Update/Upgrade
sudo apt update && sudo apt upgrade -y
User
Create
Add new user: adduser NEWUSER
make it sudoer
Add new user to sudoer group:
- Either:
usermod -aG sudo NEWUSER
- Or: run sudo visudo and add NEWUSER ALL=(ALL:ALL) ALL into /etc/sudoers
- Check new user groups:
groups NEWUSER
SSH auth
Create authorized_keys
# create .ssh/authorized_keys if not exist
mkdir /home/NEWUSER/.ssh
touch /home/NEWUSER/.ssh/authorized_keys
Enter public key(s)
copy your public key(s) into authorized_keys
Set permissions
# make user owner
chown -R NEWUSER:NEWUSER /home/NEWUSER/.ssh
# 700 at most
chmod 700 /home/NEWUSER/.ssh
# 600 or 400
chmod 600 /home/NEWUSER/.ssh/authorized_keys
Enable SSH key authentication
edit /etc/ssh/sshd_config and carefully set:
PubkeyAuthentication yes
UsePAM yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin prohibit-password
validate the config before restarting (a syntax error would leave sshd down): sudo sshd -t
restart sshd: systemctl restart ssh
test from a second terminal, keeping the current session open until key login works (password login is now disabled): ssh -v NEWUSER@SERVER_IP
Firewall
set to strict
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 22/tcp # Allow SSH
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable
Upgrades
enable unattended upgrades
sudo apt install unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades
Set timezone
sudo timedatectl set-timezone Europe/Vilnius
(the tz database name is Europe/Vilnius, not Lithuania/Vilnius; list valid names with timedatectl list-timezones)
Fail2Ban
# install
sudo apt install fail2ban
Add your IP to the whitelist and increase the ban time. Make a copy of jail.conf (edit jail.local, not jail.conf, so package upgrades do not overwrite your changes):
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local
Change defaults to:
# change:
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1 #add your IP(s) after the loopback entries (keep them, otherwise local checks can get banned)
bantime = 24h #default 10m is nothing
findtime = 30m #default 10m is also too little. Maybe even 1h or 2h
maxretry = 3 #default is 5
[sshd]
enabled = true #ensure it's true (section name is lowercase sshd, matching the jail queried below)
Restart the service and check what's banned. It will be a lot.
sudo systemctl restart fail2ban
sudo fail2ban-client status sshd