directories.
It is advisable to make several backup copies of the private key, because if you disable password authentication and lose it, then you will not have any way to log into your own server at all.
As mentioned above, in SSH you need to disable authentication for root (this is the reason we started a new user).
On CentOS/Red Hat we find the line PermitRootLogin yes in the config file /etc/ssh/sshd_config and change it:
PermitRootLogin no
On Ubuntu add the line PermitRootLogin no to the config file 10-my-sshd-settings.conf:
sudo echo "PermitRootLogin no" >> /etc/ssh/sshd_config.d/10-my-sshd-settings.confAfter verifying that the new user is authenticating with their key, you can disable password authentication to eliminate the risk of password leakage or brute force. Now, in order to access the server, an attacker will need to get a private key.
On CentOS/Red Hat we find the line PasswordAuthentication yes in the config file /etc/ssh/sshd_config and change it like this:
PasswordAuthentication no
On Ubuntu add the line PasswordAuthentication no to file 10-my-sshd-settings.conf:
sudo echo "PasswordAuthentication no" >> /etc/ssh/sshd_config.d/10-my-sshd-settings.confFor instructions on enabling two-factor authentication via SSH, see .
firewall
The firewall ensures that only the traffic on the ports that you directly allow will go to the server. This protects against exploitation of ports that are accidentally enabled with other services, which greatly reduces the attack surface.
Before installing a firewall, you need to make sure that SSH is included in the exclusion list and will not be blocked. Otherwise, after starting the firewall, we will not be able to connect to the server.
Ubuntu distribution comes with Uncomplicated Firewall (), and with CentOS/Red Hat - .
Allowing SSH in the firewall on Ubuntu:
sudo ufw allow ssh
On CentOS/Red Hat use the command firewall-cmd:
sudo firewall-cmd --zone=public --add-service=ssh --permanentAfter this procedure, you can start the firewall.
On CentOS/Red Hat, start the systemd service for firewalld:
sudo systemctl start firewalld
sudo systemctl enable firewalldOn Ubuntu we use the following command:
sudo ufw enable
Fail2Ban
Service analyzes logs on the server and counts the number of access attempts from each IP address. The settings specify the rules for how many access attempts are allowed for a certain interval - after which this IP address is blocked for a specified period of time. For example, let's allow 5 failed SSH authentication attempts within 2 hours, then block the given IP address for 12 hours.
Installing Fail2Ban on CentOS and Red Hat:
sudo yum install fail2banInstallation on Ubuntu and Debian:
sudo apt install fail2banRun:
systemctl start fail2ban
systemctl enable fail2ban
The program has two configuration files: /etc/fail2ban/fail2ban.conf и /etc/fail2ban/jail.conf. Ban restrictions are specified in the second file.
Jail for SSH is enabled by default with default settings (5 attempts, interval 10 minutes, ban for 10 minutes).
[DEFAULT] ignorecommand=bantime=10m findtime=10m maxretry=5
In addition to SSH, Fail2Ban can protect other services on the nginx or Apache web server.
Automatic security updates
As you know, new vulnerabilities are constantly found in all programs. After the information is published, exploits are added to popular exploit packs, which are massively used by hackers and teenagers when scanning all servers in a row. Therefore, it is very important to install security updates as soon as they appear.
On the Ubuntu server, automatic security updates are enabled by default, so no further action is required.
On CentOS/Red Hat you need to install the application and turn on the timer:
sudo dnf upgrade
sudo dnf install dnf-automatic -y
sudo systemctl enable --now dnf-automatic.timerTimer check:
sudo systemctl status dnf-automatic.timer
Changing the default ports
SSH was developed in 1995 to replace telnet (port 23) and ftp (port 21), so the author of the program, Tatu Iltonen , and has been approved by IANA.
Naturally, all attackers are aware of which port SSH is running on - and scan it along with the rest of the standard ports to find out the software version, to check standard root passwords, and so on.
Changing standard ports - obfuscation - several times reduces the amount of garbage traffic, the size of the logs and the load on the server, and also reduces the attack surface. Although some (security through obscurity). The reason is that this technique is opposed to the fundamental . Therefore, for example, the US National Institute of Standards and Technology in indicates the need for an open server architecture: “The security of a system should not rely on the secrecy of the implementation of its components,” the document says.
Theoretically, changing the default ports is against the practice of open architecture. But in practice, the amount of malicious traffic is actually reduced, so this is a simple and effective measure.
The port number can be configured by changing the directive Port 22 in the config file . It is also indicated by the parameter -p <port> в . SSH client and programs also support the option -p <port>.
Parameter -p <port> can be used to specify the port number when connecting with the command ssh in linux. IN и scp parameter is used -P <port> (capital P). Command line instruction overrides any value in configuration files.
If there are many servers, almost all of these actions to protect the Linux server can be automated in a script. But if there is only one server, then it is better to manually control the process.
As advertising
Order and get started right away! any configuration and with any operating system within a minute. The maximum configuration will allow you to come off to the fullest - 128 CPU cores, 512 GB RAM, 4000 GB NVMe. Epic 🙂
Source: habr.com