Configuration for SSH at a new Ubuntu Server

=========================================
Step 1 – Creating New Sudo and Root User
=========================================
// Adding new user
1) adduser TESTUSER

// Adding user to sudo group
2) usermod -aG sudo TESTUSER

// Adding user to root group
3) usermod -aG root TESTUSER

// Adding user to www-data group
4) usermod -aG www-data TESTUSER

// Checking user groups
5) id TESTUSER

// to reload your groups)
6) su – TESTUSER

// Checking user groups
7) id TESTUSER

result will show – uid=1000(TESTUSER) gid=1000(TESTUSER) groups=1000(TESTUSER),27(sudo),33(www-data)

=========================================
Step 2 – Editing SSH Configurations
=========================================

1) Allow new port to firewall and Changing SSH port

Adding and allow new port to Firewall
sudo ufw status
sudo ufw allow newport(eg_7676)

2) Disable the root user for login
** Before you disable root access, make sure to have the other root access user **

Changing SSH port
sudo nano /etc/ssh/sshd_config
change –
PermitRootLogin no
Port 7676 (AsYouWish)

3) /etc/init.d/ssh reload

=========================================
Step 3 – Upgrading SSH security
=========================================

3.1) Installing the Fail To Ban Server for SSH Security
Ref https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-ubuntu-14-04

3.1.1) sudo apt-get install fail2ban -y
3.1.2) sudo apt-get install sendmail
// testing sendmail can send or not
echo “hello” | sendmail -f receivermail@gmail.com sendermail@gmail.com

(sendmail or mail)

3.1.3) sudo apt install mailutils
// testing mail can send or not with mailutils
echo “testing” | mail -s “testing” receivermail@gmail.com

3.2) Copy the /etc/fail2ban/jail.cof as /etc/fail2ban/jail.local
awk ‘{ printf “# “; print; }’ /etc/fail2ban/jail.conf | sudo tee /etc/fail2ban/jail.local

3.3) // Change bantime at /etc/fail2ban/jail.local

// jail.local without sending alert email
—————————————————————
[DEFAULT]
bantime = 120
// bantime is with seconds
ignoreip = 127.0.0.1/8
findtime = 120
destemail = william.aceplus@gmail.com
sender = root@localhost

[sshd]
port = ssh
# logpath = %(sshd_log)s

[sshd-ddos]

port = 7878
logpath = /var/log/auth.log

[dropbear]
port = 7878
logpath = /var/log/auth.log

[selinux-ssh]
port = 7878
logpath = /var/log/auth.log
maxretry = 3

And then restart fail2ban server
/etc/init.d/fail2ban restart
—————————————————————

OR

// jail.local without sending alert email
—————————————————————
[DEFAULT]

ignoreip = –REMOVED IPS–
findtime = 600
bantime = 600
maxretry = 3

backend = polling

destemail = test@gmail.com
banaction = iptables-multiport
mta = sendmail
protocol = tcp
action_ = %(banaction)s[name=%(__name__)s, port=”%(port)s”, protocol=”%(protocol)s]
action_mw = %(banaction)s[name=%(__name__)s, port=”%(port)s”, protocol=”%(protocol)s]
%(mta)s-whois[name=%(__name__)s, dest=”%(destemail)s”, protocol=”%(protocol)s]
action_mwl = %(banaction)s[name=%(__name__)s, port=”%(port)s”, protocol=”%(protocol)s]
%(mta)s-whois-lines[name=%(__name__)s, dest=”%(destemail)s”, logpath=%(logpath)s]
action = %(action_mw)s
[ssh]

enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
—————————————————————

3.4) // Checking ban IPs
sudo zgrep ‘Ban’ /var/log/fail2ban.log

3.5) If you change the ssh port from ‘22’ to ‘custom_port’, you need to allow that port at ufw.

Sudo ufw status
Sudo ufw allow custom_port
Sudo ufw reload
Sudo ufw status

3.6) reload the fail2ban service
sudo /etc/init.d/fail2ban restart

3.7) check fail2ban server working or not by accessing with ssh 3 times and system will ban your ip 120 seconds

ssh ap2@128.199.101.113 -p 7878

Advertisements

How to install Node.js via binary archive on Linux (node-v8.11.3-linux-x64.tar.xz)

1) Node version = node-v8.11.3-linux-x64.tar.xz
Unzip the binary archive to any directory you wanna install Node, I use /usr/local/lib/nodejs

VERSION=v8.11.3
DISTRO=linux-x64
sudo mkdir /usr/local/lib/nodejs
sudo tar -xJvf node-v8.11.3-linux-x64.tar.xz -C /usr/local/lib/nodejs
sudo mv /usr/local/lib/nodejs/node-v8.11.3-linux-x64 /usr/local/lib/nodejs

2) Set the environment variable sudo nano ~/.profile, add below to the end

# Nodejs
export NODEJS_HOME=/usr/local/lib/nodejs/node-v8.11.3-linux-x64/bin
export PATH=$NODEJS_HOME:$PATH

3) Refresh profile
. ~/.profile
( . is including within command )

4) Test installation using
$ node -v