Nowadays, raising a server on a hosting is a matter of a couple of minutes and a few mouse clicks. But immediately after launch, he finds himself in a hostile environment, because he is open to the entire Internet like an innocent girl in a rocker disco. Scanners will quickly find it and detect thousands of automatically scripted bots that scour the network looking for vulnerabilities and misconfigurations. There are a few things you should do right after launch to ensure basic protection.
The first step is to create a non-root user for yourself. The point is that the user root absolute privileges in the system, and if you allow him remote administration, then you will do half the work for the hacker, leaving a valid username for him.
Therefore, you need to create another user, and disable remote administration via SSH for root.
A new user is started by the command useradd:
useradd [options] <username>
Then a password is added for it with the command passwd:
passwd <username>
Finally, this user needs to be added to a group that has the right to execute elevated commands sudo. Depending on the Linux distribution, these may be different groups. For example, in CentOS and Red Hat, the user is added to the group wheel:
usermod -aG wheel <username>
In Ubuntu it is added to the group sudo:
usermod -aG sudo <username>
Keys instead of SSH passwords
Brute force or password leaks are a standard attack vector, so it's best to disable password authentication in SSH (Secure Shell) and use key authentication instead.
There are various programs for implementing the SSH protocol, such as lsh и dropbear, but the most popular is OpenSSH. Installing the OpenSSH client on Ubuntu:
sudo apt install openssh-client
Server installation:
sudo apt install openssh-server
Starting the SSH daemon (sshd) on the Ubuntu server:
sudo systemctl start sshd
Automatically start the daemon on every boot:
sudo systemctl enable sshd
It should be noted that the server part of OpenSSH includes the client part. That is, through openssh-server you can connect to other servers. Moreover, from your client machine, you can start an SSH tunnel from a remote server to a third-party host, and then the third-party host will consider the remote server as the source of requests. A very handy feature for masking your system. See article for details "Practical Tips, Examples, and SSH Tunnels".
On a client machine, it usually makes no sense to install a full-fledged server in order to prevent the possibility of remote connection to a computer (for security purposes).
So, for your new user, you first need to generate SSH keys on the computer from which you will access the server:
ssh-keygen -t rsa
The public key is stored in a file .pub and looks like a string of random characters that starts with ssh-rsa.
Then, from under root, create an SSH directory on the server in the user's home directory and add the SSH public key to the file authorized_keys, using a text editor like Vim:
On the client side, you need to specify the location of the secret key for authentication:
ssh-add DIR_PATH/keylocation
Now you can log in to the server under the username using this key:
ssh [username]@hostname
After authorization, you can use the scp command to copy files, the utility sshfs to remotely mount a file system or directories.
It is advisable to make several backup copies of the private key, because if you disable password authentication and lose it, then you will not have any way to log into your own server at all.
As mentioned above, in SSH you need to disable authentication for root (this is the reason we started a new user).
On CentOS/Red Hat we find the line PermitRootLogin yes in the config file /etc/ssh/sshd_config and change it:
PermitRootLogin no
On Ubuntu add the line PermitRootLogin no to the config file 10-my-sshd-settings.conf:
After verifying that the new user is authenticating with their key, you can disable password authentication to eliminate the risk of password leakage or brute force. Now, in order to access the server, an attacker will need to get a private key.
On CentOS/Red Hat we find the line PasswordAuthentication yes in the config file /etc/ssh/sshd_config and change it like this:
PasswordAuthentication no
On Ubuntu add the line PasswordAuthentication no to file 10-my-sshd-settings.conf:
For instructions on enabling two-factor authentication via SSH, see here.
firewall
The firewall ensures that only the traffic on the ports that you directly allow will go to the server. This protects against exploitation of ports that are accidentally enabled with other services, which greatly reduces the attack surface.
Before installing a firewall, you need to make sure that SSH is included in the exclusion list and will not be blocked. Otherwise, after starting the firewall, we will not be able to connect to the server.
Ubuntu distribution comes with Uncomplicated Firewall (ufw), and with CentOS/Red Hat - firewalld.
Service Fail2Ban analyzes logs on the server and counts the number of access attempts from each IP address. The settings specify the rules for how many access attempts are allowed for a certain interval - after which this IP address is blocked for a specified period of time. For example, let's allow 5 failed SSH authentication attempts within 2 hours, then block the given IP address for 12 hours.
In addition to SSH, Fail2Ban can protect other services on the nginx or Apache web server.
Automatic security updates
As you know, new vulnerabilities are constantly found in all programs. After the information is published, exploits are added to popular exploit packs, which are massively used by hackers and teenagers when scanning all servers in a row. Therefore, it is very important to install security updates as soon as they appear.
On the Ubuntu server, automatic security updates are enabled by default, so no further action is required.
On CentOS/Red Hat you need to install the application dnf-automatic and turn on the timer:
SSH was developed in 1995 to replace telnet (port 23) and ftp (port 21), so the author of the program, Tatu Iltonen selected port 22 by default, and has been approved by IANA.
Naturally, all attackers are aware of which port SSH is running on - and scan it along with the rest of the standard ports to find out the software version, to check standard root passwords, and so on.
Changing standard ports - obfuscation - several times reduces the amount of garbage traffic, the size of the logs and the load on the server, and also reduces the attack surface. Although some criticize this method of "protection through obscurity" (security through obscurity). The reason is that this technique is opposed to the fundamental architectural protection. Therefore, for example, the US National Institute of Standards and Technology in "Server Security Guide" indicates the need for an open server architecture: “The security of a system should not rely on the secrecy of the implementation of its components,” the document says.
Theoretically, changing the default ports is against the practice of open architecture. But in practice, the amount of malicious traffic is actually reduced, so this is a simple and effective measure.
The port number can be configured by changing the directive Port 22 in the config file / Etc / ssh / sshd_config. It is also indicated by the parameter -p <port> в sshd. SSH client and programs sftp also support the option -p <port>.
Parameter -p <port> can be used to specify the port number when connecting with the command ssh in linux. IN sftp и scp parameter is used -P <port> (capital P). Command line instruction overrides any value in configuration files.
If there are many servers, almost all of these actions to protect the Linux server can be automated in a script. But if there is only one server, then it is better to manually control the process.
As advertising
Order and get started right away! Creation of VDS any configuration and with any operating system within a minute. The maximum configuration will allow you to come off to the fullest - 128 CPU cores, 512 GB RAM, 4000 GB NVMe. Epic 🙂