Linux Hardening
Setup SSH Keys
ssh-keygen -t rsa -b 4096 -C "xxx@yyy.com"
Edit sshd
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.original
sudo vim /etc/ssh/sshd_config
Port 2222
ChallengeResponseAuthentication no
UsePAM no
PasswordAuthentication no
PermitRootLogin no
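# or, to allow root with keys only (keep a single PermitRootLogin line; sshd uses the first value it reads):
PermitRootLogin prohibit-password
sudo systemctl reload sshd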
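A check for the sshd_config edits above, added here as an example and not part of the original notes: it reads the first value of each keyword, which is the one sshd keeps, and compares it with the values listed. The function names and the sample file are constructed for illustration.

```shell
# Added example (not from the original notes): audit an sshd_config file
# against the values listed above. sshd keeps the FIRST value it reads for a
# keyword, so a later duplicate line is silently ignored.
# Limits: Include files and Match blocks are not evaluated.

# Print the first global value of keyword $2 in file $1 (case-insensitive).
sshd_first_value() {
    awk -v key="$2" '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        tolower($1) == "match" { exit }         # conditional blocks start here
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Check the five settings from the notes; fail if any first value differs.
audit_sshd_config() (
    file=$1 rc=0
    if grep -Eiq '^[[:space:]]*include[[:space:]]' "$file"; then
        echo "note  Include directive present: included files are not parsed"
    fi
    while read -r key want; do
        got=$(sshd_first_value "$file" "$key")
        if [ "$got" = "$want" ]; then
            echo "ok    $key $got"
        else
            echo "FAIL  $key: want '$want', first value read is '${got:-unset}'"
            rc=1
        fi
    done <<'EOF'
Port 2222
ChallengeResponseAuthentication no
UsePAM no
PasswordAuthentication no
PermitRootLogin no
EOF
    [ "$rc" -eq 0 ]
)

# Constructed sample: the same settings, but with prohibit-password listed first.
sample=$(mktemp)
printf '%s\n' 'Port 2222' 'ChallengeResponseAuthentication no' 'UsePAM no' \
    'PasswordAuthentication no' 'PermitRootLogin prohibit-password' \
    'PermitRootLogin no' > "$sample"
audit_sshd_config "$sample" || echo "audit failed: fix the lines marked FAIL"
rm -f "$sample"
```

On a live host, `sudo sshd -t` validates the file before the reload and `sudo sshd -T` prints the effective configuration, including Include files.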
UFW
sudo ufw allow 2222
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw deny 22
sudo ufw status
sudo ufw reload
fail2ban / sshguard / crowdsec
sudo apt install fail2ban
sudo systemctl start fail2ban
sudo systemctl enable fail2ban
Log all ssh commands
Add to /etc/bash.bashrc:
readonly PROMPT_COMMAND='history -a >(logger -t "commandlog $USER[$PWD] $SSH_CONNECTION")'
Syslog can be configured to forward these logs elsewhere.
Block Ping
sudo vim /etc/ufw/before.rules
Add under "# ok icmp codes for INPUT":
-A ufw-before-input -p icmp --icmp-type echo-request -j DROP
sudo reboot
Check System
sudo ss -tulpn
# From external computer
ping xx.xx.xx.xx -t