146
edits
m (→Configure sshd) |
(Removing a user from sudo group and removing an authorized key) |
||
(8 intermediate revisions by 3 users not shown) | |||
Line 20: | Line 20: | ||
usermod -aG sudo USERNAME | usermod -aG sudo USERNAME | ||
</syntaxhighlight> | </syntaxhighlight> | ||
* To remove a user from <code>sudo</code> group | |||
<syntaxhighlight lang="bash"> | |||
sudo gpasswd -d USERNAME sudo | |||
</syntaxhighlight> | |||
Also, to remove their ability to ssh as root, remove their public key from <code>.ssh/authorized_keys</code> | |||
== Security (only need to do this at setup) == | == Security (only need to do this at setup) == | ||
Line 34: | Line 42: | ||
* Restart ssh otherwise the changes to sshd don't take effect!<syntaxhighlight lang="bash"> | * Restart ssh otherwise the changes to sshd don't take effect!<syntaxhighlight lang="bash"> | ||
service ssh restart | service ssh restart | ||
</syntaxhighlight> | |||
=== [[Fail2Ban]] === | |||
==== Install ==== | |||
<pre> | |||
apt install fail2ban | |||
</pre> | |||
==== Configuration ==== | |||
Editing <code>/etc/fail2ban/jail.local</code>, using the defaults from [[Mastodon/Setup]] | |||
<syntaxhighlight lang="toml"> | |||
[DEFAULT] | |||
destemail = your@email.here | |||
sendername = Fail2Ban | |||
[sshd] | |||
enabled = true | |||
port = 22 | |||
[sshd-ddos] | |||
enabled = true | |||
port = 22 | |||
</syntaxhighlight> | |||
Then restart the service | |||
<pre> | |||
systemctl restart fail2ban | |||
</pre> | |||
=== IPTables === | |||
Again following [[Mastodon/Setup]] | |||
==== Install ==== | |||
<pre> | |||
apt install -y iptables-persistent | |||
</pre> | |||
Decline the dialog asking if you want to preserve existing iptables configs (if you say yes then the commands below will fail for some reason) | |||
==== Configuration ==== | |||
* '''IPv4:''' Edit <code>/etc/iptables/rules.v4</code> | |||
<pre> | |||
*filter | |||
# Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0 | |||
-A INPUT -i lo -j ACCEPT | |||
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT | |||
# Accept all established inbound connections | |||
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT | |||
# Allow all outbound traffic - you can modify this to only allow certain traffic | |||
-A OUTPUT -j ACCEPT | |||
# Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL). | |||
-A INPUT -p tcp --dport 80 -j ACCEPT | |||
-A INPUT -p tcp --dport 443 -j ACCEPT | |||
# Allow SSH connections | |||
# The -dport number should be the same port number you set in sshd_config | |||
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT | |||
# Allow ping | |||
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT | |||
# Allow destination unreachable messages, espacally code 4 (fragmentation required) is required or PMTUD breaks | |||
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT | |||
# Log iptables denied calls | |||
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7 | |||
# Reject all other inbound - default deny unless explicitly allowed policy | |||
-A INPUT -j REJECT | |||
-A FORWARD -j REJECT | |||
COMMIT | |||
</pre> | |||
* '''IPv6:''' Edit <code>/etc/iptables/rules.v6</code> | |||
<pre> | |||
*filter | |||
# Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0 | |||
-A INPUT -i lo -j ACCEPT | |||
-A INPUT ! -i lo -d ::1/128 -j REJECT | |||
# Accept all established inbound connections | |||
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT | |||
# Allow all outbound traffic - you can modify this to only allow certain traffic | |||
-A OUTPUT -j ACCEPT | |||
# Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL). | |||
-A INPUT -p tcp --dport 80 -j ACCEPT | |||
-A INPUT -p tcp --dport 443 -j ACCEPT | |||
# Allow SSH connections | |||
# The -dport number should be the same port number you set in sshd_config | |||
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT | |||
# Allow ping | |||
-A INPUT -p icmpv6 -j ACCEPT | |||
# Log iptables denied calls | |||
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7 | |||
# Reject all other inbound - default deny unless explicitly allowed policy | |||
-A INPUT -j REJECT | |||
-A FORWARD -j REJECT | |||
COMMIT | |||
</pre> | |||
Then reload the rules: | |||
<syntaxhighlight lang="bash"> | |||
iptables-restore < /etc/iptables/rules.v4 | |||
ip6tables-restore < /etc/iptables/rules.v6 | |||
</syntaxhighlight> | </syntaxhighlight> |