146
edits
No edit summary |
(Removing a user from sudo group and removing an authorized key) |
||
(6 intermediate revisions by 2 users not shown) | |||
Line 20: | Line 20: | ||
usermod -aG sudo USERNAME | usermod -aG sudo USERNAME | ||
</syntaxhighlight> | </syntaxhighlight> | ||
* To remove a user from <code>sudo</code> group | |||
<syntaxhighlight lang="bash"> | |||
sudo gpasswd -d USERNAME sudo | |||
</syntaxhighlight> | |||
Also, to remove their ability to ssh as root, remove their public key from <code>.ssh/authorized_keys</code> | |||
== Security (only need to do this at setup) == | == Security (only need to do this at setup) == | ||
Line 38: | Line 46: | ||
=== [[Fail2Ban]] === | === [[Fail2Ban]] === | ||
Install | ==== Install ==== | ||
<pre> | <pre> | ||
apt install fail2ban | apt install fail2ban | ||
Line 67: | Line 76: | ||
</pre> | </pre> | ||
== | === IPTables === | ||
Again following [[Mastodon/Setup]] | |||
==== Install ==== | |||
<pre> | |||
apt install -y iptables-persistent | |||
</pre> | |||
Decline the dialog asking if you want to preserve existing iptables configs (if you say yes then the commands below will fail for some reason) | |||
==== Configuration ==== | |||
* '''IPv4:''' Edit <code>/etc/iptables/rules.v4</code> | |||
<pre> | |||
*filter | |||
# Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0 | |||
-A INPUT -i lo -j ACCEPT | |||
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT | |||
# Accept all established inbound connections | |||
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT | |||
# Allow all outbound traffic - you can modify this to only allow certain traffic | |||
-A OUTPUT -j ACCEPT | |||
# Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL). | |||
-A INPUT -p tcp --dport 80 -j ACCEPT | |||
-A INPUT -p tcp --dport 443 -j ACCEPT | |||
# Allow SSH connections | |||
# The -dport number should be the same port number you set in sshd_config | |||
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT | |||
# Allow ping | |||
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT | |||
# Allow destination unreachable messages, espacally code 4 (fragmentation required) is required or PMTUD breaks | |||
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT | |||
# Log iptables denied calls | |||
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7 | |||
# Reject all other inbound - default deny unless explicitly allowed policy | |||
-A INPUT -j REJECT | |||
-A FORWARD -j REJECT | |||
COMMIT | |||
</pre> | |||
* '''IPv6:''' Edit <code>/etc/iptables/rules.v6</code> | |||
<pre> | |||
*filter | |||
# Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0 | |||
-A INPUT -i lo -j ACCEPT | |||
-A INPUT ! -i lo -d ::1/128 -j REJECT | |||
# Accept all established inbound connections | |||
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT | |||
# Allow all outbound traffic - you can modify this to only allow certain traffic | |||
-A OUTPUT -j ACCEPT | |||
# Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL). | |||
-A INPUT -p tcp --dport 80 -j ACCEPT | |||
-A INPUT -p tcp --dport 443 -j ACCEPT | |||
# Allow SSH connections | |||
# The -dport number should be the same port number you set in sshd_config | |||
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT | |||
# Allow ping | |||
-A INPUT -p icmpv6 -j ACCEPT | |||
# Log iptables denied calls | |||
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7 | |||
# Reject all other inbound - default deny unless explicitly allowed policy | |||
-A INPUT -j REJECT | |||
-A FORWARD -j REJECT | |||
COMMIT | |||
</pre> | |||
Then reload the rules: | |||
<syntaxhighlight lang="bash"> | |||
iptables-restore < /etc/iptables/rules.v4 | |||
ip6tables-restore < /etc/iptables/rules.v6 | |||
</syntaxhighlight> |