Tuesday, September 24, 2019

Website Security with fresh Ubuntu 18.04 install

Note: Installation performed on a VPS KVM server


First update and upgrade

# apt update
# apt upgrade

Update Firewall (ufw)


Firewall needs to be enabled

# ufw enable
Verify firewall is active
# ufw status verbose
Allow access to port 22
# ufw allow 22
Configure firewall to allow the following additional ports:

  • 80
  • 8080
  • 443
Allow access to port 3389 from your IP address only
# sudo ufw allow from ###.###.###.### to any port 3389
Recheck ufw status
# ufw status verbose
The results should be similar to the following:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
To                         Action      From
--                         ------      ----
22                         ALLOW IN    Anywhere
80                         ALLOW IN    Anywhere
8080                       ALLOW IN    Anywhere
443                        ALLOW IN    Anywhere
3389                       ALLOW IN    ###.###.###.###
22 (v6)                    ALLOW IN    Anywhere (v6)
80 (v6)                    ALLOW IN    Anywhere (v6)
8080 (v6)                  ALLOW IN    Anywhere (v6)
443 (v6)                   ALLOW IN    Anywhere (v6)

Set up user

Add a user

# adduser example_user

Add to sudo group (if new user needs root privileges)

# adduser example_user sudo
Exit then log-in with new credentials.

Secure SSH Log-in Using PuTTY

Enable firewall for ssh access

$ sudo ufw allow ssh

Configure the server


Backup the sshd_config file
$ sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
Edit the sshd_config file
$ sudo nano /etc/ssh/sshd_config
Uncomment the following lines (remove the leading #):

Port 22
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys .ssh/authorized_keys2

Generate keys with PuTTYgen

  1. Go to Windows Start menu → All Programs → PuTTY → PuTTYgen
  2. Generate a public/private key pair
    • Parameters (use defaults)
      • Type of key: RSA
      • bits: 2048
    • click Generate
      • PuTTY uses mouse movements for randomness
      • When key generation is complete enter a passphrase
      • Save public key
      • Save private key
  3. Install public key on server
    • In the user's home directory create the .ssh folder
      • $ mkdir ~/.ssh
    • Create a new file as follows:
      • $ nano ~/.ssh/authorized_keys
    • Copy/paste the public key created in step 2 in the new file.  The key must be all on one line.
    •  Save the file
  4. Exit
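
A check for the key installed in step 3, as an added example that is not part of the original post: the file written by PuTTYgen's "Save public key" button uses the multi-line RFC 4716 format, which sshd does not accept in authorized_keys, and sshd's default StrictModes setting ignores key files that are group- or world-writable. The helper name check_authorized_keys and the script name are assumptions; it needs only a POSIX shell with find and grep.

```shell
#!/bin/sh
# Added example: check_authorized_keys is a hypothetical helper, not an OpenSSH tool.
# Usage: sh check_keys.sh ~/.ssh/authorized_keys   (script name is an assumption)

check_authorized_keys() {
    file=$1
    rc=0
    [ -f "$file" ] || { echo "missing: $file"; return 2; }

    # With StrictModes (the sshd default) a key file is ignored when it, or
    # the directory holding it, is writable by group or others.
    for path in "$file" "$(dirname "$file")"; do
        if [ -n "$(find "$path" -prune \( -perm -020 -o -perm -002 \))" ]; then
            echo "group/world-writable: $path (fix with chmod go-w)"
            rc=1
        fi
    done

    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            '' | '#'*) continue ;;
            '---- BEGIN SSH2 PUBLIC KEY'* | '---- END SSH2 PUBLIC KEY'*)
                echo "line $n: RFC 4716 block; paste the one-line OpenSSH form instead"
                rc=1
                continue ;;
        esac
        # A usable entry has the key type and its base64 blob on one line.
        if ! printf '%s\n' "$line" | grep -Eq \
            '(^|[[:space:]])(ssh-(rsa|ed25519|dss)|ecdsa-sha2-[a-z0-9]+)[[:space:]]+[A-Za-z0-9+/]+=*([[:space:]]|$)'; then
            echo "line $n: no complete key entry (wrapped or truncated paste?)"
            rc=1
        fi
    done < "$file"
    return "$rc"
}

# Run against a file only when one is given on the command line.
if [ "$#" -gt 0 ]; then
    check_authorized_keys "$1"
fi
```

The one-line form the check expects is the text in PuTTYgen's "Public key for pasting into OpenSSH authorized_keys file" box.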

Disable "root" login over SSH


Edit the sshd_config file
$ sudo nano /etc/ssh/sshd_config
For security purposes, change PermitRootLogin to no.  Save file. Reboot.