This configuration is suitable for most secure servers.
# Run these as root. Create the unprivileged account that will be used for
# remote logins instead of root.
adduser user_bob # Add user_bob
# Install sudo in case it is not already present.
apt-get install sudo
# Put user_bob in the sudo group. Confirm that user_bob can log in and that
# `sudo -v` succeeds before the root account is locked in the next step;
# otherwise the server is left without a working administrative account.
adduser user_bob sudo # Add sudo privileges to user_bob
Log in over SSH using the user_bob account you set up.
# Open a root shell from the user_bob session.
sudo su
# -d removes root's password and -l locks the account, so root can no longer
# authenticate with a password; administration continues through sudo.
passwd -dl root # Disable the root account
# NOTE(review): sshd's configuration has not been changed yet at this point,
# so this first restart looks optional.
sudo systemctl restart sshd # Restart the SSH service
# Add the public key to the server. Run this on the client machine that holds
# the key pair, not on the server itself.
ssh-copy-id -i ~/.ssh/id_rsa.pub user_bob@example.com
sudo nano /etc/ssh/sshd_config
# The next three lines are sshd_config directives to set in the editor, not
# shell commands. These options allow both key and password access.
# In the real file keep each note on its own line: depending on the OpenSSH
# version, text after a directive's arguments may be rejected or read as extra
# arguments (for AllowUsers, as extra user names).
# Refuse direct root logins over SSH.
PermitRootLogin no
# Keeps password logins enabled alongside keys. Once key-based login for
# user_bob is confirmed, `PasswordAuthentication no` removes the
# password-guessing surface entirely.
PasswordAuthentication yes
# Only the accounts listed here may log in over SSH.
AllowUsers user_bob
# Check the file with `sudo sshd -t` first and keep the current session open
# until a fresh login succeeds, so a typo cannot lock you out.
sudo systemctl restart sshd # Restart the SSH service
*On CentOS, user names in AllowUsers are separated by spaces.
Fail2Ban scans log files such as /var/log/auth.log and bans IP addresses that make too many failed login attempts.
# Install Fail2Ban from the distribution repository (run as root or via sudo).
# With PasswordAuthentication left enabled in sshd_config, this is what limits
# repeated password guessing. `fail2ban-client status` lists the active jails
# once the service is running.
apt-get install fail2ban
The service starts automatically on Debian/Ubuntu.
# IPv4 inbound firewall. Rules are appended (-A) and evaluated top to bottom;
# the default policies are set last so the session used to enter the rules is
# not cut off part-way. These commands do not touch IPv6, which is filtered
# separately with ip6tables.
# Allow all traffic on the loopback interface.
iptables -A INPUT -i lo -j ACCEPT
# Allow packets that belong to, or are related to, connections already open.
# This also keeps the current SSH session alive when the policy becomes DROP.
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Option 1: SSH only from one static address. 265.265.265.265 is a placeholder
# and not a valid IPv4 address (an octet cannot exceed 255); substitute your own.
# `-m state --state` is the older spelling of the `-m conntrack --ctstate`
# match used above.
iptables -A INPUT -s 265.265.265.265 -m state --state NEW -p tcp --dport 22 -j ACCEPT
# Option 2: SSH from any address. Use one of the two options; if both are
# added, this rule makes the restricted one above redundant.
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Drop rules. Evaluation stops at the first matching ACCEPT, so packets already
# accepted by a rule above (e.g. any TCP packet to port 22 under option 2)
# never reach these checks.
# Packets that connection tracking cannot associate with any connection.
iptables -A INPUT -m state --state INVALID -j DROP
# TCP packets with all six listed flags set at once.
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
# New TCP connections whose first packet is not a plain SYN.
iptables -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
# TCP packets with none of the listed flags set.
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
# Default policies: drop anything inbound or forwarded that no rule accepted;
# outbound traffic is left unrestricted.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Rules entered with iptables live only in memory; install the persistence
# package, save the running rule set, and reload it to confirm the saved copy
# applies cleanly. Check that a new SSH login still works before relying on it.
apt install iptables-persistent
netfilter-persistent save
netfilter-persistent reload
# Show the swap areas currently in use
sudo swapon --show
# Or show memory and swap totals together
free -h
# Check free space on the file systems before creating the file
df -h
# Create a 1 GB swap file
# NOTE(review): on some file systems a file allocated with fallocate is not
# accepted by swapon; confirm with the check below.
sudo fallocate -l 1G /swapfilenew
# Restrict the file to root before it is used: swap can hold memory contents
# of any process, so it must not be readable by other users.
sudo chmod 600 /swapfilenew
# Write the swap signature to the file
sudo mkswap /swapfilenew
# Activate the swap file
sudo swapon /swapfilenew
# Check the result
sudo swapon --show
# Create a backup copy of fstab before editing it
sudo cp /etc/fstab /etc/fstab.bak
# Append the swap entry so it is activated at boot. tee -a appends on every
# run, so running this twice leaves a duplicate line.
echo '/swapfilenew none swap sw 0 0' | sudo tee -a /etc/fstab
# Disable the old swap file if you had one before
# NOTE(review): an existing /etc/fstab entry for /swapfile is not removed by
# this command — check the file.
sudo swapoff /swapfile
# Set the system hostname with hostnamectl (some_hostname is a placeholder)
sudo hostnamectl set-hostname some_hostname
# Add a matching record for the new hostname in /etc/hosts so the name
# resolves locally
sudo vim /etc/hosts
# The next line is the record to add in the editor, not a shell command.
127.0.1.1 some_hostname
# Then reboot
sudo systemctl reboot