Securing a Linux Server
Deploying a new Droplet on Digital Ocean is pretty straightforward. At the moment I'm playing around with their cheap $5 option with Debian as the OS. While it's easy to deploy, it takes some work to ensure you maintain a secure server.
I'll go over some of the steps I take to boost security up front before and after it starts up.
1. SSH login: root
Before anything else we can ensure root is only accessible via SSH. We'll only need this until we are able to create our own user who will also be only accessible via SSH. If you haven't added your keys before you can add them now or select from the ones you have available.
Once the server spins up you should be able to log in using:
2. New User
Now that you are logged in, you don't want to continue using root as the default user. Not only is it bad practice to do so, but we instantly create a good habit of having to use sudo when a command needs elevated privileges.
To create a new user with no password and avoiding extra prompts we can run:
adduser --disabled-password --gecos 'UserName' username
Next we want to give this user sudo permissions by adding them to the sudo group:
usermod -a -G sudo username
Since we disabled password logins for this user when we created them we also need to add our ssh keys to the list of authorized keys for this user.
This means creating an .ssh folder for the user and copying the keys we authorized for root access.
mkdir /home/username/.ssh
cp /root/.ssh/authorized_keys /home/username/.ssh/authorized_keys
At this point you will now have a new sudo user that you can ssh into remotely using your key rather than a password. However, if you try to run sudo now with this user, you will be prompted for a password. Remember we disabled the password for the user so now we need to allow this user to issue sudo commands without any password.
We do that by editing the /etc/sudoers file with the visudo command. The reason for using visudo is that it checks the syntax of the file before any edits are saved. Once you have that file open with visudo you can add your newly created user to the bottom of the file with the following rule:
username ALL=(ALL) NOPASSWD:ALL
3. Secure SSH logins
Now we have two accounts that we can log in to remotely using ssh and our keys rather than passwords. The second account we created is also able to use sudo, so there is little reason to leave the root account accessible remotely. This means I want to disable root as a login option via SSH. I'll still have access to it via the new user account I created, but at least it's somewhat hidden now.
To do this I'll edit the /etc/ssh/sshd_config file using vim to set the following options:
PasswordAuthentication no
PermitRootLogin no
I'll also restrict SSH to IPv4:
After the above two changes you will be unable to log into root using:
Instead you can ssh into your new user and then switch to root (only if needed) from there like so:
ssh username@<droplet-ip>
sudo su -
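A check for the two options set in this step, added here as an example and not part of the original post: sshd uses the first value it reads for each keyword, so a line appended below an earlier PermitRootLogin yes has no effect. The function names and the sample config are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): check an sshd_config-style file
# for the two settings from step 3. It does not follow Include directives;
# on a live server `sudo sshd -T` prints the configuration sshd really uses.

# Print the global value of keyword $2 in file $1 (empty output if unset).
sshd_option() {
    awk -F'[ \t=]+' -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/^[ \t]+/, "") }                  # drop indentation, re-split fields
        NF == 0 || $1 ~ /^#/ { next }           # skip blank lines and comments
        tolower($1) == "match" { exit }         # conditional blocks: stop here
        tolower($1) == want { print $2; exit }  # sshd keeps the FIRST value
    ' "$1"
}

# Return 0 only when both options are effectively "no". When a keyword is
# absent, the OpenSSH defaults apply: PasswordAuthentication yes and
# PermitRootLogin prohibit-password.
audit_sshd() {
    rc=0
    for pair in PasswordAuthentication:yes PermitRootLogin:prohibit-password; do
        key=${pair%%:*}
        val=$(sshd_option "$1" "$key")
        [ -n "$val" ] || val="${pair#*:} (default)"
        if [ "$val" = "no" ]; then
            echo "OK   $key no"
        else
            echo "FAIL $key $val"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: "PermitRootLogin no" was appended at the bottom, but an
# earlier "PermitRootLogin yes" is the value sshd would actually use.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not a real server's configuration
Port 22
PermitRootLogin yes
PasswordAuthentication no
PermitRootLogin no
EOF
audit_sshd "$sample" || echo "hardening incomplete: $sample"
rm -f "$sample"
```

Run it as audit_sshd /etc/ssh/sshd_config after editing, and keep the existing root session open until a fresh login as the new user has succeeded.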
4. Install Updates
Now that we have our first non-root user set up we can go ahead and update and install any other software such as firewalls to help secure our server further.
sudo apt update && sudo apt upgrade -y
5. Install Firewall
sudo apt install ufw
sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https
sudo ufw enable
sudo ufw status
6. Install Fail2Ban
This allows you to detect automated attacks in order to avoid things like DDoS. This is accomplished by blocking an attacker's IP with our firewall.
sudo apt install fail2ban -y
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo service fail2ban restart
If you ever want to see the list of banned IP addresses you can issue the following command:
sudo fail2ban-client status ssh