Updates
Updating packages and dependencies:
sudo apt update && sudo apt upgrade
Upgrade installed packages, including upgrades that need to add or remove dependencies:
sudo apt dist-upgrade
Enable automatic updates:
sudo apt install unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades
User
Create a new user:
adduser {your-name}
Give it a secure password! Only log in as this user, not as root! This will be your password to access the server via SSH, so attackers will try to brute-force it.
Add user to sudo group:
sudo usermod -aG sudo {your-name}
SSH
Change ssh port:
sudo nano /etc/ssh/sshd_config
# Port 22 → Port 535
Use anything between 0-1023 (Well Known Ports range).
Only use IPv4:
AddressFamily any → AddressFamily inet
Don't let root log in:
PermitRootLogin yes → PermitRootLogin no
Disable password login:
# PasswordAuthentication yes → PasswordAuthentication no
Only apply this after you have generated an SSH key and confirmed that you can log in with it!
sudo systemctl restart sshd
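To check that the four edits above are actually active, here is an added example (not part of the original page) that audits an sshd_config file. The function names are hypothetical, the sample file is constructed, and the fallback values are the upstream OpenSSH defaults.

```shell
#!/bin/sh
# Added example (not from the original page): audit the four sshd_config edits.

# active_values FILE KEYWORD: uncommented values of KEYWORD in the global section
# (before any Match block). Keywords are case-insensitive; a line that still
# starts with "#" never matches, so it stays inactive.
active_values() {
    awk -v key="$2" '
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { print $2 }
    ' "$1"
}

# first_or_default FILE KEYWORD DEFAULT: sshd uses the first value it reads;
# DEFAULT is the upstream OpenSSH default that applies when none is set.
first_or_default() {
    v=$(active_values "$1" "$2" | head -n 1)
    echo "${v:-$3}"
}

# expect KEYWORD WANTED ACTUAL: print a verdict and count failures in $fails.
expect() {
    if [ "$3" = "$2" ]; then echo "OK   $1 $3"
    else echo "FAIL $1 $3 (want $2)"; fails=$((fails + 1)); fi
}

# audit_sshd_config FILE: exit status 0 only if all four settings are in place.
audit_sshd_config() {
    fails=0
    # Port may be given several times and sshd listens on every one of them.
    ports=$(active_values "$1" Port | paste -sd ' ' -)
    case " ${ports:-22} " in
        *" 22 "*) echo "FAIL Port ${ports:-22} (22 still open)"; fails=1 ;;
        *)        echo "OK   Port $ports" ;;
    esac
    expect AddressFamily inet "$(first_or_default "$1" AddressFamily any)"
    expect PermitRootLogin no "$(first_or_default "$1" PermitRootLogin prohibit-password)"
    expect PasswordAuthentication no "$(first_or_default "$1" PasswordAuthentication yes)"
    [ "$fails" -eq 0 ]
}

# Constructed sample: the password line was edited without removing its "#",
# so the default (yes) is still in force and the audit fails on that line.
sample=$(mktemp)
printf '%s\n' 'Port 535' 'AddressFamily inet' 'PermitRootLogin no' \
    '# PasswordAuthentication no' > "$sample"
audit_sshd_config "$sample" || echo "=> not hardened yet"
rm -f "$sample"
```

This parser does not follow Include directives; on a live server, sudo sshd -T prints the effective configuration with included files resolved.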
Generate SSH key
Generate SSH key pair on the server:
ssh-keygen -t ecdsa -q -N '' -f {file-name}
It will create the files {file-name} (the private key) and {file-name}.pub (the public key). The option -N '' tells ssh-keygen to generate a key pair without a passphrase.
We want to append the public key to ~/.ssh/authorized_keys, but first let's make sure that the directory exists and has proper permissions:
mkdir -p ~/.ssh
chmod 700 ~/.ssh
touch ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
cat {file-name}.pub >> ~/.ssh/authorized_keys
#rm {file-name}.pub
Login with private key
We want to transfer the private key to our local machine (laptop). We can just copy/paste its content or we can use scp like this:
scp -P 22 root@10.11.12.13:~/{file-name} .
chmod 600 {file-name}
Now let's try to log in using this private key:
ssh -i {file-name} root@10.11.12.13
To make things easier, let's create a configuration file in ~/.ssh (on the local machine):
touch ~/.ssh/config
chmod 600 ~/.ssh/config
cat >> ~/.ssh/config <<EOF
Host {your-server}
HostName {ip}
Port 22
User root
IdentityFile ~/.ssh/{file-name}.key
IdentitiesOnly yes
EOF
mv {file-name} ~/.ssh/{file-name}.key
chmod 600 ~/.ssh/{file-name}.key
Firewall
Install the firewall ufw (Uncomplicated Firewall):
sudo apt install ufw
Allow the SSH port (use the port you set in sshd_config):
sudo ufw allow 22
Enable ufw:
sudo ufw enable
Fail2ban
Install Fail2ban:
sudo apt install -y fail2ban
Check status:
sudo fail2ban-client status
sudo fail2ban-client status sshd