Just some tips for some extra security.
1. It is recommended to use ed25519 instead of the default RSA key type for SSH keys.
Code:
ssh-keygen -t ed25519 -a 100 -C "my ot server"
The -C flag just adds a comment to the key, which makes it easier for you to tell what the key is for if you have many OT server machines with SSH keys.
------------------------------------------------------------------------------------------------
2. It is recommended to change your default SSH port to something else, to reduce the number of automated brute-force attempts that hit the default port.
Code:
sudo nano /etc/ssh/sshd_config
Uncomment the line "#Port 22" by removing the # and then enter any other port you want that isn't used by anything else.
E.g.
Port 21073
When you SSH into your machine you must add the -p flag followed by the port.
If you use password authentication, it looks like this:
ssh root@<ip-address> -p 21073
If you use SSH keys, you run:
ssh root@<ip-address> -p 21073 -i <key-filename>
------------------------------------------------------------------------------------------------
3. Do not disable the ufw firewall. Instead, it should always be enabled!
Do not forget to allow the SSH port (in my example, 21073) before turning the firewall on, otherwise you lock yourself out.
Simply run these:
Code:
sudo apt install ufw
sudo systemctl enable ufw
sudo systemctl start ufw
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 21073
sudo ufw allow 80
sudo ufw allow 443
sudo ufw allow 3306
sudo ufw allow 7171
sudo ufw allow 7172
sudo ufw enable
sudo systemctl restart ufw
(The systemctl lines only make the service start at boot; "ufw enable" is what actually activates the firewall rules.)
Then check that ufw is active and which ports have been allowed:
Code:
systemctl status ufw
sudo ufw status
------------------------------------------------------------------------------------------------
4. Disable root login and create a non-root user for the machine.
By doing that, an attacker must know your custom username for SSH.
The non-root user is only used to later switch to root!
You need to edit the file /etc/ssh/sshd_config again and disable root login.
If you use SSH keys, also disable password authentication in that file.
Basically, you go from this:
(Your Local PC) -> Root
To this:
(Your Local PC) -> Non-Root User -> Root
Look up how to add a user and edit the SSH config. It is not hard.
So when you SSH into the machine, you log in as the non-root user, either with a password or with your SSH key (the same commands as in step 2, just with your username instead of root).
And then later on switch to root.
------------------------------------------------------------------------------------------------
5. Install fail2ban to mitigate brute-force attacks. Make sure to not just install & enable it, but to actually edit its configuration file! Otherwise it is useless. If someone fails to log in too many times, their IP gets blocked. This helps against SSH brute-force attacks.
Code:
sudo apt install fail2ban
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
Make copies of the default config files and then edit the new files:
Code:
cd /etc/fail2ban
sudo cp fail2ban.conf fail2ban.local
sudo cp jail.conf jail.local
sudo nano jail.local
Simply add the line "enabled = true" to any JAILs you want fail2ban to enforce.
If you don't know how fail2ban jails work, then look it up on their documentation!
Only enable fail2ban for the things you want to protect.
For example, you want to protect your SSH, your web server, your database!
But you do NOT want to protect it on port 7171 or 7172.
Because then you may IP-ban players for some time if they enter an incorrect password.
And you probably don't want that, hehe
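To see which jails a jail.local actually turns on (a jail inherits "enabled" from [DEFAULT] unless it sets its own), and to catch the mistake described above of putting a jail on 7171/7172, here is an added checker script. It is my own example for this post, not part of fail2ban; the sample jail.local it writes is constructed, and the jail name "otserv-login" in it is hypothetical.

```shell
#!/bin/sh
# Added example: list the jails a fail2ban jail.local really enables and warn
# if any enabled jail covers the game ports (7171/7172) that players log in on.
# Written for this post; not fail2ban's own code.

# Constructed sample jail.local (not a real server's file). The otserv-login
# jail is hypothetical and shows exactly what the post says NOT to do.
make_sample_jail_local() {
  cat > "$1" <<'EOF'
[DEFAULT]
bantime = 1h
findtime = 10m
maxretry = 5
enabled = false

[sshd]
enabled = true
port = 21073

[nginx-http-auth]
enabled = true

[mysqld-auth]
enabled = true

# hypothetical jail on the game login/server ports
[otserv-login]
enabled = true
port = 7171,7172
logpath = /var/log/otserv/login.log
EOF
}

# enabled_jails FILE -> prints "name port" for every jail whose effective
# "enabled" is true. Per-jail keys override [DEFAULT]; later lines in a
# section override earlier ones; "-" means no port given anywhere.
enabled_jails() {
  awk '
    function flush() {
      if (sec == "") return
      if (sec == "DEFAULT") { def_en = en; def_port = port; return }
      e = (en != "") ? en : def_en
      p = (port != "") ? port : def_port
      if (e == "true") print sec, (p != "" ? p : "-")
    }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
    /^[ \t]*\[.*\][ \t]*$/ {
      flush()
      sec = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", sec)
      en = ""; port = ""
      next
    }
    {
      split($0, kv, "=")
      key = kv[1]; gsub(/^[ \t]+|[ \t]+$/, "", key); key = tolower(key)
      val = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (key == "enabled") en = tolower(val)
      else if (key == "port") port = val
    }
    END { flush() }
  ' "$1"
}

# check_game_ports FILE -> returns 1 if an enabled jail lists 7171 or 7172,
# because fail2ban would then ban players who mistype their password.
check_game_ports() {
  bad=$(enabled_jails "$1" | awk '$2 ~ /(^|,)717[12](,|$)/ { print $1 }')
  if [ -n "$bad" ]; then
    echo "WARNING: jail(s) cover game ports 7171/7172: $bad"
    return 1
  fi
  echo "OK: no enabled jail covers the game login/server ports"
  return 0
}

# Usage: sh check_jails.sh /etc/fail2ban/jail.local  (no argument = run on the sample)
if [ $# -gt 0 ]; then
  target=$1
else
  target=$(mktemp); make_sample_jail_local "$target"; trap 'rm -f "$target"' EXIT
fi
echo "Enabled jails (name port):"
enabled_jails "$target"
check_game_ports "$target" || :
```

Run it against your real /etc/fail2ban/jail.local after editing: every jail it prints is one that will actually ban IPs, and the warning tells you if you protected the game ports by accident.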
--------------------------------
tl;dr:
1. Use SSH keys
2. Use a strong key type (ed25519) for SSH keys
3. Change the default SSH port
4. Install and enable ufw firewall, configure the ports you want to use
5. Disable root login for SSH and add a non-root user
6. Install fail2ban and configure its "jails"
BONUS: Only allow your non-root user to SSH, by editing:
sudo nano /etc/ssh/sshd_config
Add a new line anywhere in that file and write:
AllowUsers <username>
Only list your non-root user(s) there, separated by spaces.
So if you have the non-root users "john" and "sarah", add:
AllowUsers john sarah
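Since steps 2 and 4 and this bonus all end up in /etc/ssh/sshd_config, here is an added script that audits that file against them (custom port, PermitRootLogin no, PasswordAuthentication no, AllowUsers set). It is my own example for this post, not OpenSSH code; the sample config it writes is constructed. One caveat it checks for: sshd uses the FIRST value it sees for most keywords, so a hardening line added below an existing one is silently ignored, while Port may be given several times and sshd listens on all of them.

```shell
#!/bin/sh
# Added example: audit an sshd_config against the hardening steps in this post.
# Written for this post; not part of OpenSSH.

# Constructed sample config for demonstration (not a real server's file).
make_sample_config() {
  cat > "$1" <<'EOF'
# constructed sshd_config sample
Port 21073
#PermitRootLogin prohibit-password
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
AllowUsers john sarah
EOF
}

# effective_value FILE KEYWORD -> the value sshd would use: first match wins,
# keyword is case-insensitive, comments skipped, stop at the first Match block.
effective_value() {
  awk -v kw="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    tolower($1) == "match" { exit }
    tolower($1) == kw { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
  ' "$1"
}

# listen_ports FILE -> every uncommented Port line (sshd listens on all of them)
listen_ports() {
  awk 'tolower($1) == "match" { exit } tolower($1) == "port" { print $2 }' "$1"
}

# expect_value LABEL ACTUAL WANTED -> prints OK/FAIL, returns 1 on mismatch
expect_value() {
  if [ "$2" = "$3" ]; then echo "OK   $1 = $2"; return 0; fi
  echo "FAIL $1 = '${2:-<unset, sshd default applies>}' (want $3)"; return 1
}

# audit_sshd_config FILE -> returns 0 only if every hardening check passes
audit_sshd_config() {
  f=$1; bad=0
  ports=$(listen_ports "$f" | tr '\n' ' ')
  case " $ports" in
    *" 22 "*|" ") echo "FAIL Port: default 22 still in use (ports: ${ports:-22 by default})"; bad=1 ;;
    *) echo "OK   Port(s) = $ports" ;;
  esac
  expect_value PermitRootLogin "$(effective_value "$f" PermitRootLogin)" no || bad=1
  expect_value PasswordAuthentication "$(effective_value "$f" PasswordAuthentication)" no || bad=1
  # PubkeyAuthentication defaults to yes when unset, so only an explicit "no" fails
  pk=$(effective_value "$f" PubkeyAuthentication)
  if [ "$pk" = "no" ]; then echo "FAIL PubkeyAuthentication = no"; bad=1
  else echo "OK   PubkeyAuthentication = ${pk:-yes (default)}"; fi
  users=$(effective_value "$f" AllowUsers)
  if [ -z "$users" ]; then echo "FAIL AllowUsers not set (any account may try to log in)"; bad=1
  else echo "OK   AllowUsers = $users"; fi
  [ "$bad" -eq 0 ]
}

# Usage: sh audit_sshd.sh /etc/ssh/sshd_config  (no argument = run on the sample)
if [ $# -gt 0 ]; then
  audit_sshd_config "$1"
else
  sample=$(mktemp); make_sample_config "$sample"
  audit_sshd_config "$sample"
  rm -f "$sample"
fi
```

Run it as root on the real file after every edit, and still run "sshd -t" before restarting sshd, since this script only checks the directives from this post and not the syntax of the whole file.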