Jul 11, 2018 - Protect your server

Comments

First things to do after ssh’ing into a fresh system

For simplicity I just assume a Debian system.

Update the system

apt-get update 
apt-get upgrade

I usually also make sure ‘vim’ is installed: apt-get install vim

Create user

adduser

I’ll refer to that user later as [user].

Generate/upload SSH public key

Generate an SSH key pair on your local machine, if you don’t already have one.

ssh-keygen

Then copy the public key to the server:

ssh-copy-id [user]@[host]

Restrict SSH access

/etc/ssh/sshd_config

LoginGraceTime 2m
PermitRootLogin no
StrictModes yes
MaxAuthTries 2

# only allow this user to connect
AllowUsers [user]

# only allow public key auth
PubkeyAuthentication yes
PasswordAuthentication no

Setup a firewall

Using ‘ufw’ (easier)

apt-get install ufw

ufw default deny incoming
ufw allow ssh

ufw enable

Using ‘iptables’ directly (bit more complex)

Create file ‘/etc/iptables_rules’ with following content

# Generated by iptables-save v1.6.1
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [91:8576]
:SSHATTACK - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -m recent --set --name SSH --mask 255.255.255.255 --rsource
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -m recent --update --seconds 600 --hitcount 3 --name SSH --mask 255.255.255.255 --rsource -j SSHATTACK
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A SSHATTACK -j LOG --log-prefix "[iptables] SSH attack" --log-level 3
-A SSHATTACK -j DROP
COMMIT

This will also log (/var/log/syslog) brute force attacks on the SSH port, and block an attacker for 600 seconds after 3 failed login attempts.

Apply the firewall rules: iptables-restore /etc/iptables_rules

Enable /etc/rc.local functionality again and load iptables rules on reboot

Create /etc/rc.local

#!/bin/sh -e

iptables-restore /etc/iptables_rules

exit 0

systemctl start rc-local