Build and Configure the Monitoring Webserver

Steps to configure the standalone web server including installation of Prometheus, Grafana and Let's encrypt certificates.

Note: These steps are identical to the Node Server configuration instructions with the exception of configuring Secure Shared Memory, Kernel Live Patching and 2FA. However you may consider these as necessary for your own requirements and wish to include them as well.

Connect to the server

Using the key generated from the AWS console and using a SSH client like Putty, connect to your Ubuntu server. If you are logged in as root then create a user-level account with admin privileges instead, since logging in as the root user is risky.

Create a new user. Replace yourusername with a username of your choice. You will asked to create a strong password and provide some other optional information.

$ sudo adduser <yourusername>

Grant admin rights to the new user by adding it to the sudo group. This will allow the user to perform actions with superuser privileges by typing sudo before commands.

$ sudo usermod -aG sudo <yourusername>

Optional: If you used SSH keys to connect to your Ubuntu instance via the root user you will need to associate the new user with the root user’s SSH key data.

$ sudo rsync --archive --chown=<yourusername>:<yourusername> ~/.ssh /home/<yourusername>

Finally, log out of root and log in as <yourusername>

Update the Server

Make sure the system is up to date with the latest software and security updates.

$ sudo apt update && sudo apt upgrade
$ sudo apt dist-upgrade && sudo apt autoremove
$ sudo reboot

Enable automatic updates

$ sudo apt-get install unattended-upgrades
$ sudo dpkg-reconfigure -plow unattended-upgrades

Optional: Change the server's hostname with the following command:

$ sudo hostnamectl set-hostname newNameHere

Secure the Server

This guide will follow a list of settings in the CoinCashew guide. This is not a comprehensive list and you should investigate other security steps specific to your own setup and situation.

SSH Configuration

Change the Default SSH port from a port between 1024-49151. First check that the port is free

eg. sudo ss -tulpn | grep ':6673'

$ sudo ss -tulpn | grep ':<YourSSHPortNumber>'

A red text response indicates it's in use already.

If it's free then change the port in the sshd_config file

$ sudo nano /etc/ssh/sshd_config

Find the line #Port 22 remove the # and replace the number with the port number of your choice

Port <YourSSHPortNumber>

At this point you may want to configure your firewall to allow the new port number. See the Firewall Configuration section below. Also remember to update any AWS Security Groups if you have those configured.

Locate the line for ChallengeResponseAuthentication and set it to ‘no’

ChallengeResponseAuthentication no

Locate the line for PasswordAuthentication and set it to ‘no’

PasswordAuthentication no

Locate the line for PermitRootLogin and set it to ‘no’

PermitRootLogin no

Locate the line for PermitEmptyPasswords and set it to ‘no’

PermitEmptyPasswords no

Locate the line for PubkeyAuthentication and set it to ‘yes’. This will change the configuration to only accept public keys.

PubkeyAuthentication yes

Save and close the file, then test the SSH config.

$ sudo sshd -t

If there are no errors then restart the SSH process

$ sudo systemctl restart sshd

Log out and back in again using the new SSH port number.

Optional Steps: lockdown SSH to a specific user from a specific IP. Only perform this step if you are confident your IP won’t change.

Open the SSHD config file again

$ sudo nano /etc/ssh/sshd_config

and add the following line to the bottom of the file

AllowUsers <SSH_User>@<Public_IP>

Save and close the file and restart SSHD

$ sudo systemctl restart sshd

Create a new ED25519 encryption key and replace the default AWS RSA 2048-bit key

The default AWS SSH key is using RSA SSH-2 2048-bit encryption. It is recommended to create another key pair using ED25519 encryption, follow the Putty user guide here. Ensure you have set a strong password on your private key. Then once you’ve created the key copy the public key to the ~/.ssh/authorized_keys file. Test the new key works by opening a new SSH session via Putty and using the custom port you set earlier.

Once confirmed either backup and delete or comment (#) out the previous RSA key’s line in the authorized_keys file.

Read up about ED25519 here

Ensure the authorized_keys file has the correct permissions by running the following command

chmod -R go= ~/.ssh

Check the permissions are set correctly

Disable the root account

Disable the ability to login with the rootaccount using a password

$ sudo passwd -l root

Firewall Configuration

ufw is a a common linux based firewall package which we will install

Install the ufw package

$ sudo apt install ufw

Explicitly apply the defaults. Inbound traffic denied, outbound traffic allowed.

$ sudo ufw default deny incoming
$ sudo ufw default allow outgoing

Allow inbound traffic on <YourSSHPortNumber> as set in the SSH Configuration section above. SSH requires the TCP protocol.

E.g. sudo ufw allow 6673/tcp
$ sudo ufw allow <yourSSHportnumber>/tcp

Optional: You may also choose to lockdown access to your specific public IP. However be warned that if your public IP changes you may lose access.

$ sudo ufw allow proto tcp from <YourPublicIP> to any port <YourSSHPortNumber>

Deny inbound traffic on port 22/TCP.

Only perform this step after confirming you have connected over SSH using <YourSSHPortNumber>

$ sudo ufw deny 22/tcp

Enable the firewall and check to verify the rules have been correctly configured.

$ sudo ufw enable
$ sudo ufw status numbered

Install Fail2Ban

Fail2ban is an intrusion-prevention system that monitors log files and searches for particular patterns that correspond to a failed login attempt. If a certain number of failed logins are detected from a specific IP address (within a specified amount of time), fail2ban blocks access from that IP address.

Install fail2ban

$ sudo apt-get install fail2ban -y

Edit the config file

sudo nano /etc/fail2ban/jail.local

and add the following to the bottom of the file ignoreip = <list of whitelisted IP address, your local daily laptop/pc> . Also amend the port number to your own SSH port.

enabled = true
port = <22 or your random port number>
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
# whitelisted IP addresses
ignoreip =  of whitelisted IP address, your local daily laptop/pc>

save and close the file.

Restart fail2ban

$ sudo systemctl restart fail2ban

You may also want to complete the additional steps to Secure Shared Memory and install Kernal Live Patching as we did with the Node Server.

Last updated