====== Systems - Secure Server ======

==== ssh into server ====
<code bash>
ssh root@192.168.1.x
</code>

==== Update ====
<code bash>
apt update
apt dist-upgrade
</code>

==== Allow auto updates ====
<code bash>
apt install unattended-upgrades
dpkg-reconfigure --priority-low unattended-upgrades
</code>
**NOTE:** Select Yes.

==== Add a non-root user ====
<code bash>
adduser peter
</code>

==== Add non-root user to sudo group ====
<code bash>
usermod -aG sudo peter
</code>

==== Logout of root account ====
<code bash>
logout
</code>

==== Login with non-root account ====
Login using the peter user.

===== Stop using passwords =====

==== Create authentication key pair ====
**NOTE:**
  * public key: Like a padlock.
  * private key: Like a key.

On the server, as peter, create the .ssh directory, then log out:
<code bash>
mkdir ~/.ssh && chmod 700 ~/.ssh
logout
</code>

Create the public & private key on a separate PC:
<code bash>
ssh-keygen -b 4096
</code>
**NOTE:** The 4096 is the key size in bits. Bigger is better!
  * No passphrase.
  * enter
  * enter

==== Check the Key ====
<code bash>
cd ~/.ssh
ls
</code>
**NOTE:**
  * id_rsa: Private key.
  * id_rsa.pub: Public key.

----
==== Upload public key to server ====
<code bash>
# Alternative (overwrites any existing authorized_keys on the server):
#scp ~/.ssh/id_rsa.pub peter@192.168.1.x:~/.ssh/authorized_keys
ssh-copy-id peter@192.168.1.x
</code>
**NOTE:** This will create an authorized_keys file in .ssh on the server (ssh-copy-id appends the public key to it).
----
==== Test logging into the Server ====
Try to log into the server:
  * It should let you in without asking for a password.
  * It is using the keys.

----
==== Lockdown usage of passwords ====
Passwords still work. To stop this, edit the sshd configuration on the server:
<code bash>
ssh peter@192.168.1.x
sudo vi /etc/ssh/sshd_config
</code>
Change these settings:
  * Port: change from 22 to 717.
  * AddressFamily: change to inet, to only allow IPv4.
  * PermitRootLogin: change to no.
  * PasswordAuthentication: change from yes to no.
The resulting lines in the file:
<file bash /etc/ssh/sshd_config>
Port 717
AddressFamily inet
PermitRootLogin no
PasswordAuthentication no
</file>

----
==== Restart ssh service ====
<code bash>
sudo systemctl restart sshd
</code>

==== Test ====
Do not log out; the existing session stays usable if the new settings lock you out. Open a new terminal window:
<code bash>
ssh peter@192.168.1.x
</code>
**NOTE:** This should not work.
<code bash>
ssh peter@192.168.1.x -p 717
</code>
**NOTE:** This should work, as the port was changed in the config file.
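As an added example (not part of the original page), a small bash audit that reads an sshd_config and reports which of the four settings above are not at the values this page sets. It assumes sshd's first-match semantics for keywords, ignores Match blocks, and uses constructed sample configs rather than a real server's file.

```shell
#!/usr/bin/env bash
# Added example, not from the original wiki page: audit an sshd_config for
# the four settings this page changes. Expected values are the page's own.

# Print the active value of KEYWORD in FILE. sshd uses the first uncommented
# occurrence, so the first match wins; Match blocks are not handled here.
sshd_option() {
  awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Report every deviation from the hardened values; returns 0 when all four
# match, 1 otherwise. An empty value means the keyword is still commented out,
# so sshd's default applies (PasswordAuthentication defaults to yes): a finding.
audit_sshd_config() {
  a_file=$1; a_rc=0
  for a_pair in Port=717 AddressFamily=inet PermitRootLogin=no \
                PasswordAuthentication=no; do
    a_key=${a_pair%%=*}
    a_want=${a_pair#*=}
    a_got=$(sshd_option "$a_file" "$a_key")
    if [ "$a_got" != "$a_want" ]; then
      printf '%s: expected %s, found %s\n' "$a_key" "$a_want" "${a_got:-<default>}"
      a_rc=1
    fi
  done
  return "$a_rc"
}

# Write two constructed sample configs (not copied from a real server):
# $1 = Debian-style defaults, all commented out; $2 = hardened per this page.
make_sample_configs() {
  cat > "$1" <<'EOF'
#Port 22
#AddressFamily any
#PermitRootLogin prohibit-password
#PasswordAuthentication yes
EOF
  cat > "$2" <<'EOF'
Port 717
AddressFamily inet
PermitRootLogin no
PasswordAuthentication no
EOF
}

# Stand-alone demo: the default config yields four findings, the hardened none.
tmp=$(mktemp -d); make_sample_configs "$tmp/default" "$tmp/hardened"
audit_sshd_config "$tmp/default" || echo "default config: needs hardening"
audit_sshd_config "$tmp/hardened" && echo "hardened config: OK"
rm -r "$tmp"
```

On a real server run it as `audit_sshd_config /etc/ssh/sshd_config` before restarting sshd, so a typo in the config is caught while the password login still works.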
----
===== Firewall =====

==== Check ports ====
<code bash>
sudo ss -tulpn
</code>

----
==== Install UFW ====
<code bash>
sudo apt install ufw
sudo ufw status
</code>

----
==== Allow SSH Access ====
Allow the new SSH port before enabling the firewall, or you will be locked out:
<code bash>
sudo ufw allow 717
sudo ufw status
</code>

----
==== Enable Firewall ====
<code bash>
sudo ufw enable
</code>
**NOTE:** Press y.

----
==== Check Firewall Status ====
<code bash>
sudo ufw status
</code>

----
==== Test that the firewall allows access ====
Open a new terminal window:
<code bash>
ssh peter@192.168.1.x -p 717
</code>
**NOTE:** This should work.

----
==== Allow other Firewall ports ====
<code bash>
sudo ufw allow 80/tcp
</code>

----
==== Stop Pings ====
<code bash>
sudo vi /etc/ufw/before.rules
</code>
Add a new line above this line:
<file bash /etc/ufw/before.rules>
# ok icmp codes for INPUT
</file>
The line to add (it must sit before the existing echo-request ACCEPT rule, because the first matching rule wins):
<code bash>
-A ufw-before-input -p icmp --icmp-type echo-request -j DROP
</code>
Then reload the firewall:
<code bash>
sudo ufw reload
</code>

----
===== Reboot =====
<code bash>
sudo reboot
</code>
**NOTE:** Test pinging the machine; it should no longer reply.