(very) BASIC SECURITY
There are whole books about how to secure a system and even if you would follow every available book or guide you still you wouldn’t be able to be 100% secure. However, there are basic things that can be done that I would strongly recommend.
This site is more or less for my own reference!
1) Keep your system up to date.
You will have to choose from two options:
a) configure unattended updates
I personally want to know what is happening on my systems so I don’t recommend that option. If you want to go for automatic updates you should give this a read: https://help.ubuntu.com/lts/serverguide/automatic-updates.html
b) regularly check for updates your self
sudo apt-get update
sudo apt-get upgrade
sudo apt-get dist-upgrade
Please note:
apt-get update updates the list of available packages and their versions but does not install or upgrade any packages.
apt-get upgrade installs newer versions of the packages. After updating the lists, the package manager knows about available updates for the software you have installed.
apt-get dist-upgrade in addition to performing the function of upgrade, also intelligently handles changing dependencies with new versions of packages; apt-get has a “smart” conflict resolution system, and it will attempt to upgrade the most important packages at the expense of less important ones if necessary. So, the dist-upgrade command may remove some packages.
If you tend to forget things you can setup apticron to inform you about new updates.
sudo apt-get install apticron -y
sudo nano /etc/apticron/apticron.conf
Edit the config:
EMAIL="[email protected]"
SYSTEM="servers_name"
Verify it is working by calling it once:
sudo apticron
If you do not get a message that might be because there is nothing to do. If you want to check if your system is sending emails at all do:
mail -s "Test Subject" [email protected] < /dev/null
Check your spam folder as well.
3. Switch from password-based authentication to key-based authentication for ssh
An SSH server can authenticate clients using a variety of different methods. The most basic of these is password authentication, which is easy to use, but not the most secure.
Although passwords are sent to the server in a secure manner, they are generally not complex or long enough to be resistant to repeated, persistent attackers. Modern processing power combined with automated scripts make brute forcing a password-protected account very possible. Although there are other methods of adding additional security (fail2ban, etc.), SSH keys prove to be a reliable and secure alternative.
SSH key pairs are two cryptographically secure keys that can be used to authenticate a client to an SSH server. Each key pair consists of a public key and a private key.
The private key is retained by the client and should be kept absolutely secret. Any compromise of the private key will allow the attacker to log into servers that are configured with the associated public key without additional authentication. As an additional precaution, the key can be encrypted on disk with a passphrase.
NOTE: Before you start ensure you have a way to connect to your system if you lock your self out. If you somehow mess up putting your correct key in YOU WILL NO LONGER BE ABLE TO LOGIN TO YOUR SYSTEM. I recommend testing if your SSH connection stays active when you restart sshd.
Generate a key pair with putty:
#### REMOTE ####
Ensure ~/.ssh/authorized_keys exits. If not, create it by doing:
mkdir ~/.ssh
touch ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
#### LOCAL ####
If you downloaded putty’s MSI PuttyGen is already on your system. If that is not the case head to http://www.putty.org/ and grab it.
Once downloaded and installed, launch PuttyGen and click on “Generate”.
You will be asked to randomly move your mouse over the blank area.
Once enough data is generated you will see your new generated key, its fingerprint, and a key comment, you can edit the comment if you like to. You can also set a password for the key pair in case your local system gets compromised. This way an attacker would not be able to connect to all your servers right away.
You can now save your private and public key.
While it is safe to share your public key, never share your private key. Save them both. Save the public key somewhere to store it when you need it, the private key to a safe location. I know calling it “safe location” is confusing as we will need the key accessible on our local system. I personally have separate folders where I store all my keys.
When you have done that, mark the key displayed in PuttyGen below “Public key for pasting into OpenSSH authorized_keys file:” and copy it.
Head to your VPS and do:
sudo nano ~/.ssh/authorized_keys
Paste the key into ITS OWN LINE in the file, save and exit with CTRL + X -> y -> Enter
#### LOCAL ####
Open PuTTY, and go to the SSH > Auth section.
Browse to the location of the key file, and load the private key.
Go to the Session page, and save the session. This saves the configuration so that PuTTY uses the key every time that you connect to your server.
After you save your session, your key is loaded automatically when you connect to your server.
Now we need to disable username/password logins
sudo nano /etc/ssh/sshd_config
Press CTRL + W and type: AuthorizedKeysFile
Change:
#AuthorizedKeysFile %h/.ssh/authorized_keys
to
AuthorizedKeysFile %h/.ssh/authorized_keys
Press CTRL + W and type: PasswordAuthentication -> Enter
Change:
#PasswordAuthentication yes
to
PasswordAuthentication no
Press CTRL + W and type: UsePAM -> Enter
Change:
UsePAM yes
to
UsePAM no
Save and exit with CTRL + X -> y -> Enter
now do:
sudo reload ssh
If that throws an error do:
sudo /etc/init.d/ssh restart
Connect with a second putty session and log in with your user. Your login will now look like this.
A refused login, without a key, will look like this.
4) Use ufw as a firewall
I strongly recommend opening only those ports that are needed to let your masternode run. That’s usually port 22 for SSH and the mastenode ports according to the coins documentation.
Install ufw with
sudo apt-get install ufw
Set the rules you need:
sudo ufw allow ssh
ufw allow 12845 # just as an example
Verify all rules with:
sudo ufw added rules
Enable the firewall. this might disconnect your ssh session.
sudo ufw enable
Check the status of the firewall:
sudo ufw status