Differences
digital:server:firstthings [2018/10/21 20:53]
natrius [UFW]
digital:server:firstthings [2018/11/16 13:10]
natrius [Check this]
Line 1: Line 1:
-====== First things to do ====== +First things to do
-First step after installing a new server. +
-  * https://www.digitalocean.com/community/tutorials/initial-server-setup-with-ubuntu-18-04 +
-  * https://www.thomas-krenn.com/de/wiki/Absicherung_eines_Debian_Servers +
-  * https://www.thomas-krenn.com/de/wiki/SSH_Login_unter_Debian_mit_fail2ban_absichern+
  
-===== New user ====+First steps after installing a new server to make sure nobody can capture it and use it in a way it was not intended. Make sure you work as fast and correct as possible until you reach ''_BREAKTIME_''. That should not consume too much time and then you can think about what you want to install afterwards. 
 + 
 +## New user
  
 Create new User Create new User
 +
     adduser sammy     adduser sammy
  
 Give sudo-rights Give sudo-rights
 +
     usermod -aG sudo sammy     usermod -aG sudo sammy
  
 Generate SSH key Generate SSH key
 +
     ssh-keygen     ssh-keygen
  
 Copy the public key to server Copy the public key to server
 +
     ssh-copy-id sammy@your_server_ip     ssh-copy-id sammy@your_server_ip
  
-===== test login =====+## test login 
     ssh sammy@serverip -p PORT     ssh sammy@serverip -p PORT
  
-===== Configure SSH ===== +## Configure SSH 
-### disable root login+ 
 +### Disable root login 
     sudo nano /etc/ssh/sshd_config     sudo nano /etc/ssh/sshd_config
  
-    PermitRootLogin no+''PermitRootLogin no''
  
-### disable password login +### Disable password login 
-    ChallengeResponseAuthentication no+ 
 +    sudo nano /etc/ssh/sshd_config 
 + 
 +''ChallengeResponseAuthentication no''
  
 ### change SSH Port ### change SSH Port
 +
 +It's more security by obscurity and not actually needed. It would reduce the amount of automated scans that reach your ssh-port but is not really something to secure the server. Just to keep your log files clear.
  
 ### restart sshd ### restart sshd
-    service ssh restart 
-or 
-    systemctl restart sshd 
  
-===== update ===== +    sudo systemctl restart sshd
-      sudo apt update && sudo apt upgrade+
  
-===== UFW ===== +## fail2ban
-Install und enable UFW and allow only SSH default (or Enable UFW and disable all inbound traffic from eth0 on all ports except SSH from my local IP (temporary, eventually I allow SSH globally due to potential for IP changes), Disable all outbound traffic except for port 80. (Because paranoia). (allow out and incoming port 443, 80 and 22)+
  
-    ufw allow APPLICATION +<code>sudo apt install fail2ban</code>
-    ufw enable +
-    ufw disable +
-    ufw status+
  
-Wichtige erste Ports zur Benutzung +<code>sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local</code>
-    ufw allow ssh +
-    ufw allow http +
-    ufw allow https +
-===== fail2ban ===== +
-    sudo apt install fail2ban+
  
-    sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local+and configure (1 short-lock for 24 hours, one for 1 week block)
  
 +  * https://www.booleanworld.com/protecting-ssh-fail2ban/
 +  * https://blog.shanock.com/fail2ban-increased-ban-times-for-repeat-offenders/
  
-and configure (1 short-lock for 24 hours, one for 1 week block) 
-https://www.booleanworld.com/protecting-ssh-fail2ban/   
-https://blog.shanock.com/fail2ban-increased-ban-times-for-repeat-offenders/ 
  
-    sudo nano /etc/fail2ban/jail.local +<code>sudo nano /etc/fail2ban/jail.local</code> 
-    +
 <code> <code>
 # #
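Review bot: the "Disable password login" step in the right column sets only ''ChallengeResponseAuthentication no'', which does not turn off password logins; that directive disables keyboard-interactive (PAM) challenge-response, while sshd's ''PasswordAuthentication'' still defaults to yes, so after the restart the new ''sammy'' account is still reachable with its password. Add ''PasswordAuthentication no'' beside it (and leave ''PubkeyAuthentication'' at its default of yes). Two smaller points in the same region: the "test login" (''ssh sammy@serverip -p PORT'') is listed before the sshd_config edits, so the safe order is copy the key, edit sshd_config, run ''sudo sshd -t'' to syntax-check the file, ''sudo systemctl restart sshd'', then log in from a second terminal while the first session stays open so a typo cannot lock you out; and it is worth stating that ''ssh-keygen'' runs on the client, not on the server, since ''ssh-copy-id sammy@your_server_ip'' only makes sense from the machine that holds the private key.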
Line 109: Line 105:
 logpath   = %(sshd_log)s logpath   = %(sshd_log)s
 banaction = iptables-multiport banaction = iptables-multiport
- 
 </code> </code>
  
 Kontrolle mit tail Kontrolle mit tail
 +
     tail -10f /var/log/fail2ban.log     tail -10f /var/log/fail2ban.log
  
-===== _BREAKTIME_ =====+## update
  
-===== Tools ===== +    sudo apt update && sudo apt upgrade
-install tools (vim, tmux, htop, nmap, sysstat)+
  
-===== Mailserver ===== +## UFW 
-install and configure mailserver (postfix mit s-nail?)+  - https://linuxconfig.org/how-to-deny-all-incoming-ports-except-http-port-80-and-https-port-443-on-ubuntu-18-04-bionic-beaver-linux
  
-===== Unattended Upgrades ===== +Install und enable UFW and allow only SSH default [or Enable UFW and disable all inbound traffic from eth0 on all ports except SSH from my local IP (temporary, eventually I allow SSH globally due to potential for IP changes) and disable all outbound traffic except for port 80. (Because paranoia)] and for hosted websites port 80 and if you intend to use letsencrypt or something else port 443 too. 
-change later to "justOnError" in /etc/apt/apt.conf.d/50unattended-upgrades (multiple recipients separated with a komma)+ 
 +Important commands for UFW 
 + 
 +    ufw allow APPLICATION 
 +    ufw enable 
 +    ufw disable 
 +    ufw status 
 + 
 +Important ports for the first use 
 + 
 +    ufw allow ssh 
 +    ufw allow http 
 +    ufw allow https 
 + 
 +## _BREAKTIME_ 
 + 
 +Pause, drink a cup of coffee, think about what you are going to do next and plan a little bit. The server now has some basic security.  
 + 
 +--- 
 + 
 +## Tools 
 + 
 +Install tools you want(vim, tmux, htop, nmap, sysstat, net-tools) 
 + 
 +## Mailserver 
 + 
 +Install and configure mailserver (postfix with s-nail?) for automated messages from unattended upgrades or from other services. 
 + 
 +## Unattended Upgrades 
 + 
 +Automatically just updates security-relevant updates. Can also update all updates, if you want. Can also send autmated messages if a mailserver is installed. A sugestion is to send on every update at first and change the setting later to "justOnError" in /etc/apt/apt.conf.d/50unattended-upgrades (multiple recipients separated with a komma) 
 + 
 +## Logrotate 
 + 
 +Configure logrotate to rotate with dates instead of rolling numbers (easier for archive/backup) https://linoxide.com/linux-how-to/setup-log-rotation-logrotate-ubuntu/ 
 + 
 +## Logwatch
  
-===== Logrotate ===== 
-Configure logrotate to rotate with dates instead of rolling numbers (easier for archive/backup) 
  
-===== Logwatch ===== 
 daily mail set up daily mail set up
  
-===== Time-Related =====+## Time-Related 
 Configure time-related stuff (tzdata, install ntp, setting the time zone to UTC) Configure time-related stuff (tzdata, install ntp, setting the time zone to UTC)
  
-===== Disable unrequired services ===== +## Disable unrequired services
-disable any and all services that are not required for the purpose of the box, bind others to localhost, unless they need to listen on public interfaces+
  
-===== Check this ===== +Disable any and all services that are not required for the purpose of the box, bind others to localhost, unless they need to listen on public interfaces. This reduces attack vectors. 
-  * chef bootstrap (?) + 
-  * zsh (instead of bash), glances, rsync, +## Check this 
-  * Install most of the debug tools I've used in my life, just in case (lsof, gdb, iotop, slurm, strace)+ 
 +  * zsh (instead of bash), glances, rsync 
 +  * Install debug tools, just in case (lsof, gdb, iotop, slurm, strace)
   * Enable Byobu - https://www.digitalocean.com/community/tutorials/how-to-install-and-use-byobu-for-terminal-management-on-ubuntu-16-04   * Enable Byobu - https://www.digitalocean.com/community/tutorials/how-to-install-and-use-byobu-for-terminal-management-on-ubuntu-16-04
   * install etckeeper (etckeeper init, etckeeper commit -m initial)   * install etckeeper (etckeeper init, etckeeper commit -m initial)
-  * Webserver: letsencrypt 
   * vnstat   * vnstat
   * install linuxbrew   * install linuxbrew
-  * install git +  * install git and checkout the dot files from git
-  * checkout my dot files from git +
-  * install sudo and sudo-pam-auth. Configure it to work wi h ssh keys+
   * Learn Ansible? (install python-minimal for ansible)   * Learn Ansible? (install python-minimal for ansible)
 +  * chef bootstrap (?)
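Review bot: in the UFW section the command list puts ''ufw enable'' before any allow rule (''ufw allow ssh'' only appears further down under "Important ports for the first use"); on a remote box ''ufw enable'' with the default deny-incoming policy drops the SSH session you are working in, so the ssh rule has to come first: ''ufw allow ssh'', then ''ufw enable'', then ''ufw status''. The same ordering applies to the "allow SSH from my local IP" variant described in the prose (''ufw allow from <your-ip> to any port 22 proto tcp'' before enabling, with <your-ip> standing for your own address). If the port was changed in the earlier "change SSH Port" step, both ''ufw allow ssh'' and fail2ban's sshd jail still refer to port 22: allow the new port by number and set ''port = <number>'' in the ''[sshd]'' section of the jail.local shown above, otherwise the jail never bans anyone. One naming fix under "Unattended Upgrades": there is no "justOnError" setting in /etc/apt/apt.conf.d/50unattended-upgrades; the directives are ''Unattended-Upgrade::Mail "root";'' (comma-separated for several recipients, as the text says) and ''Unattended-Upgrade::MailOnlyOnError "true";''.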