
Preparing Linux server - first steps after getting new Linux server



Fli
09-22-2020, 09:08 PM
There are certainly much better tutorials. This is here mainly for me to be able to repeat various tasks when I receive a new Linux server.

Some tasks that can be done:

1. ssh -p 22 -l root serverIP
2. { apt update && apt upgrade && apt install curl whois htop nmon nload fail2ban; } 2>/dev/null || { yum update && yum install curl whois htop nmon nload fail2ban; } 2>/dev/null # apt on Debian/Ubuntu, falls back to yum on CentOS/RHEL
3. df -h;free -ht;w;curl -sL yabs.sh | bash -s -- -ifrg # remove the "if" parameters to also run the disk and network speed tests
4. run a command to change SSH port 22 to a custom one (e.g. 876), preferably one within the 600-60000 range:
newportno=876 && sed -i "s|#Port 22|Port $newportno|g;s|# Port 22|Port $newportno|g" /etc/ssh/sshd_config && sshd -t && systemctl reload sshd && ss -tlnp | grep -i ssh # sshd -t validates the config before the reload, ss -tlnp confirms sshd now listens on the new port; on SELinux systems (CentOS/RHEL) first allow the port: semanage port -a -t ssh_port_t -p tcp $newportno
Other manual tweaks to increase security are at https://community.hetzner.com/tutorials/securing-ssh
5. passwd
6. consider creating a new user and disabling root SSH access.
7. reboot now
8. copy SSH key for password-less access: ssh-copy-id -p NewSSHPort root@serverIP
9. login via SSH (see 1st command)
10. Allow services in iptables and block the rest of the incoming traffic + rate-limiting: https://community.hetzner.com/tutorials/game-server-ddos-protection
11. server with many connections and open files?
# echo "* hard nofile 10000"|tee -a /etc/security/limits.conf
# echo "net.netfilter.nf_conntrack_max=99000" > /etc/sysctl.d/10-conntrack-max.conf;sysctl -p /etc/sysctl.d/10-conntrack-max.conf
12. Install Wireguard (https://github.com/angristan/wireguard-install) and enable port forwarding (https://internetlifeforum.com/internet/13673-wireguard-linux-vpn-server-port-forwarding-firewalled-client-open-port/).
13. Install OpenVPN (https://internetlifeforum.com/security/4675-how-setup-private-openvpn-linux-server-windows-android-client/)
14. setup logs removal (https://internetlifeforum.com/linux-forums/19474-how-delete-all-standard-logs-linux-server-regularly-keep-clean-logs/#post39906).

If you prefer a more advanced firewall configuration and brute-force blocking than the "fail2ban" installed above, then remove it and install CSF (ConfigServer Firewall): https://configserver.com/configserver-security-and-firewall/
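The sed one-liner in the SSH port change step only matches a commented-out "#Port 22" line: on a config that already carries a live "Port 22" (some images ship one) or no Port line at all it changes nothing, and the reload silently keeps the old port. Below is an added example, not part of the original post, of a small POSIX sh helper that handles all three states, validates the port against the 600-60000 range the post suggests, writes through a temp file so a failed edit never truncates the config, and reports the port sshd will actually use. The names set_sshd_port, effective_port and valid_port are chosen here; the config it edits in the demonstration is a constructed sample, and the live /etc/ssh/sshd_config is only touched if you pass it explicitly.

```shell
#!/bin/sh
# Added example (not from the post): idempotent SSH Port change for sshd_config.
# Assumes POSIX sh plus sed, grep, head and mktemp; function names are ours.

# valid_port PORT: an integer within the 600-60000 range the post suggests.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 600 ] && [ "$1" -le 60000 ]
}

# effective_port CONFIG: the port sshd will listen on, i.e. the first live
# "Port N" directive, or 22 (sshd's compiled-in default) when there is none.
effective_port() {
    port=$(sed -n 's/^[[:space:]]*Port[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p' "$1" | head -n 1)
    echo "${port:-22}"
}

# set_sshd_port CONFIG PORT: make PORT the live Port directive in CONFIG.
# Handles the three states a fresh config can be in: only the commented default
# (#Port 22), an existing live directive (Port 2222), or no Port line at all.
set_sshd_port() {
    cfg=$1
    newport=$2
    # Validation also guarantees $newport is safe to splice into a sed replacement.
    valid_port "$newport" || {
        echo "refusing port '$newport': use an integer in 600-60000" >&2
        return 1
    }
    tmp=$(mktemp) || return 1
    if grep -q '^[[:space:]]*Port[[:space:]]' "$cfg"; then
        # live directive(s) present: rewrite each of them to the new value
        sed "s/^[[:space:]]*Port[[:space:]].*/Port $newport/" "$cfg" > "$tmp"
    elif grep -q '^[[:space:]]*#[[:space:]]*Port[[:space:]]' "$cfg"; then
        # only the commented default: turn it into a live directive
        sed "s/^[[:space:]]*#[[:space:]]*Port[[:space:]].*/Port $newport/" "$cfg" > "$tmp"
    else
        # no Port line at all: append one
        cat "$cfg" > "$tmp" && printf 'Port %s\n' "$newport" >> "$tmp"
    fi || { rm -f "$tmp"; return 1; }
    # Copy the content back (rather than mv) so the config keeps its mode and owner.
    cat "$tmp" > "$cfg"
    rm -f "$tmp"
}

# Stand-alone demonstration on a constructed copy, never the live file.
demo=$(mktemp)
printf '# constructed sshd_config sample\n#Port 22\nPermitRootLogin prohibit-password\n' > "$demo"
echo "before: port $(effective_port "$demo")"
set_sshd_port "$demo" 876
echo "after:  port $(effective_port "$demo")"
rm -f "$demo"
```

For real use, run set_sshd_port /etc/ssh/sshd_config 876 followed by sshd -t and systemctl reload sshd; calling effective_port on the file before and after is the check that the reload will actually move the daemon rather than keep listening on 22.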