Securing your server with ssh public-key, ufw and crowdsec.
If you don't have a server, I recommend Hetzner or Netcup as hosting provider. They are both cheap but rock solid. I use Ubuntu on the server and locally, but every other Debian-based distro will probably work as well.
1. Allow ssh with public key only
Check that you can log in without providing your password, as otherwise you lock yourself out.
If not, copy your ssh public key to your server:
ssh-copy-id -i ~/.ssh/id_rsa.pub your_username@your_server_ip
and recheck afterwards!!
Then disable ssh login by password: open (create) the drop-in file in an editor, e.g.
sudo nano /etc/ssh/sshd_config.d/disable_pw_login.conf
and add the following lines to this file:
ChallengeResponseAuthentication no
PasswordAuthentication no
At the end restart ssh:
sudo /etc/init.d/ssh reload
If this does not work, open /etc/ssh/sshd_config and check that the above options do not appear in this file as well. If they do, delete or comment them out there.
2. Enable a firewall -> set up ufw
You should now install a firewall so that only the connections you need are allowed:
sudo apt install ufw
sudo ufw default allow outgoing
sudo ufw default deny incoming
sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https
Then take a look at your rules:
sudo ufw show added
and check carefully that your ssh port is allowed, as otherwise you lock yourself out. Then start ufw:
sudo ufw enable
3. Install Crowdsec
You already hardened your server, but you still have nothing that informs you of attacks and takes action automatically. So we choose crowdsec for that.
First install it:
curl -s https://install.crowdsec.net | sudo sh
sudo apt update && sudo apt install crowdsec
sudo apt install crowdsec-firewall-bouncer-iptables
Take a look if it worked out:
sudo cscli collections list
sudo cscli bouncers list
The first command should show around 5 collections.
The second command should show 1 bouncer (Remediation Component).
Then connect your server to the crowdsec web console: head over to app.crowdsec.net in your browser. There you find information on how to connect the web console to your server.
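Both lock-out warnings above (password login only disabled after key login works; ufw only enabled after the ssh port is allowed) can be checked before you apply them. The following is an added example and not part of the original post; the function names are my own, and the checks run on the text of `sudo sshd -T` (the effective, merged sshd config) and `sudo ufw show added`, so you can also run them on saved copies of that output.

```shell
#!/bin/sh
# Added pre-flight checks before locking password logins and enabling ufw.
# Nothing here changes the server; the check functions take saved command
# output as their first argument so they can be tested on constructed text.

# Port sshd listens on, read from `sshd -T` output ("port 22"); default 22.
ssh_port_from_sshd_t() {
  port=$(printf '%s\n' "$1" | awk '$1 == "port" { print $2; exit }')
  [ -n "$port" ] && printf '%s\n' "$port" || printf '22\n'
}

# 0 if the effective config refuses password logins. Because `sshd -T`
# prints the merged result, a leftover "PasswordAuthentication yes" in
# /etc/ssh/sshd_config that wins over the drop-in file is caught here.
# Newer OpenSSH reports KbdInteractiveAuthentication instead of the older
# ChallengeResponseAuthentication name; either spelling is accepted.
sshd_password_login_disabled() {
  printf '%s\n' "$1" | grep -qi '^passwordauthentication no$' || return 1
  printf '%s\n' "$1" | grep -qiE '^(challengeresponse|kbdinteractive)authentication no$' || return 1
  return 0
}

# 0 if the added ufw rules allow the ssh port. `ufw allow ssh` only opens
# port 22, so a custom Port in sshd_config needs its own rule.
ufw_allows_ssh_port() {
  # $1: output of `sudo ufw show added`, $2: ssh port number
  printf '%s\n' "$1" | grep -qE "^ufw allow ($2(/tcp)?|ssh|OpenSSH)( |\$)"
}

# Runs both checks on the live system and reports what is still missing.
preflight() {
  sshd_cfg=$(sudo sshd -T) || return 1
  port=$(ssh_port_from_sshd_t "$sshd_cfg")
  ok=0
  sshd_password_login_disabled "$sshd_cfg" || { echo "password login still enabled"; ok=1; }
  ufw_allows_ssh_port "$(sudo ufw show added)" "$port" || { echo "no ufw rule for ssh port $port"; ok=1; }
  return $ok
}
```

Run `preflight` after step 1 and step 2; it exits non-zero and names the missing piece whenever `sudo ufw enable` or the sshd reload would lock you out.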
Now your server is secured and you can start using it.