Linode/Setup: Difference between revisions

From neuromatch
(Created page with "Assuming you have made a Linode with Debian 11 == User accounts == * Make user accounts: <syntaxhighlight lang="bash"> adduser \ --system \ --shell /bin/bash \ --gecos 'User Description If u want' \ --group \ --home /home/USERNAME \ USERNAME </syntaxhighlight> * Add user to <code>sudo</code> group (if needed) <syntaxhighlight lang="bash"> usermod -aG sudo USERNAME </syntaxhighlight> == Security == === Install RSA Keys === === Configure s...")
 
(Removing a user from sudo group and removing an authorized key)
 
(11 intermediate revisions by 3 users not shown)
Line 1: Line 1:
Assuming you have made a [[Linode]] with [[Debian]] 11
Assuming you have made a [[Linode]] with [[Debian]] 11.


== User accounts ==
== User accounts ==


* Make user accounts:
* Make user accounts. (You can do this as many times as you want to add more users.)


<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
Line 21: Line 21:
</syntaxhighlight>
</syntaxhighlight>


== Security ==
* To remove a user from <code>sudo</code> group


=== Install RSA Keys ===
<syntaxhighlight lang="bash">
sudo gpasswd -d USERNAME sudo
</syntaxhighlight>
 
Also, to remove their ability to ssh as root, remove their public key from <code>.ssh/authorized_keys</code>
 
== Security (only need to do this at setup) ==
 
=== Add cryptographic public keys for user authentication ===
 
* RSA keys (has known vulnerabilities)
* [https://www.unixtutorial.org/how-to-generate-ed25519-ssh-key/ ed25519 keys] (better alternative: faster, more secure, resilient against hash-function collision attacks, shorter)


=== Configure sshd ===
=== Configure sshd ===
Line 29: Line 40:
* Disable password login
* Disable password login
* Disable root login
* Disable root login
* Restart ssh otherwise the changes to sshd don't take effect!<syntaxhighlight lang="bash">
service ssh restart
</syntaxhighlight>
=== [[Fail2Ban]] ===
==== Install ====
<pre>
apt install fail2ban
</pre>
==== Configuration ====
Editing <code>/etc/fail2ban/jail.local</code>, using the defaults from [[Mastodon/Setup]]
<syntaxhighlight lang="toml">
[DEFAULT]
destemail = your@email.here
sendername = Fail2Ban
[sshd]
enabled = true
port = 22
[sshd-ddos]
enabled = true
port = 22
</syntaxhighlight>
Then restart the service
<pre>
systemctl restart fail2ban
</pre>
=== IPTables ===
Again following [[Mastodon/Setup]]
==== Install ====
<pre>
apt install -y iptables-persistent
</pre>
Decline the dialog asking if you want to preserve existing iptables configs (if you say yes then the commands below will fail for some reason)
==== Configuration ====
* '''IPv4:''' Edit <code>/etc/iptables/rules.v4</code>
<pre>
*filter
#  Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
#  Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#  Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
#  Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
#  Allow SSH connections
#  The -dport number should be the same port number you set in sshd_config
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
#  Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# Allow destination unreachable messages, espacally code 4 (fragmentation required) is required or PMTUD breaks
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
#  Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
#  Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
</pre>
* '''IPv6:''' Edit <code>/etc/iptables/rules.v6</code>
<pre>
*filter
#  Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d ::1/128 -j REJECT
#  Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#  Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
#  Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
#  Allow SSH connections
#  The -dport number should be the same port number you set in sshd_config
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
#  Allow ping
-A INPUT -p icmpv6 -j ACCEPT
#  Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
#  Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
</pre>
Then reload the rules:
<syntaxhighlight lang="bash">
iptables-restore < /etc/iptables/rules.v4
ip6tables-restore < /etc/iptables/rules.v6
</syntaxhighlight>

Latest revision as of 22:56, 8 October 2023

Assuming you have made a Linode with Debian 11.

User accounts

  • Make user accounts. (You can do this as many times as you want to add more users.)
adduser \
   --system \
   --shell /bin/bash \
   --gecos 'User Description If u want' \
   --group \
   --home /home/USERNAME \
   USERNAME
  • Add user to sudo group (if needed)
usermod -aG sudo USERNAME
  • To remove a user from sudo group
sudo gpasswd -d USERNAME sudo

Also, to remove their ability to ssh as root, remove their public key from .ssh/authorized_keys

Security (only need to do this at setup)

Add cryptographic public keys for user authentication

  • RSA keys (has known vulnerabilities)
  • ed25519 keys (better alternative: faster, more secure, resilient against hash-function collision attacks, shorter)

Configure sshd

  • Disable password login
  • Disable root login
  • Restart ssh otherwise the changes to sshd don't take effect!
    service ssh restart
    

Fail2Ban

Install

apt install fail2ban

Configuration

Editing /etc/fail2ban/jail.local, using the defaults from Mastodon/Setup

[DEFAULT]
destemail = your@email.here
sendername = Fail2Ban

[sshd]
enabled = true
port = 22

[sshd-ddos]
enabled = true
port = 22

Then restart the service

systemctl restart fail2ban

IPTables

Again following Mastodon/Setup

Install

apt install -y iptables-persistent

Decline the dialog asking if you want to preserve existing iptables configs (if you say yes then the commands below will fail for some reason)

Configuration

  • IPv4: Edit /etc/iptables/rules.v4
*filter

#  Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

#  Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#  Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

#  Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

#  Allow SSH connections
#  The -dport number should be the same port number you set in sshd_config
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

#  Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# Allow destination unreachable messages, espacally code 4 (fragmentation required) is required or PMTUD breaks
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT

#  Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

#  Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT
  • IPv6: Edit /etc/iptables/rules.v6
*filter

#  Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d ::1/128 -j REJECT

#  Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#  Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

#  Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

#  Allow SSH connections
#  The -dport number should be the same port number you set in sshd_config
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

#  Allow ping
-A INPUT -p icmpv6 -j ACCEPT

#  Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

#  Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT

Then reload the rules:

iptables-restore < /etc/iptables/rules.v4
ip6tables-restore < /etc/iptables/rules.v6