Quick guide to set up a server and make it "secure"
Once you get your root access to the server, that's cool but not very safe.
Connect to the server
Use passwd to change the root password
Create new sudoer user on the server
Edit sudoers file
louis ALL=(ALL) ALL
Create local keys
On your local machine, create a set of keys using
ssh-keygen -t rsa
You'll get 2 files, id_rsa and id_rsa.pub. That last one is the public key.
Copy the public key to the server
scp ~/.ssh/id_rsa.pub firstname.lastname@example.org:/home/louis/
Set up the public key for the new user
Login to the server with root
Create a .ssh folder in your home folder (for instance: /home/louis/.ssh), then move id_rsa.pub to the .ssh folder and rename it as authorized_keys
mv /home/louis/id_rsa.pub /home/louis/.ssh/authorized_keys
Set permissions properly.
chown -R louis:louis /home/louis/.ssh
chmod 700 /home/louis/.ssh
chmod 600 /home/louis/.ssh/authorized_keys
Change SSH configuration
Edit the ssh configuration file
# change Port to a port of your choosing
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
UseDNS no
AllowUsers louis

Change this as you want; this is just an example for strict SSH access.
PermitRootLogin can be changed to without-password so you can only login using a private key.
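Before restarting, it is worth checking which values sshd will actually use from the file. The script below is an added example, not part of the original guide: it audits a config file against the strict settings above, and the function names (effective_value, audit_sshd, demo) and the sample file are constructed for illustration.

```shell
# Added example (not from the original guide): audit an sshd_config-style file
# against the strict settings shown above. sshd keeps the FIRST value it reads
# for a keyword and keywords are case-insensitive, so a later
# "PasswordAuthentication no" does not override an earlier "yes".
# Assumption: Include files and Match blocks are not evaluated.

# effective_value FILE KEYWORD: print the first value set for KEYWORD, lowercased
effective_value() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/          { next }   # skip comments and blank lines
        tolower($1) == "match"  { exit }   # global section ends at first Match
        tolower($1) == want     { print tolower($2); exit }
    ' "$1"
}

# audit_sshd FILE: print one line per check; exit status = number of failures
audit_sshd() {
    fails=0
    for pair in permitrootlogin:no passwordauthentication:no; do
        key=${pair%%:*}
        expected=${pair#*:}
        actual=$(effective_value "$1" "$key")
        if [ "$actual" = "$expected" ]; then
            echo "OK   $key $actual"
        else
            echo "FAIL $key is '${actual:-unset}', expected '$expected'"
            fails=$((fails + 1))
        fi
    done
    # Without AllowUsers, login is not restricted to named accounts.
    if [ -z "$(effective_value "$1" allowusers)" ]; then
        echo "FAIL allowusers is unset"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# demo: constructed sample where an early "yes" wins over the later "no"
demo() {
    sample=$(mktemp)
    printf '%s\n' 'PasswordAuthentication yes' 'PermitRootLogin no' \
        'AllowUsers louis' 'passwordauthentication no' > "$sample"
    rc=0
    audit_sshd "$sample" || rc=$?
    rm -f "$sample"
    return "$rc"
}
```

On the server itself, sudo sshd -t checks the file for syntax errors and sudo sshd -T prints the effective configuration, which is the authoritative answer when Include or Match are in play.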
Restart SSH service
sudo service sshd restart or sudo service ssh restart, depending on your distribution.
Test logging in
ssh -i ~/.ssh/id_rsa email@example.com
Setup your firewall - iptables
We'll be using the well known
Copy and paste the
script-init-iptables.sh into a file.
Give that file exec permission with chmod +x script-init-iptables.sh and run it
Be aware that if something goes wrong, you can get locked out of your own server. Use this file with caution.
You can use iptables -L to look at the current rules.
Block bots - Setup fail2ban
apt-get install fail2ban
Create and edit a custom config file for fail2ban
sudo nano /etc/fail2ban/jail.local
Basically, you can copy rules from jail.conf that you want to customize.
Then enable fail2ban for some services
[apache]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 6

[postfix]
enabled = true
port = smtp,ssmtp
filter = postfix
logpath = /var/log/mail.log

[ssh]
enabled = true
port = ssh,sftp
filter = sshd
logpath = /var/log/auth.log
Before that, check that your SSH is correctly logging failed attempts into the log file. Same for all your rules. If nothing is logged into files, fail2ban is pretty much useless.
Run sudo service fail2ban restart to make the changes active. If it fails, it might be that your config file is not correct. Just comment out some rules and try reloading it, until you find the rule that's breaking it.
sudo fail2ban-client status will show you the current status of fail2ban
Status
|- Number of jail: 2
`- Jail list: ssh, sshd
And to get details about a jail, use
sudo fail2ban-client status ssh
Status for the jail: ssh
|- Filter
|  |- Currently failed: 1
|  |- Total failed: 2
|  `- File list: /var/log/auth.log
`- Actions
   |- Currently banned: 0
   |- Total banned: 0
   `- Banned IP list:
More to come...
Setup spam protection
More to come