How to Secure a Linux Server with UFW, SSH Keygen, fail2ban & Two Factor Authentication

Captions
What's up guys, Roman here from Tech Guides, and in today's video I'm going to explain how to secure a Linux home server. Now, this is going to be the third video of my ultimate how to set up and install a home server tutorial series, and securing your server should definitely be one of the first steps when you get a home server up and running. Now, in today's tutorial I will primarily focus on getting the SSH aspect of your home server secured. So I will first show you how to change the port number through which SSH is connecting to your server, how to install UFW to get some basic firewall functionality up and running on your server, how to use key-based SSH authentication, how to install and configure fail2ban, and then finally, as a bit of an extra, I'm also going to show you how to set up two-factor authentication for your SSH connection.

Now, since today's video includes an incredible amount of commands that you have to enter in the command line, I would highly recommend you to go over to my blog, techguides.yt forward slash secure linux server, where you can find all commands discussed in this video, so you can simply copy-paste them onto your server. Short disclaimer: I am by no means an IT security expert, so take this tutorial as kind of a starting point to getting your home server more secure, but definitely look up other tutorials on YouTube or on Google that should definitely help you make your home server even more secure.

But before we jump right into today's tutorial, I'd like to give a short shout-out to my friends over at IPVanish. Now, if you're building your own home server, then I suppose you're a rather privacy-sensitive person, and therefore you probably don't want governments or other people to snoop around in your personal data. Now, besides having a home server, you should definitely also consider increasing your online privacy by using a VPN, or virtual private network. IPVanish provides absolutely fantastic VPN service with blazingly fast connection speeds, more than 1,500 servers in 75 locations, and allows you to connect to their VPN servers with as many devices as you'd like. Currently IPVanish is running a limited-time offer where you can get their 1-year plan for only 50. Also, if you don't like their service, you can get all your money back within 30 days. So if you also want to take back control over your internet security and additionally at the same time help supporting my channel, then check out IPVanish by going to techguides.yt/ipvanish. And with that, let's hop right into today's tutorial.

Now, the first step in hardening your Linux server should definitely be to change the port used to SSH onto your server. Now, from my experience, as soon as I opened up my server to the outside world, I constantly got connection attempts onto my SSH server. So by simply changing the SSH port to something else than the regular 22, I could dramatically decrease the number of malicious connection attempts onto my home server. To do so, log into your home server using SSH and edit the /etc/ssh/sshd_config file. Make sure to edit it using sudo. Now, in this file you can see that you can specify the port that the SSH daemon should listen to. Now, something interesting about port numbers that I've only learned when researching for this video is that any port number below 1024 can only be opened up by a process that has root privileges. Therefore some people say that using a port above 1025 should also be considered unsafe, since basically any application running on your home server could potentially open up that port as well and kind of mimic an SSH daemon. However, I don't really think that's such a big deal, but I guess better be safe than sorry, and select some port number like this. Obviously don't select this one, just select any port number below 1024.

Now save the file by pressing Ctrl+X and Y, and restart the SSH service by typing in sudo service sshd restart. Now, if you want to connect onto your home server, you can no longer simply SSH onto your home server using the regular ssh, username and the IP address, because SSH is trying to attempt to connect to the server using port 22. To change this, simply specify a -p with the number of the port that you've changed, and as you can see, you can now successfully connect onto your home server using a different port. Additionally, you should also remember to port forward this new port to your home server in your router configuration if you want to remotely SSH onto your home server.

Finally, a short trick that allows you to not always have to specify this entire phrase to connect onto your home server is to actually specify an alias. To do so, open the .bashrc file on your local machine, go all the way to the bottom and create an alias by typing in alias followed by a name. For example, I'm connecting to my Raspberry Pi, so I'm going to type in pi= and, in quotation marks, ssh -p, the port that you've specified, your username and the local IP address of your home server. Save the file by pressing Ctrl+X, Y and Enter, and reload this file by typing source .bashrc. Now you can simply type in pi, or whichever name you've given the alias, and you can connect onto your home server.

The next step that anybody running a home server should take towards more security is to enable some sort of firewall. Now, I personally prefer to use UFW, or Uncomplicated Firewall, on Ubuntu. Obviously all of the things you're doing with UFW you could also do with iptables, however I feel like UFW is just so easy to use and straightforward to apply that I would recommend it to anybody looking at securing their home server for the first time. Now, if you're also running Ubuntu, then UFW is already coming pre-installed. In order to check if you have installed UFW, type sudo ufw status and see if you get some response. If you don't have UFW installed, you can simply type sudo apt install ufw.

Now, the first thing you want to do is to tell UFW to block all incoming connections by typing sudo ufw default deny incoming. Next, you also want to allow all outgoing connections, so type in sudo ufw default allow outgoing. Next, we have to add another rule that allows connection through SSH using the port that we specified in the last step. To do so, type in sudo ufw allow, the port number that you specified, /tcp, since we only need to allow the TCP protocol on port 456 when trying to connect using SSH, and let's add a comment, for example ssh. Finally, if you're also running a web server on your home server, then you probably also want to type sudo ufw allow http, and finally also sudo ufw allow https. Now, I would actually always recommend to use SSL for all of your websites, even if you're running them on your home server. I actually have a video on the topic you can find in the card right now. So if you've already set up your web server to use HTTPS only, then you don't need to allow HTTP, or port 80, through your firewall.

Finally, type in sudo ufw enable, and make sure that you've actually specified the correct port here, otherwise you're gonna lock yourself out of your own server. If you did so, type y, and as you can see, the firewall is now active and will be enabled on every system startup. If you type sudo ufw status, you can get more information on which ports are currently opened and allowed through your firewall. Now, if you've accidentally added a wrong rule to UFW, you can simply type in sudo ufw status numbered and then delete any wrong rules by typing sudo ufw delete followed by the rule number. So let's delete port 80, both for IPv6 and IPv4. Now, if you did so, make sure to type sudo ufw reload in order to reload the new UFW rules, and by typing sudo ufw status you can verify that everything is now set up properly.

Finally, an additional layer of security can be gained by additionally blocking ping requests onto your home server. This is actually very convenient if you don't want anybody to actually know that you're running an SSH or home server behind a certain IP address. To change this, again use nano to edit the /etc/ufw/before.rules file, and under ICMP codes for INPUT, make sure to set the echo-request to DROP. Save the file by pressing Ctrl+X, Y and Enter, and reload your UFW firewall.

Now, up until this point you've connected to your home server over SSH using a plain old password. Now, from modern standards this is no longer considered safe, as the password can either be logged on your computer that you're entering it on or could even be intercepted by a man-in-the-middle attack. Therefore I would highly recommend anybody who wants to access their home server remotely over SSH to use key-based authentication. Now, using key-based authentication is not only more secure than using a password, it's also much more easy to use, since you no longer have to enter a password whenever you connect to your server. Now, the way this works is also super straightforward. On your client machine, which you're using to access your home server, you generate a key which has two parts, a private and a public key. The public key is then transferred onto your home server, which is used to verify connection attempts over SSH, such that only people that hold the private key that you generated on your client can actually connect to your home server.

Basically, a key can be generated on your client machine by typing in ssh-keygen. However, I would highly recommend to modify the regular key that is generated here. So first specify that we want to create an RSA key with a length of 4096 bits. Now, the bit length of 4096 makes it basically impossible to brute force this RSA key. Finally, I also always like to add a comment, for example the name of this client, so let's call this speed main, to make sure that I can distinguish between different keys on my server. Now, this will generate a public and private RSA key pair that will be saved into the .ssh folder in my home directory. Press Enter. If you really want to be super secure, then you should definitely specify a passphrase here, but because I like to use the Google Authenticator, which I'm going to discuss in the fifth step of today's video, I simply like to use no password at all. And that is it, you have successfully created your RSA key.

Next, establish a connection onto your home server and generate the .ssh folder in your home directory. Back on your client, copy the public key onto your server by typing in scp -P, specify the custom port that you use to SSH onto your server, followed by the location of your public key, which you want to copy onto our server, so username, at, local IP address of your home server, colon, your home directory, .ssh, and make sure to actually copy the public key into the file called authorized_keys. Now, if you already have the authorized_keys file on your home server, then what you basically can do is to simply do a cat on your public key, copy the key, go back onto your home server and edit the authorized_keys file, basically simply pasting that key on a new line. And with having done that, you can now check if SSH is using key-based authentication by simply trying to log on to your server, and if you no longer need to enter a password, you know that the keys successfully work.

Now, in the next step I'm going to show you how to only connect to your SSH server using key-based authentication. Note that you should only proceed if everything up to this point has worked properly. So to only allow key-based authentication, edit the /etc/ssh/sshd_config file. Here you want to search for PasswordAuthentication and change this to no. Also, at the bottom of this file you want to add PermitRootLogin no. Basically this disallows direct root access over SSH onto your home server. Save the file and restart the SSH daemon.

In the next step I'm gonna explain how to install and configure fail2ban. Now, fail2ban is a super convenient little tool that basically scans log files on your server and bans IP addresses that, in this instance, are continuously trying to access your home server. In fact, you could use fail2ban for basically anything when it comes to connections onto your home server, but its most often use case scenario is really to ban IP addresses that are continuously connecting to your SSH server. To install fail2ban, first update your repositories by typing in sudo apt update and upgrade any required packages by typing in sudo apt upgrade. Also, if there is something that you can uninstall, you can obviously do it by typing in sudo apt autoremove, and finally install fail2ban.

Now, fail2ban ships with a default configuration file. This is found under /etc/fail2ban, and here you can see the fail2ban configuration file. If you want to make any changes, then I would highly recommend to copy this file and paste it under fail2ban.local. We need to be root to do this. And edit the local fail2ban configuration file. Now, by default fail2ban doesn't come with any jails for SSH, so we're gonna have to set them up manually. To do so, add sshd in square brackets to the bottom of the fail2ban.local file, add enabled = true, followed by the port that you specified to SSH onto your server, use filter = sshd, specify that fail2ban should look under the log path /var/log/auth.log, followed by maxretry = 3. Now, what this does with the standard fail2ban configuration is that if a certain IP address is attempting to access our SSH server more than three times over the last 600 seconds, then fail2ban is banning that IP address from any further attempt for at least 600 seconds. You can increase the ban time by specifying some sort of number in seconds, or if you want to ban indefinitely you can specify -1. Save the file and restart fail2ban.

Now, in order to check which kind of jails you have enabled on your server, type sudo fail2ban-client status. You can see we have one jail active, which is the sshd jail. In order to get more information, type sudo fail2ban-client status sshd, and as you can see, we currently have banned zero IP addresses from accessing our home server. We can test if everything is set up properly by attempting to log on to our Pi server using a wrong key, and if you do this more than three times, then you can see that we now have one entry under the banned IP list. Finally, in order to unban a computer from fail2ban, type in sudo fail2ban-client set sshd unbanip followed by the IP address that you'd like to unban, and if we have a look at the status again, then we can see that this IP is no longer banned.

Now, in this last part of today's tutorial I'm gonna show you how to set up two-factor authentication for your SSH connection. Basically what this means is that a potential attacker would not only require your private key to access your SSH server, but he would additionally require a time-based code that you're getting on your phone. Setting up two-factor authentication is actually super easy. First install the libpam Google Authenticator by typing in sudo apt install libpam-google-authenticator. Next, enter google-authenticator in the command line. Answer y to this question, which will bring up this huge QR code. On your phone, install the Google Authenticator, click on the plus sign and click on scan QR code. As you can see, this will generate a time-based token which you'll have to enter whenever you access your home server. Back on your server, you're prompted if you want to save your secret key onto your home directory. Type y, and enter y to this question as well. It basically prevents the use of the same token multiple times. Now, with this setup you can actually use this, the previous and the next code that you got on your mobile phone to log in to your server. In my opinion this allows for plenty of time skew to occur between your phone and your server, so let's type no here and enable rate limiting.

Next, update the PAM sshd configuration file using sudo, which you'll find under /etc/pam.d/sshd. Comment out the @include common-auth line, go all the way to the bottom and add auth required pam_google_authenticator.so. And finally, update the SSH configuration. Here you want to search for ChallengeResponseAuthentication (by the way, you can search for something by typing Ctrl+W) and change this to yes. Next, look for UsePAM and add the line AuthenticationMethods publickey,password publickey,keyboard-interactive. Save the file and restart the SSH daemon. Now, whenever you try to access your home server, you will be asked to enter the time-based verification code that you can get from your phone. And with that, you have successfully set up two-factor authentication.

Now, just a short side remark: whenever you try to rsync onto a server that has two-factor authentication enabled, you're also asked for this time-based token. This is obviously going to be annoying if you want to set up automatic rsync between different servers. I'm actually still in the process of trying to figure out how to automatically enter this time-based token whenever I use, for example, crontab to rsync files from one server to another that has two-factor authentication enabled. I will definitely be doing a video on that topic in the future, which you'll find linked in the card right now if it's already live.

And with that, we've reached the end of today's tutorial. Now, as I've mentioned in the intro, this tutorial really only covers getting the SSH aspect of your home server secured. Additionally, you should definitely also consider getting Apache and PHP secured if you're also running a web server. Now, if you're interested in that kind of video, then definitely leave a comment down below and I'll see if I can provide you with a dedicated video on that topic. Also, if you think there is something really important that I've forgotten to mention in this video, then definitely comment that down below. Maybe I might do an updated video on this topic sometime in the future. But thank you guys so much for watching. Leave a like if you like this video, leave a dislike if you didn't, subscribe for more awesome Linux-related content like this. Thank you so much for watching, have a wonderful day, and I'll see you guys in the next video.
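The sshd_config steps in the captions (custom port, PasswordAuthentication, PermitRootLogin, UsePAM, AuthenticationMethods) can be checked after editing. The script below is an added example, not part of the video or its blog post; the function names and the sample configuration are constructed for illustration. It reports the value sshd would actually use, which matters because sshd keeps the first value it reads for each keyword.

```shell
# Added example (not from the video): audit the sshd_config settings it covers.
# sshd keeps the FIRST value it reads for a keyword, so a line appended at the
# bottom is ignored when an earlier uncommented line sets the same keyword.

# Print the effective global value of keyword $2 in file $1 (empty if unset).
# Simplified: Include files are not followed; parsing stops at the first Match.
effective_value() {
    awk -v key="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # comments and blank lines
        tolower($1) == "match" { exit }         # end of the global section
        tolower($1) == tolower(key) {           # keywords are case-insensitive
            $1 = ""; sub(/^[ \t]+/, ""); print; exit
        }' "$1"
}

# check FILE KEYWORD EXPECTED: report one keyword, return 1 on mismatch.
check() {
    val=$(effective_value "$1" "$2")
    if [ "$val" = "$3" ]; then
        echo "ok    $2 $val"
    else
        echo "FAIL  $2 is '${val:-<unset>}', expected '$3'"
        return 1
    fi
}

# Run every check from the tutorial; the exit status is the number of failures.
audit_sshd() {
    fails=0
    port=$(effective_value "$1" Port)
    case "$port" in
        ""|22) echo "FAIL  Port is '${port:-<unset>}', still the default 22"; fails=1 ;;
        *)     echo "ok    Port $port" ;;
    esac
    check "$1" PasswordAuthentication no || fails=$((fails + 1))
    check "$1" PermitRootLogin no || fails=$((fails + 1))
    check "$1" UsePAM yes || fails=$((fails + 1))
    check "$1" AuthenticationMethods \
        "publickey,password publickey,keyboard-interactive" || fails=$((fails + 1))
    return "$fails"
}

# Constructed sample: an earlier line already sets PermitRootLogin, and the
# hardening line was appended at the bottom of the file.
write_sample() {
    cat > "$1" <<'EOF'
Port 456
#PasswordAuthentication yes
PasswordAuthentication no
PermitRootLogin yes
UsePAM yes
AuthenticationMethods publickey,password publickey,keyboard-interactive
PermitRootLogin no
EOF
}

sample=$(mktemp) && write_sample "$sample"
audit_sshd "$sample" || echo "$? setting(s) need attention"
rm -f "$sample"
```

On a live server, `sudo sshd -T` prints the merged effective configuration, including any Include files this script does not follow.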
Info
Channel: Tech Guides
Views: 54,775
Keywords: secure linux server, how to secure server, how to secure a web server, linux web server, ufw, configure ufw firewall, how to use ssh keys, ssh keys explained, linux ssh, ssh key-based authentication, ssh key authentication, ssh-keygen, fail2ban, fail2ban ubuntu, 2fa ssh, ubuntu ssh two factor, ubuntu 2fa, hardening apache, home web server, secure web server, how to secure web server, secure apache server, securing linux server, securing openssh, how to change default ssh port
Id: sO-afVsDJOA
Length: 20min 13sec (1213 seconds)
Published: Sun Aug 16 2020