Hardening an Ubuntu Server
Quick steps to secure your node.
Thank you for your support and kind messages! It really energizes us to keep creating the best crypto guides. Use cointr.ee to find our donation addresses and share your message.
🙏
- Ubuntu Server or Ubuntu Desktop installed
- SSH server installed
- a SSH client or terminal window access
In case you need to install SSH server, refer to:
In case you need a SSH client for your operating system, refer to:
Make a habit of logging to your server using a non-root account. This will prevent the accidental deletion of files if you make a mistake. For instance, the command rm can wipe your entire server if run incorrectly using by a root user.
Tip: Do NOT routinely use the root account. Use
🔥
su
or sudo
, always.SSH to your server
Create a new user called cardano
useradd -m -s /bin/bash cardano
Set the password for cardano user
passwd cardano
Add cardano to the sudo group
usermod -aG sudo cardano
The basic rules of hardening SSH are:
- No password for SSH access (use private key)
- Don't allow root to SSH (the appropriate users should SSH in, then
su
orsudo
) - Use
sudo
for users so commands are logged - Log unauthorized login attempts (and consider software to block/ban users who try to access your server too many times, like fail2ban)
- Lock down SSH to only the ip range your require (if you feel like it)
Create a new SSH key pair on your local machine. Run this on your local machine. You will be asked to type a file name in which to save the key. This will be your keyname.
ED25519
RSA
ssh-keygen -t ed25519
ssh-keygen -t rsa -b 4096
Transfer the public key to your remote node. Update the keyname.
ssh-copy-id -i $HOME/.ssh/<keyname>.pub [email protected]
Login with your new cardano user
Disable root login and password based login. Edit the
/etc/ssh/sshd_config file
sudo nano /etc/ssh/sshd_config
Locate PubkeyAuthentication and update to yes. Delete the #, if needed.
PubkeyAuthentication yes
Locate PasswordAuthentication and update to no
PasswordAuthentication no
Locate PermitRootLogin and update to prohibit-password
PermitRootLogin prohibit-password
Locate PermitEmptyPasswords and update to no
PermitEmptyPasswords no
Optional: Locate Port and customize it to your random port number.
Port <port number>
Validate the syntax of your new SSH configuration.
sudo sshd -t
If no errors with the syntax validation, restart the SSH process.
sudo systemctl restart sshd
Verify the login still works
Standard SSH Port 22
Custom SSH Port
ssh [email protected] -p <custom port number>
Alternatively, add the
-p <port#>
flag if you used a custom SSH port.ssh -i <path to your SSH_key_name.pub> [email protected]
Optional: Make logging in easier by updating your local ssh config.
To simplify the ssh command needed to log in to your server, consider updating your local
$HOME/.ssh/config
file:Host cardano-server
User cardano
HostName <server.public.ip.address>
Port <custom port number>
This will allow you to log in with
ssh cardano-server
rather than needing to pass through all ssh parameters explicitly.It's critically important to keep your system up-to-date with the latest patches to prevent intruders from accessing your system.
sudo apt-get update -y && sudo apt-get upgrade -y
sudo apt-get autoremove
sudo apt-get autoclean
Enable automatic updates so you don't have to manually install them.
sudo apt-get install unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades
By default when enabled, the
unattended-upgrades
service only installs security updates automatically. For details on configuring unattended upgrades, see How to Setup & Configure Unattended Upgrades on Ubuntu 20.04, for example.System admins should not frequently log in as root in order to maintain server security. Instead, you can use sudo execute that require low-level privileges.
# To disable the root account, simply use the -l option.
sudo passwd -l root
# If for some valid reason you need to re-enable the account, simply use the -u option.
sudo passwd -u root
SSH, the secure shell, is often used to access remote Linux systems. Because we often use it to connect with computers containing important data, it’s recommended to add another security layer. Here comes the two factor authentication (2FA).
sudo apt install libpam-google-authenticator -y
To make SSH use the Google Authenticator PAM module, edit the
/etc/pam.d/sshd
file:sudo nano /etc/pam.d/sshd
Add the follow line:
auth required pam_google_authenticator.so
Now you need to restart the
sshd
daemon using:sudo systemctl restart sshd.service
Modify
/etc/ssh/sshd_config
sudo nano /etc/ssh/sshd_config
Locate ChallengeResponseAuthentication and update to yes
ChallengeResponseAuthentication yes
Locate UsePAM and update to yes
UsePAM yes
Save the file and exit.
Run the google-authenticator command.
google-authenticator
It will ask you a series of questions, here is a recommended configuration:
- Make tokens “time-base”": yes
- Update the
.google_authenticator
file: yes - Disallow multiple uses: yes
- Increase the original generation time limit: no
- Enable rate-limiting: yes
You may have noticed the giant QR code that appeared during the process, underneath are your emergency scratch codes to be used if you don’t have access to your phone: write them down on paper and keep them in a safe place.
Now, open Google Authenticator on your phone and add your secret key to make two factor authentication work.
Note: If you are enabling 2FA on a remote machine that you access over SSH you need to follow steps 2 and 3 of this tutorial to make 2FA work.
One of the first things you should do is secure the shared memory used on the system. If you're unaware, shared memory can be used in an attack against a running service. Because of this, secure that portion of system memory.
One exceptional case
There may be a reason for you needing to have that memory space mounted in read/write mode (such as a specific server application like **Chrome **that requires such access to the shared memory or standard applications like Google Chrome). In this case, use the following line for the fstab file with instructions below.
none /run/shm tmpfs rw,noexec,nosuid,nodev 0 0
The above line will mount the shared memory with read/write access but without permission to execute programs, change the UID of running programs, or to create block or character devices in the namespace. This a net security improvement over default settings.
Use with caution
With some trial and error, you may discover some applications(like Chrome) do not work with shared memory in read-only mode. For the highest security and if compatible with your applications, it is a worthwhile endeavor to implement this secure shared memory setting.
Edit
/etc/fstab
sudo nano /etc/fstab
Insert the following line to the bottom of the file and save/close.
tmpfs /run/shm tmpfs ro,noexec,nosuid 0 0
Reboot the node in order for changes to take effect.
sudo reboot