<

Linux Server Project


Due to new material from an anonymous contributor, this tutorial will be expanded and updated in the future


I have recently started to play around with virtualised (QEMU) Linux servers - currently my server (located at the wonderful EDIS company) hosts a small teamspeak 3 server and this web page - I will try and add more services soon (currently thinking about a VPN service).

Below, I want to list some basic points one might consider while setting up a Linux server, including some pages that have helped me tremendously while configuring the server. Today, I'll start with SSH security.

I. Securing SSH



The first thing you want to do is making it harder for attackers to get into your server - Don't take this warning lightly, just days after I set up this server, I noticed thousands of attempts from IPs from the US, Russia and China brute-forcing their way into my server with password lists. If you use a secure password (ie. not root, toor, password, or something likewise) this should not pose a problem, but

- using a different port than 22
- disabling password authentication alltogether

is a better way of dealing with those sneaky hackers.

Use a public/private key authentication (I recommend RSA) instead of a user/pass combination - it is easy to do with openSSH and makes it virtually impossible to penetrate your ssh shell. This means that a public key is placed on the server and a private key is placed on your local workstation. All traffic is then encrypted with these keys, so nobody can sniff your traffic and perform MitM attacks.

1. Generate a key pair


I use the popular puttyGEN tool for this as my client OS (sadly) still is Windows:

- If needed, download PuTTYgen from the PuTTY download page.
(PuTTYgen might have been installed previously with PuTTY or WinSCP.)
- Launch the program, and then click the Generate button.
- The program generates the keys for you.
- Save the public and private keys by clicking the Save public key and Save private key buttons.
From the Public key for pasting into OpenSSH authorized_keys file field at the top of the window, copy all the text (starting with ssh-rsa) to your clipboard by pressing Ctrl-C.
You need the this key available on your clipboard to paste into the authorized keys on your cloud server.

To make use of your newly generated RSA key pair, you must tell both PuTTY and the remote openSSH service to use it.

- To edit the file (and if necessary, create it), run the following command:
nano ~/.ssh/authorized_keys
The key and its associated text (the ssh-rsa identified at the start and the comment at the end) should all be on one line in the file. If the text is word-wrapped onto multiple lines an error might occur when connecting.
- Paste the text and save the file.

- If you created the authorized_keys file, change its permissions after you're done editing it by running the following command:
chmod 600 ~/.ssh/authorized_keys

- Open PuTTY and go to the SSH > Auth section.
Browse to the location of the private key file and load the private key.

To make PuTTY use the key every time that you connect to your Cloud Server, save the configuration by going to the Session page and saving the session.

After you save your session, your key is loaded automatically whe you connect to your Cloud Server.

2. Reconfigure your sshd service


You will need to edit /etc/ssh/sshd_config

First of all, change the default port to an unused port (if you have a firewall like ip-tables, make sure you reconfigure it before restarting the sshd service, or you'll lock yourself out!):
# What ports, IPs and protocols we listen for
Port 50683

just an example port...

Then introduce the pubkey authentication method:

# Both of these are probably already there, but commented out
PubkeyAuthentication yes
# The next line makes sure that sshd will look in
# $HOME/.ssh/authorized_keys for public keys
AuthorizedKeysFile %h/.ssh/authorized_keys


Additionally, if you want to disable password authentication alltogether (which is usually a good idea, if you use keypairs), add the following:

# Again, this rule is already there, but usually defaults to 'yes'
PasswordAuthentication no


If you disable the PasswordAuthentication, Double-check that everything up to this point was done correctly - you might lock yourself out of the ssh shell otherwise!!!

After that, restart ssh by issueing sudo service ssh restart

The above assumes you have already properly created the .ssh dir with the proper permissions.

This means you set chmod 0700 to ~/.ssh.

If the read permissions of the folder or key files are too lenient, ssh refuses to use them due to security risks and you end up with no keys to use.

II. Configuring a firewall (iptables)



To be added soon. ;-)

ABOUT


Hi!
My name is Flora Feldner and I am currently studying Audio, Acoustics and Electronics Engineering (Tontechnik) at the University of Performing Arts Graz and the Graz University of Technology. I have received my BSc degree in Information and Computer Engineering from the latter university in 2018.

I have decided to create a private web page for myself, where I can share both university and private material, such as personal projects, the music I create in my spare time, and, of course, some recipes I improved or came up with.