Setup & Harden a Linux Server

ssh into the box …

ssh root@192.0.0.1

system updates …

Debian based systems

apt update && apt upgrade

Fedora

sudo dnf upgrade

you are probably going to want a decent editor

## fedora ##
dnf install -y neovim
# or
dnf install -y helix

## debian based ##
sudo apt install -y neovim
# or
add-apt-repository ppa:maveonair/helix-editor
apt update
apt install -y helix

set hosts

edit /etc/hostname, or:

hostnamectl set-hostname my-host-name

then edit /etc/hosts so the public IP resolves to the FQDN (fully qualified domain name) and the short hostname

for IPv4:

127.0.0.1	localhost.localdomain localhost
203.0.113.10	example-hostname.example.com example-hostname

and if the box also has an IPv6 address, the same file with the IPv6 loopback and public address added:

127.0.0.1	localhost.localdomain localhost
::1	localhost.localdomain localhost
203.0.113.10	example-hostname.example.com example-hostname
2600:3c01::a123:b456:c789:d012	example-hostname.example.com example-hostname

add a limited user account

## --create-home matters on debian based systems, where useradd does not make a home dir by default ##
useradd --create-home --shell /bin/bash example_user
passwd example_user

## the admin group is wheel on fedora/rhel and sudo on debian based systems. ##
## usermod fails outright if a named group does not exist, so add only the one your distro has ##
usermod --append --groups wheel example_user
# or, debian based:
usermod --append --groups sudo example_user

get rid of password prompts for sudo

this is a convenience, not a hardening step: with NOPASSWD any shell as this user is a root shell, so it only makes sense once ssh is key-only (below)

export VISUAL=nvim
# or export VISUAL=hx
# ...
visudo

visudo checks the syntax before it saves. editing /etc/sudoers directly skips that check, and one typo locks you out of sudo, which on a box with root login disabled means rebuilding it

add:

%wheel ALL = (ALL) NOPASSWD:ALL

(%sudo instead of %wheel on debian based systems; a drop-in file under /etc/sudoers.d/ does the same job and is not touched by package upgrades)
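the user and sudo steps above as one script. this is an added example, not code from the original page: it reads the admin group from /etc/os-release, creates the user, and installs the NOPASSWD rule as a drop-in under /etc/sudoers.d/ only after visudo -cf accepts it, so a typo cannot lock you out. the function names, the drop-in file name 90-admin-group and the distro-to-group mapping are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. Creates the admin user and a
# validated sudoers drop-in instead of hand-editing /etc/sudoers.
# Assumptions: /etc/os-release exists; the admin group is "wheel" on the
# Fedora/RHEL family and "sudo" on the Debian/Ubuntu family.

# Print the admin group for the distro described by an os-release file.
admin_group_for() {
    osrel=${1:-/etc/os-release}
    ids=$(
        . "$osrel" 2>/dev/null
        printf '%s %s' "${ID:-}" "${ID_LIKE:-}"
    )
    case " $ids " in
        *" debian "*|*" ubuntu "*)             echo sudo ;;
        *" fedora "*|*" rhel "*|*" centos "*)  echo wheel ;;
        *) echo "unknown distro in $osrel" >&2; return 1 ;;
    esac
}

# Print the sudoers rule for the admin group. Pass NOPASSWD as the second
# argument to drop the password prompt (a shell as that user is then root).
sudoers_rule() {
    group=$1
    if [ "${2:-}" = NOPASSWD ]; then
        printf '%%%s ALL=(ALL:ALL) NOPASSWD:ALL\n' "$group"
    else
        printf '%%%s ALL=(ALL:ALL) ALL\n' "$group"
    fi
}

# Write the rule to a temp file, let visudo check it, then install it with
# the mode sudo insists on (0440). The file name is this example's choice.
install_sudoers_dropin() {
    group=$1; mode=${2:-}
    tmp=$(mktemp) || return 1
    sudoers_rule "$group" "$mode" > "$tmp"
    if ! visudo -cf "$tmp"; then
        echo "refusing to install a sudoers file visudo rejects" >&2
        rm -f "$tmp"; return 1
    fi
    install -o root -g root -m 0440 "$tmp" /etc/sudoers.d/90-admin-group
    rm -f "$tmp"
}

# Whole procedure: user, password, group, sudo rule. Run as root.
create_admin_user() {
    user=$1
    group=$(admin_group_for) || return 1
    useradd --create-home --shell /bin/bash "$user"
    passwd "$user"
    usermod --append --groups "$group" "$user"
    install_sudoers_dropin "$group" NOPASSWD
}

# usage:  ./setup-admin.sh create example_user
if [ "${1:-}" = create ] && [ -n "${2:-}" ]; then
    create_admin_user "$2"
fi
```

/etc/sudoers.d is included by the stock sudoers on both families; file names there must not contain a dot. rockylinux and friends resolve to wheel through ID_LIKE, which is why the script looks at both fields.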

logout/login as new user

exit

and then

ssh example_user@example-hostname.example.com

Harden SSH access

grant access to the new limited user

if you don't already have an ssh key, generate one on your local machine:

ssh-keygen -t ed25519 -C "user@domain.tld"

then on the server, logged in as the new user, make sure the directory exists:

mkdir -p ~/.ssh

upload your public key - from your local system run

Linux:

ssh-copy-id example_user@203.0.113.10

macOS:

install ssh-copy-id from homebrew then as above, or:

scp ~/.ssh/id_ed25519.pub example_user@203.0.113.10:/home/example_user/.ssh/authorized_keys

Windows:

scp C:\Users\MyUserName\.ssh\id_ed25519.pub example_user@203.0.113.10:~/.ssh/authorized_keys

(the file is id_ed25519.pub for the key generated above; id_rsa.pub only if you are reusing an older RSA key. scp replaces any existing authorized_keys, so if that file already holds keys append to it instead)

check permissions on the ssh directory and the key file; with StrictModes (the default) sshd ignores keys in a group- or world-writable directory or file:

chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

if you created the directory while still root, chown it to the new user as well

disallow root login via ssh

in /etc/ssh/sshd_config:

# Authentication:
...
PermitRootLogin no

disable password authentication

same /etc/ssh/sshd_config file:

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no

with UsePAM yes (the default on both families) PAM can still prompt for a password through keyboard-interactive, so also set KbdInteractiveAuthentication no (ChallengeResponseAuthentication no on OpenSSH older than 8.7)

restart ssh daemon

before restarting, check the file parses (sshd -t) and check the effective values (sshd -T): debian and ubuntu read /etc/ssh/sshd_config.d/*.conf ahead of the main file, and a drop-in there (some cloud images ship one setting PasswordAuthentication yes) wins over your edit. keep your current session open until a fresh key-based login works

systemctl restart ssh
# the unit is sshd on fedora/rhel
# on non-systemd, use: service sshd restart
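the key install and the sshd edits above as one script. this is an added example, not code from the original page: authorize_key appends a key only if it is not already in authorized_keys and sets the modes sshd wants, set_sshd_option rewrites a directive in place (whether active or commented out) or appends it, and apply_sshd_hardening refuses to restart unless sshd -t passes. it does not understand Match blocks, so always read the result back with sshd -T. the function names and the sample config in the usage comment are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page. Installs a public key
# idempotently, sets the sshd hardening directives, validates, restarts.
# Assumes GNU sed (-i) and a systemd unit named ssh (Debian) or sshd (Fedora).

# Append a public key to HOME/.ssh/authorized_keys unless already present,
# with the permissions StrictModes requires.
authorize_key() {
    home=$1; pubkey=$2
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
    if ! grep -qxF "$pubkey" "$home/.ssh/authorized_keys"; then
        printf '%s\n' "$pubkey" >> "$home/.ssh/authorized_keys"
    fi
}

# Set one directive: rewrite an existing active or commented-out line,
# otherwise append. Does not know about Match blocks (check with sshd -T).
set_sshd_option() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key[[:space:]]" "$file"; then
        sed -E -i "s|^[[:space:]]*#?[[:space:]]*$key[[:space:]].*|$key $value|" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# First active value of a directive ("" if none). sshd keeps the first
# value it sees, so that is the one that counts.
sshd_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

harden_sshd_config() {
    file=${1:-/etc/ssh/sshd_config}
    set_sshd_option "$file" PermitRootLogin no
    set_sshd_option "$file" PasswordAuthentication no
    # PAM can still ask for a password over keyboard-interactive without this
    set_sshd_option "$file" KbdInteractiveAuthentication no
    set_sshd_option "$file" PubkeyAuthentication yes
}

# Validate and restart. Run from a session you keep open until a fresh key
# login works. sshd -t needs root because it reads the host keys.
apply_sshd_hardening() {
    harden_sshd_config /etc/ssh/sshd_config
    sshd -t || { echo "sshd config invalid, not restarting" >&2; return 1; }
    # Debian/Ubuntu include /etc/ssh/sshd_config.d/*.conf first, so a
    # drop-in there can override the file just edited; show what is in force.
    sshd -T | grep -iE '^(permitrootlogin|passwordauthentication|kbdinteractiveauthentication) '
    systemctl restart ssh 2>/dev/null || systemctl restart sshd
}

# usage (as root):  ./harden-ssh.sh apply
if [ "${1:-}" = apply ]; then
    apply_sshd_hardening
fi
```

if sshd -T still reports passwordauthentication yes after this, a file under /etc/ssh/sshd_config.d/ is overriding you; fix it there rather than in the main file.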

fail2ban

ban IP addresses that make repeated failed authentication requests

apt install -y fail2ban
# fedora:
dnf install -y fail2ban

configure it

.local files override the packaged .conf files, and .conf is what gets replaced on upgrade, so changes go in .local. copying the whole file works, but a jail.local that holds only the settings you change is easier to review:

cd /etc/fail2ban
cp fail2ban.conf fail2ban.local
cp jail.conf jail.local

jail.local: on CentOS or Fedora change backend from auto to systemd so fail2ban reads the journal (the Fedora package may already do this through jail.d/00-systemd.conf). the same is needed on Debian 12 without rsyslog, where /var/log/auth.log does not exist:

backend = systemd

and make sure the sshd jail is actually on: jail.conf ships every jail disabled, so jail.local needs enabled = true under [sshd] (debian turns it on through jail.d/defaults-debian.conf)

enable it

systemctl enable --now fail2ban

fail2ban-client status sshd then shows whether the jail is running and what it has banned
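a jail.local that holds only overrides, plus a quick look at what the sshd jail would ban, run over constructed sshd log lines. this is an added example, not from the original page or the fail2ban project: the thresholds, the admin subnet 203.0.113.0/24 and the log lines are this example's assumptions, and ssh_offenders mirrors the idea of the sshd filter rather than its full set of regexes.

```shell
#!/bin/sh
# Added example, not from the original page. Writes a minimal jail.local
# and counts failed sshd logins per source, the way the sshd jail does.

# Write jail.local. ignoreip keeps your own admin network from being banned
# when you mistype a passphrase; the extra argument is that network.
write_jail_local() {
    dest=$1; ignore=${2:-}
    cat > "$dest" <<EOF
[DEFAULT]
backend = systemd
bantime = 1h
findtime = 10m
maxretry = 5
ignoreip = 127.0.0.1/8 ::1 $ignore

[sshd]
enabled = true
EOF
}

# Constructed sshd journal lines for the demo (not real traffic).
sample_sshd_log() {
    cat <<'EOF'
Mar 12 10:01:02 example-hostname sshd[1234]: Failed password for invalid user admin from 198.51.100.23 port 51234 ssh2
Mar 12 10:01:05 example-hostname sshd[1235]: Failed password for root from 198.51.100.23 port 51240 ssh2
Mar 12 10:01:07 example-hostname sshd[1236]: Accepted publickey for example_user from 203.0.113.7 port 40000 ssh2: ED25519 SHA256:constructed
Mar 12 10:01:09 example-hostname sshd[1237]: Invalid user oracle from 198.51.100.23 port 51250
Mar 12 10:01:11 example-hostname sshd[1238]: Failed password for invalid user test from 198.51.100.23 port 51260 ssh2
Mar 12 10:01:13 example-hostname sshd[1239]: Failed password for example_user from 203.0.113.7 port 40010 ssh2
Mar 12 10:01:15 example-hostname sshd[1240]: Connection closed by authenticating user root 198.51.100.23 port 51270 [preauth]
EOF
}

# Print "count ip" for every source with at least MAXRETRY failures,
# reading sshd log lines on stdin. Two of the sshd filter's patterns only.
ssh_offenders() {
    maxretry=${1:-5}
    awk -v max="$maxretry" '
        /Failed password for|Invalid user/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i+1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= max) print fails[ip], ip }
    ' | sort -rn
}

# usage:
#   write_jail_local /etc/fail2ban/jail.local 203.0.113.0/24
#   fail2ban-client -t && systemctl restart fail2ban
#   journalctl -u ssh | ssh_offenders 3        # unit is sshd on fedora
if [ "${1:-}" = demo ]; then
    sample_sshd_log | ssh_offenders 3
fi
```

with maxretry 3 the demo lines flag 198.51.100.23 (four failures in a few seconds) and not the admin host, which failed once and then logged in with a key; with the jail.local's maxretry 5 nobody is banned yet, which is the point of findtime: the counter only covers the last 10 minutes.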

firewall

apt install -y ufw
# fedora ships firewalld by default; ufw is in the repos if you prefer it: dnf install -y ufw

CLI config

ufw's defaults already deny incoming and allow outgoing (see /etc/default/ufw), so you only open what the box serves. add the ssh rule first: enabling the firewall with no ssh rule cuts your session

ufw allow ssh
ufw deny 25
ufw allow http/tcp
ufw allow https/tcp

(ufw allow 22, 80/tcp and 443/tcp are the same rules written by port number instead of service name. ufw limit ssh instead of allow ssh also drops a source that opens 6 or more connections in 30 seconds, a cheap brake on brute force)

more config

To allow connections from a single IP address:

sudo ufw allow from 198.51.100.5

To allow connections from a specific subnet:

sudo ufw allow from 198.51.100.0/24

To allow a specific IP address/port combination:

sudo ufw allow from 198.51.100.5 to any port 22 proto tcp

proto tcp can be dropped (then the rule covers both protocols) or switched to proto udp, and allow can be changed to deny as needed. rules are evaluated in order and the first match wins, so put specific deny rules before broad allows (ufw insert puts a rule at a given position).

Although simple rules can be added through the command line, there may be a time when more advanced or specific rules need to be added or removed. Before the rules entered on the command line, UFW runs a file, before.rules, that allows loopback, ping, and DHCP. To add to or alter these rules edit /etc/ufw/before.rules. A before6.rules file in the same directory does the same for IPv6.

after.rules and after6.rules also exist for anything that should apply after the command-line rules have been evaluated.

An additional configuration file is located at /etc/default/ufw. From there IPv6 can be disabled or enabled, the default policies can be set, and UFW can be told to manage the built-in firewall chains.

enable

ufw enable

it warns that this may disrupt existing ssh connections; that is fine as long as the ssh rule above is in. ufw status verbose afterwards shows the active policy and rules
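the firewall steps above as one function, in an order that cannot cut your session, with a dry-run switch so the rule list can be reviewed before it touches anything. this is an added example, not code from the original page: the admin subnet, the web ports and the function names are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. Applies a baseline ufw policy
# with the SSH rule in place before enable. DRY_RUN=1 prints instead of runs.

# Run ufw, or print the command when DRY_RUN=1.
ufw_cmd() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "ufw $*"
    else
        ufw "$@"
    fi
}

# Default-deny inbound, open only what the box serves. With an admin
# subnet given, SSH is reachable from that subnet only (only do this if
# your admin addresses are stable); otherwise SSH is open but rate-limited.
apply_baseline_rules() {
    admin_net=${1:-}
    ufw_cmd default deny incoming
    ufw_cmd default allow outgoing
    if [ -n "$admin_net" ]; then
        ufw_cmd allow from "$admin_net" to any port 22 proto tcp
    else
        # limit = allow, but a source opening 6+ connections in 30 s is dropped
        ufw_cmd limit 22/tcp
    fi
    ufw_cmd allow 80/tcp
    ufw_cmd allow 443/tcp
    # --force skips the "may disrupt existing ssh connections" prompt;
    # the SSH rule above is what makes that safe
    ufw_cmd --force enable
    ufw_cmd status verbose
}

# usage (as root):
#   DRY_RUN=1 ./firewall.sh apply 203.0.113.0/24    # review the rule list
#   ./firewall.sh apply 203.0.113.0/24              # apply it
if [ "${1:-}" = apply ]; then
    apply_baseline_rules "${2:-}"
fi
```

run it in dry-run mode first and read the list top to bottom: the rule that keeps your own session alive has to appear before the enable line, which is exactly what a hand-typed sequence tends to get wrong.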

intrusion detection - OSSEC

Remove unused network-facing services

determine what is listening

sudo ss -atpu

or sudo ss -tulpn to see only listening sockets with numeric ports, which is usually the view you want

where

-a: all sockets, listening and non-listening (established connections too)
-t: TCP sockets
-p: show the owning process (needs root to see other users' processes)
-u: UDP sockets
-l: listening sockets only
-n: numeric ports instead of service-name lookups

anything bound to 0.0.0.0, [::] or * is reachable from the network; 127.0.0.1 and ::1 bindings are local only. disable what you do not need with systemctl disable --now on its unit
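a filter that splits network-facing listeners from loopback-only ones in ss output, which is the question the step above is really asking. this is an added example, not code from the original page: the sample ss output is constructed, not captured from a real host, and the function name is this example's own.

```shell
#!/bin/sh
# Added example, not from the original page. Shows which sockets in
# `ss -tulpn` output an attacker on the network can actually reach.

# Constructed `ss -tulpnH` output for the demo (not from a real host).
sample_ss_output() {
    cat <<'EOF'
udp   UNCONN 0      0        127.0.0.53%lo:53        0.0.0.0:*    users:(("systemd-resolve",pid=512,fd=13))
tcp   LISTEN 0      128            0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=801,fd=3))
tcp   LISTEN 0      511          127.0.0.1:6379      0.0.0.0:*    users:(("redis-server",pid=902,fd=6))
tcp   LISTEN 0      128               [::]:22           [::]:*    users:(("sshd",pid=801,fd=4))
tcp   LISTEN 0      4096                 *:9100           *:*    users:(("node_exporter",pid=1203,fd=3))
tcp   LISTEN 0      80           127.0.0.1:3306      0.0.0.0:*    users:(("mariadbd",pid=1410,fd=21))
EOF
}

# Read `ss -tulpnH` lines on stdin; print "proto local-address process"
# for every socket bound to something other than a loopback address.
exposed_listeners() {
    awk '{
        addr = $5
        # loopback-only bindings are not reachable from the network
        if (addr ~ /^(127\.|\[::1\]|\[::ffff:127\.)/) next
        name = "-"   # ss omits the process column unless run as root
        if (match($0, /users:\(\("[^"]+"/)) name = substr($0, RSTART + 9, RLENGTH - 10)
        print $1, addr, name
    }'
}

# usage:  sudo ss -tulpnH | exposed_listeners
# for anything you do not recognise:  systemctl disable --now <unit>
if [ "${1:-}" = live ]; then
    ss -tulpnH | exposed_listeners
else
    sample_ss_output | exposed_listeners
fi
```

on the sample data only sshd (v4 and v6) and node_exporter on 9100 show up; redis and mariadb are bound to 127.0.0.1 and stay out of the list. a service that must stay up but has no business being public is best fixed at the bind address, not just at the firewall.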