====== digital:server:firstthings: differences between two revisions ======

Previous revision: 2018/10/22 21:10, natrius, edit summary [restart sshd]. Current revision: 2018/12/04 10:53, natrius.

The current revision replaces the whole page with a pointer:

====== First things to do ======
Content moved to [[digital:server:hardening|Server Hardening]]

The previous revision contained the checklist below.

====== First things to do ======
First steps after installing a new server. Sources:
  * https://
  * https://
  * https://

===== New user =====
Create a new user:
  adduser sammy

Give it sudo rights:
  usermod -aG sudo sammy

Generate an SSH key pair (on your workstation, not on the server):
  ssh-keygen

Copy the public key to the server:
  ssh-copy-id sammy@your_server_ip

===== Test login =====
Test the key login from a second terminal and keep the first session open. Only go on to disable root and password login once this works; otherwise you lock yourself out.
  ssh sammy@serverip -p PORT

===== Configure SSH =====
  sudo nano /

Disable root login:
  PermitRootLogin no

Disable password login. "ChallengeResponseAuthentication no" on its own does not turn off plain password authentication; both directives are needed. On OpenSSH 8.7 and newer the first directive is called KbdInteractiveAuthentication (the old name still works as an alias):
  PasswordAuthentication no
  ChallengeResponseAuthentication no

Change the SSH port: if you do, allow the new port in the firewall before restarting sshd, and keep the current session open until a login on the new port works.

Restart sshd. Run "sudo sshd -t" first: it reports syntax errors that would otherwise leave you without a working sshd.
  sudo systemctl restart sshd

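A quick check to run after the key-login test and before restarting sshd, so the three settings above are really in effect. This is an added example, not part of the wiki page. It reads the global section of an sshd_config file the way sshd does (first occurrence of a directive wins, directives inside Match blocks are conditional and are ignored here) and falls back to the documented defaults when a directive is unset. The authoritative way to see the effective configuration, including Include'd drop-ins, is "sudo sshd -T"; this script is for reviewing a single file.

```sh
#!/bin/sh
# Added example (not from the wiki page): audit an sshd_config file for the
# settings changed in the "Configure SSH" section.

# effective_value FILE KEY
# Prints the value of KEY from the global section of FILE (empty if unset).
effective_value() {
    awk -v k="$2" '
        tolower($1) == "match"    { exit }           # Match blocks are conditional: stop there
        tolower($1) == tolower(k) { print $2; exit } # sshd uses the first value it reads
    ' "$1"
}

# check_directive FILE KEY WANT DEFAULT
# Returns 0 if the effective value (or DEFAULT when the key is unset) equals WANT.
check_directive() {
    v=$(effective_value "$1" "$2")
    v=${v:-$4}
    if [ "$v" = "$3" ]; then
        echo "ok   $2 = $v"
        return 0
    fi
    echo "FAIL $2 = $v (want $3)"
    return 1
}

# audit_sshd_config FILE
# Returns the number of failed checks (0 = hardened as intended).
# Defaults are those of current OpenSSH: PermitRootLogin prohibit-password,
# PasswordAuthentication yes, ChallengeResponseAuthentication yes, PubkeyAuthentication yes.
audit_sshd_config() {
    fails=0
    check_directive "$1" PermitRootLogin no prohibit-password   || fails=$((fails + 1))
    check_directive "$1" PasswordAuthentication no yes          || fails=$((fails + 1))
    check_directive "$1" ChallengeResponseAuthentication no yes || fails=$((fails + 1))
    check_directive "$1" PubkeyAuthentication yes yes           || fails=$((fails + 1))
    return $fails
}

# Usage: sh audit-sshd.sh /etc/ssh/sshd_config
if [ "$#" -ge 1 ]; then
    audit_sshd_config "$1"
fi
```

A commented-out line such as "#PermitRootLogin yes" is not counted, because its first field is "#PermitRootLogin"; a Match block that re-enables passwords for one user is deliberately not reported, so read those blocks by hand.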
===== Update =====
  sudo apt update && sudo apt upgrade

===== UFW =====
Install and enable UFW and allow only SSH by default. Plan: deny all inbound traffic on eth0 on all ports except SSH from my local IP (temporary; eventually SSH is allowed globally because the local IP changes), and deny all outbound traffic except ports 80 and 443 (because paranoia). Net result: inbound and outbound 22, 80 and 443. Denying outbound traffic by default also blocks DNS (53/udp) and NTP (123/udp), which apt and the time sync below need, so allow those as well. Add the SSH rule before running "ufw enable": enabling with a default deny policy and no SSH rule drops your session.

  ufw allow APPLICATION
  ufw enable
  ufw disable
  ufw status

Important first ports to allow:
  ufw allow ssh
  ufw allow http
  ufw allow https
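The plan from the UFW section as one ordered script, added here as an example (not the wiki page's own commands). ADMIN_IP and SSH_PORT are assumed values; "ufw limit" is used for the SSH rule so that a burst of connections from the admin address is rate-limited, and "ufw --force enable" is placed last so the SSH rule exists before the firewall comes up. With DRY_RUN=1 the script prints the ufw commands instead of running them, which is also how you can review the order before applying it as root.

```sh
#!/bin/sh
# Added example (not from the wiki page): apply the UFW plan from the section
# above in an order that cannot lock you out of SSH.
# ADMIN_IP and SSH_PORT are assumed values; override them in the environment.
ADMIN_IP=${ADMIN_IP:-203.0.113.10}
SSH_PORT=${SSH_PORT:-22}

# run ARGS... : execute "ufw ARGS", or just print it when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "ufw $*"
    else
        ufw "$@"
    fi
}

ufw_plan() {
    # default policies: nothing in, nothing out
    run default deny incoming
    run default deny outgoing

    # outbound: DNS and NTP must work before apt, HTTP(S) or time sync can
    run allow out 53
    run allow out 123/udp
    run allow out 80/tcp
    run allow out 443/tcp

    # inbound: SSH only from the admin address for now, rate-limited;
    # web ports for everyone
    run limit from "$ADMIN_IP" to any port "$SSH_PORT" proto tcp
    run allow 80/tcp
    run allow 443/tcp

    # enable last, after the SSH rule is in place
    run --force enable
}

# Usage: sh ufw-plan.sh plan   (print the commands)
#        sh ufw-plan.sh apply  (run them, as root)
case "${1:-}" in
    plan)  DRY_RUN=1; ufw_plan ;;
    apply) ufw_plan ;;
esac
```

When the admin IP later changes, replace the "limit from" rule with "ufw limit ssh" rather than deleting it; the rate limit stays useful once the port is open to everyone.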
===== fail2ban =====
  sudo apt install fail2ban

Copy the packaged defaults to a local override file instead of editing jail.conf directly (package upgrades overwrite jail.conf, jail.local survives):
  sudo cp /

and configure the jails (one short lock for 24 hours, one one-week block):
  * https://
  * https://

  sudo nano /

Put your own admin address into ignoreip under [DEFAULT] before enabling the jails, otherwise a few mistyped passwords from your side ban you for a day. After a restart, "sudo fail2ban-client status sshd" shows the filter counters and currently banned addresses.

  #
  # JAILS
  #

  #
  # SSH servers
  #

  [sshd]

  # To use more aggressive sshd modes set filter parameter "
  # normal (default), ddos, extra or aggressive (combines all).
  # See "
  mode = normal
  port = ssh
  logpath = %(sshd_log)s
  backend = %(sshd_backend)s
  # input by stefan
  # one day
  findtime = 5400 ;1.5 hours
  maxretry = 5
  bantime = 86400 ;1 day

  # input by stefan, longterm ban
  # 30 attempts over 3 days result in a 1 week ban
  [sshlongterm2]
  port = ssh
  logpath
  banaction = iptables-multiport
  findtime
  maxretry
  bantime
  enabled
  filter

  [sshlongterm3]
  enabled = true
  filter = sshd
  findtime = 15552000 ;6 months
  maxretry = 15
  bantime = 2592000 ;1 month
  logpath
  banaction = iptables-multiport

The long-term jails reuse the sshd filter, so every failure that counts for [sshd] also accumulates in them; an address that keeps coming back after its one-day ban expires eventually meets the one-week and one-month bans.

Check with tail:
  tail -10f /

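To see what the sshd jail will act on before (or without) fail2ban, the same counting can be done by hand over the auth log. This is an added example, not from the wiki page: it counts "Failed password" lines per source address, which is what the sshd filter matches in normal mode (the separate "Invalid user" lines are left out so one attempt is not counted twice), and reports addresses at or above a maxretry threshold. The findtime window is whatever you feed it, for example "journalctl -u ssh --since -90min" for the 1.5-hour window of the [sshd] jail above. The log lines inside the script are constructed sample data using documentation IP ranges.

```sh
#!/bin/sh
# Added example (not from the wiki page): count failed SSH logins per source
# address the way the fail2ban sshd filter does, and list the addresses that
# would reach maxretry.

# failed_login_ips LOGFILE MAXRETRY
# Prints "COUNT IP" for every address with COUNT >= MAXRETRY, highest first.
failed_login_ips() {
    awk -v max="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # the source address is the field after "from"
            for (i = 1; i <= NF; i++) {
                if ($i == "from") { n[$(i + 1)]++; break }
            }
        }
        END { for (ip in n) if (n[ip] >= max) print n[ip], ip }
    ' "$1" | sort -rn
}

# sample_log: constructed auth.log excerpt (documentation addresses, not real traffic)
sample_log() {
cat <<'EOF'
Oct 22 21:01:02 srv sshd[1234]: Invalid user admin from 198.51.100.7 port 41022
Oct 22 21:01:02 srv sshd[1234]: Failed password for invalid user admin from 198.51.100.7 port 41022 ssh2
Oct 22 21:01:05 srv sshd[1236]: Failed password for root from 198.51.100.7 port 41023 ssh2
Oct 22 21:01:09 srv sshd[1238]: Failed password for root from 198.51.100.7 port 41024 ssh2
Oct 22 21:01:12 srv sshd[1240]: Failed password for invalid user oracle from 198.51.100.7 port 41025 ssh2
Oct 22 21:01:15 srv sshd[1242]: Failed password for root from 198.51.100.7 port 41026 ssh2
Oct 22 21:02:10 srv sshd[1300]: Accepted publickey for sammy from 203.0.113.10 port 50000 ssh2: ED25519 SHA256:AAAA
Oct 22 21:03:31 srv sshd[1310]: Failed password for sammy from 192.0.2.44 port 52210 ssh2
Oct 22 21:03:40 srv sshd[1312]: Failed password for sammy from 192.0.2.44 port 52211 ssh2
EOF
}

# Usage: sh failed-logins.sh /var/log/auth.log 5
#        journalctl -u ssh --since -90min | sh failed-logins.sh /dev/stdin 5
if [ "$#" -ge 1 ]; then
    failed_login_ips "$1" "${2:-5}"
fi
```

Run against the sample with maxretry 5 it reports only 198.51.100.7; the two failures from 192.0.2.44 (a user mistyping a password twice) stay below the threshold, which is the point of choosing maxretry 5 over 1.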
===== _BREAKTIME_ =====

===== Tools =====
Install tools (vim, tmux, htop, nmap, sysstat).

===== Mailserver =====
Install and configure a mail server (postfix with s-nail?) so that the logwatch and cron mails below are actually delivered.

===== Unattended Upgrades =====
Change later to "

===== Logrotate =====
Configure logrotate to rotate with dates instead of rolling numbers (easier for archive/

===== Logwatch =====
Set up the daily mail.

===== Time-related =====
Configure time-related settings (tzdata, install ntp, set the time zone to UTC).

===== Disable unrequired services =====
Disable any and all services that are not required for the purpose of the box; bind the others to localhost unless they need to listen on public interfaces. Check the result with "ss -tulpn": anything bound to 0.0.0.0, :: or * is reachable from outside (subject to the firewall), anything bound to 127.0.0.1 or ::1 is not.

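A filter for the "bind to localhost" check, added here as an example (not from the wiki page). It takes the output of "ss -tulpn" (with or without the header line) and prints only the sockets that are not bound to a loopback address, i.e. the services that are exposed on public interfaces. The ss output inside the script is constructed sample data.

```sh
#!/bin/sh
# Added example (not from the wiki page): list listening sockets that are
# reachable from outside, from "ss -tulpn" output on stdin.

# public_listeners < ss-output
# Prints "proto local-address process" for every socket whose local address
# is not loopback (127.0.0.0/8, ::1, or IPv4-mapped ::ffff:127.x).
public_listeners() {
    awk '$1 != "Netid" && $5 !~ /^(127\.|\[::1\]|\[::ffff:127\.)/ { print $1, $5, $7 }'
}

# sample_ss_output: constructed "ss -tulpn" listing of a small web host
sample_ss_output() {
cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=700,fd=3))
tcp   LISTEN 0      128        127.0.0.1:25        0.0.0.0:*     users:(("master",pid=810,fd=13))
tcp   LISTEN 0      511                *:80              *:*     users:(("nginx",pid=900,fd=6))
tcp   LISTEN 0      128             [::]:22           [::]:*     users:(("sshd",pid=700,fd=4))
tcp   LISTEN 0      128            [::1]:25           [::]:*     users:(("master",pid=810,fd=14))
udp   UNCONN 0      0            0.0.0.0:123       0.0.0.0:*     users:(("ntpd",pid=650,fd=16))
udp   UNCONN 0      0          127.0.0.1:323       0.0.0.0:*     users:(("chronyd",pid=640,fd=5))
EOF
}

# Usage on a live system (root is needed for the process names):
#   sudo ss -tulpn | sh public-listeners.sh
if [ ! -t 0 ]; then
    public_listeners
fi
```

On the sample this leaves sshd on 22 (v4 and v6), nginx on 80 and ntpd on 123; the postfix listener on 127.0.0.1:25 and [::1]:25 and chronyd's command socket on 127.0.0.1:323 are correctly ignored. Everything the filter prints should either be on the UFW allow list above or be rebound to localhost.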
===== Check this =====
  * chef bootstrap (?)
  * zsh (instead of bash), glances, rsync,
  * Install most of the debug tools I've used in my life, just in case (lsof, gdb, iotop, slurm, strace)
  * Enable Byobu - https://
  * install etckeeper (etckeeper init, etckeeper commit -m initial)
  * Webserver: letsencrypt
  * vnstat
  * install linuxbrew
  * install git
  * check out my dot files from git
  * install sudo and sudo-pam-auth. Configure it to work with ssh keys
  * Learn Ansible? (install python-minimal for ansible)