Hardening an Ubuntu Server
Quick steps to secure your node.
- Ubuntu Server or Ubuntu Desktop installed
- SSH server installed
- an SSH client or terminal window access
In case you need to install SSH server, refer to:
In case you need an SSH client for your operating system, refer to:
SSH to your server
Create a new user called cardano
useradd -m -s /bin/bash cardano
Set the password for the cardano user
Add cardano to the sudo group so it can run administrative commands with sudo
usermod -aG sudo cardano
Create a new SSH key pair on your local machine (not on the server). You will be asked to type a file name in which to save the key; this will be your keyname. Protect the private key with a passphrase when prompted. Prefer an ed25519 key; use a 4096-bit RSA key only if your client or server does not support ed25519.
ssh-keygen -t ed25519
ssh-keygen -t rsa -b 4096
Transfer the public key (the .pub file) to your remote node, replacing keyname with the file name you chose. Only the public key leaves your machine; the private key stays local.
Log in with your new cardano user.
Disable root login and password-based login by editing the sshd_config file:
sudo nano /etc/ssh/sshd_config
Locate PubkeyAuthentication and update to yes. Delete the leading #, if needed; a line that still starts with # is a comment and has no effect.
Locate PasswordAuthentication and update to no
Locate PermitRootLogin and update to prohibit-password
Locate PermitEmptyPasswords and update to no
Optional: Locate Port and customize it to a random port number of your choice. Moving the port reduces log noise from automated scanners but is not an access control on its own; the key-only login above is what keeps them out.
Port <port number>
Note that sshd uses the first value it reads for each keyword. On recent Ubuntu releases sshd_config starts with an Include of /etc/ssh/sshd_config.d/*.conf, and cloud images ship a 50-cloud-init.conf there that sets PasswordAuthentication yes; because that file is read before the rest of sshd_config, it overrides your edit unless you change or remove it as well.
Validate the syntax of your new SSH configuration.
sudo sshd -t
If no errors with the syntax validation, restart the SSH process.
sudo systemctl restart sshd
Verify the login still works. Do this from a second terminal while your existing session stays open: if the new configuration locks you out, the open session lets you revert it.
Optional: Make logging in easier by updating your local ssh config.
To simplify the ssh command needed to log in to your server, consider adding a Host entry named cardano-server to your local ssh config, including the custom port if you changed it:
Port <custom port number>
This will allow you to log in with ssh cardano-server rather than needing to pass all ssh parameters explicitly.
Update the package index and install all pending upgrades, then remove packages and cached archives that are no longer needed:
sudo apt-get update -y && sudo apt-get upgrade -y
sudo apt-get autoremove
sudo apt-get autoclean
Enable automatic updates so you don't have to install them manually. The second command writes the daily update schedule to /etc/apt/apt.conf.d/20auto-upgrades; which package sources are upgraded and whether the node may reboot on its own (Automatic-Reboot, off by default) are set in /etc/apt/apt.conf.d/50unattended-upgrades.
sudo apt-get install unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades
To keep the server secure, administrators should not log in as root. Instead, log in as the cardano user and use sudo for the commands that need elevated privileges. You can then lock the root account's password so it cannot be used to log in at all. This locks only the password: sudo -i still works, and SSH key login as root is governed by PermitRootLogin, not by this lock.
# To disable the root account, simply use the -l option.
sudo passwd -l root
# If for some valid reason you need to re-enable the account, simply use the -u option.
sudo passwd -u root
Add a second factor to SSH logins with time-based one-time passwords (TOTP). Install the Google Authenticator PAM module:
sudo apt install libpam-google-authenticator -y
To make SSH use the Google Authenticator PAM module, edit the PAM configuration for sshd:
sudo nano /etc/pam.d/sshd
Add the following line:
auth required pam_google_authenticator.so
Because the module is marked required, any password or keyboard-interactive login will fail for a user who has not yet generated a secret, so complete the google-authenticator setup below for the cardano user before you depend on it. Now you need to restart the SSH service:
sudo systemctl restart sshd.service
Next, tell sshd to use the PAM challenge. Edit the sshd_config file again:
sudo nano /etc/ssh/sshd_config
Locate ChallengeResponseAuthentication and update to yes (on OpenSSH 8.7 and newer the keyword is KbdInteractiveAuthentication; the old name is still accepted as an alias)
Locate UsePAM and update to yes
Save the file and exit, then validate the syntax and restart the SSH service again as in the earlier step, otherwise the change does not take effect. Be aware that with these two settings alone sshd's default AuthenticationMethods (any) still accepts a valid key by itself, so key logins are never asked for a code; the code is only enforced when AuthenticationMethods requires both publickey and keyboard-interactive.
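Both the key-only hardening step earlier and the two-factor step here boil down to "set this sshd_config keyword to exactly this value", and doing that by hand in nano is where mistakes creep in (a stale commented-out default, a duplicate line, a directive landing inside a Match block, or an Include that wins because it is read first). The following is an added example, not part of the original guide: idempotent POSIX shell helpers whose names (get_sshd_directive, set_sshd_directive, harden_sshd_config, require_key_plus_totp) are made up for this example. They take a file path, so the demo at the bottom runs on a constructed copy of a typical Ubuntu default; on a real node you would point them at /etc/ssh/sshd_config with sudo, then run sshd -t and restart the service as described above. The example goes one step beyond the page by also setting AuthenticationMethods, which is what actually makes the TOTP code mandatory for key logins.

```shell
#!/bin/sh
# Added example (not from the original guide). Helper names are hypothetical.

# Print the global value of a keyword. sshd uses the FIRST value it reads,
# and values inside Match blocks are conditional, so stop at the first Match.
get_sshd_directive() {
  # usage: get_sshd_directive <file> <Keyword>
  awk -v k="$2" '
    /^[ \t]*#/ { next }
    { line = $0; sub(/=/, " ", line); n = split(line, f) }
    n > 0 && tolower(f[1]) == "match" { exit }
    n > 1 && tolower(f[1]) == tolower(k) { print f[2]; exit }
  ' "$1"
}

# Set a keyword to exactly one value. Old copies in the global section, active
# or commented out ("#PasswordAuthentication yes"), are dropped and the new
# line is put at the very top. First value wins, so this also beats anything
# pulled in by "Include /etc/ssh/sshd_config.d/*.conf", and the new line can
# never land inside a Match block (where e.g. Port is not allowed).
set_sshd_directive() {
  # usage: set_sshd_directive <file> <Keyword> <value>
  file=$1 key=$2 value=$3
  tmp=$(mktemp)
  {
    printf '%s %s\n' "$key" "$value"
    awk -v k="$key" '
      tolower($1) == "match" { in_match = 1 }     # leave Match blocks as they are
      in_match { print; next }
      { line = $0
        sub(/^[ \t]*#?[ \t]*/, "", line)           # strip a leading "#"
        sub(/=/, " ", line)                        # accept Key=value form too
        n = split(line, f) }
      n > 0 && tolower(f[1]) == tolower(k) { next } # drop old copies
      { print }
    ' "$file"
  } > "$tmp"
  cat "$tmp" > "$file"   # cat, not mv: keeps the target's owner and mode
  rm -f "$tmp"
}

# The key-only hardening from the earlier step; optional second argument = Port.
harden_sshd_config() {
  # usage: harden_sshd_config <file> [port]
  set_sshd_directive "$1" PubkeyAuthentication yes
  set_sshd_directive "$1" PasswordAuthentication no
  set_sshd_directive "$1" PermitRootLogin prohibit-password
  set_sshd_directive "$1" PermitEmptyPasswords no
  if [ -n "${2:-}" ]; then set_sshd_directive "$1" Port "$2"; fi
}

# Require the key AND the TOTP code. ChallengeResponseAuthentication yes on its
# own is not enough: sshd's default AuthenticationMethods is "any", so a valid
# key would still log in without ever being asked for a code. (OpenSSH 8.7+
# names the keyword KbdInteractiveAuthentication; the old name is an alias.)
require_key_plus_totp() {
  # usage: require_key_plus_totp <file>
  set_sshd_directive "$1" ChallengeResponseAuthentication yes
  set_sshd_directive "$1" UsePAM yes
  set_sshd_directive "$1" AuthenticationMethods publickey,keyboard-interactive
}

# Demo on a constructed file that mimics an Ubuntu default (not a real node's).
demo_sshd_config() {
  cfg=$(mktemp)
  cat > "$cfg" <<'EOF'
Include /etc/ssh/sshd_config.d/*.conf
#Port 22
#PubkeyAuthentication yes
PasswordAuthentication yes
#PermitRootLogin prohibit-password
ChallengeResponseAuthentication no
UsePAM yes
Match User backup
    PasswordAuthentication no
EOF
  harden_sshd_config "$cfg" 2222
  require_key_plus_totp "$cfg"
  cat "$cfg"
  rm -f "$cfg"
}
demo_sshd_config
```

After applying this to a real node and restarting, `sudo sshd -T | grep -iE 'passwordauthentication|authenticationmethods'` prints the values sshd actually uses, Include files and all, which is the check worth doing before you close your working session. Remember that with `auth required pam_google_authenticator.so` in place, a user without a ~/.google_authenticator file cannot complete the keyboard-interactive step, so generate the cardano user's secret before AuthenticationMethods starts demanding it.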
Run the google-authenticator command as the cardano user (not with sudo, so the secret is written to that user's own home directory).
It will ask you a series of questions; here is a recommended configuration:
- Make tokens time-based: yes
- Update the ~/.google_authenticator file: yes
- Disallow multiple uses of the same token: yes
- Increase the time window to tolerate clock skew: no
- Enable rate-limiting: yes
You may have noticed the large QR code that appeared during the process; underneath it are your emergency scratch codes, to be used if you don't have access to your phone. Write them down on paper and keep them in a safe place.
Now open Google Authenticator on your phone and scan the QR code (or enter the secret key) to make two-factor authentication work. Before closing your current session, open a second terminal and confirm that a fresh login asks for the verification code.
Restrict shared memory so it cannot be used to stage or run executables. Edit /etc/fstab:
sudo nano /etc/fstab
Insert the following line at the bottom of the file and save/close.
tmpfs /run/shm tmpfs ro,noexec,nosuid 0 0
Reboot the node in order for the changes to take effect. Caveat: the ro option makes shared memory read-only, which stops any program from creating shared-memory segments at all, and on recent Ubuntu releases /run/shm is a symlink to /dev/shm. If software on the node needs shared memory, use noexec,nosuid,nodev without ro instead, and check with mount after the reboot that the options took effect.