Security Check-up — Installing Firewall and Creating an SSH User
This guide is written with a clean server in mind: a fresh Ubuntu 20.04 install, logged in as root.
🌟 Let’s start with some updates
Update system
apt update && apt upgrade
Change passwords (if needed)
passwd
Install firewall
apt install ufw
Add block/allow list
ufw deny to 10.0.0.0/8
ufw deny from 10.0.0.0/8
ufw deny to 172.0.0.0/24
ufw deny from 172.0.0.0/24
ufw deny to 172.16.0.0/12
ufw deny from 172.16.0.0/12
ufw deny to 192.168.0.0/16
ufw deny from 192.168.0.0/16
ufw deny to 100.64.0.0/10
ufw deny from 100.64.0.0/10
ufw deny to 169.254.0.0/16
ufw deny from 169.254.0.0/16
ufw deny out from any to 10.0.0.0/8
ufw deny out from any to 172.16.0.0/12
ufw deny out from any to 192.168.0.0/16
ufw deny out from any to 100.64.0.0/10
ufw deny out from any to 198.18.0.0/15
ufw deny out from any to 169.254.0.0/16
ufw allow 30321
ufw allow 22
Enable firewall
ufw enable
Check firewall status
ufw status
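The deny list above repeats each range three times, which is where typos creep in. The following added example (not part of the original post) builds the same rules from a single range table, validates each CIDR before it reaches ufw, and prints the commands instead of running them so the list can be reviewed first; the BLOCKED_RANGES list is a constructed copy of the ranges the post denies.

```shell
#!/bin/sh
# Added example (not from the original post): generate the ufw block list from
# one range table so each CIDR is typed once and validated before use.
# Constructed list: the RFC 1918, CGNAT, link-local and benchmark ranges the post denies.
BLOCKED_RANGES="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 100.64.0.0/10 169.254.0.0/16 198.18.0.0/15"

# valid_cidr CIDR -> 0 if it looks like a.b.c.d/n with octets 0-255 and prefix 0-32.
valid_cidr() {
    echo "$1" | grep -Eq '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])/(3[0-2]|[12]?[0-9])$'
}

# gen_ufw_rules -> prints the ufw commands for every range: deny inbound
# from/to the range and deny outbound to it. Printing rather than executing
# lets you review the list; pipe the output to sh as root to apply it.
gen_ufw_rules() {
    for cidr in $BLOCKED_RANGES; do
        valid_cidr "$cidr" || { echo "invalid CIDR: $cidr" >&2; return 1; }
        echo "ufw deny from $cidr"
        echo "ufw deny to $cidr"
        echo "ufw deny out from any to $cidr"
    done
}

# rule_count -> number of rules that would be applied (three per range).
rule_count() {
    gen_ufw_rules | wc -l | tr -d ' '
}
```

Review the output with `gen_ufw_rules`, then `gen_ufw_rules | sh` as root. Keep the order the post uses: add `ufw allow 22` before `ufw enable`, otherwise enabling the firewall can cut off the SSH session you are working in.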
😎Everything looks okay? Let’s move on to the next step
➡️ Installing fail2ban and creating an ssh user to log in with.
Install fail2ban
apt-get install -y fail2ban
Copy config to local file
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Edit jail file
nano /etc/fail2ban/jail.local
Config example
[sshd]
# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and det>
#mode = normal
enabled = true
maxretry = 5
findtime = 1d
bantime = 4w
ignoreip = 127.0.0.1/8 add.your.ip.here
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
📍Example
🪄 Use CTRL-X to quit, press Y and ENTER to confirm
Start and enable fail2ban
systemctl start fail2ban
systemctl enable fail2ban
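A quick way to confirm the jail file says what you think it says before starting fail2ban. This is an added example, not part of the original post: jail_get reads a key from one section of an INI-style jail file with awk (so it runs without fail2ban installed), jail_check verifies the [sshd] settings the post asks for, and make_sample_jail writes a constructed jail.local modelled on the post's example with the ignoreip placeholder filled in with a documentation address.

```shell
#!/bin/sh
# Added example (not from the original post): read settings from a fail2ban
# jail file section by section and check the [sshd] jail the post configures.

# jail_get FILE SECTION KEY -> value of KEY inside [SECTION]; a repeated key
# within the section is overridden by the later one, as fail2ban does.
jail_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^[[:space:]]*[#;]/ { next }                      # skip comment lines
        /^[[:space:]]*\[/ {                               # section header
            line = $0; gsub(/[[:space:]]/, "", line)
            insec = (line == sec); next
        }
        insec && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); val = $0
        }
        END { print val }' "$1"
}

# jail_check FILE -> 0 if the sshd jail is enabled and the ignoreip
# placeholder from the post has actually been replaced.
jail_check() {
    [ "$(jail_get "$1" sshd enabled)" = "true" ] \
        || { echo "sshd jail is not enabled" >&2; return 1; }
    case "$(jail_get "$1" sshd ignoreip)" in
        *add.your.ip.here*) echo "ignoreip still contains the placeholder" >&2; return 1 ;;
    esac
    return 0
}

# make_sample_jail -> path of a constructed jail.local for trying the checks.
make_sample_jail() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
[DEFAULT]
bantime = 10m

[sshd]
# constructed sample modelled on the post's example
enabled = true
maxretry = 5
findtime = 1d
bantime = 4w
ignoreip = 127.0.0.1/8 203.0.113.10
port = ssh
EOF
    echo "$f"
}
```

jail_get only looks inside the named section; a key missing from [sshd] falls back to [DEFAULT] in fail2ban, so check both if a value seems absent. Once the service is running, `fail2ban-client status sshd` on the server shows the jail as fail2ban actually loaded it.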
💡 Now, it’s time to create a sudo user
Add sudo user
adduser username
Give permissions
usermod -aG sudo username
Log into sudo user
su - username
Create ssh user
sudo adduser sshexample
(replace sshexample with your desired name)
Give permissions
sudo usermod -aG ssh sshexample
Make ssh user folder
sudo mkdir -p "/home/sshexample/.ssh"
Add permissions to ssh user folder
sudo chmod 0700 "/home/sshexample/.ssh"
Take ownership of ssh user folder
sudo chown "sshexample:sshexample" "/home/sshexample/.ssh"
Create authorized keys file and add your ssh key
sudo nano "/home/sshexample/.ssh/authorized_keys"
COPY/PASTE YOUR SSH KEY (see the example below, generated in PuTTYgen):
CTRL-X to quit, press Y and ENTER to confirm
Take ownership of authorized keys file
sudo chown "sshexample:sshexample" "/home/sshexample/.ssh/authorized_keys"
Add permissions to authorized keys file
sudo chmod 0600 "/home/sshexample/.ssh/authorized_keys"
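The mkdir/chmod/chown/nano sequence above can be done in one function and then verified, which matters because sshd (with the default StrictModes) silently ignores a key file whose directory or file permissions are too open. This is an added example, not part of the original post: install_authorized_key creates the directory and file with the post's modes (0700 and 0600) and appends the key without duplicating it, check_ssh_perms verifies the modes, and SAMPLE_PUBKEY is a constructed placeholder to replace with your own public key. The OWNER argument is optional so the function can be tried on a temporary directory without root.

```shell
#!/bin/sh
# Added example (not from the original post): set up ~/.ssh/authorized_keys
# for a login user with the permissions the post specifies, then verify them.

# Constructed placeholder public key; replace with the key you generated.
SAMPLE_PUBKEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACE example@host"

# install_authorized_key HOME_DIR PUBKEY [OWNER]
# Creates HOME_DIR/.ssh/authorized_keys, appends PUBKEY once, sets 0700/0600
# and, when OWNER is given (requires root), chowns both to OWNER:OWNER.
install_authorized_key() {
    home="$1"; key="$2"; owner="$3"
    sshdir="$home/.ssh"; akf="$sshdir/authorized_keys"
    mkdir -p "$sshdir"
    chmod 0700 "$sshdir"
    touch "$akf"
    chmod 0600 "$akf"
    # One key per line; skip the append if this exact line is already present.
    grep -qxF "$key" "$akf" || printf '%s\n' "$key" >> "$akf"
    if [ -n "$owner" ]; then
        chown "$owner:$owner" "$sshdir" "$akf"
    fi
}

# check_ssh_perms HOME_DIR -> 0 if the modes match the post (700 dir, 600 file).
check_ssh_perms() {
    d="$(stat -c %a "$1/.ssh")" && f="$(stat -c %a "$1/.ssh/authorized_keys")" || return 1
    [ "$d" = "700" ] && [ "$f" = "600" ]
}

# key_count HOME_DIR -> number of non-empty lines in authorized_keys.
key_count() {
    grep -c . "$1/.ssh/authorized_keys"
}
```

On the server: `sudo sh -c '. ./thisfile.sh; install_authorized_key /home/sshexample "ssh-ed25519 AAAA..." sshexample'` followed by `check_ssh_perms /home/sshexample`. StrictModes also rejects a home directory that is group- or world-writable, so if the key is still refused, check the mode of /home/sshexample itself. Running the function twice with the same key leaves a single line, which is what the test below checks.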
Edit ssh settings
sudo nano /etc/pam.d/sshd
Comment out this line with #
#@include common-auth
CTRL-X to quit, press Y and ENTER to confirm
Edit ssh config
sudo nano /etc/ssh/sshd_config
Edit/uncomment (remove the leading #) these lines
Port 22
PermitRootLogin no (optional)
PasswordAuthentication no
UsePAM yes
🌟 Suggested configuration of ssh
Add this line at the end
AuthenticationMethods publickey
CTRL-X to quit, press Y and ENTER to confirm
Restart ssh
sudo service sshd restart
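One detail worth checking before you rely on the edits above: sshd takes the first uncommented occurrence of a keyword, not the last, so a "PasswordAuthentication yes" left uncommented higher up (or in a file pulled in by an Include line, as in Ubuntu's packaged config) wins over the "no" you added at the end. The following added example (not part of the original post) reads the effective value the way sshd does and audits the four settings the post edits; make_sample_sshd_config writes a constructed config that has exactly that mistake.

```shell
#!/bin/sh
# Added example (not from the original post): audit sshd_config for the settings
# the post edits, using first-match semantics as sshd does.

# sshd_effective FILE KEYWORD -> first uncommented value for KEYWORD
# (keyword match is case-insensitive). Stops at the first Match block, since
# settings after it apply only to matching connections.
sshd_effective() {
    awk -v key="$(echo "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blanks
        { k = tolower($1) }
        k == "match" { exit }
        k == key { print $2; exit }                       # first match wins
    ' "$1"
}

# sshd_audit FILE -> prints one FAIL line per deviation from the post's
# settings and returns the number of deviations (0 means all good).
sshd_audit() {
    fails=0
    for pair in "passwordauthentication=no" "permitrootlogin=no" \
                "usepam=yes" "authenticationmethods=publickey"; do
        key=${pair%%=*}; want=${pair#*=}
        got="$(sshd_effective "$1" "$key")"
        if [ "$got" != "$want" ]; then
            echo "FAIL $key: effective '${got:-unset}', expected '$want'"
            fails=$((fails + 1))
        fi
    done
    return $fails
}

# make_sample_sshd_config -> path of a constructed config where "no" was added
# at the end as the post says, but an earlier "yes" is still uncommented.
make_sample_sshd_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin no
PasswordAuthentication yes
UsePAM yes
PasswordAuthentication no
AuthenticationMethods publickey
EOF
    echo "$f"
}
```

Run `sshd_audit /etc/ssh/sshd_config` before restarting. On the server itself, `sudo sshd -T | grep -i passwordauthentication` prints the value sshd will actually use, including defaults and any included files, and `sudo sshd -t` reports syntax errors that would otherwise stop the service from coming back up after the restart.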
🚫WARNING🚫
✅ Check the SSH login in a new session while keeping the old one open (exit the new window once the ssh login works)
📍 If it’s not working, retrace your steps and see what went wrong, otherwise continue on to the next part.
Switch to root and reboot
sudo su
reboot
Our MAP Protocol community has also contributed to this piece. 💙 Huge thanks to the community!
About MAP Protocol
MAP Protocol is the omnichain layer for Web3 with fully secure cross-chain communication built on Light-client and zk-SNARK technology. MAP provides the cross-chain infrastructure to public chains and dApps by connecting both EVM with non-EVM chains. Developers can access a full suite of SDKs so their dApps can easily become omnichain applications.