Secure the server
1. Install firewalld and fail2ban
Let’s try to protect the server from the attacks.
# install firewalld
apt install --yes firewalld
firewall-cmd --list-all
firewall-cmd --permanent --zone=public --set-target=DROP
firewall-cmd --reload
# install fail2ban
apt install --yes fail2ban python3-systemd
cat <<EOF > /etc/fail2ban/jail.local
[DEFAULT]
backend = systemd
EOF
systemctl restart fail2ban
fail2ban-client status
fail2ban-client status sshd
Their default configuration is usually fine, so for the time being we don’t need to change anything.
2. Disable password login
If you are using a password to login to the server, it is strongly recommended to enable key-based login and to disable password login.
2.1. Generate SSH key
Generate e SSH key pair on the server, like this:
ssh-keygen --help
ssh-keygen -t ecdsa -q -N '' -f server-admin
It will create the files server-admin
(the private key) and
server-admin.pub
(the public key). The option -N ''
tells to the command ssh-keygen
to generate a key pair without
password.
We want to append the public key to ~/.ssh/authorized_keys
, but
first let’s make sure that the directory exists and has propper
permissions:
mkdir -p ~/.ssh
chmod 700 ~/.ssh
touch ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
cat server-admin.pub >> ~/.ssh/authorized_keys
rm server-admin.pub
2.2. Login with private key
We want to transfer the private key to our local machine (laptop). We
can just copy/paste its content or we can use scp
like this:
scp root@10.11.12.13:~/server-admin .
chmod 600 server-admin
ssh root@10.11.12.14 rm server-admin
Now let’s try to login using this private key:
ssh -i server-admin root@10.11.12.13
You should be able to login without a password.
To make things easier, let’s create a configuration file on
~/.ssh
(on the local machine):
touch ~/.ssh/config
chmod 600 ~/.ssh/config
cat >> ~/.ssh/config <<EOF
Host server1
HostName 10.11.12.13
Port 22
User root
IdentityFile ~/.ssh/server1.key
IdentitiesOnly yes
EOF
mv server-admin ~/.ssh/server1.key
chmod 600 ~/.ssh/server1.key
Now you should be able to login to the server just by giving ssh
server1
. You don’t need to remember the IP of the server, the port,
the identity file (private key), etc. It’s so convenient!
2.3. Disable password login
Now that we can login with an identity file (private key), we can disable the password login on the server, to make it more secure. Someone may guess a password, or may find it by a brute force attack (trying lots of passwords), but it is almost impossible to guess or find a private key.
Edit the file /etc/ssh/sshd_config
on the server and make sure
to change the setting PasswordAuthentication
from yes to no:
#PasswordAuthentication yes PasswordAuthentication no
Save the file and restart the sshd service:
systemctl restart sshd
Make sure that you can still login with the private key.
Test also that you cannot login with a password anymore.
3. Change the SSH port
This is another step for making the server a bit more secure.
-
Edit
/etc/ssh/sshd_config
on the server and change the port from 22 to something else (for example with 4 or 5 digits), like this:#Port 22 Port 1234
-
Open the new port in the firewall:
firewall-cmd --zone=public --add-port=1234/tcp
-
Restart the SSH service
systemctl restart sshd
-
Change the port in
~/.ssh/config
on the local machine and test that you can still login to the server. -
Make the firewall change permanent:
firewall-cmd --permanent --zone=public --add-port=1234/tcp firewall-cmd --permanent --zone=public --remove-service=ssh
4. Use a script to login
The configuration file ~/.ssh/config
is convenient, but if you
want to login to the server from anywhere, you need something more
portable. In this case you can use a script like this:
#!/bin/bash
server=10.11.12.13
port=1234
keyfile=$(mktemp)
sed -n -e '/^-----BEGIN/,/^-----END/p' $0 > $keyfile
ssh -i $keyfile -p $port root@$server
rm -f $keyfile
exit 0
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS
1zaGEyLW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQRIRkXtvwyUiLDSLSqV0V0RClTakKDt
SkP/4besU++elsvtZaaY97GSdn0kTqF+0LiBCTOaEROgRHB7aKU8YjwjAAAAqJKniRSSp4
kUAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEhGRe2/DJSIsNIt
KpXRXREKVNqQoO1KQ//ht6xT756Wy+1lppj3sZJ2fSROoX7QuIEJM5oRE6BEcHtopTxiPC
MAAAAhAJXThzR7EhbYn9fykJaG5hUA4h+RCfIkpwo83yl+r/5qAAAADmRhc2hvQGRhc2hh
bWlyAQ==
-----END OPENSSH PRIVATE KEY-----
It includes the IP and the port along with the private key (identity
file), so that you don’t have to remember them. If this script is
called server1.sh
, make sure to give it the right permissions,
like this:
chmod 700 server1.sh