Securing a Linux Server


Deploying a new Droplet on DigitalOcean is pretty straightforward. At the moment I'm playing around with their cheap $5 option with Debian as the OS. While it's easy to deploy, it takes some work to ensure you end up with, and keep, a secure server.

I'll go over some of the steps I take to boost security up front, both before and after the server starts up.

1. SSH login: root

Before anything else we can ensure root is only accessible via SSH using our keys. We'll only need root until we have created our own user, who will likewise be reachable only via SSH. If you haven't added your keys before, you can add them now or select from the ones you already have available.

Once the server spins up you should be able to login using:

ssh root@<droplet-IP>

2. New User

Now that you are logged in, you don't want to continue using root as the default user. Not only is it bad practice to do so, but by switching we instantly build the good habit of having to use sudo when a command needs elevated privileges.

To create a new user with no password, and to avoid the extra prompts, we can run:

adduser --disabled-password --gecos 'UserName' username

Next we want to give this user sudo permissions by adding them to the sudo group:

usermod -a -G sudo username

Since we disabled password logins for this user when we created them, we also need to add our SSH keys to the list of authorized keys for this user.

This means creating a .ssh folder for the user, copying the keys we authorized for root access, and making the new user the owner of both, because sshd opens the file as that user.

mkdir /home/username/.ssh
cp /root/.ssh/authorized_keys /home/username/.ssh/authorized_keys
chown -R username:username /home/username/.ssh
chmod 700 /home/username/.ssh && chmod 600 /home/username/.ssh/authorized_keys

At this point you have a new sudo user that you can SSH into remotely using your key rather than a password. However, if you try to run sudo as this user, you will be prompted for a password. Remember that we disabled the password for the user, so now we need to allow this user to issue sudo commands without one.

We do that by editing the /etc/sudoers file with the visudo command. The reason for using visudo is that it checks the syntax of the file before any edits are saved, so a typo can't break sudo for everyone. Once you have the file open with visudo you can add your newly created user at the bottom of the file with the following rule:

username ALL=(ALL) NOPASSWD:ALL

3. Secure SSH logins

Now we have two accounts that we can log in to remotely using SSH and our keys rather than passwords. The second account we created is also able to use sudo, so there is little reason to leave the root account accessible remotely. This means I want to disable root as a login option via SSH. I'll still have access to it via the new user account I created, but at least it's somewhat hidden now.

To do this I'll edit the /etc/ssh/sshd_config file using vim to set the following options:

PasswordAuthentication no
PermitRootLogin no

I'll also restrict SSH to IPv4:

AddressFamily inet

Once the above changes are in effect you will be unable to log into root using:

ssh root@<droplet-ip>

Instead you can SSH in as your new user and then switch to root (only if needed) from there, like so:

ssh username@<droplet-ip>
sudo su -
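
As an added example (not part of the original post), here is a small POSIX shell script that applies the three sshd_config settings from this step without hand-editing, leaves any Match block alone, and reads back the effective value so you can confirm the change; the settings only take effect once sshd reloads the file, which sshd_apply does after a syntax check. The function names, the constructed sample config and the Debian service name ssh are my assumptions.

```shell
# Added example, not from the original post: idempotently apply the step 3 sshd_config
# directives and read the effective value back. Assumes POSIX sh, awk and mktemp.

# sshd_set_option FILE KEY VALUE: rewrite the first global "KEY ..." line (commented
# out or not) as "KEY VALUE"; if absent, insert before the first Match block or append.
# sshd honours the first occurrence of a directive, so that position always wins.
sshd_set_option() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v value="$value" '
        tolower($1) == "match" && !in_match { in_match = 1; if (!done) { print key " " value; done = 1 } }
        !in_match && !done {
            line = $0; sub(/^[ \t]*#?[ \t]*/, "", line)   # drop indent and comment marker
            split(line, f, "[ \t=]+")
            if (tolower(f[1]) == tolower(key)) { print key " " value; done = 1; next }
        }
        { print }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"; rc=$?   # cat keeps owner and mode
    rm -f "$tmp"; return $rc
}

# sshd_effective_value FILE KEY: first active global value, or "(default)" if unset.
sshd_effective_value() {
    awk -v key="$2" '
        tolower($1) == "match" { exit }          # Match blocks are conditional, stop here
        /^[ \t]*#/ || NF == 0 { next }           # skip comments and blank lines
        { line = $0; sub(/^[ \t]*/, "", line); split(line, f, "[ \t=]+")
          if (tolower(f[1]) == tolower(key)) { print f[2]; found = 1; exit } }
        END { if (!found) print "(default)" }
    ' "$1"
}

# The three settings from step 3, applied in one go.
harden_sshd_config() {
    sshd_set_option "$1" PasswordAuthentication no &&
    sshd_set_option "$1" PermitRootLogin no &&
    sshd_set_option "$1" AddressFamily inet
}

# For the real file: syntax-check, then reload (Debian's service is "ssh"). Not run here.
sshd_apply() { sshd -t -f "$1" && systemctl reload ssh; }
# Constructed sample (Debian-style): defaults commented out, plus a Match block to leave alone.
make_sample_config() {
    f=$(mktemp) || return 1
    printf '%s\n' '#PermitRootLogin prohibit-password' '#PasswordAuthentication yes' \
        'UsePAM yes' 'Match User backup' '    PasswordAuthentication yes' > "$f"
    echo "$f"
}
```

Run harden_sshd_config against a copy of the live file first and diff it, then point sshd_apply at the real one.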

4. Install Updates

Now that we have our first non-root user set up, we can go ahead and update the system and install any other software, such as a firewall, to help secure our server further.

sudo apt update && sudo apt upgrade -y

5. Install Firewall

sudo apt install ufw
sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https

sudo ufw enable
sudo ufw status

6. Install Fail2Ban

Fail2Ban scans the logs for automated attacks such as repeated failed logins, so we can fend off things like DDoS. It does this by blocking the attacker's IP with our firewall.

sudo apt install fail2ban -y
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo service fail2ban restart

If you ever want to see the list of banned IP addresses you can issue the following command (sudo fail2ban-client status on its own lists the active jails; on current Fail2Ban releases the SSH jail is named sshd):

sudo fail2ban-client status ssh