====== Systems - Secure Server ======

===== ssh into server =====
<code bash>
ssh root@192.168.1.x
</code>
----
==== Update ====
<code bash>
apt update
apt dist-upgrade
</code>
----
==== Allow auto updates ====
<code bash>
apt install unattended-upgrades
dpkg-reconfigure --priority-low unattended-upgrades
</code>
**NOTE:** Select Yes.
----
==== Add a non-root user ====
<code bash>
adduser peter
</code>
----
==== Add non-root user to sudo group ====
<code bash>
usermod -aG sudo peter
</code>
----
==== Logout of root account ====
<code bash>
logout
</code>
----
==== Login with non-root account ====
Login using the peter user account.
===== Stop using passwords =====
==== Create authentication key pair ====
**NOTE:**
  * public key: Like a padlock.
  * private key: Like a key.
On the server, as peter, create the directory that will hold the public key:
<code bash>
mkdir ~/.ssh && chmod 700 ~/.ssh
</code>
----
==== Logout ====
<code bash>
logout
</code>
----
==== Create public & private key on a separate PC ====
<code bash>
ssh-keygen -b 4096
</code>
**NOTE:** The 4096 is the key size in bits. Bigger is better!
  * No passphrase.
  * Press enter.
  * Press enter.
----
==== Check the Key ====
<code bash>
cd .ssh
ls
</code>
**NOTE:** This should display some files:
  * id_rsa: Private key.
  * id_rsa.pub: Public key.
Upload public key to server
#scp ~./ssh/id_rsa.pub peter@192.168.1.x:~/.ssh/authorized_keys ssh-copy-id peter@192.168.1.x
NOTE: This will create an authorized_keys file in .ssh on the server.
----
==== Test logging into the Server ====
Try to log into the server.
**NOTE:** This should allow access without asking for a password.
  * It is using the keys.
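If the server still asks for a password at this point, the usual cause is that sshd refused the key because ~/.ssh or authorized_keys is writable by group or others (the StrictModes check), and the client quietly fell back to password authentication. The script below is an added example, not part of the original page: it audits those permissions on a constructed demo layout. It assumes Linux with GNU coreutils (stat -c %a); the directory names and the placeholder key line are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the original page: audit the permissions sshd's
# StrictModes requires on ~/.ssh and authorized_keys. If either is writable
# by group or others, sshd ignores the key and the client silently falls
# back to asking for a password, which looks like "the keys don't work".
# Assumption: Linux with GNU coreutils (stat -c %a); paths are hypothetical.

# group_or_world_writable PATH: status 0 if group or others have write bits.
# The last two octal digits are the group and other permission sets;
# write is set when a digit is 2, 3, 6 or 7.
group_or_world_writable() {
    mode=$(stat -c %a "$1") || return 2
    case $mode in
        *[2367]?|*?[2367]) return 0 ;;
        *) return 1 ;;
    esac
}

# check_ssh_perms SSHDIR: print one line per problem; status 0 if all is well.
check_ssh_perms() {
    rc=0
    for p in "$1" "$1/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING  $p"
            rc=1
            continue
        fi
        if group_or_world_writable "$p"; then
            echo "WRITABLE $p (mode $(stat -c %a "$p")): sshd will ignore keys here"
            rc=1
        fi
    done
    return $rc
}

# Constructed demo layout (not a real account): one correct and one sloppy copy.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
for d in good bad; do
    mkdir -p "$demo/$d"
    # placeholder key line, not a real public key
    echo "ssh-rsa AAAA...PLACEHOLDER peter@laptop" > "$demo/$d/authorized_keys"
    chmod 700 "$demo/$d"
    chmod 600 "$demo/$d/authorized_keys"
done
chmod 775 "$demo/bad"        # group-writable directory: the classic mistake

check_ssh_perms "$demo/good" && echo "good: OK"
check_ssh_perms "$demo/bad"  || echo "bad: key login would fall back to password"
```

On a real server run it as `check_ssh_perms /home/peter/.ssh`; the fix for a WRITABLE line is the same chmod 700 / chmod 600 pair used above.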
----
==== Lockdown usage of passwords ====
Passwords still work. To stop this:
<code bash>
ssh peter@192.168.1.x
sudo vi /etc/ssh/sshd_config
</code>
**NOTE:** Make the following changes:
  * Port - change from 22 to 717
  * AddressFamily - set to inet to only allow IPv4.
  * PermitRootLogin - change to no
  * PasswordAuthentication - change from yes to no
In the stock file these lines are commented out with a leading #; remove the # as well as changing the value.
----
==== Restart ssh service ====
<code bash>
sudo systemctl restart sshd
</code>
----
==== Test ====
Do not log out. Open a new terminal window:
<code bash>
ssh peter@192.168.1.x
</code>
**NOTE:** This should not work.
<code bash>
ssh peter@192.168.1.x -p 717
</code>
**NOTE:** This should work, as the port was changed in the config file.
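The login test above proves the new port works, but not that password logins are really off. sshd takes the first value it reads for each keyword, so a "PasswordAuthentication no" added at the bottom of the file loses to an earlier "yes". The script below is an added example, not part of the original page: it audits an sshd_config for the four settings changed in this section using that first-value-wins rule. It assumes plain "Keyword value" lines with no Match blocks or Include files; the two sample configs are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original page: audit an sshd_config for the
# four settings changed above. sshd uses the FIRST value it reads for a
# keyword (man sshd_config), so a "PasswordAuthentication no" appended at
# the bottom loses to an earlier "yes"; this check applies the same rule.
# Assumptions: plain "Keyword value" lines, no Match blocks or Include files.

# effective_value FILE KEYWORD: print the first active value of KEYWORD
# (commented lines start with "#", so their first field never matches).
effective_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# audit_sshd_config FILE: one line per failing setting; status 0 only if
# every setting matches what the guide requires.
audit_sshd_config() {
    rc=0
    for pair in Port=717 AddressFamily=inet PermitRootLogin=no PasswordAuthentication=no; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(effective_value "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL $key: want '$want', got '${got:-unset}'"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample files (not copied from a real server).
cfgdir=$(mktemp -d)
trap 'rm -rf "$cfgdir"' EXIT
cat > "$cfgdir/hardened" <<'EOF'
#Port 22
Port 717
AddressFamily inet
PermitRootLogin no
PasswordAuthentication no
EOF
cat > "$cfgdir/wrong_order" <<'EOF'
PasswordAuthentication yes
Port 717
AddressFamily inet
PermitRootLogin no
PasswordAuthentication no
EOF

audit_sshd_config "$cfgdir/hardened"    && echo "hardened: OK"
audit_sshd_config "$cfgdir/wrong_order" || echo "wrong_order: first value wins, passwords still accepted"
```

On the server itself, `sudo sshd -T | grep -iE '^(port|addressfamily|permitrootlogin|passwordauthentication) '` prints the values sshd will actually use, including anything pulled in through Include lines (recent Debian/Ubuntu releases include /etc/ssh/sshd_config.d/*.conf at the top of sshd_config, and a file there can override what you edited).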
===== Firewall =====
==== Check ports ====
<code bash>
sudo ss -tulpn
</code>
----
==== Install UFW ====
<code bash>
sudo apt install ufw
sudo ufw status
</code>
----
==== Allow SSH Access ====
Allow the SSH port before enabling the firewall, otherwise the current session is cut off.
<code bash>
sudo ufw allow 717
sudo ufw status
</code>
----
==== Enable Firewall ====
<code bash>
sudo ufw enable
</code>
**NOTE:** Press y.
----
==== Check Firewall Status ====
<code bash>
sudo ufw status
</code>
----
==== Test that the firewall allows access ====
Open a new terminal window:
<code bash>
ssh peter@192.168.1.x -p 717
</code>
**NOTE:** This should work.
----
==== Allow other Firewall ports ====
<code bash>
sudo ufw allow 80/tcp
</code>
----
==== Stop Pings ====
<code bash>
sudo vi /etc/ufw/before.rules
</code>
Add a new line above this:
<file bash /etc/ufw/before.rules>
# ok icmp codes for INPUT
</file>
<code bash>
-A ufw-before-input -p icmp --icmp-type echo-request -j DROP
</code>
It must come before the existing echo-request ACCEPT line, because iptables uses the first matching rule.
<code bash>
sudo ufw reload
</code>
----
===== Reboot =====
<code bash>
sudo reboot
</code>
**NOTE:** Test pinging the machine.
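The "Stop Pings" edit is easy to get wrong by hand: if the DROP line lands after the stock echo-request ACCEPT, or gets pasted twice, pings keep working. The script below is an added example, not part of the original page: it inserts the DROP rule above the marker line idempotently and then checks that the DROP precedes every echo-request ACCEPT. The before.rules content it edits is a constructed excerpt in the shape of the stock ufw file, not a copy of a real one.

```shell
#!/bin/sh
# Added example, not from the original page: insert the echo-request DROP
# rule from the "Stop Pings" step above the "# ok icmp codes for INPUT"
# marker in a before.rules file, idempotently, then verify it comes before
# the stock echo-request ACCEPT (iptables stops at the first matching rule,
# so a DROP placed after the ACCEPT never fires).
# Assumption: the sample below is a constructed excerpt of /etc/ufw/before.rules.

MARKER='# ok icmp codes for INPUT'
DROP_RULE='-A ufw-before-input -p icmp --icmp-type echo-request -j DROP'

# add_ping_drop FILE: put DROP_RULE on the line before MARKER, once.
add_ping_drop() {
    grep -qxF -e "$DROP_RULE" "$1" && return 0
    awk -v marker="$MARKER" -v rule="$DROP_RULE" '
        $0 == marker { print rule }
        { print }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# count_ping_drop FILE: number of DROP_RULE lines (prints 0 if none).
count_ping_drop() {
    grep -cxF -e "$DROP_RULE" "$1" || true
}

# ping_drop_effective FILE: status 0 if the DROP precedes every
# echo-request ACCEPT, i.e. pings will actually be dropped.
ping_drop_effective() {
    awk -v rule="$DROP_RULE" '
        $0 == rule { seen_drop = 1 }
        /--icmp-type echo-request -j ACCEPT/ && !seen_drop { exit 1 }
    ' "$1"
}

# Constructed excerpt in the shape of the stock file, not the real one.
rulesdir=$(mktemp -d)
trap 'rm -rf "$rulesdir"' EXIT
cat > "$rulesdir/before.rules" <<'EOF'
*filter
:ufw-before-input - [0:0]
# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
EOF

ping_drop_effective "$rulesdir/before.rules" || echo "before: pings answered"
add_ping_drop "$rulesdir/before.rules"
add_ping_drop "$rulesdir/before.rules"   # second run must not duplicate
echo "DROP lines: $(count_ping_drop "$rulesdir/before.rules")"
ping_drop_effective "$rulesdir/before.rules" && echo "after: pings dropped"
```

Against the real file, run `add_ping_drop /etc/ufw/before.rules` as root, then `sudo ufw reload` and ping the machine from another host, as the page's Reboot note says.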