meta data for this page
  •  

**This is an old revision of the document!**

First things to do

First steps after installing a new server to make sure nobody can capture it and use it in a way it was not intended. Make sure you work as fast and correct as possible until you reach BREAKTIME. That should not consume too much time and then you can think about what you want to install afterwards.

New user

Create new User

adduser sammy

Give sudo-rights

usermod -aG sudo sammy

Generate SSH key

ssh-keygen

Copy the public key to server

ssh-copy-id sammy@your_server_ip

test login

ssh sammy@serverip -p PORT

Configure SSH

Disable root login

sudo nano /etc/ssh/sshd_config

PermitRootLogin no

Disable password login

sudo nano /etc/ssh/sshd_config

ChallengeResponseAuthentication no

change SSH Port

It's more security by obscurity and not actually needed. It would reduce the amount of automated scans that reach your ssh-port but is not really something to secure the server. Just to keep your log files clear.

restart sshd

sudo systemctl restart sshd

fail2ban

sudo apt install fail2ban
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

and configure (1 short-lock for 24 hours, one for 1 week block)

sudo nano /etc/fail2ban/jail.local
#
# JAILS
#

#
# SSH servers
#

[sshd]

# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
mode    = normal
port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
# input by stefan
# one day
findtime = 5400 ;1.5 hours
maxretry = 5
bantime = 86400 ;1 day

# input by stefan, longterm ban
# 30 attempts over 3 days result in a 1 week ban
[sshlongterm2]
port      = ssh
logpath   = %(sshd_log)s
banaction = iptables-multiport
findtime  = 259200 ;3 days
maxretry  = 10
bantime   = 604800 ;1 week
enabled   = true
filter    = sshd

[sshlongterm3]
enabled = true
filter = sshd
findtime = 15552000 ;6 months
maxretry = 15
bantime = 2592000 ;1 month
logpath   = %(sshd_log)s
banaction = iptables-multiport

Kontrolle mit tail

tail -10f /var/log/fail2ban.log

update

sudo apt update && sudo apt upgrade

UFW

Install und enable UFW and allow only SSH default [or Enable UFW and disable all inbound traffic from eth0 on all ports except SSH from my local IP (temporary, eventually I allow SSH globally due to potential for IP changes) and disable all outbound traffic except for port 80. (Because paranoia)] and for hosted websites port 80 and if you intend to use letsencrypt or something else port 443 too.

Important commands for UFW

ufw allow APPLICATION
ufw enable
ufw disable
ufw status

Important ports for the first use

ufw allow ssh
ufw allow http
ufw allow https

_BREAKTIME_

Pause, drink a cup of coffee, think about what you are going to do next and plan a little bit. The server now has some basic security.


Tools

Install tools you want(vim, tmux, htop, nmap, sysstat, net-tools)

Mailserver

Install and configure mailserver (postfix with s-nail?) for automated messages from unattended upgrades or from other services.

Unattended Upgrades

Automatically just updates security-relevant updates. Can also update all updates, if you want. Can also send autmated messages if a mailserver is installed. A sugestion is to send on every update at first and change the setting later to “justOnError” in /etc/apt/apt.conf.d/50unattended-upgrades (multiple recipients separated with a komma)

Logrotate

Configure logrotate to rotate with dates instead of rolling numbers (easier for archive/backup) https://linoxide.com/linux-how-to/setup-log-rotation-logrotate-ubuntu/

Logwatch

daily mail set up

Configure time-related stuff (tzdata, install ntp, setting the time zone to UTC)

Disable unrequired services

Disable any and all services that are not required for the purpose of the box, bind others to localhost, unless they need to listen on public interfaces. This reduces attack vectors.

Check this