Hardening your server
Published on: 4th Feb 2021
Updated on: 23rd Sep 2022
Why
If your server is public facing (i.e., reachable from the public Internet), follow the checklist below. It disables the old and weak features so that their known weaknesses cannot be exploited.
Here's how you do it
- Run the test against your web server that has sshd enabled. The result will recommend disabling the weak algorithms.
- Since our Ubuntu server is accessible from the Internet, we cannot avoid being attacked. There are a few ways to deal with this critical issue:
  - Disable the root account and avoid using any other common account such as "pi", "user", "guest", etc.
  - Use a longer, more complex password.
  - Change the SSH port.
  - Use an SSH key.
- Among all of the above, the SSH key is the safest way to secure SSH, but it is not impossible to crack. Follow the steps below to enable the SSH key method.
- In Windows, we use the PuTTYGen program (installed together with PuTTY) to generate the SSH key. Below is the output (the file names are for illustration, but the file extensions should be the same):
  - my-local-linux.ppk - generated by PuTTYGen ("save private key"). It is best to set a "key passphrase" to encrypt the file; the passphrase is then required whenever you access the remote server.
  - my-local-linux.pub - the public key; the contents of this file are copied to the remote server.
- Copy the SSH public key (from the PUB file created above) to the remote server:
    cd ~
    sudo mkdir .ssh
    sudo nano .ssh/authorized_keys
    # (paste the public key and save the file)
    # the directory and file were created via sudo, so hand them to the login user
    # (replace "yourID" with the user ID); sshd only accepts keys the user owns
    sudo chown -R yourID:yourID .ssh
- Edit the /etc/ssh/sshd_config file (take a backup first):
    sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak.1
    sudo nano /etc/ssh/sshd_config
- In the config file, change the following setting:
    # disable the password auth method; only SSH keys will be recognised
    PasswordAuthentication no
  18 Sep 2022: for more information about PasswordAuthentication, please refer to the following article,
  NOTES: set this to yes if you allow users to upload/download files using FTP. Setting this value to no disables that FTP access.
- Finally, restart the service:
    sudo systemctl restart sshd
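The key installation and sshd_config change above, as an added shell script that is not part of the original post: it installs a public key with the ownership and permissions sshd expects, reads the effective value of a setting from an sshd_config (sshd honours the first uncommented occurrence), and only restarts sshd if PasswordAuthentication and PermitRootLogin are both explicitly "no" and sshd -t accepts the file. The home directory, owner and config path are arguments (assumptions) so it can be tried on a scratch directory; the PermitRootLogin check goes beyond the post's single setting and covers its "disable the root account" advice.

```shell
#!/bin/sh
# Added example, not part of the original post: install a public key with the
# ownership/permissions sshd expects and check an sshd_config for the settings
# hardened above before restarting. Paths/owner are arguments (assumptions).

# install_authorized_key <home_dir> <pubkey_file> [owner]
# Creates ~/.ssh (700) and authorized_keys (600); appends the key only once.
install_authorized_key() {
    ak="$1/.ssh/authorized_keys"
    mkdir -p "$1/.ssh" && chmod 700 "$1/.ssh" || return 1
    touch "$ak" && chmod 600 "$ak" || return 1
    # Re-running the script must not add a duplicate line.
    grep -qxFf "$2" "$ak" || cat "$2" >> "$ak" || return 1
    # Files created via sudo are root-owned; sshd wants the login user.
    if [ -n "${3:-}" ]; then chown -R "$3:$3" "$1/.ssh" || return 1; fi
}

# sshd_config_value <config_file> <keyword>
# Prints the effective global value: sshd uses the FIRST uncommented
# occurrence, so a later "PasswordAuthentication yes" line would be ignored.
sshd_config_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }   # comments, blank lines
        tolower($1) == "match"      { exit }   # global section ends here
        tolower($1) == key          { print $2; exit }
    ' "$1"
}

# check_hardening <config_file>
# Returns 0 only if password and root logins are explicitly "no". A missing
# keyword means the sshd default applies (PasswordAuthentication defaults to
# yes), so an absent setting counts as not hardened.
check_hardening() {
    rc=0
    for setting in PasswordAuthentication PermitRootLogin; do
        value="$(sshd_config_value "$1" "$setting")"
        if [ "$value" != "no" ]; then
            echo "NOT HARDENED: $setting is '${value:-unset}' in $1" >&2
            rc=1
        fi
    done
    return "$rc"
}

# restart_sshd_checked <config_file>
# Refuses to restart when the checks fail or sshd -t rejects the file, so a
# typo in sshd_config cannot lock you out of the server.
restart_sshd_checked() {
    check_hardening "$1" && sshd -t -f "$1" && systemctl restart sshd
}
```

Run restart_sshd_checked /etc/ssh/sshd_config as root from a session that stays open until a second key-based login has been confirmed.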
- 4th Feb 2021 - I have experimented with changing the SSH port to a number other than 22 (i.e., the default port). As a result, there are no more attack attempts on SSH. In fact, it is better to have fail2ban to defend your server and also use an SSH key, which makes it harder to break in.
References
- For a full hardening reference, please read the following page: https://www.digitalocean.com/community/tutorials/how-to-harden-openssh-on-ubuntu-18-04
- Using an SSH key instead of a password: https://www.digitalocean.com/community/tutorials/how-to-set-up-ssh-keys-on-ubuntu-1804
- Use SSH Keys with PuTTY on Windows: https://devops.ionos.com/tutorials/use-ssh-keys-with-putty-on-windows/#use-existing-public-and-private-keys
- How To Set Up Multi-Factor Authentication for SSH on Ubuntu: https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-20-04
- Updated on 6th Sep 2023. Mitigating DDoS Attacks with NGINX and NGINX Plus: https://www.nginx.com/blog/mitigating-ddos-attacks-with-nginx-and-nginx-plus/
- Updated on 6th Sep 2023. Preventing Linux DDoS Attacks with Minimal Cybersecurity Knowledge: https://linuxsecurity.com/features/preventing-linux-ddos-attacks
Author
Lau Hon Wan, software developer.