meta data for this page
Differences
This shows you the differences between two versions of the page.
Both sides previous revision Previous revision | |||
digital:server:firstthings [2018/11/16 13:10] natrius [Check this] |
digital:server:firstthings [2018/12/04 10:53] natrius |
||
---|---|---|---|
Line 1: | Line 1: | ||
# First things to do | # First things to do | ||
- | First steps after installing a new server | + | Content moved to [[digital:server:hardening|Server Hardening]] |
- | + | ||
- | ## New user | + | |
- | + | ||
- | Create new User | + | |
- | + | ||
- | adduser sammy | + | |
- | + | ||
- | Give sudo-rights | + | |
- | + | ||
- | usermod -aG sudo sammy | + | |
- | + | ||
- | Generate SSH key | + | |
- | + | ||
- | ssh-keygen | + | |
- | + | ||
- | Copy the public key to server | + | |
- | + | ||
- | ssh-copy-id sammy@your_server_ip | + | |
- | + | ||
- | ## test login | + | |
- | + | ||
- | ssh sammy@serverip -p PORT | + | |
- | + | ||
- | ## Configure SSH | + | |
- | + | ||
- | ### Disable root login | + | |
- | + | ||
- | sudo nano / | + | |
- | + | ||
- | '' | + | |
- | + | ||
- | ### Disable password login | + | |
- | + | ||
- | sudo nano / | + | |
- | + | ||
- | '' | + | |
- | + | ||
- | ### change SSH Port | + | |
- | + | ||
- | It's more security by obscurity and not actually needed. It would reduce the amount of automated scans that reach your ssh-port but is not really something to secure the server. Just to keep your log files clear. | + | |
- | + | ||
- | ### restart sshd | + | |
- | + | ||
- | sudo systemctl restart sshd | + | |
- | + | ||
- | ## fail2ban | + | |
- | + | ||
- | < | + | |
- | + | ||
- | < | + | |
- | + | ||
- | and configure (1 short-lock for 24 hours, one for 1 week block) | + | |
- | + | ||
- | * https:// | + | |
- | * https:// | + | |
- | + | ||
- | + | ||
- | < | + | |
- | + | ||
- | < | + | |
- | # | + | |
- | # JAILS | + | |
- | # | + | |
- | + | ||
- | # | + | |
- | # SSH servers | + | |
- | # | + | |
- | + | ||
- | [sshd] | + | |
- | + | ||
- | # To use more aggressive sshd modes set filter parameter " | + | |
- | # normal (default), ddos, extra or aggressive (combines all). | + | |
- | # See " | + | |
- | mode = normal | + | |
- | port = ssh | + | |
- | logpath = %(sshd_log)s | + | |
- | backend = %(sshd_backend)s | + | |
- | # input by stefan | + | |
- | # one day | + | |
- | findtime = 5400 ;1.5 hours | + | |
- | maxretry = 5 | + | |
- | bantime = 86400 ;1 day | + | |
- | + | ||
- | # input by stefan, longterm ban | + | |
- | # 30 attempts over 3 days result in a 1 week ban | + | |
- | [sshlongterm2] | + | |
- | port = ssh | + | |
- | logpath | + | |
- | banaction = iptables-multiport | + | |
- | findtime | + | |
- | maxretry | + | |
- | bantime | + | |
- | enabled | + | |
- | filter | + | |
- | + | ||
- | [sshlongterm3] | + | |
- | enabled = true | + | |
- | filter = sshd | + | |
- | findtime = 15552000 ;6 months | + | |
- | maxretry = 15 | + | |
- | bantime = 2592000 ;1 month | + | |
- | logpath | + | |
- | banaction = iptables-multiport | + | |
- | </ | + | |
- | + | ||
- | Kontrolle mit tail | + | |
- | + | ||
- | tail -10f / | + | |
- | + | ||
- | ## update | + | |
- | + | ||
- | sudo apt update && sudo apt upgrade | + | |
- | + | ||
- | ## UFW | + | |
- | - https:// | + | |
- | + | ||
- | Install und enable UFW and allow only SSH default [or Enable UFW and disable all inbound traffic from eth0 on all ports except SSH from my local IP (temporary, eventually I allow SSH globally due to potential for IP changes) and disable all outbound traffic except for port 80. (Because paranoia)] and for hosted websites port 80 and if you intend to use letsencrypt or something else port 443 too. | + | |
- | + | ||
- | Important commands for UFW | + | |
- | + | ||
- | ufw allow APPLICATION | + | |
- | ufw enable | + | |
- | ufw disable | + | |
- | ufw status | + | |
- | + | ||
- | Important ports for the first use | + | |
- | + | ||
- | ufw allow ssh | + | |
- | ufw allow http | + | |
- | ufw allow https | + | |
- | + | ||
- | ## _BREAKTIME_ | + | |
- | + | ||
- | Pause, drink a cup of coffee, think about what you are going to do next and plan a little bit. The server | + | |
- | + | ||
- | --- | + | |
- | + | ||
- | ## Tools | + | |
- | + | ||
- | Install tools you want(vim, tmux, htop, nmap, sysstat, net-tools) | + | |
- | + | ||
- | ## Mailserver | + | |
- | + | ||
- | Install and configure mailserver (postfix with s-nail?) for automated messages from unattended upgrades or from other services. | + | |
- | + | ||
- | ## Unattended Upgrades | + | |
- | + | ||
- | Automatically just updates security-relevant updates. Can also update all updates, if you want. Can also send autmated messages if a mailserver is installed. A sugestion is to send on every update at first and change the setting later to " | + | |
- | + | ||
- | ## Logrotate | + | |
- | + | ||
- | Configure logrotate to rotate with dates instead of rolling numbers (easier for archive/ | + | |
- | + | ||
- | ## Logwatch | + | |
- | + | ||
- | + | ||
- | daily mail set up | + | |
- | + | ||
- | ## Time-Related | + | |
- | + | ||
- | Configure time-related stuff (tzdata, install ntp, setting the time zone to UTC) | + | |
- | + | ||
- | ## Disable unrequired services | + | |
- | + | ||
- | Disable any and all services that are not required for the purpose of the box, bind others to localhost, unless they need to listen on public interfaces. This reduces attack vectors. | + | |
- | + | ||
- | ## Check this | + | |
- | + | ||
- | * zsh (instead of bash), glances, rsync | + | |
- | * Install debug tools, just in case (lsof, gdb, iotop, slurm, strace) | + | |
- | * Enable Byobu - https:// | + | |
- | * install etckeeper (etckeeper init, etckeeper commit -m initial) | + | |
- | * vnstat | + | |
- | * install linuxbrew | + | |
- | * install git and checkout the dot files from git | + | |
- | * Learn Ansible? (install python-minimal for ansible) | + | |
- | * chef bootstrap (?) | + |