Connect to the server

Using the key generated from the AWS console and using a SSH client like Putty, connect to your Ubuntu server. If you are logged in as root then create a user-level account with admin privileges instead, since logging in as the root user is risky.

Create a new user. Replace yourusername with a username of your choice. You will asked to create a strong password and provide some other optional information.

sudo adduser <yourusername>

Grant admin rights to the new user by adding it to the sudo group. This will allow the user to perform actions with superuser privileges by typing sudo before commands.

sudo usermod -aG sudo <yourusername>

Optional: If you used SSH keys to connect to your Ubuntu instance via the root user you will need to associate the new user with the root user’s SSH key data.

sudo rsync --archive --chown=<yourusername>:<yourusername> ~/.ssh /home/<yourusername>

Finally, log out of root and log in as <yourusername>

Update the Server

Make sure the system is up to date with the latest software and security updates.

sudo apt update && sudo apt upgrade
sudo apt dist-upgrade && sudo apt autoremove
sudo reboot

Enable automatic updates

sudo apt-get install unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades

Optional: Change the server's hostname with the following command:

sudo hostnamectl set-hostname <newNameHere>

Secure the Server

This guide will follow a list of settings in the CoinCashew guide. This is not a comprehensive list and you should investigate other security steps specific to your own setup and situation.

SSH Configuration

The following section will edit the contents of your sshd_config file, it is recommended to make a backup of this file before proceeding and to understand more about each of the settings you will edit you can view the sshd help file by typing:

man sshd_config

Change the SSH Port in the sshd_config file

sudo nano /etc/ssh/sshd_config

Find the line #Port 22 remove the # and replace the number with the port number of your choice

Port <YourSSHPortNumber>

Locate the line for ChallengeResponseAuthentication and set it to ‘no’

ChallengeResponseAuthentication no

Locate the line for PasswordAuthentication and set it to ‘no’

PasswordAuthentication no

Locate the line for PermitRootLogin and set it to ‘no’

PermitRootLogin no

Locate the line for PermitEmptyPasswords and set it to ‘no’

PermitEmptyPasswords no

Locate the line for PubkeyAuthentication and set it to ‘yes’. This will change the configuration to only accept public keys.

PubkeyAuthentication yes

Change ClientAliveInterval to 300 and ClientAliveCountMax to 0

ClientAliveInterval 300
ClientAliveCountMax 0

Save and close the file, then test the SSH config.

sudo sshd -t

If there are no errors then restart the SSH process

sudo systemctl restart sshd

Open another Putty terminal and test connecting on the new SSH port before closing the existing terminal.

Restricting access to specific users or IPs

Open the SSHD config file again

sudo nano /etc/ssh/sshd_config

to restrict just to a specific user add the following to the bottom of the file

AllowUsers <SSH_User1> <SSH_User2> 

alternatively to restrict to a specific IP add the following line to the bottom of the file

AllowUsers <SSH_User>@<Public_IP>

Save and close the file and restart SSHD

sudo systemctl restart sshd

Restrict Access Using IP Tables

Alternatively, you can use IP tables to restrict access to the SSH port from a single IP or network. As root enter the follow at the command line

sudo iptables -A INPUT -p tcp --dport <YOUR_SSH_PORT> -s <Your_Public_IP> -j ACCEPT
sudo iptables -A INPUT -p tcp --dport <YOUR_SSH_PORT> -j DROP

Create a new ED25519 encryption key and replace the default AWS RSA 2048-bit key

The default AWS SSH key is using RSA SSH-2 2048-bit encryption. It is recommended to create another key pair using ED25519 encryption, follow the Putty user guide here. Ensure you have set a strong password on your private key. Read up about ED25519 here.

Then once you’ve created the key copy the public key to the ~/.ssh/authorized_keys file.

sudo nano ~/.ssh/authorized_keys

save and close the file.

Test the new key works by opening a new SSH session via Putty and using the custom port you set earlier.

Once confirmed either backup and delete or comment (#) out the previous RSA key’s line in the authorized_keys file.

Ensure the authorized_keys file has the correct permissions by running the following command

chmod -R go= ~/.ssh

Check the permissions are set correctly

cd ~/.ssh
ls -l

Disable the root account

Disable the ability to login with the rootaccount using a password

sudo passwd -l root

Firewall Configuration

ufw is a a common linux based firewall package which we will install

Install the ufw package

sudo apt install ufw

Explicitly apply the defaults. Inbound traffic denied, outbound traffic allowed.

sudo ufw default deny incoming
sudo ufw default allow outgoing

Allow inbound traffic on <YourSSHPortNumber> as set in the SSH Configuration section above. SSH requires the TCP protocol.

sudo ufw allow <yourSSHportnumber>/tcp

sudo ufw allow proto tcp from <YourPublicIP> to any port <YourSSHPortNumber>

Deny inbound traffic on port 22/TCP.

sudo ufw deny 22/tcp

Enable the firewall and check to verify the rules have been correctly configured.

sudo ufw enable
sudo ufw status numbered

Two-factor authentication (optional but encouraged)

Two-factor authentication gives you an extra layer of security in the event your SSH key was compromised. Although we are installing the Google Authenticator package you can also use an alternative 2fA app like Authy.

Install the Google Authenticator package

sudo apt install libpam-google-authenticator -y

Run google-authenticator

google-authenticator

enter ‘y’ to the first prompt

Do you want authentication tokens to be time-based (y/n): y

A QR Code will appear with a Secret Key, a number of scratch codes and a prompt for further options. Open your Google Authenticator or Authy app and enter in your secret key. Copy down your emergency scratch codes for safe-keeping.

The recommended settings for the subsequent prompts are:

Update the .google_authenticator file: yes
Disallow multiple uses: yes
Increase the original generation time limit: no
Enable rate-limiting: yes

Make a backup of the sshd configuration file

sudo cp /etc/pam.d/sshd /etc/pam.d/sshd.bak

Edit the /etc/pam.d/sshd file to make SSH use Google Auhthenticator

sudo nano /etc/pam.d/sshd

and add the following lines

@include common-password
auth required pam_google_authenticator.so nullok
auth required pam_permit.so

save and close the file.

Edit the SSH configuration file

sudo nano /etc/ssh/sshd_config

locate the ChallengeResponseAuthentication line and update to ‘yes’

KbdInteractiveAuthentication yes

locate the UsePAM line and update to ‘yes’

UsePAM yes

Save and close the file then restart the SSHD service

sudo systemctl restart sshd.service

Make SSH aware of 2FA by opening the SSH configuration file

sudo nano /etc/ssh/sshd_config

and add the following line to the bottom of the file

AuthenticationMethods publickey,password publickey,keyboard-interactive

save and close the file.

Open the PAM sshd configuration file

sudo nano /etc/pam.d/sshd

and comment out the following line by adding a # character at the start

#@include common-auth

Save and close the file the restart SSH.

sudo systemctl restart sshd.service

Now open another Putty terminal session and you should be asked to enter the two-factor code.

Kernel Live Patching

The Livepatch Service intends to address high and critical severity Linux kernel security vulnerabilities, as identified by Ubuntu Security Notices and the CVE tracker. Since there are limitations to the kernel livepatch technology, some Linux kernel code paths cannot be safely patched while running. There may be occasions when the traditional kernel upgrade and reboot might still be necessary.

You will need to create an account at https://login.ubuntu.com/. The free tier allows installation on up to three machines. You will be given a subscription token which can be found here https://ubuntu.com/advantage

Attach the token to your server

sudo ua attach <YOUR_TOKEN>
sudo ua status

Secure Shared Memory

Shared memory can be used in an attack against a running service. Because of this, secure that portion of system memory. You can do this by modifying the /etc/fstab file.

Edit the fstab file

sudo nano /etc/fstab

Add the following line

tmpfs	/run/shm	tmpfs	ro,noexec,nosuid	0 0

Save and close the file, then reboot.

sudo reboot

Install Fail2Ban

Fail2ban is an intrusion-prevention system that monitors log files and searches for particular patterns that correspond to a failed login attempt. If a certain number of failed logins are detected from a specific IP address (within a specified amount of time), fail2ban blocks access from that IP address.

Install fail2ban

sudo apt-get install fail2ban -y

Edit the config file

sudo nano /etc/fail2ban/jail.local

and add the following to the file ignoreip = <list of whitelisted IP address, your local daily laptop/pc> . Also amend the port number to your own SSH port.

[sshd]
enabled = true
port = <22 or your random port number>
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
# whitelisted IP addresses
ignoreip =  <list of whitelisted IP address, your local daily laptop/pc>

save and close the file.

Restart fail2ban

sudo systemctl restart fail2ban

That concludes the first step in preparing your Node Server. Head to the next page to install Node Exporter.

Sources:

Digital Ocean MFA Setup Link

ED25519 Reference

Coin Cashew’s Hardening Ubuntu Guide

Digital Ocean Ubuntu Open SSH Hardening Tips

How to Harden your Ubuntu 18.04 Server

Linux hardening security tips

Kernal Live Patching - Florian Pieper