Build and Configure the Monitoring Webserver
Steps to configure the standalone web server, including installation of Prometheus, Grafana and Let's Encrypt certificates.
Note: These steps are identical to the Node Server configuration instructions with the exception of configuring Secure Shared Memory, Kernel Live Patching and 2FA. However you may consider these as necessary for your own requirements and wish to include them as well.
Using the key generated from the AWS console and an SSH client like Putty, connect to your Ubuntu server. If you are logged in as root then create a user-level account with admin privileges instead, since logging in as the root user is risky.
Create a new user. Replace <yourusername> with a username of your choice. You will be asked to create a strong password and provide some other optional information.
$ sudo adduser <yourusername>
Grant admin rights to the new user by adding it to the sudo group. This will allow the user to perform actions with superuser privileges by typing sudo before commands.
$ sudo usermod -aG sudo <yourusername>
Optional: If you used SSH keys to connect to your Ubuntu instance via the root user you will need to associate the new user with the root user’s SSH key data.
$ sudo rsync --archive --chown=<yourusername>:<yourusername> ~/.ssh /home/<yourusername>
Finally, log out of root and log in as <yourusername>.
Make sure the system is up to date with the latest software and security updates.
$ sudo apt update && sudo apt upgrade
$ sudo apt dist-upgrade && sudo apt autoremove
$ sudo reboot
Enable automatic updates
$ sudo apt-get install unattended-upgrades
$ sudo dpkg-reconfigure -plow unattended-upgrades
Optional: Change the server's hostname with the following command:
$ sudo hostnamectl set-hostname newNameHere
This guide will follow a list of settings in the CoinCashew guide. This is not a comprehensive list and you should investigate other security steps specific to your own setup and situation.
Change the default SSH port to a port between 1024 and 49151. First check that the port is free, e.g. sudo ss -tulpn | grep ':6673'
$ sudo ss -tulpn | grep ':<YourSSHPortNumber>'
Any output (grep highlights the match in red) means the port is already in use; no output means it is free.
If it's free then change the port in the sshd_config file
$ sudo nano /etc/ssh/sshd_config
Find the line
#Port 22
remove the # and replace the number with the port number of your choice
Port <YourSSHPortNumber>
At this point you may want to configure your firewall to allow the new port number. See the Firewall Configuration section below. Also remember to update any AWS Security Groups if you have those configured.
Locate the line for ChallengeResponseAuthentication and set it to ‘no’
ChallengeResponseAuthentication no
Locate the line for PasswordAuthentication and set it to ‘no’
PasswordAuthentication no
Locate the line for PermitRootLogin and set it to ‘no’
PermitRootLogin no
Locate the line for PermitEmptyPasswords and set it to ‘no’
PermitEmptyPasswords no
Locate the line for PubkeyAuthentication and set it to ‘yes’. This will change the configuration to only accept public keys.
PubkeyAuthentication yes
Save and close the file, then test the SSH config.
$ sudo sshd -t
If there are no errors then restart the SSH process
$ sudo systemctl restart sshd
Log out and back in again using the new SSH port number.
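To confirm the edits above took effect, here is an added audit script (example code, not from the guide) that reads an sshd_config and reports each directive this section sets. It assumes a plain `Directive value` layout and takes only the global section: sshd applies the first uncommented occurrence of a directive, and anything after a `Match` line is conditional.

```shell
# Added example, not from the guide: audit an sshd_config for the settings above.
sshd_directive() {
    # print the first global value of directive $2 in file $1 (nothing if unset);
    # "#Port 22" has "#Port" as its first word, so commented lines never match
    awk -v k="$2" '
        $1 == "Match" { exit }
        tolower($1) == tolower(k) { print $2; exit }
    ' "$1"
}
check_sshd_config() {
    file="$1"; rc=0
    for want in "ChallengeResponseAuthentication no" "PasswordAuthentication no" \
                "PermitRootLogin no" "PermitEmptyPasswords no" "PubkeyAuthentication yes"; do
        key="${want%% *}"; exp="${want#* }"
        got="$(sshd_directive "$file" "$key")"
        if [ "$got" = "$exp" ]; then
            echo "ok    $key $got"
        else
            echo "FAIL  $key is '${got:-unset}', expected '$exp'"; rc=1
        fi
    done
    port="$(sshd_directive "$file" Port)"
    port="${port:-22}"   # a commented-out "#Port 22" leaves sshd on its default, 22
    if [ "$port" -ge 1024 ] 2>/dev/null && [ "$port" -le 49151 ]; then
        echo "ok    Port $port"
    else
        echo "FAIL  Port is $port, expected a value between 1024 and 49151"; rc=1
    fi
    return "$rc"
}
# Constructed samples: the config this guide produces (its Match block's
# "PasswordAuthentication yes" must not be taken as the global value), and a
# stock config with everything still commented out.
SAMPLE_DIR="$(mktemp -d)"
cat > "$SAMPLE_DIR/hardened" <<'EOF'
Port 6673
ChallengeResponseAuthentication no
PasswordAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF
printf '#Port 22\n#PasswordAuthentication yes\nPermitRootLogin prohibit-password\n' > "$SAMPLE_DIR/stock"
check_sshd_config "$SAMPLE_DIR/hardened"
check_sshd_config "$SAMPLE_DIR/stock" || echo "stock config fails the audit, as expected"
```

Run it against /etc/ssh/sshd_config before `sudo sshd -t`; on recent Ubuntu releases also check any files pulled in by an Include line, since those are read first.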
Optional steps: lock down SSH to a specific user from a specific IP. Only perform this step if you are confident your IP won't change.
Open the SSHD config file again
$ sudo nano /etc/ssh/sshd_config
and add the following line to the bottom of the file
AllowUsers <SSH_User>@<Public_IP>
Save and close the file and restart SSHD
$ sudo systemctl restart sshd
The default AWS SSH key pair uses 2048-bit RSA (SSH-2). It is recommended to create another key pair using ED25519; follow the Putty user guide here. Ensure you have set a strong passphrase on your private key. Once you've created the key, copy the public key to the ~/.ssh/authorized_keys file. Test that the new key works by opening a new SSH session via Putty using the custom port you set earlier.
Once confirmed, either back up and delete or comment out (#) the previous RSA key's line in the authorized_keys file. Ensure the authorized_keys file has the correct permissions by running the following command
$ chmod -R go= ~/.ssh
Check the permissions are set correctly

Disable the ability to log in to the root account using a password
$ sudo passwd -l root
ufw is a common Linux firewall package which we will install.
Install the ufw package
$ sudo apt install ufw
Explicitly apply the defaults. Inbound traffic denied, outbound traffic allowed.
$ sudo ufw default deny incoming
$ sudo ufw default allow outgoing
Allow inbound traffic on <YourSSHPortNumber> as set in the SSH Configuration section above. SSH requires the TCP protocol. E.g. sudo ufw allow 6673/tcp
$ sudo ufw allow <YourSSHPortNumber>/tcp
Optional: You may also choose to lock down access to your specific public IP. However, be warned that if your public IP changes you may lose access.
$ sudo ufw allow proto tcp from <YourPublicIP> to any port <YourSSHPortNumber>
Deny inbound traffic on port 22/TCP.
Only perform this step after confirming you have connected over SSH using <YourSSHPortNumber>
$ sudo ufw deny 22/tcp
Enable the firewall and check to verify the rules have been correctly configured.
$ sudo ufw enable
$ sudo ufw status numbered
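As an added example (not part of the guide), the function below emits the ufw commands of this section for a chosen SSH port and optional source IP, in the order the guide gives them, and refuses a port outside 1024-49151 or a malformed IPv4 address before anything is run. The port 6673 and the address 203.0.113.10 are constructed sample values.

```shell
# Added example, not from the guide: generate the ufw rule set for the SSH port.
valid_ipv4() {
    echo "$1" | awk -F. 'NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 } { exit 1 }'
}
ufw_ssh_rules() {
    port="$1"; src="$2"
    case "$port" in ''|*[!0-9]*) echo "invalid port: '$port'" >&2; return 1;; esac
    if [ "$port" -lt 1024 ] || [ "$port" -gt 49151 ]; then
        # this also rejects 22, which the last rule closes
        echo "port $port is outside 1024-49151" >&2; return 1
    fi
    if [ -n "$src" ] && ! valid_ipv4 "$src"; then
        echo "invalid IPv4 address: '$src'" >&2; return 1
    fi
    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"
    if [ -n "$src" ]; then
        # lock the SSH port down to one source address (the optional step above)
        echo "ufw allow proto tcp from $src to any port $port"
    else
        echo "ufw allow $port/tcp"
    fi
    # only run the next two after a login on the new port has been confirmed
    echo "ufw deny 22/tcp"
    echo "ufw enable"
}
# Review the output, then run it with sudo. Constructed values: the guide's example
# port 6673 and a source address from the 203.0.113.0/24 documentation range.
ufw_ssh_rules 6673
ufw_ssh_rules 6673 203.0.113.10
ufw_ssh_rules 22 || echo "(port 22 refused, as expected)"
```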
Fail2ban is an intrusion-prevention system that monitors log files and searches for particular patterns that correspond to a failed login attempt. If a certain number of failed logins are detected from a specific IP address (within a specified amount of time), fail2ban blocks access from that IP address.
Install fail2ban
$ sudo apt-get install fail2ban -y
Edit the config file
$ sudo nano /etc/fail2ban/jail.local
and add the following to the bottom of the file. Set ignoreip to the list of whitelisted IP addresses (your local daily laptop/PC) and amend the port number to your own SSH port.
[sshd]
enabled = true
port = <22 or your random port number>
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
# whitelisted IP addresses
ignoreip = <list of whitelisted IP address, your local daily laptop/pc>
Save and close the file.
Restart fail2ban
$ sudo systemctl restart fail2ban
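A jail whose port differs from the one sshd listens on bans traffic to the wrong port, so the failed logins in auth.log go unblocked. The added check below (example code, not from the guide) parses the [sshd] stanza of jail.local and compares it with the SSH port you chose; it assumes `key = value` lines and numeric ports, and the sample file uses constructed addresses from the 203.0.113.0/24 documentation range.

```shell
# Added example, not from the guide: verify the [sshd] jail matches the real SSH port.
jail_value() {
    # print key $3 from section [$2] of INI file $1 (first occurrence, comments skipped)
    awk -v s="$2" -v k="$3" '
        /^[ \t]*#/ { next }
        /^[ \t]*\[/ { gsub(/[ \t]/, ""); insec = ($0 == "[" s "]"); next }
        insec && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", key)
            if (key == k) {
                v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }
    ' "$1"
}
check_sshd_jail() {
    file="$1"; want="$2"; rc=0
    enabled="$(jail_value "$file" sshd enabled)"
    port="$(jail_value "$file" sshd port)"
    ignore="$(jail_value "$file" sshd ignoreip)"
    retry="$(jail_value "$file" sshd maxretry)"
    [ "$enabled" = "true" ] || { echo "FAIL  enabled is '${enabled:-unset}'"; rc=1; }
    [ "$port" = "$want" ] || { echo "FAIL  port is '${port:-unset}' but sshd listens on $want"; rc=1; }
    case "$ignore" in
        ''|*'<'*) echo "FAIL  ignoreip is unset or still holds the <placeholder>"; rc=1;;
    esac
    case "$retry" in ''|*[!0-9]*) echo "FAIL  maxretry is '${retry:-unset}'"; rc=1;; esac
    [ "$rc" -eq 0 ] && echo "ok    [sshd] jail covers port $port, never banning: $ignore"
    return "$rc"
}
# Constructed sample jail.local: a [DEFAULT] section plus the stanza from above
SAMPLE_DIR="$(mktemp -d)"
cat > "$SAMPLE_DIR/jail.local" <<'EOF'
[DEFAULT]
bantime = 1h
[sshd]
enabled = true
port = 6673
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
# whitelisted IP addresses
ignoreip = 127.0.0.1/8 203.0.113.10
EOF
check_sshd_jail "$SAMPLE_DIR/jail.local" 6673
check_sshd_jail "$SAMPLE_DIR/jail.local" 2222 || echo "(mismatch with a different sshd port is caught)"
```

Pass the port from your sshd_config as the second argument and run it against /etc/fail2ban/jail.local before restarting fail2ban.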
You may also want to complete the additional steps to Secure Shared Memory and install Kernel Live Patching as we did with the Node Server.