Port

  • More
Followers
Empty
Added a class   to  , Port

You should avoid running commands as root whenever possible. Instead, it's recommended to use a non-root user with sudo privileges. This can help protect your system from accidental damage or security vulnerabilities.

Here's how you can create a new user and give it sudo privileges. Replace username with your desired username:

Create a new user:

sudo adduser username

You'll be asked to set a password and provide some optional user information.

Add the new user to the sudo group:

sudo usermod -aG sudo username

To switch to the new user, use the su command:

su - username

Now, you can run commands with sudo privileges. For example:

sudo apt update

You'll be prompted to enter the password of your user account when using sudo for the first time in a session. After that, you can use sudo without entering the password for a while.

So for the steps in the initial setup, you can replace sudo with sudo -u username to run the command as the new user with sudo privileges. Or, if you're already logged in as the new user, you can simply use sudo before your command.

For example:

sudo -u username apt update

or

sudo apt update

Depending on the exact command and the permissions it requires, you might need to adjust how you use sudo. For some commands, such as installing system-wide packages with apt, using sudo is appropriate. For others, especially those that deal with user-specific files or directories, you might need to run the command as your user without sudo.

In ALMALINUX

In AlmaLinux (and CentOS/RHEL which it's based on), the group that's typically used for granting sudo privileges is called

wheel, not

sudo (as you might find on some other distributions like Ubuntu).

To add the user

gio to the

wheel group, you would use:

sudo usermod -aG wheel gio

After doing this, you can check if the user has been added to the

wheel group with:

groups gio

This will list all the groups the

gio user is a member of. You should see

wheel in the list.

Also, ensure that members of the

wheel group are allowed to execute sudo commands. This is usually enabled by default in the sudoers file, but it's good to double-check. You can inspect the sudoers file using:

sudo visudo

Look for a line like:

%wheel  ALL=(ALL)       ALL

This line allows members of the

wheel group to execute all commands using sudo. If it's commented out (i.e., starts with a

#), you'll need to uncomment it to grant sudo privileges to members of the

wheel group.

Updating your system

Developers of distributions and operating systems offer frequent software package updates, very often for security reasons. Ensuring that your distribution or operating system is updated is a key point for securing your server.

This update will take place in two steps:

  • Updating the package list
sudo apt update

Copy

  • Updating the actual packages
sudo apt upgrade

Copy

This operation needs to be performed regularly to keep a system up-to-date.

Changing the default SSH listening port

One of the first things to do on your server is configuring the SSH service's listening port. It is set to port 22 by default, therefore server hacking attempts by robots will target this port. Modifying this setting by using a different port is a simple measure to harden your server against automated attacks.

To do this, modify the service configuration file with a text editor of your choice (nano used in this example):

sudo nano /etc/ssh/sshd_config

Copy

Find the following or similar lines:

 22
 any
 0.0.0.0

Copy

Replace the number 22 with the port number of your choice. Please do not enter a port number already used on your system. To be safe, use a number between 49152 and 65535.

Save and exit the configuration file.

If the line is "commented out" (i.e. if it is preceded by a "#") as shown in the example above, make sure to remove the "#" before saving the file so that the change takes effect. Example:

Port 49152
 any
 0.0.0.0

Copy

Restart the service:

sudo systemctl restart sshd

Copy

This should be sufficient to apply the changes. Alternatively, reboot the server (sudo reboot).

For Ubuntu 23.04 and later

For the latest Ubuntu versions, the SSH configuration is now managed in the ssh.socket file.

To update the SSH port, edit the Listenstream line in the configuration file with a text editor of your choice (nano used in this example):

sudo nano /lib/systemd/system/ssh.socket

Copy

[Socket]
ListenStream=49152
Accept=no

Copy

Save your changes and run the following commands:

sudo systemctl daemon-reload

Copy

sudo systemctl restart ssh.service

Copy

If you have enabled your operating system's firewall, make sure you allow the new port in your firewall rules.

Remember that you will have to indicate the new port any time you establish an SSH connection to your server:

ssh username@IPv4_server -p NewPortNumber

Copy

Example:

ssh ubuntu@203.0.113.100 -p 49152

Proxmox Container (Debian12)

Update the ssh.socket

## Check if Socket is running
sudo cat ssh.socket

## Update the socket to desired port?
sudo nano /lib/systemd/system/ssh.socket

## Reload and Check Status
sudo systemctl daemon-reload
sudo systemctl restart sshd
sudo systemctl status sshd

Installing Fail2ban

Fail2ban is an intrusion prevention software framework designed to block IP addresses from which bots or attackers try to penetrate your system. This software package is recommended, even essential in some cases, to guard your server against "Brute Force" or "Denial of Service" attacks.

To install the software package, use the following command:

sudo apt install fail2ban

Copy

You can customise the Fail2ban configuration files to protect services that are exposed to the public Internet from repeated login attempts.

As recommended by Fail2ban, create a local configuration file for your services by copying the "jail" file:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Copy

Then open the file with a text editor:

sudo nano /etc/fail2ban/jail.local

Copy

Be certain to read the information at the top of the file, especially the comments under [DEFAULT].

The [DEFAULT] settings are global and will therefore be applied to all services that are set to enabled in this file.

It is important to know that the global settings will be taken into account only if there are no differing values set in the services sections (JAILS) further below in the file.

CTRL-W sshd - where to enter 
sudo nano /etc/ssh/sshd_config

Uncomment and set the logging options: Find the following lines and uncomment them by removing the # at the beginning. Also, set the SyslogFacility and LogLevel as shown below:

SyslogFacility AUTH
LogLevel INFO
danny@studentdev2:~$ sudo nano /etc/rsyslog.conf
danny@studentdev2:~$ sudo touch /var/log/auth.log
danny@studentdev2:~$ sudo chmod 640 /var/log/auth.log
danny@studentdev2:~$ sudo chown root:adm /var/log/auth.log

For example, consider these lines under [DEFAULT]:

bantime = 10m
maxretry = 5
enabled = false

Copy

This means that an IP address from which a host tries to connect will be blocked for ten minutes after the fifth unsuccessful login attempt.

However, all settings specified by [DEFAULT] and in subsequent sections stay disabled unless the line enabled = true is added for a service (listed below # JAILS).

As an example of usage, having the following lines in the section [sshd] will activate restrictions only for the OpenSSH service:

[sshd]
enabled = true
port = ssh
filter = sshd
maxretry = 3
findtime = 5m
bantime  = 30m

Copy

In this example, any SSH login attempt that fails three times within five minutes will result in an IP ban period of 30 minutes.

You can replace "ssh" with the actual port number in case you have changed it.

The best practice approach is to enable Fail2ban only for the services that are actually running on the server. Each customised setting added under # JAILS will then be prioritised over the defaults.

Once you have completed your changes, save the file and close the editor.

Restart the service to make sure it runs with the customisations applied:

sudo service fail2ban restart

Copy

Fail2ban has many settings and filters for customisation as well as preset options, for example when you want to add a layer of protection to an Nginx web server.

For any additional information and recommendations concerning Fail2ban, please refer to the official documentation of this tool.

Add new...
 
 

IMREAL.LIFE

Close