You should avoid running commands as root whenever possible. Instead, it's recommended to use a non-root user with sudo privileges. This can help protect your system from accidental damage or security vulnerabilities.
Here's how you can create a new user and give it sudo privileges. Replace username with your desired username:
Create a new user:
sudo adduser username
You'll be asked to set a password and provide some optional user information.
Add the new user to the sudo group:
sudo usermod -aG sudo username
To switch to the new user, use the su command:
su - username
Now, you can run commands with sudo privileges. For example:
sudo apt update
You'll be prompted for your own password the first time you use sudo in a session. sudo then caches that authentication for a short period (15 minutes by default) before asking again.
Note that sudo -u username runs a command as that user, not as root, so it does not give the command the new user's sudo privileges. For the steps in the initial setup, log in as the new user (su - username, or a fresh SSH session as that user) and prefix privileged commands with sudo. These two are not equivalent:
sudo -u username apt update
runs apt as username and fails for lack of permission, whereas
sudo apt update
run from the new user's session runs apt as root.
Depending on the exact command and the permissions it requires, you might need to adjust how you use sudo. For some commands, such as installing system-wide packages with apt, using sudo is appropriate. For others, especially those that deal with user-specific files or directories, you might need to run the command as your user without sudo.
In AlmaLinux
In AlmaLinux (and the CentOS/RHEL family it is based on), the group conventionally used for granting sudo privileges is called wheel, not sudo (as on Debian-based distributions such as Ubuntu).
To add the user gio to the wheel group, you would use:
sudo usermod -aG wheel gio
After doing this, you can check that the user has been added to the wheel group with:
groups gio
This lists all the groups the gio user is a member of; wheel should appear in the list. The new membership only applies to sessions started after the change, so log out and back in (or open a fresh session) before testing sudo.
Also, ensure that members of the wheel group are allowed to execute sudo commands. This is usually enabled by default in the sudoers file, but it's good to double-check. Always open the sudoers file with visudo, which checks the syntax before saving and so prevents a typo from locking you out of sudo:
sudo visudo
Look for a line like:
%wheel ALL=(ALL) ALL
This line allows members of the wheel group to execute all commands using sudo. If it's commented out (i.e., starts with a #), uncomment it to grant sudo privileges to members of the wheel group.
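The procedure above, covering both the Debian/Ubuntu (sudo group) and AlmaLinux (wheel group) variants, as one script. This is an added example, not code from the original page: it picks the admin group that actually exists on the host, creates the account, and then checks the result with sudo -l rather than trusting the group listing alone. The membership checks read a group database file passed as an argument so they can be tried on a copy; the user name gio, the script name and the environment variable ADMIN_USER are illustrative.

```shell
#!/bin/sh
# Added example, not from the original page: create the admin user on either
# Debian/Ubuntu (admin group "sudo") or AlmaLinux/RHEL (admin group "wheel")
# and verify the result. The checks read a group database file passed as an
# argument so they can be tried on a copy; "gio" and the file names are only
# illustrative.
set -eu

# Print the distribution's admin group, looked up in GROUP_FILE (default
# /etc/group). Prefers "sudo", falls back to "wheel", and fails if neither
# exists, so we never add the user to a group that does not grant anything.
admin_group() {
    group_file="${1:-/etc/group}"
    for g in sudo wheel; do
        if grep -q "^${g}:" "$group_file"; then
            printf '%s\n' "$g"
            return 0
        fi
    done
    return 1
}

# Succeed if USER is listed as a member of GROUP in GROUP_FILE.
# A line in /etc/group looks like:  wheel:x:10:gio,alice
user_in_group() {
    user="$1"; group="$2"; group_file="${3:-/etc/group}"
    awk -F: -v g="$group" '$1 == g { print $4 }' "$group_file" \
        | tr ',' '\n' | grep -qxF -- "$user"
}

# The page's procedure, made distribution-aware. Run it as an existing
# sudo-capable user with:  ADMIN_USER=gio sh create-admin.sh
create_admin_user() {
    user="$1"
    group="$(admin_group)"
    if ! id "$user" >/dev/null 2>&1; then
        if [ "$group" = sudo ] && command -v adduser >/dev/null 2>&1; then
            sudo adduser "$user"        # Debian's adduser prompts for a password
        else
            sudo useradd -m "$user"     # on the RHEL family adduser is just useradd,
            sudo passwd "$user"         # so set the password explicitly
        fi
    fi
    sudo usermod -aG "$group" "$user"
    # Membership as the page checks it, plus what actually matters: the sudo
    # rules that apply to the account (%sudo/%wheel ALL=(ALL) ALL expected).
    id -nG "$user"
    sudo -l -U "$user"
    echo "note: $user must start a new session before the group membership applies"
}

if [ -n "${ADMIN_USER:-}" ]; then
    create_admin_user "$ADMIN_USER"
fi
```

The privileged part only runs when ADMIN_USER is set, so the file can be sourced or run without arguments to get just the helper functions. sudo -l -U gio is the check worth keeping: groups gio only proves membership, while sudo -l shows whether the %wheel or %sudo line in sudoers is actually in effect for that account.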
Updating your system
Distribution developers publish package updates frequently, very often to fix security issues. Keeping the system updated is therefore one of the key steps in securing your server.
The update takes place in two steps:
- Updating the package list
sudo apt update
- Updating the installed packages
sudo apt upgrade
This operation needs to be performed regularly to keep the system up to date.
Changing the default SSH listening port
One of the first things to do on your server is to change the SSH service's listening port. It is set to port 22 by default, so automated scanners and brute-force bots target that port first. Moving sshd to a different port is a cheap way to cut the noise from those automated attacks; it does not hide the service from a targeted attacker (a port scan still finds it), so treat it as a complement to the other measures on this page, not a replacement.
To do this, modify the service configuration file with a text editor of your choice (nano is used in this example):
sudo nano /etc/ssh/sshd_config
Find the following or similar lines:
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
Replace the number 22 with the port number of your choice. Do not pick a port already used on your system (check the current listeners first, for example with ss -tln). To be safe, use a number between 49152 and 65535.
If the line is "commented out" (i.e. preceded by a "#") as shown above, remove the "#" as well, otherwise the change has no effect. Example:
Port 49152
#AddressFamily any
#ListenAddress 0.0.0.0
Save and exit the configuration file. Before restarting, check the file for syntax errors with sshd -t, and keep your current SSH session open until you have confirmed that a new connection on the new port works; otherwise a typo can lock you out of the server.
Restart the service:
sudo systemctl restart sshd
This should be sufficient to apply the changes. Alternatively, reboot the server (sudo reboot).
Note for Ubuntu 23.04 and later: sshd there is started on demand from ssh.socket, and the Port line in sshd_config is ignored in favour of the socket's ListenStream setting (see the next section).
For Ubuntu 23.04 and later
On recent Ubuntu releases sshd is socket-activated: systemd's ssh.socket owns the listening port and starts ssh.service on the first connection, so the Port directive in sshd_config no longer decides where sshd listens. The port is set by the ListenStream line of the socket unit instead.
To update the SSH port, edit the ListenStream line in the unit file with a text editor of your choice (nano is used in this example):
sudo nano /lib/systemd/system/ssh.socket
[Socket]
ListenStream=49152
Accept=no
Keep in mind that /lib/systemd/system/ssh.socket belongs to the openssh-server package and is overwritten on upgrade. The durable way to make the same change is a drop-in override created with sudo systemctl edit ssh.socket, containing a [Socket] section with an empty ListenStream= line (which clears the default port 22) followed by ListenStream=49152; without the empty line, port 22 stays open alongside the new one.
Save your changes and run the following commands:
sudo systemctl daemon-reload
sudo systemctl restart ssh.socket
Restarting ssh.service alone is not enough: the listening socket is held by ssh.socket, so that is the unit that must be restarted for the new port to take effect.
If you have enabled your operating system's firewall, make sure you allow the new port in your firewall rules.
Remember that you will have to indicate the new port any time you establish an SSH connection to your server:
ssh username@server_ip -p NewPortNumber
Example:
ssh ubuntu@203.0.113.100 -p 49152
Proxmox Container (Debian 12)
Debian 12 ships both ssh.service (the default) and ssh.socket; only if the socket is active does it own the listening port. Check which one is in use before editing anything:
## Check whether the socket is active; if it is not, the Port line in /etc/ssh/sshd_config applies
systemctl status ssh.socket
systemctl cat ssh.socket
## If the socket is active, set the desired port on its ListenStream= line (or in a drop-in via systemctl edit ssh.socket)
sudo nano /lib/systemd/system/ssh.socket
## Reload, restart the unit that owns the port, and check the status
sudo systemctl daemon-reload
sudo systemctl restart ssh.socket   # or: sudo systemctl restart sshd, if the socket is not in use
sudo systemctl status sshd
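The port change described in the three sections above (plain sshd_config, Ubuntu's ssh.socket, and the Debian container case) as one script. This is an added example, not code from the original page: set_ssh_port edits whichever file it is given, so it can be tried on a copy of sshd_config, and apply_ssh_port performs the privileged steps on a real host, choosing between the socket drop-in and a plain service restart by checking whether ssh.socket is enabled. The firewall and SELinux commands are the standard ufw, firewall-cmd and semanage invocations for Ubuntu/Debian and AlmaLinux; the environment variable SSH_PORT_APPLY and the drop-in file name port.conf are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original page: move sshd to a new port safely.
# set_ssh_port works on whichever file it is given, so it can be tried on a
# copy of sshd_config; apply_ssh_port does the privileged steps for a real
# host (run as root: SSH_PORT_APPLY=49152 sh ssh-port.sh). Unit, firewall and
# SELinux commands are the standard ones for Ubuntu/Debian and AlmaLinux.
set -eu

# Ports the page recommends: digits only, 49152-65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    if [ "$1" -ge 49152 ] && [ "$1" -le 65535 ]; then return 0; fi
    return 1
}

# Set the Port directive in an sshd_config-style file. Handles "Port 22",
# "#Port 22" (the commented default) and a file without any Port line,
# collapses several Port lines into one, and leaves other commented lines alone.
set_ssh_port() {
    port="$1"; cfg="$2"
    valid_port "$port" || { echo "refusing port '$port': use 49152-65535" >&2; return 1; }
    awk -v port="$port" '
        /^[ \t]*#?[ \t]*Port[ \t]+[0-9]+/ {
            if (!done) { print "Port " port; done = 1 }
            next
        }
        { print }
        END { if (!done) print "Port " port }
    ' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# The port sshd would use with this file: first uncommented Port line, else 22.
effective_port() {
    p="$(awk '$1 == "Port" { print $2; exit }' "$1")"
    printf '%s\n' "${p:-22}"
}

apply_ssh_port() {
    port="$1"
    cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
    set_ssh_port "$port" /etc/ssh/sshd_config
    sshd -t    # refuse to restart on a broken config: that is how you get locked out
    # Open the port before touching the daemon: ufw on Ubuntu, firewalld on AlmaLinux.
    if command -v ufw >/dev/null 2>&1; then ufw allow "$port/tcp"; fi
    if command -v firewall-cmd >/dev/null 2>&1; then
        firewall-cmd --permanent --add-port="$port/tcp" && firewall-cmd --reload
    fi
    # AlmaLinux with SELinux enforcing also needs the port labelled for sshd,
    # otherwise the bind is denied even though the firewall allows it.
    if command -v semanage >/dev/null 2>&1; then
        semanage port -a -t ssh_port_t -p tcp "$port" || semanage port -m -t ssh_port_t -p tcp "$port"
    fi
    if systemctl is-enabled ssh.socket >/dev/null 2>&1; then
        # Socket-activated sshd (Ubuntu 23.04+): the Port line above is ignored,
        # the socket decides. A drop-in survives package upgrades, unlike editing
        # /lib/systemd/system/ssh.socket; the empty ListenStream= clears port 22.
        mkdir -p /etc/systemd/system/ssh.socket.d
        printf '[Socket]\nListenStream=\nListenStream=%s\n' "$port" \
            > /etc/systemd/system/ssh.socket.d/port.conf
        systemctl daemon-reload
        systemctl restart ssh.socket
    else
        systemctl restart sshd
    fi
    echo "now test: ssh -p $port user@host from another terminal before logging out"
}

if [ -n "${SSH_PORT_APPLY:-}" ]; then
    apply_ssh_port "$SSH_PORT_APPLY"
fi
```

The ordering matters: the firewall and SELinux changes come before the restart so sshd can bind and be reached on the new port the moment it comes back, and sshd -t runs before anything is restarted so a typo in sshd_config is caught while the current session still works.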
Installing Fail2ban
Fail2ban is an intrusion prevention framework that watches log files (or the journal) for repeated failures and temporarily blocks the offending IP addresses with firewall rules. It is recommended, and on an Internet-facing SSH server practically essential, to guard against brute-force login attempts. Its protection is limited to what it can detect in logs, so it is not a defence against denial-of-service attacks.
To install the software package, use the following command:
sudo apt install fail2ban
You can customise the Fail2ban configuration files to protect services that are exposed to the public Internet from repeated login attempts.
Fail2ban reads jail.conf first and then jail.local, with the local file overriding; jail.conf itself is replaced on upgrades and its header says not to edit it. A common starting point is to copy it, which keeps all the reference comments at hand, although a jail.local containing only the settings you change is easier to maintain:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Then open the file with a text editor:
sudo nano /etc/fail2ban/jail.local
Be certain to read the information at the top of the file, especially the comments under [DEFAULT].
The [DEFAULT] settings are global and will therefore be applied to all services that are set to enabled in this file.
It is important to know that the global settings will be taken into account only if there are no differing values set in the service sections (JAILS) further below in the file.
In nano, Ctrl-W searches the open file; search for sshd to jump to the [sshd] jail section.
Fail2ban can only ban what sshd logs, so check the logging options in the SSH configuration:
sudo nano /etc/ssh/sshd_config
Find the following lines (they are commented out because they show the built-in defaults) and make sure the effective values are these. In particular keep LogLevel at INFO or more verbose: QUIET, FATAL and ERROR suppress the failed-login messages the sshd filter matches.
SyslogFacility AUTH
LogLevel INFO
The sshd jail's default log path on Debian and Ubuntu is /var/log/auth.log, which is written by rsyslog. On hosts where rsyslog is not installed (recent Ubuntu cloud images, many containers) the file does not exist and the sshd jail fails to start with "Have not found any log file for sshd jail". One fix is to configure rsyslog and create the file with rsyslog's usual ownership and mode, as in this session:
sudo nano /etc/rsyslog.conf
sudo touch /var/log/auth.log
sudo chmod 640 /var/log/auth.log
sudo chown root:adm /var/log/auth.log
Creating the file only lets Fail2ban start; it sees failed logins only if rsyslog is actually running and writing auth messages to it. On systemd hosts the simpler alternative is backend = systemd in the jail, which reads sshd's messages from the journal and needs no auth.log at all.
For example, consider these lines under [DEFAULT]:
bantime = 10m
maxretry = 5
enabled = false
This means that an IP address is blocked for ten minutes once five failed login attempts from it have been seen within the findtime window (10 minutes by default).
However, all settings specified under [DEFAULT] and in the subsequent sections stay inactive unless the line enabled = true is added for a service (listed below # JAILS).
As an example of usage, having the following lines in the section [sshd]
will activate restrictions only for the OpenSSH service:
[sshd]
enabled = true
port = ssh
filter = sshd
maxretry = 3
findtime = 5m
bantime = 30m
In this example, any IP address that fails SSH login three times within five minutes is banned for 30 minutes.
If you have changed the SSH port, replace ssh with the actual port number (for example port = 49152). The name ssh is resolved to 22 through /etc/services, so with the default value the firewall rule Fail2ban inserts would block port 22 while sshd keeps listening, unprotected, on the new one.
The best practice approach is to enable Fail2ban only for the services that are actually running on the server. Each customised setting added under # JAILS will then be prioritised over the defaults.
Once you have completed your changes, save the file and close the editor.
Restart the service to make sure it runs with the customisations applied:
sudo systemctl restart fail2ban
Fail2ban has many settings and filters for customisation as well as preset options, for example when you want to add a layer of protection to an Nginx web server.
For any additional information and recommendations concerning Fail2ban, please refer to the official documentation of this tool.
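The [sshd] jail above, generated from the port sshd really listens on so that the ban rule and the service cannot drift apart, and using the systemd backend so it also works on hosts without /var/log/auth.log. This is an added example, not code from the original page or from the Fail2ban project: it writes a minimal jail.local (which Fail2ban merges over jail.conf) instead of a full copy, and includes a small INI reader so the result can be checked on a temporary file. The management range 203.0.113.0/24 in ignoreip is a documentation-address placeholder, and the environment variable FAIL2BAN_APPLY and the script name are assumptions of this example; backend = systemd requires the python3-systemd package.

```shell
#!/bin/sh
# Added example, not from the original page: generate /etc/fail2ban/jail.local
# for sshd from the port in sshd_config, so bans land on the right port.
# Try it on temporary files; apply_jail is the privileged part for a real host
# (run as root: FAIL2BAN_APPLY=1 sh fail2ban-sshd.sh).
set -eu

# Port from an sshd_config-style file: first uncommented Port line, else 22.
sshd_port() {
    p="$(awk '$1 == "Port" { print $2; exit }' "$1")"
    printf '%s\n' "${p:-22}"
}

# Write a minimal jail.local. Arguments: port maxretry findtime bantime backend output_file
write_sshd_jail() {
    port="$1"; maxretry="$2"; findtime="$3"; bantime="$4"; backend="$5"; out="$6"
    cat > "$out" <<EOF
[DEFAULT]
# Never ban yourself out: list your management addresses here
# (203.0.113.0/24 is an RFC 5737 documentation range used as a placeholder).
ignoreip = 127.0.0.1/8 ::1 203.0.113.0/24
bantime  = 10m
findtime = 10m
maxretry = 5

[sshd]
enabled  = true
# "port = ssh" resolves to 22 via /etc/services; after moving sshd the ban
# rule must target the new port or it blocks nothing useful.
port     = ${port}
filter   = sshd
maxretry = ${maxretry}
findtime = ${findtime}
bantime  = ${bantime}
# The systemd backend reads the journal, so it works on hosts without rsyslog
# (no /var/log/auth.log). Use "auto" if you keep a syslog-written auth.log.
backend  = ${backend}
EOF
}

# Read one "key = value" from one [section] of an INI-style file; enough for
# checking what was written (first word of the value only).
jail_get() {
    section="$1"; key="$2"; file="$3"
    awk -v s="[$section]" -v k="$key" '
        /^\[/ { in_s = ($0 == s); next }
        in_s && $1 == k && $2 == "=" { print $3; exit }
    ' "$file"
}

apply_jail() {
    port="$(sshd_port /etc/ssh/sshd_config)"
    write_sshd_jail "$port" 3 5m 30m systemd /etc/fail2ban/jail.local
    systemctl restart fail2ban
    # The check worth doing after every change: the jail is up and counts bans.
    fail2ban-client status sshd
}

if [ "${FAIL2BAN_APPLY:-0}" = 1 ]; then
    apply_jail
fi
```

After applying, fail2ban-client status sshd lists the jail's currently banned addresses and total ban count; an empty list right after a restart is expected, but a jail missing from fail2ban-client status means the configuration was rejected and the journal (journalctl -u fail2ban) says why.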