Up next: More security

Obviously, just limiting who can log into the server, as we did in US Tech-exit – First steps: a server, is not enough. As you can see from this blog, I am a bit ahead right now and have already hardened the server. I am trying my best to mildly obfuscate whatever I am doing (even if security by obscurity is not a good way to do it), but there are also things done that I have not gotten around to explaining yet.


People who guess passwords wrong – Fail2Ban

First, we want to stop anyone who thinks they can brute-force their way into the server. The fail2ban program does exactly this: it watches the authentication log and temporarily bans the source IP address after repeated failed logins. Out of the box, five failures within ten minutes earn a ten-minute ban; newer versions can also make the bans of repeat offenders grow longer each time (the bantime.increment setting, which is off by default), so the ban time is not exponential unless you turn that on. Make sure your own login already works before installing it, and whitelist your own address, as it is easy to lock yourself out while you are still figuring out access.

This works pretty much out of the box, and is installed simply with

apt-get install fail2ban

If you want to change any of the values, do not edit /etc/fail2ban/jail.conf directly, as package upgrades overwrite it. Instead, create /etc/fail2ban/jail.local and put only the settings you want to override in it, using the same section names as jail.conf. One override you will almost certainly need: if SSH is not on port 22, set port in the [sshd] section to the port you actually use, because the default ban action only blocks the port named in the jail, so bans would otherwise not block your real SSH port.
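As an added example (not from the original post), the following script writes such a jail.local and then re-implements, in a few lines of awk, the counting rule the sshd jail applies, run against constructed log lines so you can see which addresses would be banned and why. The SSH port 12345 and the admin address 203.0.113.10 are placeholders; bantime.increment needs fail2ban 0.11 or newer, and backend = systemd assumes the systemd journal is available, as on a standard Ubuntu install.

```shell
#!/bin/sh
# Added example, not part of the original post or of fail2ban itself.
# Assumptions: SSH listens on 12345 and 203.0.113.10 is the admin's own
# address (both placeholders); bantime.increment needs fail2ban >= 0.11.

# Write the override file. Anything not listed keeps its jail.conf default.
write_jail_local() {
    path=$1; ssh_port=$2; admin_ip=$3
    cat > "$path" <<EOF
[DEFAULT]
# never ban the admin's own address, even after failed attempts
ignoreip = 127.0.0.1/8 ::1 ${admin_ip}
# five failures within ten minutes earn a one-hour ban
findtime = 10m
maxretry = 5
bantime = 1h
# repeat offenders get progressively longer bans (fail2ban >= 0.11)
bantime.increment = true
bantime.maxtime = 1w
# read sshd messages from the journal, whether or not rsyslog is installed
backend = systemd

[sshd]
enabled = true
# the ban action only blocks the port named here, so it must match sshd_config
port = ${ssh_port}
EOF
}

# Count "Failed password" lines per source address and print every address
# that reached maxretry, skipping the admin address the way ignoreip does.
# This mirrors fail2ban's rule minus the findtime window.
offenders() {
    logfile=$1; maxretry=$2; admin_ip=$3
    awk -v max="$maxretry" -v skip="$admin_ip" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # the source address is the field right after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip != skip) fails[ip]++
        }
        END { for (ip in fails) if (fails[ip] >= max) print ip }
    ' "$logfile" | sort
}

# Constructed sample log lines in the format sshd writes to auth.log/journal.
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
Mar  3 10:01:02 host sshd[1203]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Mar  3 10:01:05 host sshd[1203]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Mar  3 10:01:09 host sshd[1207]: Failed password for root from 198.51.100.7 port 51240 ssh2
Mar  3 10:01:12 host sshd[1207]: Failed password for root from 198.51.100.7 port 51240 ssh2
Mar  3 10:01:15 host sshd[1211]: Failed password for root from 198.51.100.7 port 51242 ssh2
Mar  3 10:02:00 host sshd[1220]: Failed password for ubuntu from 203.0.113.10 port 40000 ssh2
Mar  3 10:02:01 host sshd[1220]: Failed password for ubuntu from 203.0.113.10 port 40000 ssh2
Mar  3 10:02:02 host sshd[1220]: Failed password for ubuntu from 203.0.113.10 port 40000 ssh2
Mar  3 10:02:03 host sshd[1220]: Failed password for ubuntu from 203.0.113.10 port 40000 ssh2
Mar  3 10:02:04 host sshd[1220]: Failed password for ubuntu from 203.0.113.10 port 40000 ssh2
Mar  3 10:02:30 host sshd[1230]: Accepted publickey for deploy from 192.0.2.55 port 41000 ssh2: ED25519 SHA256:...
Mar  3 10:03:00 host sshd[1240]: Failed password for invalid user test from 192.0.2.99 port 42000 ssh2
EOF

# 198.51.100.7 has five failures and is reported; 203.0.113.10 also has five
# but is the admin address and is skipped; 192.0.2.99 has only one.
offenders "$sample_log" 5 203.0.113.10
```

After writing the real file with write_jail_local /etc/fail2ban/jail.local 12345 <your-ip> and restarting the service, fail2ban-client status sshd shows the jail is enabled and which addresses are currently banned; if it lists nothing while your log is full of failures, the jail is most likely reading the wrong log source, which is what the backend line above is for.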

Limiting the ports we allow

Most hosting providers (including Hetzner) let you configure a firewall in front of the server that limits the traffic reaching it. That is great, but not everyone has that option, so you can also use Ubuntu's built-in “uncomplicated firewall”, ufw. First, identify the ports we want to open: a non-standard port for SSH (12345 below is a placeholder; use whatever you set in sshd_config), 80 for HTTP (which will probably mostly serve to redirect to HTTPS) and 443 for HTTPS. We can then run the following, adding the SSH rule before enabling the firewall so we do not lock ourselves out:

ufw status #check that it is disabled
ufw default deny incoming
ufw default allow outgoing
ufw allow 12345/tcp #SSH
ufw allow 80/tcp #HTTP
ufw allow 443/tcp #HTTPS
ufw enable
ufw status #check that it is now enabled
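As an added example (not from the original post), here is the same rule set wrapped in a script that reads the SSH port from sshd_config instead of typing it by hand, rate-limits SSH with ufw limit instead of plain allow, and only touches the real firewall when explicitly asked to. It goes slightly beyond the commands above: ufw limit uses ufw's fixed policy of dropping a source that opens more than six connections in thirty seconds, which catches floods before fail2ban has counted anything. The port 12345 and the sample sshd_config are constructed placeholders; the APPLY_UFW variable is this script's own guard, not a ufw feature.

```shell
#!/bin/sh
# Added example, not part of the original post or of ufw itself.
# The port 12345 and the sample config below are placeholders.

# Print every uncommented Port directive, one per line (sshd listens on all
# of them), or 22 when there is none. Only the given file is read, so any
# drop-ins under sshd_config.d/ have to be passed separately.
ssh_ports_from_config() {
    awk 'tolower($1) == "port" { print $2; found = 1 } END { if (!found) print 22 }' "$1"
}

# The rules from the post, with SSH rate-limited and a non-interactive enable.
# $1 is a newline-separated list of SSH ports.
apply_firewall() {
    ssh_ports=$1
    ufw status                       # should say "inactive" on a fresh server
    ufw default deny incoming
    ufw default allow outgoing
    for p in $ssh_ports; do
        ufw limit "${p}/tcp"         # SSH, rate-limited; added BEFORE enabling
    done
    ufw allow 80/tcp                 # HTTP, mostly to redirect to HTTPS
    ufw allow 443/tcp                # HTTPS
    ufw --force enable               # --force skips the "may disrupt ssh" prompt
    ufw status verbose               # confirm the policy and the rules
}

# Constructed sshd_config fragment: the commented default must be ignored and
# the real directive further down is the one that counts.
sample_config=$(mktemp)
cat > "$sample_config" <<'EOF'
#Port 22
Include /etc/ssh/sshd_config.d/*.conf
PasswordAuthentication no
Port 12345
EOF

# Only change the real firewall when asked for explicitly and running as root;
# otherwise show what would be opened, using the sample config.
if [ "${APPLY_UFW:-0}" = 1 ] && [ "$(id -u)" -eq 0 ]; then
    apply_firewall "$(ssh_ports_from_config /etc/ssh/sshd_config)"
else
    echo "dry run: would rate-limit SSH on port(s): $(ssh_ports_from_config "$sample_config" | tr '\n' ' ')"
fi
```

Run it as APPLY_UFW=1 sudo sh hardening.sh (any file name you like) to apply the rules. One caveat worth knowing before the Docker post: Docker publishes container ports by inserting its own iptables rules ahead of ufw's, so anything exposed with -p or a compose ports: entry is reachable regardless of the rules above unless you bind it to 127.0.0.1 and put it behind the reverse proxy.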

This concludes our initial security setup. Next up, we need something to easily host our blog and everything else we want the company to host. For this we start out with Docker, using docker compose, since that will eventually make it easier to migrate to a larger setup with multiple servers involved.

