Tuesday, March 30, 2021

Linux Server Default Hardening

### Ubuntu update packages ###

sudo bash
apt-get update
apt-get upgrade
apt dist-upgrade

### Ubuntu install unattended-upgrades ###

sudo bash
apt install unattended-upgrades
dpkg-reconfigure --priority=low unattended-upgrades

### Ubuntu create user ###

sudo bash
adduser <myuser>

### Ubuntu sudo group ###
usermod -aG sudo <myuser>

### Create KeyPairs instead of Passwords on your workstation ###

mkdir ~/.ssh && chmod 700 ~/.ssh #####On your workstation not server####
ssh-keygen -b 4096






### Copy public key to server ###
ssh-copy-id <myuser>@myserver


### /etc/ssh/sshd_config settings to consider changing ###

Port 22
AddressFamily inet
PermitRootLogin no
PasswordAuthentication no

### Restart sshd ###

sudo systemctl restart sshd

I was working this and I found this great video by NetworkChuck's! Please visit his site and like/subscribe to his pages. I am a big fan of his.

STEP 1 - Enable Automatic Updates

Manual Updates:

apt update
apt dist-upgrade


Automatic Updates:

apt install unattended-upgrades
dpkg-reconfigure --priority=low unattended-upgrades


STEP 2 - Create a Limited User Account

Create a User:

adduser {username}


Add user to the sudo group:

usermod -aG sudo {username}


STEP 3 - Passwords are for SUCKERS!

Create the Public Key Directory on your Linux Server

mkdir ~/.ssh && chmod 700 ~/.ssh


Create Public/Private keys on your computer

ssh-keygen -b 4096


Upload your Public key to the your Linux Server (Windows)

scp $env:USERPROFILE/.ssh/id_rsa.pub {username}@{server ip}:~/.ssh/authorized_keys

Upload your Public key to the your Linux Server (MAC)

scp ~/.ssh/id_rsa.pub {username}@{server ip}:~/.ssh/authorized_keys

Upload your Public key to the your Linux Server (LINUX)

ssh-copy-id {username}@{server ip}


STEP 4 - Lockdown Logins

Edit the SSH config file

sudo nano /etc/ssh/sshd_config


STEP 5 - FIREWALL IT UP

See open ports

sudo ss -tupln

Install UFW

apt install ufw

See UFW status

sudo ufw status

Allow port through firewall

sudo ufw allow {port number}

Enable Firewall

sudo ufw enable

Reload Firewall

sudo ufw reload


Drop pings

Edit the UFW config file

sudo nano /etc/ufw/before.rules

Add this line of config:

-A ufw-before-input -p icmp --icmp-type echo-request -j DROP





No comments:

Post a Comment