Last active
January 23, 2025 02:04
Revisions
mike-weiner revised this gist
Jan 23, 2025 · 1 changed file with 3 additions and 2 deletions.
@@ -14,10 +14,11 @@ This document is meant to serve as a basic guide for hardening a Linux server. 1. `sudo ufw default deny incoming` 1. `sudo ufw default allow outgoing` 1. Allow inbound traffic on specific ports: - `sudo ufw allow <SSH_PORT>/tcp` - `sudo ufw allow 443/tcp` 1. `sudo ufw enable` 1. `sudo ufw status numbered` 1. `sudo ufw reload` ## Add Non-Root `sudo` User to System for General Use
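Review bot: the new `sudo ufw reload` step at the end of this list is redundant; `sudo ufw enable` already loads the rule set, and rules added with `ufw allow` before it are active as soon as the firewall comes up, so either drop the step or note that a reload is only needed after hand-editing the files under `/etc/ufw`. Keep the `<SSH_PORT>/tcp` allow rule ahead of `sudo ufw enable`, as the list does, because enabling with `default deny incoming` and no SSH rule drops the session you are working from. Adding `/tcp` to both rules is the right change, since a bare port number opens the port for UDP as well.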
mike-weiner revised this gist
Oct 6, 2024 · 1 changed file with 1 addition and 1 deletion.
@@ -61,4 +61,4 @@ If you are using your new account for a form of automation, you may need require If your newly created account needs to be able to run `docker` commands, you will want to create a `docker` UserGroup and adde your user to it. 1. `sudo groupadd docker` 1. `sudo usermod -aG docker <USERNAME>`
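Review bot: "adde" in the first sentence of this hunk should read "add", and the list should end with a step saying the user must log out and back in (or run `newgrp docker`) before the new group membership takes effect, since `usermod -aG` does not change the groups of an already running session. Worth one sentence of caveat here as well: membership in the `docker` group gives full control of the Docker daemon, which is equivalent to root on the host, so it undoes much of the point of the non-root account unless the reader understands that trade-off.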
mike-weiner revised this gist
Oct 6, 2024 · No changes.
mike-weiner revised this gist
Oct 6, 2024 · 1 changed file with 1 addition and 1 deletion.
@@ -15,7 +15,7 @@ This document is meant to serve as a basic guide for hardening a Linux server. 1. `sudo ufw default allow outgoing` 1. Allow inbound traffic on specific ports: - `sudo ufw allow <SSH_PORT>` - `sudo ufw allow 443` 1. `sudo ufw enable` 1. `sudo ufw status numbered`
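Review bot: `sudo ufw allow <SSH_PORT>` and `sudo ufw allow 443` in this hunk carry no protocol suffix, so each rule opens the port for both TCP and UDP; use `<SSH_PORT>/tcp` and `443/tcp` so the firewall admits only the protocol actually served (both SSH and HTTPS are TCP here).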
mike-weiner created this gist
Oct 6, 2024
@@ -0,0 +1,64 @@ # Basic Linux Server Hardening This document is meant to serve as a basic guide for hardening a Linux server. ## Change Default Port Used by SSH 1. `sudo nano /etc/ssh/sshd_config` 1. Uncomment `#Port 22` and change it to `Port <SSH_PORT>`. (Replace `<SSH_PORT>` with your desired port to use for SSH connectivity.) 1. `sudo systemctl restart ssh` 1. `reboot` ## Enable Basic Firewall with `ufw` 1. `sudo ufw default deny incoming` 1. `sudo ufw default allow outgoing` 1. Allow inbound traffic on specific ports: - `sudo ufw allow <SSH_PORT>` - sudo ufw allow 443 1. `sudo ufw enable` 1. `sudo ufw status numbered` ## Add Non-Root `sudo` User to System for General Use 1. `sudo adduser --disabled-password <USERNAME>` 1. `sudo usermod -aG sudo <USERNAME>` ## Copy Authorized SSH Keys from `root` to New Non-Root User 1. `mkdir -p /home/<USERNAME>/.ssh` 1. `chmod 700 /home/<USERNAME>/.ssh` 1. `cp ~/.ssh/authorized_keys /home/<USERNAME>/.ssh/` 1. `chown <USERNAME>:<USERNAME> /home/<USERNAME>/.ssh/` 1. `chown <USERNAME>:<USERNAME> /home/<USERNAME>/.ssh/authorized_keys` 1. `chmod 600 /home/<USERNAME>/.ssh/authorized_keys` ## Allow New User to Be Passwordless Sudo If you are using your new account for a form of automation, you may need require that it not require a password for running commands that require `sudo`. 1. `sudo visudo` 1. Add `<USERNAME> ALL=(ALL) NOPASSWD: ALL` to the bottom of the file. ## Disable Non-Root & Password SSH Logins 1. `sudo nano /etc/ssh/sshd_config` - Change `PermitRootLogin yes` to `PermitRootLogin no`. - Change `#PubkeyAuthentication yes` to `PubkeyAuthentication yes`. - Chage `#PasswordAuthentication yes` to `PasswordAuthentication no`. - Change `#PermitEmptyPasswords no` to `PermitEmptyPasswords no`. - Change `#StrictModes yes` to `StrictModes yes`. - Change `#MaxAuthTries 6` to `MaxAuthTries 3`. - Change `#MaxSessions 10` to `MaxSessions 3`. 1. `sudo systemctl restart ssh` 1. 
`reboot` ## Add a `docker` User Group If your newly created account needs to be able to run `docker` commands, you will want to create a `docker` UserGroup and adde your user to it. 1. `sudo groupadd docker` 1. `sudo usermod -aG docker <USERNAME>`.
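Review bot: the "Disable Non-Root & Password SSH Logins" section sets `PermitRootLogin no` and `PasswordAuthentication no` and then restarts `ssh` with no step in between confirming that the new user can actually authenticate with the copied key; add a step before the restart that opens a second session as `<USERNAME>` using the key, and keep the existing root session open until that succeeds, otherwise a bad `authorized_keys` copy or permissions rejected by `StrictModes` locks the operator out of the box. Smaller points in the same hunk: the heading should read "Disable Root & Password SSH Logins", since the section disables root logins, not non-root ones; "Chage" should be "Change"; "you may need require" should be "you may need to require"; the `reboot` after `sudo systemctl restart ssh` in both SSH sections is unnecessary because the restart already applies the new configuration; and the `NOPASSWD: ALL` line is better placed in its own drop-in via `sudo visudo -f /etc/sudoers.d/<USERNAME>` than appended to the bottom of `/etc/sudoers`, so it can be reviewed and revoked on its own.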