Hardening Linux Server Security

** This page is a continuous work-in-progress as I come across things and have time to update **

I know, another incomplete article.  I work a lot faster than I have time to add content to my blog articles.  But I promise to eventually get to them.  I mostly keep creating new ones as place-holders, and to come back and look at myself later.

Anyways, moving on…

When you deploy a server that is not behind extra security layers such as those in front of a VPS on Google’s Cloud Platform (GCP), there are quite a few steps you need to take to harden it.  These steps should be taken no matter your deployment scenario, but they are especially important if your server is facing the public internet.

The context of this article is based on a Virtual Private Server (VPS) that is running Fedora Server 26.  Adjustment for your own environment should be done accordingly.

SSH

Securing SSH on your server is the most obvious and biggest one.

As soon as your server goes live, there are thousands of bots on the internet that will be pounding your VPS trying to get in via SSH.  You can even verify this by logging in to your VPS via SSH, and you’ll see how many tens of thousands of failed SSH login attempts there were.

You want to use Key-based Authentication and nothing else.  There really is no exception to this.

Key-based SSH Authentication

In this example, I’ll cover two scenarios for connecting to your VPS using key-based authentication:  PuTTY, and Terminal on a Linux desktop using the ssh command.

  1. Disable standard password authentication:
    1. Edit the following file:
      vi /etc/ssh/sshd_config
    2. Change the following line to:
      PasswordAuthentication no
    3. Restart SSH:
      service sshd restart
  2. Generate an SSH key pair:
    1. Enter the following to create an SSH key pair:
      ssh-keygen -t rsa -b 4096
    2. Hit enter to save in default location with default file name.
    3. Enter a passphrase for your private key, and again to confirm.
  3. To authenticate from your Linux desktop computer to your VPS, you need to add your desktop computer’s public key to the /root/.ssh/authorized_keys file on your VPS (or to the .ssh folder of whichever user you are using to log on to your VPS).
    1. If you are using Linux, follow step 2 on your Linux desktop to create a key pair.  Then add your Linux desktop’s public key to the authorized_keys file on your VPS.
    2. If you are on Windows, you can use PuTTYgen to generate a key pair to use with PuTTY.
      1. Configure PuTTY to use your desktop’s private key, after you add its public key to the authorized_keys file on your VPS.
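
As an added example (not part of the original article), these shell functions check that the change from step 1 actually takes effect and that a public key is in place before passwords are switched off. The function names and the sample files are made up for the illustration; it assumes whitespace-separated `Keyword value` lines in a single config file.

```shell
#!/bin/sh
# Added example (not from the article). sshd keeps the FIRST value it reads
# for a keyword, so appending "PasswordAuthentication no" below an existing
# "yes" changes nothing. Assumes whitespace-separated "Keyword value" lines
# and a single config file without Include directives.

# Print the global PasswordAuthentication value: yes or no.
effective_password_auth() {
    awk '$1 ~ /^#/ { next }
         tolower($1) == "match" { exit }            # global section ends here
         tolower($1) == "passwordauthentication" { print tolower($2); found = 1; exit }
         END { if (!found) print "yes" }            # OpenSSH default is yes
    ' "$1"
}

# Print line numbers where a Match block turns password logins back on.
match_overrides() {
    awk '$1 ~ /^#/ { next }
         tolower($1) == "match" { in_match = 1; next }
         in_match && tolower($1) == "passwordauthentication" && tolower($2) == "yes" { print NR }
    ' "$1"
}

# Count key lines (non-blank, non-comment) in an authorized_keys file.
count_keys() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -cvE '^[[:space:]]*(#|$)' "$1" || true
}

# audit_ssh SSHD_CONFIG AUTHORIZED_KEYS: returns 0 only if key-only login is safe.
audit_ssh() {
    rc=0
    [ "$(effective_password_auth "$1")" = no ] || { echo "FAIL: passwords accepted globally"; rc=1; }
    [ -z "$(match_overrides "$1")" ] || { echo "FAIL: Match block allows passwords, line $(match_overrides "$1" | tr '\n' ' ')"; rc=1; }
    [ "$(count_keys "$2")" -gt 0 ] || { echo "FAIL: no keys in $2; disabling passwords would lock you out"; rc=1; }
    return "$rc"
}

# Constructed sample input: a config where the edit was appended, not changed.
demo=$(mktemp -d)
printf '%s\n' '# constructed sample' 'PasswordAuthentication yes' \
    'PasswordAuthentication no' 'Match User backup' \
    '    PasswordAuthentication yes' > "$demo/sshd_config"
printf '# no keys yet\n' > "$demo/authorized_keys"
audit_ssh "$demo/sshd_config" "$demo/authorized_keys" || echo "audit failed (expected for this sample)"
rm -rf "$demo"
```

On the server itself the call would be `audit_ssh /etc/ssh/sshd_config /root/.ssh/authorized_keys`, run before restarting SSH. `sshd -T` prints the configuration the daemon actually resolves and is a useful cross-check.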

Checking Logs

You can check your logs to see recent successful logins, or all attempts:

last

/var/log/messages

 

 
