Security Check-up — Installing Firewall and Creating an SSH User

This guide is written with a clean server in mind: a fresh Ubuntu 20.04 install, logged in as root.

🌟 Let’s start with some updates

apt update && apt upgrade

Change the root password (if needed)

passwd

Install firewall

apt install ufw

Add block/allow list

ufw deny to 10.0.0.0/8
ufw deny from 10.0.0.0/8
ufw deny to 172.16.0.0/12
ufw deny from 172.16.0.0/12
ufw deny to 192.168.0.0/16
ufw deny from 192.168.0.0/16
ufw deny to 100.64.0.0/10
ufw deny from 100.64.0.0/10
ufw deny to 169.254.0.0/16
ufw deny from 169.254.0.0/16
ufw deny out from any to 10.0.0.0/8
ufw deny out from any to 172.16.0.0/12
ufw deny out from any to 192.168.0.0/16
ufw deny out from any to 100.64.0.0/10
ufw deny out from any to 198.18.0.0/15
ufw deny out from any to 169.254.0.0/16
ufw allow 30321
ufw allow 22

📍 The original list also denied 172.0.0.0/24. That is public address space, not a private range; the RFC 1918 block is 172.16.0.0/12, which is already covered, so those two rules are dropped here.

📍 ufw's default policy already denies incoming and allows outgoing traffic, so the "deny out" rules are the ones that change behaviour; the inbound denies make the intent explicit. Denying outbound traffic to 169.254.0.0/16 also cuts off the cloud metadata endpoint 169.254.169.254, which cloud-init and some providers' agents rely on, so leave that rule out on hosts that need it.

📍 ufw allow 22 must be present before you run ufw enable, or the firewall will drop your own SSH session. Port 30321 is the extra application port this guide opens; only allow ports you actually serve on.

Enable firewall

ufw enable

Check firewall status

ufw status
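The firewall steps above, as an added example that is not part of the original guide: a POSIX shell script that checks every range in the block list really is non-public address space (so a typo like 172.0.0.0/24 is refused instead of silently blocking part of the Internet), records the same deny/allow rules as the guide, and only enables ufw once the SSH allow rule is confirmed in `ufw show added` (while the firewall is still inactive, `ufw status` lists no rules, so it cannot be used for this check). It assumes Ubuntu with ufw installed and is run as root with the argument `apply`; the `ufw show added` text used in the test is constructed, and the pure-shell CIDR arithmetic is mine.

```shell
#!/bin/sh
# Added example (not part of the original guide): validate the block list and apply it
# without locking yourself out. Run as root:  sh harden-ufw.sh apply
set -eu

SSH_PORT=22
APP_PORT=30321   # the extra port the guide opens; change it to your service's port
# Non-public space: RFC 1918, RFC 6598 (CGNAT), RFC 3927 (link-local), RFC 2544 (benchmarks)
NONPUBLIC_RANGES="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 100.64.0.0/10 169.254.0.0/16 198.18.0.0/15"
# What this host should deny (the guide's list). Every entry must fall inside NONPUBLIC_RANGES.
BLOCKED_RANGES="$NONPUBLIC_RANGES"

# ip4_to_int A.B.C.D -> the address as a 32-bit integer (pure shell arithmetic)
ip4_to_int() {
  oldifs=$IFS; IFS=.
  set -- $1
  IFS=$oldifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_contains OUTER INNER -> 0 if every address of INNER lies inside OUTER
cidr_contains() {
  onet=${1%/*}; opfx=${1#*/}; inet=${2%/*}; ipfx=${2#*/}
  [ "$ipfx" -ge "$opfx" ] || return 1
  mask=$(( opfx == 0 ? 0 : (4294967295 << (32 - opfx)) & 4294967295 ))
  [ $(( $(ip4_to_int "$onet") & mask )) -eq $(( $(ip4_to_int "$inet") & mask )) ]
}

# is_blockable_range CIDR -> 0 only if CIDR sits inside one of NONPUBLIC_RANGES; this catches
# typos such as 172.0.0.0/24, which is public space, not the RFC 1918 block 172.16.0.0/12
is_blockable_range() {
  for r in $NONPUBLIC_RANGES; do
    cidr_contains "$r" "$1" && return 0
  done
  return 1
}

# ssh_rule_added ADDED_TEXT PORT -> 0 if `ufw show added` output already lists an allow for PORT
ssh_rule_added() {
  printf '%s\n' "$1" | grep -Eq "^ufw allow( in)? ${2}(/tcp)?([[:space:]]|\$)"
}

apply_rules() {
  for r in $BLOCKED_RANGES; do
    is_blockable_range "$r" || { echo "refusing to add a rule for public range $r" >&2; return 1; }
    ufw deny from "$r"
    ufw deny to "$r"
    ufw deny out from any to "$r"   # 169.254.0.0/16 includes the cloud metadata endpoint 169.254.169.254
  done
  ufw allow "$APP_PORT"
  ufw allow "$SSH_PORT/tcp"
  # Lock-out guard: never enable until the SSH allow rule is actually recorded.
  ssh_rule_added "$(ufw show added)" "$SSH_PORT" || { echo "SSH rule missing, not enabling" >&2; return 1; }
  ufw --force enable
  ufw status verbose
}

# Only touch the firewall when explicitly asked, as root, on a host that has ufw.
if [ "${1:-}" = apply ] && [ "$(id -u)" -eq 0 ] && command -v ufw >/dev/null 2>&1; then
  apply_rules
fi
```

The script denies inbound and outbound traffic for every listed range (the guide only adds the outbound rule for 198.18.0.0/15; the extra inbound denies are redundant with ufw's default policy and harmless). `ufw --force enable` skips the interactive "may disrupt existing ssh connections" prompt, which is safe here only because the guard has just verified the allow rule.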

😎Everything looks okay? Let’s move on to the next step

Install fail2ban

apt-get install -y fail2ban

Copy the config to a local override file

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

📍 fail2ban reads jail.conf first and then jail.local, so jail.local only needs the settings you change. Copying the whole file works, but it also freezes every default at today's values; a jail.local containing just the [sshd] section below is easier to maintain.

Edit jail file

nano /etc/fail2ban/jail.local

Config example

[sshd]
# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and det>
#mode = normal
enabled = true
maxretry = 5
findtime = 1d
bantime = 4w
ignoreip = 127.0.0.1/8 add.your.ip.here
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s

📍 Replace add.your.ip.here with the public IP you connect from, so that your own failed attempts can never ban you. With these values, 5 failures within one day (findtime) lead to a four-week ban (bantime). If you later move sshd to another port, set port = to that port as well, otherwise the ban rule will not cover it.

🪄 Use CTRL-X to quit, press Y and ENTER to confirm

Start and enable fail2ban

systemctl start fail2ban
systemctl enable fail2ban

📍 Confirm the sshd jail is actually running (fail2ban-client status sshd) before moving on; a mistake in jail.local stops the service from starting.

💡 Now, it’s time to create a sudo user

Add sudo user

adduser username

Give permissions

usermod -aG sudo username

Switch to the sudo user

su - username

Create the ssh user (replace sshexample with the name you want)

sudo adduser sshexample

Give permissions

sudo usermod -aG ssh sshexample

📍 Membership in the ssh group has no effect on its own: sshd only consults it if sshd_config contains AllowGroups ssh, in which case every account that should log in over SSH must be in the group. Without that directive the step is harmless but does nothing.

Make ssh user folder

sudo mkdir -p "/home/sshexample/.ssh"

Add permissions to ssh user folder

sudo chmod 0700 "/home/sshexample/.ssh"

Take ownership of ssh user folder

sudo chown "sshexample:sshexample" "/home/sshexample/.ssh"

Create the authorized_keys file and add your public key

sudo nano "/home/sshexample/.ssh/authorized_keys"

Paste your public key as a single line of the form <type> <base64> [comment], for example ssh-ed25519 AAAA... or ssh-rsa AAAA.... If you generated the key in PuTTYgen, copy it from the box labelled "Public key for pasting into OpenSSH authorized_keys file"; the .pub file PuTTYgen saves is in RFC 4716 format (---- BEGIN SSH2 PUBLIC KEY ----, wrapped over several lines) and is not accepted by OpenSSH's authorized_keys. The private key never leaves your workstation.

CTRL-X to quit, press Y and ENTER to confirm

Take ownership of authorized keys file

sudo chown "sshexample:sshexample" "/home/sshexample/.ssh/authorized_keys"

Add permissions to authorized keys file

sudo chmod 0600 "/home/sshexample/.ssh/authorized_keys"
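The user-creation steps above, as an added example that is not part of the original guide: a POSIX shell script that creates the key-only account with the same ownership and permissions (0700 on .ssh, 0600 on authorized_keys), but refuses a pasted key that is not a single OpenSSH-format line, which is the usual reason a freshly installed key "doesn't work" (the RFC 4716 file PuTTYgen saves, or a key wrapped across lines). It is run as root with the user name and the key line as arguments; unlike the interactive adduser on the page it creates the account without any password, since this account only ever logs in with a key. The sample key lines in the test are constructed and are not real keys.

```shell
#!/bin/sh
# Added example (not part of the original guide): create a key-only user and install its key.
# Run as root:  sh make-ssh-user.sh sshexample "ssh-ed25519 AAAA... you@laptop"
set -eu

# is_openssh_pubkey LINE -> 0 if LINE is exactly one "<type> <base64> [comment]" line, which is
# what authorized_keys expects. PuTTYgen's saved .pub file is RFC 4716 ("---- BEGIN SSH2 PUBLIC
# KEY ----" followed by wrapped base64) and is rejected; copy from PuTTYgen's "Public key for
# pasting into OpenSSH authorized_keys file" box instead.
is_openssh_pubkey() {
  nl=$(printf '\nx'); nl=${nl%x}
  case $1 in *"$nl"*) return 1 ;; esac   # a key broken across lines is never valid
  printf '%s\n' "$1" | grep -Eq '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com) AAAA[A-Za-z0-9+/]+=*( .*)?$'
}

# create_key_user NAME KEYLINE -> account with no password, 0700 ~/.ssh, 0600 authorized_keys
create_key_user() {
  name=$1; key=$2
  is_openssh_pubkey "$key" || { echo "refusing: not an OpenSSH public key line" >&2; return 1; }
  id "$name" >/dev/null 2>&1 || adduser --disabled-password --gecos "" "$name"
  # As on the page; only meaningful if sshd_config has "AllowGroups ssh".
  getent group ssh >/dev/null 2>&1 && usermod -aG ssh "$name"
  home=$(getent passwd "$name" | cut -d: -f6)
  install -d -m 0700 -o "$name" -g "$name" "$home/.ssh"
  printf '%s\n' "$key" >>"$home/.ssh/authorized_keys"
  chown "$name:$name" "$home/.ssh/authorized_keys"
  chmod 0600 "$home/.ssh/authorized_keys"
}

# Only create the account when both arguments are given and we are root.
if [ "$#" -eq 2 ] && [ "$(id -u)" -eq 0 ]; then
  create_key_user "$1" "$2"
fi
```

sshd silently ignores an authorized_keys file whose directory or file is writable by others (StrictModes), so the install/chmod/chown order matters as much as the key format.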

Edit the PAM settings for ssh

sudo nano /etc/pam.d/sshd

Comment out this line with #

#@include common-auth

📍 This removes password checking from sshd's PAM stack, so even if PasswordAuthentication were switched back on by mistake, no password could be accepted over SSH. The remaining PAM lines (account, session) are still needed with UsePAM yes below. The change applies to every new login immediately, including your root password login, so keep the session you are in open until the key login has been tested.

CTRL-X to quit, press Y and ENTER to confirm

Edit the ssh config

sudo nano /etc/ssh/sshd_config

Edit/uncomment (remove #) these lines

Port 22
PermitRootLogin no (optional, but recommended now that you have a sudo user)
PasswordAuthentication no
UsePAM yes

📍 sshd uses the first value it finds for a keyword, and Ubuntu 20.04's sshd_config begins with Include /etc/ssh/sshd_config.d/*.conf. Make sure no earlier line or drop-in file sets PasswordAuthentication yes, otherwise a "no" further down is ignored; sshd -T prints the settings sshd will actually use.

🌟 Suggested configuration of ssh

Add this line at the end

AuthenticationMethods publickey

CTRL-X to quit, press Y and ENTER to confirm

Check and restart ssh

sudo service sshd restart

📍 Validate the file with sshd -t before restarting; a syntax error would stop sshd from coming back up. Keep the session you are in open, and test the new key login from a second terminal before closing it.
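The sshd_config edits above, as an added example that is not part of the original guide: a POSIX shell script that reports the value sshd will really use for PasswordAuthentication, PermitRootLogin and AuthenticationMethods, applying sshd's first-match rule, and then runs the same check against `sshd -T` (the fully parsed configuration, including Include files; needs root). The configuration texts in the test are constructed to show the gotcha the note above describes: a "no" appended at the end loses to an uncommented "yes" higher up.

```shell
#!/bin/sh
# Added example (not part of the original guide): confirm which sshd settings are in effect.
# sshd takes the FIRST value it meets for a keyword, so a line appended at the end of
# sshd_config loses to any earlier uncommented line or to a drop-in pulled in by Include.
# Run as root:  sh check-sshd.sh live
set -eu

# sshd_first_value KEY CONFIG_TEXT -> the first uncommented value of KEY (case-insensitive), or nothing
sshd_first_value() {
  printf '%s\n' "$2" | awk -v key="$1" 'tolower($1) == tolower(key) { print $2; exit }'
}

# sshd_config_ok CONFIG_TEXT -> 0 when the hardening this guide asks for is what sshd will use
sshd_config_ok() {
  [ "$(sshd_first_value PasswordAuthentication "$1")" = no ] || return 1
  [ "$(sshd_first_value PermitRootLogin "$1")" = no ] || return 1
  [ "$(sshd_first_value AuthenticationMethods "$1")" = publickey ] || return 1
}

# check_live_sshd -> the same check on what sshd actually parsed. `sshd -T` resolves Includes and
# defaults and needs root; `sshd -t` (syntax check) is what to run before restarting the service.
check_live_sshd() {
  command -v sshd >/dev/null 2>&1 || { echo "sshd not installed" >&2; return 2; }
  sshd_config_ok "$(sshd -T 2>/dev/null)"
}

if [ "${1:-}" = live ] && [ "$(id -u)" -eq 0 ]; then
  check_live_sshd && echo "sshd config OK" || { echo "sshd config NOT hardened" >&2; exit 1; }
fi
```

`sshd -T` prints keywords in lower case (for example `passwordauthentication no`), which is why the comparison is case-insensitive; an unset AuthenticationMethods shows up there as `any`, which the check correctly rejects.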

🚫WARNING🚫

📍 Do not close your root session until you have logged in as sshexample with the key from a second terminal and reached your sudo user from there with su - username. If the key login is refused, retrace your steps from the still-open session (permissions on .ssh and authorized_keys, the key line format, and what sshd -T reports); otherwise continue on to the next part.

Switch to root and reboot

sudo su
reboot

Our MAP Protocol community has also contributed to this piece. 💙 Huge thanks to the community!
