I had a lot to learn running a dedicated server, and I still have a long way to go. I wanted to post some help for those who are just starting out. This follows on from Redhat's guide here about PuTTY and whatnot, and I hope it adds to his discussion. I just threw together the stuff I researched first and the steps I took to be a little more secure. I hope this helps.
If you are logging into your server for the first time as root, the first job is to create a normal user. Never SSH into the machine as root. The commands in this post are for Debian/Ubuntu. Run this command to create a new user,
sudo adduser userName
Now we want to add the user we just created to the sudo group so it can use root privileges,
usermod -aG sudo userName
Once that is done, you want to disconnect the current ssh session, and reconnect using your new user.
Now we want to lock the root account's password (sudo su or sudo -i will still get you root; this just stops anyone logging in as the literal root user with a password),
sudo passwd -l root
Now we want to configure SSH to listen on a port other than the standard 22. Be honest with yourself about what this buys you: anyone who port-scans the box will still find sshd in seconds, so it hides nothing from a real attacker, but it does cut out the flood of bots that only ever try port 22, which keeps your auth log readable and your fail2ban bans meaningful. If you want real protection on top of that, look into port knocking. Check out my tutorial
Tutorial - Port Knocking
Edit your SSH config
run,
sudo nano /etc/ssh/sshd_config
Locate the Port line. It usually ships commented out as #Port 22; uncomment it (or add a new line) and set it to a port nothing else on the box is listening on, so not 80 if you run a web server. Ports below 1024 can only be bound by root, which gives a little protection against an unprivileged process squatting on your SSH port while sshd is down, but any free port works. Two things to get right before you restart: allow the new port through your firewall (ufw or iptables, and your provider's firewall if it has one), and keep this session open while you test the new port from a second PuTTY window, so a mistake does not lock you out.
Also in the same config file we want to disable root login through SSH. Find the PermitRootLogin line and set it to no,
PermitRootLogin no
Save, exit, and restart the SSH service,
sudo service ssh restart
Now we want to limit su to admins. The command below sets /bin/su to mode 4750 owned by root:sudo, meaning setuid root, executable by root and the sudo group, and no access at all for anyone else, so a user who is not in the sudo group cannot even run su, let alone become root. dpkg-statoverride records the change so package upgrades do not quietly undo it. Make sure your own user is in the sudo group before you run this (as root),
sudo dpkg-statoverride --update --add root sudo 4750 /bin/su
This next step is optional. It creates a key pair that you use to authenticate to your server instead of a password, and once it works you can disable password authentication on SSH completely.
This tutorial will use PuTTY and PuTTYgen.
Generate a key pair with PuTTYgen on the client machine. RSA with 4096 bits is fine; Ed25519 is the better choice if your PuTTY version offers it.
Set a passphrase on the key, then save the public and private keys to a keys folder. The private key (.ppk) never leaves the client.
Copy the text from the box labelled "Public key for pasting into OpenSSH authorized_keys file" at the top of PuTTYgen. Use that box, not the saved public key file: the file is in a different multi-line format, and sshd silently ignores it.
With Putty connect to your server and run,
ls -la ~/.ssh
If it says no such file or directory, create the hidden .ssh folder and make it private to your user (sshd refuses to use keys from a .ssh directory that group or others can write). Running ssh-keygen, as some guides suggest, also creates the folder, but it leaves an unneeded passphrase-less key pair sitting on the server, so just make the directory,
mkdir -p ~/.ssh && chmod 700 ~/.ssh
Then change to the hidden ssh directory,
cd ~/.ssh/
Then create the authorized_keys file (it is a file, not a directory),
touch authorized_keys
then open it,
nano authorized_keys
Paste the key you copied from PuTTYgen in the earlier step into this file as a single line (one key per line), then save and exit.
You do not need to restart SSH for this; sshd reads authorized_keys fresh on every login attempt.
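Added example, not part of the original post or of PuTTY/OpenSSH: a shell function that does the server-side half of this step (create ~/.ssh, create authorized_keys, add the key) together with the two checks that usually bite first-timers, namely pasting PuTTYgen's saved .pub file (wrong format, silently ignored) and loose permissions (sshd's StrictModes refuses a key file or .ssh directory that group or others can write). It assumes POSIX sh with grep -E, cut and ls, takes the home directory as an argument so it can be tried on a scratch directory, and the key strings shown are constructed placeholders, not real key material.

```shell
#!/bin/sh
# Added example, not part of the original post or of PuTTY/OpenSSH. Does the
# server-side half of the key step (create ~/.ssh, create authorized_keys, add
# the key) with the checks that usually bite first-timers: the key must be the
# one-line OpenSSH form from PuTTYgen's text box, not the saved .pub file, and
# sshd's StrictModes refuses a key file or .ssh directory that group or others
# can write. Assumptions: POSIX sh, grep -E, cut, ls; HOMEDIR is passed in so
# it can be exercised on a scratch directory; key lines carry no options prefix.

# is_openssh_pubkey KEY
# True when KEY is a single line in authorized_keys form: type, base64 blob,
# optional comment. Surface check only; sshd validates the blob itself.
is_openssh_pubkey() {
  [ "$(printf '%s\n' "$1" | wc -l | tr -d ' ')" -eq 1 ] || return 1
  printf '%s\n' "$1" |
    grep -Eq '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+={0,3}( [^ ].*)?$'
}

# not_group_world_writable PATH
# Columns 6 and 9 of ls -ld are the group and other write bits; both must be off.
not_group_world_writable() {
  [ "$(ls -ld "$1" | cut -c6,9)" = "--" ]
}

# install_authorized_key HOMEDIR KEY
# Creates HOMEDIR/.ssh (mode 700) and authorized_keys (mode 600), appends KEY
# unless the same key material is already there, and re-checks the modes.
# Returns 0 on success or when the key was already present, 2 on a bad key.
install_authorized_key() {
  hdir=$1; key=$2
  if ! is_openssh_pubkey "$key"; then
    echo "not a one-line OpenSSH public key; paste PuTTYgen's text box, not the saved .pub file" >&2
    return 2
  fi
  mkdir -p "$hdir/.ssh" && chmod 700 "$hdir/.ssh"
  f=$hdir/.ssh/authorized_keys
  touch "$f" && chmod 600 "$f"
  blob=$(printf '%s\n' "$key" | cut -d' ' -f2)     # compare key material, not the comment
  if cut -d' ' -f2 "$f" | grep -qxF -- "$blob"; then
    return 0                                        # already installed
  fi
  printf '%s\n' "$key" >> "$f"
  not_group_world_writable "$hdir/.ssh" && not_group_world_writable "$f"
}

# Usage on the server, with the line copied from PuTTYgen in place of the
# placeholder (the blob below is constructed, not real key material):
#   install_authorized_key "$HOME" 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructedSampleBlobNotARealKey rsa-key-20240101'
```

The duplicate check compares the base64 blob rather than the whole line, because PuTTYgen's comment (rsa-key-YYYYMMDD) changes every time you regenerate the text, and two copies of the same key in the file are harmless but confusing when you later try to remove one.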
End your SSH session and open Putty.
Once PuTTY is open, under the category tree on the left expand SSH under Connection and select Auth (in PuTTY 0.78 and later the key field has moved to the Credentials page under Auth).
The private key file field is the one you want: browse and select the .ppk private key you generated and saved with PuTTYgen in the first step.
Now return to Session in the category tree on the left and enter your host and the new port number. You should now be able to log in with the key; if you set a passphrase, PuTTY asks for that instead of the account password (Pageant can hold the key so you only type it once per desktop session). Save the session within PuTTY so you don't have to select the private key each time.
If you want to go one step further you can disable password login altogether, but if this is the route you choose, make sure you test your key and confirm you can log in with it, from a fresh PuTTY session, before you change anything. Once you do this, if you have a problem with your key you will not be able to log in at all. I found this out the hard way. So keep your working session open while you make the change, and know how to reach the box through your provider's console or KVM if it goes wrong.
Run,
sudo nano /etc/ssh/sshd_config
Find the PasswordAuthentication line and set it to no,
PasswordAuthentication no
Two things to check while you are in there. First, the keyboard-interactive (PAM) method can still hand a client a password prompt even with PasswordAuthentication off, so make sure KbdInteractiveAuthentication (ChallengeResponseAuthentication on older OpenSSH) is set to no as well; Debian and Ubuntu ship it off by default. Second, on recent Ubuntu the top of sshd_config has an Include for /etc/ssh/sshd_config.d/*.conf, and cloud images drop a 50-cloud-init.conf in there with PasswordAuthentication yes. sshd keeps the first value it sees, so that file wins over anything you put in the main file; fix it there too. sshd's -T option prints the settings it actually uses and is the definitive check.
Then restart your SSH service, test a fresh login from a second window while the first one is still open, and you should be good to go,
sudo service ssh restart
Now SSH password authentication is disabled for every account on the server, not just yours; anyone else who needs access must have their public key in their own authorized_keys first.
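Added example, not part of the original post or of OpenSSH: a small set of shell functions that make the sshd_config edits from the port / PermitRootLogin step and from this PasswordAuthentication step, then report the value sshd will really use. The second part is the point: a directive you add to the main file loses to the same directive in a file pulled in by an earlier Include line, because sshd keeps the first value, and you would otherwise find that out only after the restart. It assumes POSIX sh with awk and tr, absolute paths in Include lines, and only reports the global (pre-Match) context; the scratch config it builds is constructed sample content shaped like an Ubuntu cloud image, not copied from any host.

```shell
#!/bin/sh
# Added example, not part of the original post or of OpenSSH. Makes the
# sshd_config edits from the port / PermitRootLogin step and from the
# PasswordAuthentication step, then reports the value sshd will really use:
# a directive added to the main file loses to the same directive in a file
# pulled in by an earlier "Include" line, because sshd keeps the first value.
# Assumptions: POSIX sh, awk, tr; absolute paths in Include lines; only the
# global (pre-Match) context is reported; "Key=value" syntax is not handled.
# On a live host the definitive check is still: sudo sshd -T | grep -i KEY

# set_sshd_option FILE KEY VALUE
# Rewrites the first active "KEY ..." line in place, or inserts "KEY VALUE"
# before the first Match block (or at the end) if there is none. Commented
# defaults such as "#Port 22" are left alone; sshd ignores them anyway.
set_sshd_option() {
  awk -v key="$2" -v value="$3" '
    {
      split($0, f, /[ \t]+/)
      first = (f[1] == "") ? f[2] : f[1]                # tolerate leading blanks
      if (!done && tolower(first) == tolower(key)) { print key " " value; done = 1; next }
      if (!done && tolower(first) == "match")       { print key " " value; done = 1 }
      print
    }
    END { if (!done) print key " " value }
  ' "$1" > "$1.new" && mv "$1.new" "$1"
}

# effective_sshd_option FILE KEY
# Prints the first active value for KEY, following Include lines (with glob
# expansion) in order, where sshd would find it. Stops at the first Match line.
# Returns 1 when KEY is unset, meaning sshd's built-in default applies.
effective_sshd_option() {
  _file=$1
  _key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  [ -r "$_file" ] || return 1
  while IFS= read -r _line || [ -n "$_line" ]; do
    set -f; set -- $_line; set +f            # split into words without globbing
    [ $# -ge 1 ] || continue
    case $1 in \#*) continue ;; esac         # comment line
    _k=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case $_k in
      include)
        shift
        for _pat in "$@"; do
          for _inc in $_pat; do              # glob expansion of the Include pattern
            if _v=$( (effective_sshd_option "$_inc" "$_key") ); then
              printf '%s\n' "$_v"; return 0
            fi
          done
        done ;;
      match) return 1 ;;                     # conditional section; global context ends
      "$_key") shift; printf '%s\n' "$*"; return 0 ;;
    esac
  done < "$_file"
  return 1
}

# apply_and_check FILE KEY VALUE
# Writes the directive, then confirms it is what sshd would use. Fails loudly
# when an Include'd file wins, instead of letting you find out after the restart.
apply_and_check() {
  set_sshd_option "$1" "$2" "$3"
  _eff=$(effective_sshd_option "$1" "$2") || _eff="(built-in default)"
  [ "$_eff" = "$3" ] && return 0
  printf 'WARNING: %s is effectively "%s", not "%s": an earlier Include probably sets it\n' \
    "$2" "$_eff" "$3" >&2
  return 1
}

# make_scratch_config DIR
# Writes a constructed config tree shaped like an Ubuntu cloud image, where
# cloud-init drops a file into sshd_config.d that re-enables password logins.
# Sample content for trying the functions out; not copied from any real host.
make_scratch_config() {
  mkdir -p "$1/sshd_config.d"
  {
    printf 'Include %s/sshd_config.d/*.conf\n' "$1"
    printf '#Port 22\n'
    printf 'PermitRootLogin yes\n'
    printf 'Match User backup\n'
    printf '    PasswordAuthentication yes\n'
  } > "$1/sshd_config"
  printf 'PasswordAuthentication yes\n' > "$1/sshd_config.d/50-cloud-init.conf"
}

# Usage on a live host (as root), once you have tried it on the scratch copy:
#   apply_and_check /etc/ssh/sshd_config Port 2222
#   apply_and_check /etc/ssh/sshd_config PermitRootLogin no
#   apply_and_check /etc/ssh/sshd_config PasswordAuthentication no
#   apply_and_check /etc/ssh/sshd_config KbdInteractiveAuthentication no
#   sshd -t && service ssh restart      # -t refuses to go on if the file has a typo
```

Try it on the scratch tree first: make_scratch_config on a temporary directory, then apply_and_check PasswordAuthentication no against its sshd_config. The warning it prints is exactly the situation on a fresh Ubuntu cloud image, and the fix is to apply the same directive to the file under sshd_config.d as well.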
Now what really opened my eyes was thinking this way about everything I put on my server: what ports does it run on, what vulnerabilities does the stuff I run open me up to, you know? Just thinking about SSH made me start thinking, fuck, I wonder what else is vulnerable. It made me start researching things in a different way and think about my server in a different way. So anyway, hope it helps someone.
Next, get going on installing fail2ban.