Secure SSH login

Switch from password to public key authentication

Prerequisite: an SSH key pair (create one with ssh-keygen if necessary); this example uses the key id_vps with the public key id_vps.pub

  1. Copy the public key to the server: ssh-copy-id -i id_vps.pub user@123.45.678.9

  2. Test the connection via public key authentication: ssh user@123.45.678.9 -i ~/.ssh/id_vps

  3. Disable password authentication in the configuration

    • Make sure PasswordAuthentication no is set in /etc/ssh/sshd_config
    • Additionally check whether sshd_config includes other configuration files (Include directives), since a setting in an included file can override this parameter
  4. Restart the ssh daemon: sudo service ssh restart

  5. Test that logging in with a password is no longer possible
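A way to verify step 3 before relying on it, as an added example that is not part of these notes: the script builds a constructed sshd_config tree in a temporary directory (assumptions: absolute Include paths only, no spaces in paths, no Match blocks; the drop-in file name is constructed) with the Include line placed before PasswordAuthentication no, as recent Ubuntu releases ship it, and resolves the effective value the way sshd does: the first value read wins, and included files are expanded at the place of the Include. On a live host, `sshd -T | grep -i passwordauthentication` is the authoritative check; run it from a session you keep open while restarting the daemon in step 4.

```shell
#!/bin/sh
# Added example (not from the notes): resolve the value sshd actually uses for an
# option when sshd_config pulls in drop-in files via Include. sshd keeps the FIRST
# value it reads, and an Include is expanded at the place it appears, so a drop-in
# listed before "PasswordAuthentication no" silently wins.
# Assumptions: absolute Include paths, no spaces in paths, no Match blocks.

# Build a constructed sshd_config tree under a temp dir; $1 is the value the
# drop-in sets. The layout (Include first, then the main settings) mirrors what
# recent Ubuntu releases ship; the file names are constructed, not copied.
setup_sample_config() {
  dir=$(mktemp -d)
  mkdir -p "$dir/sshd_config.d"
  cat > "$dir/sshd_config" <<EOF
# constructed main config
Include $dir/sshd_config.d/*.conf
PasswordAuthentication no
EOF
  cat > "$dir/sshd_config.d/50-cloud-init.conf" <<EOF
PasswordAuthentication $1
EOF
  printf '%s\n' "$dir"
}

# Print the config with comments and blank lines dropped and every Include
# replaced by the contents of the files it matches (recursively).
expand_includes() {
  while IFS= read -r line; do
    set -- $line                        # word-split; also expands Include globs
    [ $# -eq 0 ] && continue            # blank line
    case "$1" in '#'*) continue ;; esac # comment line
    key=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    if [ "$key" = include ]; then
      shift
      for f in "$@"; do
        [ -f "$f" ] && expand_includes "$f"
      done
    else
      printf '%s\n' "$*"
    fi
  done < "$1"
}

# Effective global value of option $2 in config file $1 (lower-cased), or nothing
# if it is unset and the compiled-in default applies.
effective_option() {
  expand_includes "$1" | awk -v o="$2" '
    tolower($1) == "match"    { exit }                    # global section ends here
    tolower($1) == tolower(o) { print tolower($2); exit } # first match wins'
}

# Demonstration: the main file alone says "no", but the drop-in is read first.
dir=$(setup_sample_config yes)
printf 'sshd_config alone:        %s\n' "$(awk 'tolower($1)=="passwordauthentication"{print $2}' "$dir/sshd_config")"
printf 'effective (with drop-in): %s\n' "$(effective_option "$dir/sshd_config" PasswordAuthentication)"
rm -rf "$dir"
```

The demonstration prints "no" for the main file and "yes" as the effective value, which is exactly the situation the second bullet of step 3 warns about: the fix is to set the option in the drop-in as well (or remove the drop-in), not only in sshd_config.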

Prevent brute-force attacks

Fail2ban

https://github.com/fail2ban/fail2ban/wiki/How-to-install-fail2ban-packages

Installation

    # on Ubuntu
    sudo apt update
    sudo apt install fail2ban

(Auto)Start

    sudo systemctl start fail2ban
    # enable start with system:
    sudo systemctl enable fail2ban

Configuration

The default configuration is stored at /etc/fail2ban/jail.conf and can be overridden by an /etc/fail2ban/jail.local file, e.g. to increase the default bantime:

    [DEFAULT]
    bantime = 2h

Restart fail2ban to load the configuration: sudo systemctl restart fail2ban

Checking status/logs

    # checking current jails
    fail2ban-client status

    # checking logs
    less /var/log/fail2ban.log
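To turn the log check into something repeatable, an added example that is not from these notes or the IONOS guide: two shell functions that summarize fail2ban.log lines in the format fail2ban.actions writes, counting bans per address for a jail and listing the addresses that are still banned. The sample log embedded below is constructed and uses documentation addresses (198.51.100.7 and 203.0.113.9), not real hosts.

```shell
#!/bin/sh
# Added example (not from the notes or the IONOS guide): summarize bans from
# fail2ban.log. Lines are in the format fail2ban.actions writes; the sample below
# is constructed and uses documentation addresses (RFC 5737), not real hosts.
SAMPLE_LOG='2024-03-01 10:00:01,101 fail2ban.filter         [812]: INFO    [sshd] Found 198.51.100.7 - 2024-03-01 10:00:01
2024-03-01 10:00:05,202 fail2ban.actions        [812]: NOTICE  [sshd] Ban 198.51.100.7
2024-03-01 10:07:40,303 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.9
2024-03-01 12:00:05,404 fail2ban.actions        [812]: NOTICE  [sshd] Unban 198.51.100.7
2024-03-01 12:30:00,505 fail2ban.actions        [812]: NOTICE  [sshd] Ban 198.51.100.7'

# Bans per address for jail $1, read from stdin; prints "count address", most
# banned first. Addresses that keep coming back are the case for a longer
# bantime (as in jail.local above) or fail2ban's recidive jail.
ban_counts() {
  awk -v j="[$1]" '
    $3 == "fail2ban.actions" && $6 == j && $7 == "Ban" { n[$8]++ }
    END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Addresses currently banned in jail $1 according to the log (a Ban without a
# later Unban); compare with "fail2ban-client status $1" to confirm live state.
currently_banned() {
  awk -v j="[$1]" '
    $3 == "fail2ban.actions" && $6 == j && $7 == "Ban"   { b[$8] = 1 }
    $3 == "fail2ban.actions" && $6 == j && $7 == "Unban" { delete b[$8] }
    END { for (ip in b) print ip }' | sort
}

# Demonstration on the constructed sample; on a server use
#   ban_counts sshd < /var/log/fail2ban.log
printf '%s\n' "$SAMPLE_LOG" | ban_counts sshd
printf '%s\n' '--- still banned ---'
printf '%s\n' "$SAMPLE_LOG" | currently_banned sshd
```

Field positions are those of the default log format (date, time, logger, pid, level, jail, action, address); if you change fail2ban's logging format the field numbers in the awk patterns need adjusting.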

Source: IONOS Guide (German)

Security updates

unattended-upgrades

  1. Installation

    sudo apt install unattended-upgrades
    
  2. Check in the configuration that the security update origins are not commented out

    • main config: /etc/apt/apt.conf.d/50unattended-upgrades
    • auto-upgrade config: /etc/apt/apt.conf.d/20auto-upgrades (view with cat)
  3. Check the general setup

    1. check /etc/apt/apt.conf.d/20auto-upgrades contains APT::Periodic::Unattended-Upgrade "1";
    2. check /etc/apt/apt.conf.d/50unattended-upgrades lists the allowed origins
    3. check systemctl status apt-daily-upgrade.timer shows something like Active: active (waiting)
    4. check the logs, e.g. with journalctl -u unattended-upgrades.service, to see whether it has been executed

Optional: also allow updates for packages from third-party sources by adding their origins to the allowed origins

Docker

Follow installation instructions: https://docs.docker.com/engine/install/