
Preparing Linux server - first steps after getting new Linux server



Fli
09-22-2020, 10:08 PM
There are certainly much better tutorials. This is here mainly for me to be able to repeat various tasks when I receive a new Linux server.

Some tasks that can be done:

1. connect
ssh -p 22 -l root serverIP
2. update, upgrade, install useful utilities
if command -v apt >/dev/null 2>&1; then apt update && apt upgrade -y && apt install -y curl whois htop nmon nload fail2ban; else yum update -y && yum install -y curl whois htop nmon nload fail2ban; fi
3. show system details
df -h;free -mht;w;curl -sL yabs.sh | bash -s -- -ifrg # remove "if" parameters to do also disk and network speed test
4. change SSH port 22 to custom one (i.e. 876), possibly one within 600-60000 range:
newportno=876 && sed -i -E "s/^#? ?Port 22$/Port $newportno/" /etc/ssh/sshd_config && sshd -t && systemctl reload sshd && systemctl status sshd
# Other manual tweaks to increase security are at https://community.hetzner.com/tutorials/securing-ssh
5. change password
passwd
6. consider creating new user and disabling root SSH access (https://internetlifeforum.com/showthread.php?6656-How-to-allow-password-less-SSH-access-how-to-push-copy-key-over-SSH)
7. reboot:
reboot
8. copy SSH key for password-less access:
ssh-copy-id -p NewSSHPort root@serverIP
9. login SSH (see 1st command at the top)
10. Allow services in iptables and block rest of the incoming traffic + rate-limiting: https://community.hetzner.com/tutorials/game-server-ddos-protection
11. server with many connections and opened files?
echo "* hard nofile 10000"|tee -a /etc/security/limits.conf
echo "net.netfilter.nf_conntrack_max=99000" > /etc/sysctl.d/10-conntrack-max.conf && modprobe nf_conntrack && sysctl -p /etc/sysctl.d/10-conntrack-max.conf
12. Install Wireguard (https://github.com/angristan/wireguard-install) and enable port forwarding (https://internetlifeforum.com/internet/13673-wireguard-linux-vpn-server-port-forwarding-firewalled-client-open-port/).
13. Install OpenVPN (https://internetlifeforum.com/security/4675-how-setup-private-openvpn-linux-server-windows-android-client/)
14. setup logs removal (https://internetlifeforum.com/linux-forums/19474-how-delete-all-standard-logs-linux-server-regularly-keep-clean-logs/#post39906).

If you prefer a more advanced configuration of your firewall and brute force blocking than the "fail2ban" installed above, then remove it and install CSF ConfigServer firewall https://configserver.com/configserver-security-and-firewall/
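An added example for step 4 (not part of Fli's post): a shell function that checks the new port is inside the 600-60000 range the post recommends and rewrites only a whole-line default `Port 22` directive, so a line such as `Port 2222` is not mangled. The function and file names (`set_ssh_port`, `ssh_port_of`, the config path argument) are assumptions; run it against a copy of sshd_config, then `sshd -t` and reload as in the post.

```shell
#!/bin/sh
# set_ssh_port CONFIG_FILE PORT
# Rewrites the default "Port 22" directive (also "#Port 22" / "# Port 22")
# in CONFIG_FILE to PORT. Only whole lines match, so "Port 2222" stays as is.
# If no default directive exists, an explicit "Port PORT" line is appended.
set_ssh_port() {
    cfg="$1"; port="$2"
    # the port must be a number inside the range the post recommends
    case "$port" in
        ''|*[!0-9]*) echo "port must be numeric" >&2; return 1 ;;
    esac
    if [ "$port" -lt 600 ] || [ "$port" -gt 60000 ]; then
        echo "port $port outside 600-60000" >&2; return 1
    fi
    pat='^#?[[:space:]]*Port[[:space:]]+22[[:space:]]*$'
    if grep -Eq "$pat" "$cfg"; then
        # write to a temp file and move it into place (works without sed -i)
        sed -E "s/$pat/Port $port/" "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    else
        printf 'Port %s\n' "$port" >> "$cfg"
    fi
}

# ssh_port_of CONFIG_FILE: print every active (uncommented) Port value,
# one per line, so the result of set_ssh_port can be checked.
ssh_port_of() {
    sed -nE 's/^[[:space:]]*Port[[:space:]]+([0-9]+)[[:space:]]*$/\1/p' "$1"
}
```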