SSH and Security
How to secure the VM from bad guys: use SSH, HTTPS, Fail2ban, NPM, a reverse proxy and Let's Encrypt certificates.
If you don't choose who can enter, someone else will.
Using SSH is very important: it gives us secure communication. Enabling SSH on your VM is highly recommended, so that you can run a very compact headless server without a monitor or keyboard and still access it conveniently. I love the CLI.
Still, we need to lock the door: the SSH access on the VM.
Create a key, send it to the VM and test it:
The quick one is ssh-keygen -t ed25519. The key goes into the ~/.ssh directory.
If you want to remember what it's for: ssh-keygen -t ed25519 -C "some comment of what it's for"
Better security is to use a passphrase (not accepted by every service); a long, complicated one is better. For ease of use you can let the ssh-agent remember it for you: ssh-keygen -t ed25519 -N new_long_passphrase -C "some comment of what it's for"
Give your host a proper name with sudo hostnamectl set-hostname vm100.example.org, or stargate.example.com for the NPM VM.
Copy your key to the new server: ssh-copy-id -i ~/.ssh/id_ed25519.pub [email protected]
Now re-login with ssh. If it works, you can lock down the ssh.
Configure who can ssh into your VM
You should not run as root. The command adduser user-id creates a new user and asks for a password. Then add the user to the sudo group for elevated privileges.
Edit the VM's sshd config with sudo nano /etc/ssh/sshd_config and set:
PubkeyAuthentication yes
ChallengeResponseAuthentication no
UsePAM no
PasswordAuthentication no
PermitRootLogin no
AllowUsers user-id
Port 55555
Save and restart the daemon: sudo systemctl restart sshd
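The settings above, applied by script rather than by hand, as an added example that is not part of the original guide: a POSIX shell snippet that rewrites an sshd_config file idempotently (every active or commented copy of a directive is replaced, because sshd honours the first match) and a check function that verifies the result before the daemon is restarted. The function names, the user name and the sample config in the comments are assumptions for this example.

```shell
#!/bin/sh
# Added example, not the guide's own code: idempotent hardening of an
# sshd_config file plus a check function, usable from a provisioning script.
# Function names (set_sshd_directive, harden_sshd_config, get_sshd_directive,
# check_sshd_config) are assumptions for this example.
set -eu

# Replace every active or commented occurrence of KEY with "KEY VALUE".
# sshd uses the first match for a directive, so leftover defaults such as
# "#Port 22" or "PasswordAuthentication yes" are removed rather than
# shadowed. Writing through cat keeps the original file's permissions.
set_sshd_directive() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    grep -Ev "^[[:space:]]*#?[[:space:]]*${key}"'([[:space:]]|$)' "$file" > "$tmp" || true
    printf '%s %s\n' "$key" "$value" >> "$tmp"
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Apply the directives from the guide: key-only authentication, no root
# login, one allowed user, custom port.
harden_sshd_config() {
    file=$1; user=$2; port=$3
    set_sshd_directive "$file" PubkeyAuthentication yes
    set_sshd_directive "$file" ChallengeResponseAuthentication no
    set_sshd_directive "$file" UsePAM no
    set_sshd_directive "$file" PasswordAuthentication no
    set_sshd_directive "$file" PermitRootLogin no
    set_sshd_directive "$file" AllowUsers "$user"
    set_sshd_directive "$file" Port "$port"
}

# Print the effective (first) value of KEY, or nothing if it is not set.
get_sshd_directive() {
    file=$1; key=$2
    grep -E "^[[:space:]]*${key}[[:space:]]+" "$file" | head -n 1 | awk '{print $2}'
}

# Return 0 only when every hardening directive carries the expected value.
check_sshd_config() {
    file=$1; user=$2; port=$3
    [ "$(get_sshd_directive "$file" PasswordAuthentication)" = no ] &&
    [ "$(get_sshd_directive "$file" PermitRootLogin)" = no ] &&
    [ "$(get_sshd_directive "$file" PubkeyAuthentication)" = yes ] &&
    [ "$(get_sshd_directive "$file" AllowUsers)" = "$user" ] &&
    [ "$(get_sshd_directive "$file" Port)" = "$port" ]
}

# Typical use on the VM (assumed user name and the guide's port):
#   sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
#   sudo sh -c '. ./harden.sh; harden_sshd_config /etc/ssh/sshd_config user-id 55555'
#   check_sshd_config /etc/ssh/sshd_config user-id 55555 && sudo sshd -t
```

Run sudo sshd -t (full path /usr/sbin/sshd on some distributions) to let sshd itself validate the file before systemctl restart, and keep your current session open until a fresh login on the new port with the new user succeeds; if it fails, you still have a shell to restore the backup. If you script key generation as well, omit -N and let ssh-keygen prompt, so the passphrase does not end up in shell history.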
Use firewalls
Only open the ports you need, and only to addresses you control. You need to open the web ports (80 and 443) and DROP everything else. My ssh ports are only open from inside my network.
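The policy just described, written out as an nftables ruleset, as an added example that is not part of the original guide: 80 and 443 accepted from anywhere, SSH accepted only from the internal network, and a default drop for everything else. The function name, the LAN range 192.168.1.0/24 and the use of nftables (rather than whatever firewall the author runs) are assumptions for this example.

```shell
#!/bin/sh
# Added example, not the guide's own code: emit an nftables ruleset that
# implements "open 80/443, SSH only from inside, drop the rest".
# gen_nft_ruleset and the sample CIDR are assumptions for this example.

gen_nft_ruleset() {
    lan_cidr=$1   # network allowed to reach SSH, e.g. 192.168.1.0/24 (assumed)
    ssh_port=$2   # the Port set in sshd_config, 55555 in the guide
    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        # replies to our own connections, and loopback
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
        # ICMP keeps path MTU discovery and IPv6 neighbour discovery working
        ip protocol icmp accept
        ip6 nexthdr ipv6-icmp accept
        # web ports open to everyone; 80 stays open so Let's Encrypt can renew
        tcp dport { 80, 443 } accept
        # SSH reachable only from inside the network, on the custom port
        ip saddr ${lan_cidr} tcp dport ${ssh_port} accept
        # everything else falls through to the chain policy: drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Typical use on the VM (assumed paths):
#   gen_nft_ruleset 192.168.1.0/24 55555 | sudo tee /etc/nftables.conf
#   sudo nft -c -f /etc/nftables.conf     # syntax check only, loads nothing
#   sudo nft -f /etc/nftables.conf && sudo systemctl enable nftables
```

Check the file with nft -c -f before loading it, and load it from a session on the LAN (or the console) so that a mistake in the SSH rule cannot lock you out. The ruleset contains no rule for port 22 on purpose: once sshd listens on 55555 only, nothing should accept traffic there.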
Use a Reverse Proxy and HTTPS
The reverse proxy needs only port 443 open. You will also need port 80 open for Let's Encrypt to be able to renew certificates. You direct traffic by CNAME to the right service. Minimum exposure from open ports.
Stop Brute Force Attacks
I have Fail2ban as standard in my scripts. You only need to set it up to read the logs for the open ports; the ssh jail is activated by default.
HTTPS encryption
Let's Encrypt is a nonprofit Certificate Authority providing TLS certificates to 260 million websites.
And remember to read the logs and follow what's going on in your VMs.
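What "reading the logs" and the Fail2ban sshd jail amount to, done by hand over a few sshd log lines, as an added example that is not part of the original guide: count failed and invalid-user attempts per source address and list which users logged in successfully from where. The function names and the sample log (documentation IP ranges, made-up PIDs and times) are constructed for this example.

```shell
#!/bin/sh
# Added example, not the guide's own code: the check Fail2ban automates for
# sshd, done with awk over auth log lines so the pattern is visible.
# Function names and the sample log are constructed for this example.

# Write a small constructed auth log to the path given as $1.
write_sample_auth_log() {
    cat > "$1" <<'EOF'
Jan 10 10:00:01 vm100 sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jan 10 10:00:03 vm100 sshd[1235]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Jan 10 10:00:05 vm100 sshd[1236]: Failed password for root from 203.0.113.7 port 51238 ssh2
Jan 10 10:00:07 vm100 sshd[1237]: Accepted publickey for user-id from 192.168.1.20 port 40000 ssh2
Jan 10 10:00:09 vm100 sshd[1238]: Failed password for invalid user test from 198.51.100.9 port 41000 ssh2
Jan 10 10:00:11 vm100 sshd[1239]: Invalid user oracle from 203.0.113.7 port 51240
Jan 10 10:00:13 vm100 sshd[1240]: Accepted publickey for user-id from 192.168.1.20 port 40002 ssh2
EOF
}

# Print "count ip" for every source address with at least THRESHOLD failed
# or invalid-user attempts, most active first. The default of 3 plays the
# role of Fail2ban's maxretry.
failed_logins_per_ip() {
    logfile=$1; threshold=${2:-3}
    awk -v t="$threshold" '
        /sshd\[[0-9]+\]: (Failed password|Invalid user)/ {
            for (i = 1; i <= NF; i++) if ($i == "from") ips[$(i+1)]++
        }
        END { for (ip in ips) if (ips[ip] >= t) print ips[ip], ip }
    ' "$logfile" | sort -rn
}

# Print "user ip" for each successful login, de-duplicated, so a login by an
# unexpected user or from an unexpected address stands out at a glance.
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted / {
            for (i = 1; i <= NF; i++) {
                if ($i == "for") u = $(i+1)
                if ($i == "from") print u, $(i+1)
            }
        }' "$1" | sort -u
}

# Typical use on the VM: the log lives in /var/log/auth.log on Debian-style
# systems; on journald-only systems export it first with
#   journalctl -u ssh --no-pager > /tmp/sshd.log   (unit is sshd on some distros)
#   failed_logins_per_ip /tmp/sshd.log 5
#   accepted_logins /tmp/sshd.log
```

On the sample log this reports 4 attempts from 203.0.113.7 and one accepted key login for user-id from the LAN. With Fail2ban doing this continuously, one caveat for the setup in this guide: the sshd jail's ban action restricts blocking to the jail's port, which defaults to 22, so after moving sshd to 55555 set port = 55555 in the [sshd] section of jail.local, otherwise a banned address is still free to reach the real port.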