Security Check-up — Installing Firewall and Creating an SSH User

🌟 Let’s start with some updates

Update system

apt update && apt upgrade
passwd
apt install ufw
ufw deny to 10.0.0.0/8
ufw deny from 10.0.0.0/8
ufw deny to 172.0.0.0/24
ufw deny from 172.0.0.0/24
ufw deny to 172.16.0.0/12
ufw deny from 172.16.0.0/12
ufw deny to 192.168.0.0/16
ufw deny from 192.168.0.0/16
ufw deny to 100.64.0.0/10
ufw deny from 100.64.0.0/10
ufw deny to 169.254.0.0/16
ufw deny from 169.254.0.0/16
ufw deny out from any to 10.0.0.0/8
ufw deny out from any to 172.16.0.0/12
ufw deny out from any to 192.168.0.0/16
ufw deny out from any to 100.64.0.0/10
ufw deny out from any to 198.18.0.0/15
ufw deny out from any to 169.254.0.0/16
ufw allow 30321
ufw allow 22
ufw enable
ufw status
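The deny rules above cover the private, carrier-grade NAT, benchmarking and link-local ranges. As an added example (not from the original post, and not a ufw tool), this POSIX sh script tests which of those ranges a given address falls into, so you can sanity-check the list before enabling the firewall. The function names are my own; it assumes a 64-bit shell such as dash or bash and needs no network access.

```shell
#!/bin/sh
# Added example, not part of the original post: test which of the post's
# deny-listed ranges an address falls into, using only POSIX sh arithmetic
# (assumes a 64-bit shell such as dash or bash; no network access needed).

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
  _a=${1%%.*}; _rest=${1#*.}
  _b=${_rest%%.*}; _rest=${_rest#*.}
  _c=${_rest%%.*}; _d=${_rest#*.}
  echo $(( (_a << 24) | (_b << 16) | (_c << 8) | _d ))
}

# Return 0 if address $1 lies inside network $2 (CIDR notation), else 1.
ip_in_cidr() {
  _net=${2%/*}
  _bits=${2#*/}
  # Mask with the top $_bits bits set; 4294967295 is 0xffffffff.
  _mask=$(( (4294967295 << (32 - _bits)) & 4294967295 ))
  [ $(( $(ip_to_int "$1") & _mask )) -eq $(( $(ip_to_int "$_net") & _mask )) ]
}

# The ranges the post's deny rules cover. 172.0.0.0/24 is reproduced as the post
# writes it; RFC 1918 private space is 172.16.0.0/12, which is listed too.
DENIED_RANGES="10.0.0.0/8 172.0.0.0/24 172.16.0.0/12 192.168.0.0/16 100.64.0.0/10 198.18.0.0/15 169.254.0.0/16"

# Print the first denied range containing $1 and return 0; return 1 if none.
denied_range_for() {
  for _r in $DENIED_RANGES; do
    if ip_in_cidr "$1" "$_r"; then
      echo "$_r"
      return 0
    fi
  done
  return 1
}

# Constructed sample addresses: walk them and report what the rule set does.
report() {
  for _ip in 10.1.2.3 172.16.5.5 172.31.255.1 172.32.0.1 172.0.0.9 \
             100.127.0.1 198.19.0.1 169.254.10.10 8.8.8.8; do
    if _r=$(denied_range_for "$_ip"); then
      echo "$_ip  denied by $_r"
    else
      echo "$_ip  not matched by any deny rule"
    fi
  done
}

report
```

Run it as `sh ranges.sh`; the 172.31.255.1 / 172.32.0.1 pair shows where the /12 boundary sits, and 8.8.8.8 shows that public addresses are untouched by the deny list.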

😎Everything looks okay? Let’s move on to the next step

➡️ Installing fail2ban and creating an ssh user to log in with.

apt-get install -y fail2ban
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
nano /etc/fail2ban/jail.local
[sshd]
# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode = normal
enabled = true
maxretry = 5
findtime = 1d
bantime = 4w
ignoreip = 127.0.0.1/8 add.your.ip.here
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
systemctl start fail2ban
systemctl enable fail2ban
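To see what maxretry = 5 and findtime = 1d actually mean, here is an added example (not from the original post and not fail2ban's own filter): a simplified sliding-window replay of the jail over constructed auth.log lines. It assumes all lines fall in one month, so day and time alone are enough to order them; the function name and sample log are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: a simplified replay of the
# jail above (maxretry = 5 within findtime = 1d) over constructed auth.log
# lines, to show which sources would be banned. This is my own model of the
# sliding window, not fail2ban's sshd filter; timestamps are assumed to be in
# one month so "day*86400 + time-of-day" is enough to order them.

# Usage: simulate_jail <maxretry> <findtime-seconds> < auth.log
# Prints one line per source that reaches maxretry failures inside findtime.
simulate_jail() {
  awk -v maxretry="$1" -v findtime="$2" '
    function tosec(day, hms,  a) {
      split(hms, a, ":")
      return day * 86400 + a[1] * 3600 + a[2] * 60 + a[3]
    }
    /sshd\[[0-9]+\]: Failed password for/ {
      ip = ""
      for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
      if (ip == "") next
      now = tosec($2, $3)
      n[ip]++
      ts[ip, n[ip]] = now
      # count failures from this source that are still inside the window
      c = 0
      for (i = 1; i <= n[ip]; i++) if (ts[ip, i] > now - findtime) c++
      if (c >= maxretry && !(ip in banned)) {
        banned[ip] = 1
        print ip " would be banned at " $1 " " $2 " " $3 " after " c " failures within findtime"
      }
    }'
}

# Constructed sample log (documentation addresses, not real traffic):
# 203.0.113.5 fails five times in 15 seconds; 192.0.2.9 also fails five
# times in total, but spread over three days so never five inside one day.
SAMPLE_AUTH_LOG='Jan 10 10:00:01 node sshd[1201]: Failed password for root from 203.0.113.5 port 50001 ssh2
Jan 10 10:00:04 node sshd[1202]: Failed password for root from 203.0.113.5 port 50002 ssh2
Jan 10 10:00:07 node sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 50003 ssh2
Jan 10 10:00:09 node sshd[1204]: Failed password for invalid user admin from 203.0.113.5 port 50004 ssh2
Jan 10 10:00:12 node sshd[1205]: Accepted publickey for sshexample from 198.51.100.7 port 50100 ssh2
Jan 10 10:00:15 node sshd[1206]: Failed password for root from 203.0.113.5 port 50005 ssh2
Jan 10 11:00:00 node sshd[1300]: Failed password for root from 192.0.2.9 port 50200 ssh2
Jan 10 11:00:05 node sshd[1301]: Failed password for root from 192.0.2.9 port 50201 ssh2
Jan 11 11:00:00 node sshd[1400]: Failed password for root from 192.0.2.9 port 50300 ssh2
Jan 11 11:00:05 node sshd[1401]: Failed password for root from 192.0.2.9 port 50301 ssh2
Jan 12 10:30:00 node sshd[1500]: Failed password for root from 192.0.2.9 port 50400 ssh2'

printf '%s\n' "$SAMPLE_AUTH_LOG" | simulate_jail 5 86400
```

Only 203.0.113.5 is reported: 192.0.2.9 never has five failures inside a single findtime window, which is why a low maxretry on its own is not a substitute for key-only authentication.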

💡 Now, it’s time to create a sudo user

Add sudo user

adduser username

Give permissions

usermod -aG sudo username

Log into sudo user

su - username

Create ssh user (replace sshexample with the name you want)

sudo adduser sshexample

Give permissions

sudo usermod -aG ssh sshexample

Make ssh user folder

sudo mkdir -p "/home/sshexample/.ssh"

Add permissions to ssh user folder

sudo chmod 0700 "/home/sshexample/.ssh"

Take ownership of ssh user folder

sudo chown "sshexample:sshexample" "/home/sshexample/.ssh"

Create authorized keys file and add your ssh key

sudo nano "/home/sshexample/.ssh/authorized_keys"

Take ownership of authorized keys file

sudo chown "sshexample:sshexample" "/home/sshexample/.ssh/authorized_keys"

Add permissions to authorized keys file

sudo chmod 0600 "/home/sshexample/.ssh/authorized_keys"
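sshd runs a StrictModes check and silently ignores authorized_keys when the directory or file is too open or owned by someone else, so it is worth verifying the result of the steps above before you close your root session. This added example (my own script, not from the original post) checks the modes, the owner and that the file actually holds at least one key entry; it assumes GNU coreutils (stat -c) as shipped on Debian/Ubuntu and runs its demo on a throwaway temp directory.

```shell
#!/bin/sh
# Added example, not part of the original post: verify the ownership and modes
# the steps above set on a user's ~/.ssh and authorized_keys, which sshd's
# StrictModes check requires before it will accept the keys. Assumes GNU
# coreutils (stat -c) as found on Debian/Ubuntu; function names are my own.

# Usage: check_ssh_perms <home-dir> <expected-owner>
# Prints one line per problem found; returns 0 when everything is as expected.
check_ssh_perms() {
  _home=$1
  _owner=$2
  _rc=0
  _dir="$_home/.ssh"
  _keys="$_dir/authorized_keys"

  [ -d "$_dir" ] || { echo "missing directory: $_dir"; return 1; }
  # stat -c '%a %U' prints "<octal mode> <owner>".
  set -- $(stat -c '%a %U' "$_dir")
  [ "$1" = 700 ] || { echo "$_dir: mode is $1, expected 700"; _rc=1; }
  [ "$2" = "$_owner" ] || { echo "$_dir: owner is $2, expected $_owner"; _rc=1; }

  [ -f "$_keys" ] || { echo "missing file: $_keys"; return 1; }
  set -- $(stat -c '%a %U' "$_keys")
  [ "$1" = 600 ] || { echo "$_keys: mode is $1, expected 600"; _rc=1; }
  [ "$2" = "$_owner" ] || { echo "$_keys: owner is $2, expected $_owner"; _rc=1; }

  # Each non-comment, non-blank line should carry a recognised key type; an
  # empty file means key-only login will lock the user out.
  _n=0
  while IFS= read -r _line || [ -n "$_line" ]; do
    case $_line in
      ''|'#'*) continue ;;
    esac
    _n=$((_n + 1))
    case $_line in
      *"ssh-ed25519 "*|*"ssh-rsa "*|*"ecdsa-sha2-nistp"*|*"sk-ssh-ed25519"*|*"sk-ecdsa-"*) ;;
      *) echo "$_keys: entry $_n has no recognised key type"; _rc=1 ;;
    esac
  done < "$_keys"
  [ "$_n" -gt 0 ] || { echo "$_keys: contains no keys, key login would fail"; _rc=1; }
  return $_rc
}

# Demo on a constructed home directory (a temp dir, so nothing real is touched).
demo() {
  _tmp=$(mktemp -d)
  mkdir -p "$_tmp/home/.ssh"
  chmod 700 "$_tmp/home/.ssh"
  # Constructed placeholder key line, not a real public key.
  printf '%s\n' "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYMATERIAL000000000000000 you@laptop" \
    > "$_tmp/home/.ssh/authorized_keys"
  chmod 600 "$_tmp/home/.ssh/authorized_keys"
  echo "correct layout:"
  check_ssh_perms "$_tmp/home" "$(id -un)" && echo "  ok"
  chmod 644 "$_tmp/home/.ssh/authorized_keys"
  echo "after chmod 644 authorized_keys:"
  check_ssh_perms "$_tmp/home" "$(id -un)" || echo "  (sshd would ignore this file with StrictModes)"
  rm -rf "$_tmp"
}

demo
```

On the real host run `check_ssh_perms /home/sshexample sshexample` as root after the chmod/chown steps; StrictModes also refuses a home directory that is group- or world-writable, so keep /home/sshexample itself at its default mode.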

Edit ssh settings

sudo nano /etc/pam.d/sshd

Comment out this line with #

#@include common-auth

Edit ssh config

sudo nano /etc/ssh/sshd_config

Edit/uncomment (remove #) these lines; PermitRootLogin no is optional

Port 22
PermitRootLogin no
PasswordAuthentication no
UsePAM yes

🌟 Suggested configuration of ssh

Add this line at the end

AuthenticationMethods publickey

Restart ssh

sudo service sshd restart
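Editing sshd_config is not always enough: sshd keeps the first value it reads for each keyword, and Ubuntu's sshd_config begins with `Include /etc/ssh/sshd_config.d/*.conf`, so a drop-in there can keep PasswordAuthentication on even though the line you edited says no. `sshd -T` prints the merged settings sshd will really use. This added example (my own function, not from the original post) reads that output and checks the four settings this guide asks for; it treats PermitRootLogin no as required even though the guide marks it optional, and the sample outputs are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: check the settings sshd will
# actually use rather than the text you edited. sshd keeps the first value it
# reads for each keyword, and Ubuntu's sshd_config begins with
# "Include /etc/ssh/sshd_config.d/*.conf", so a drop-in there can override the
# lines above. "sshd -T" prints the merged result as lower-cased "keyword value"
# lines; this function (my own, not a stock tool) reads that format from stdin.

# The values this guide asks for, keyed by sshd -T's lower-case keyword.
wanted_value() {
  case $1 in
    passwordauthentication) echo no ;;
    permitrootlogin)        echo no ;;
    usepam)                 echo yes ;;
    authenticationmethods)  echo publickey ;;
  esac
}
REQUIRED_KEYS="passwordauthentication permitrootlogin usepam authenticationmethods"

# Usage: sshd -T | check_sshd_effective
# Prints one line per mismatch or missing keyword; returns 0 when all hold.
check_sshd_effective() {
  _rc=0
  _seen=" "
  while IFS= read -r _line || [ -n "$_line" ]; do
    _key=${_line%% *}
    _val=${_line#* }
    case " $REQUIRED_KEYS " in
      *" $_key "*)
        _seen="$_seen$_key "
        _want=$(wanted_value "$_key")
        if [ "$_val" != "$_want" ]; then
          echo "$_key is '$_val', expected '$_want'"
          _rc=1
        fi ;;
    esac
  done
  for _k in $REQUIRED_KEYS; do
    case $_seen in
      *" $_k "*) ;;
      *) echo "$_k missing from sshd -T output"; _rc=1 ;;
    esac
  done
  return $_rc
}

# Constructed sshd -T excerpts (not real output from any host).
SAMPLE_HARDENED='port 22
permitrootlogin no
passwordauthentication no
usepam yes
authenticationmethods publickey'

# A drop-in left PasswordAuthentication on and the extra line was never added.
SAMPLE_DRIFTED='port 22
permitrootlogin no
passwordauthentication yes
usepam yes'

echo "hardened sample:"
printf '%s\n' "$SAMPLE_HARDENED" | check_sshd_effective && echo "  ok"
echo "drifted sample:"
printf '%s\n' "$SAMPLE_DRIFTED" | check_sshd_effective || echo "  fix this before closing your other session"
```

On the host, run `sudo sshd -T | check_sshd_effective` after the restart; if it reports a mismatch, look in /etc/ssh/sshd_config.d/ for the file supplying the earlier value.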

🚫WARNING🚫

✅ Check the SSH login in a new session while keeping the old one open (exit the new window once the SSH login works)

Switch to root and reboot

sudo su
reboot

Our MAP Protocol community has also contributed to this piece. 💙 Huge thanks to the community!

About MAP Protocol

MAP Protocol is the omnichain layer for Web3 with fully secure cross-chain communication built on Light-client and zk-SNARK technology. MAP provides the cross-chain infrastructure to public chains and dApps by connecting both EVM with non-EVM chains. Developers can access a full suite of SDKs so their dApps can easily become omnichain applications.
