Moar Security

In my last post I described how I decrypt my home server remotely with ssh. Today I would like to share how I lock down my Debian-based home server while it's running.

Public Key Authentication with SSH

[Public key authentication](https://www.ssh.com/ssh/public-key-authentication) is basic stuff when it comes to ssh. There's not really any reason not to use public keys.

Most guides do the generation on a client machine and then copy the public key up to the server. I did it backwards, mainly because I was originally setting things up on a Windows machine. I could have used puttygen, but these days I find the Linux terminal friendlier than most GUIs... It's odd, I know.

Basic setup:

ssh-keygen
cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys   # append, so any keys already authorized are kept

Then move ~/.ssh/id_rsa (the private key) to your client PC.

Next check your ssh config:

sudo nano /etc/ssh/sshd_config

Ensure the following options are set:

PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes

Additionally, you can add the line AllowUsers **Your User Name Here** to restrict ssh logins to a specific list of users.

Restart sshd with `sudo service sshd restart`, then (if you are doing this over ssh) immediately open a second ssh connection using your key before closing the first one. Your current ssh session is not affected by the restart, so you can still fix the config if the new connection fails.

Example ssh connection:

ssh -i /home/dugite/.ssh/serv_id_rsa dugite@10.1.1.2
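Before restarting sshd it is worth confirming that the three directives actually take effect: sshd honours the first occurrence of a keyword, and anything below a `Match` block is conditional. The check below is an added example, not part of the original post; it assumes the usual whitespace-separated `Keyword value` form and takes the config path as its first argument.

```shell
#!/bin/sh
# Added example: verify the sshd_config directives from the post are set
# in the global section (before any Match block). sshd uses the FIRST
# occurrence of a keyword, so later duplicates are ignored here as well.

# effective_value FILE KEYWORD -> prints the first global value, lowercased
effective_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }                 # comment line
        NF == 0          { next }                 # blank line
        tolower($1) == "match" { exit }           # conditional section: stop
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# check_sshd_config FILE -> returns 0 if every required directive is set
# as the post requires; otherwise reports each mismatch and returns 1
check_sshd_config() {
    file="$1"
    rc=0
    for pair in "PermitRootLogin=no" "PasswordAuthentication=no" "PubkeyAuthentication=yes"; do
        key="${pair%=*}"
        want="${pair#*=}"
        got="$(effective_value "$file" "$key")"
        if [ "$got" != "$want" ]; then
            echo "$key: found '${got:-<unset>}', want '$want'" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage: sh check_sshd.sh /etc/ssh/sshd_config
if [ $# -gt 0 ]; then
    check_sshd_config "$1"
fi
```

Run it before `sudo service sshd restart`; a non-zero exit means one of the three settings would not be in force.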

TOTP via Google Authenticator PAM

Add TOTP to SUDO and SU

UFW

Use Docker with UFW

https://github.com/chaifeng/ufw-docker

Encrypted Port Knocking with fwknop

fwknop -A tcp/22 -D example.tld --key-gen --use-hmac --save

Tripwire

https://www.digitalocean.com/community/tutorials/how-to-use-tripwire-to-detect-server-intrusions-on-an-ubuntu-vps
