How to harden your Debian / Ubuntu Server against hacking attempts

Once you run a server, whether a Cloud or a Dedicated Server, it is necessary to secure it against attacks from the Internet. A publicly reachable IP address is already a potential risk: bots regularly scan the IP address ranges of providers and automatically launch attacks against various services (such as SSH), with the aim of later using the compromised server for further attacks or other criminal activity.

This article describes the basic protection of a server with Debian or Ubuntu as the operating system. To implement the key points of this article, you should be familiar with using an editor and an SSH client.

1. Set a secure root password

By default, our Cloud and Dedicated Servers are installed with a secure 16-character password. After the installation is done, you receive your server's initial login details via email. The password should be changed immediately after the first login via SSH.

This can be done with the command “passwd”. To generate a secure password, we use pwgen – this is done as follows:

apt-get update && apt-get install pwgen

The following command generates and outputs a 20-character password that is considered secure:

pwgen -s -y 20 | awk '{print $1}'

Now the password of root can be changed as follows:

passwd root

Then enter the new password and re-enter it for confirmation. Please store your server's root password safely, for example in KeePass.

2. Update the system to the latest version

Regular updates of software packages are an important foundation for closing security vulnerabilities. Under Debian and Ubuntu an update can be performed with very little effort directly via the package management.

To retrieve the currently available packages:

apt-get update

After that, to upgrade the installed packages:

apt-get upgrade

To update important packages like the kernel:

apt-get dist-upgrade

The same can also be done in a sequence:

apt-get update && apt-get upgrade && apt-get dist-upgrade

If the kernel has been updated (linux-image), it is necessary to restart the system.

3. Block attackers with fail2ban

To block brute-force attacks and scans, fail2ban is an effective solution. fail2ban scans the log files of your server at regular intervals and detects repeated failed login attempts. It reacts with an automated, temporary ban of the attacker's IP address.

The installation is simple and requires no further configuration:

apt-get install fail2ban

Afterwards we verify that the service is running:

service fail2ban status

By default, fail2ban logs each banned IP address in /var/log/fail2ban.log.

4. Enable SSH key pair authentication

There are several authentication options for SSH. Probably the safest is authentication with a cryptographic key. To set it up, ssh-keygen creates a pair of public and private keys. The public key is stored on the server, the private key on the client that connects via SSH.

First, a new key pair is generated, preferably with 4096 bits, which is more than adequate:

ssh-keygen -b 4096 -f /root/id_rsa

In the next step, the public key is installed as authorized_keys:

mv /root/id_rsa.pub /root/.ssh/authorized_keys

If the directory /root/.ssh does not exist yet, create it first:

mkdir /root/.ssh

From now on, the private key can be copied to the client and used for authentication. If you use PuTTY as the SSH client, the private key must first be converted to a PuTTY-readable format – this is done with PuTTYgen – see https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html.

To do so, click on Load (instead of Generate) and select the previously generated private key. Click Save Private Key to save the key in the new format.

When connecting to your server with PuTTY, you can specify the private key in the session settings before connecting.

While authenticating, you shouldn't get prompted for the root password; if you do, check your configuration before proceeding.

If you're able to authenticate with your private key, you can continue and disable password authentication. To do this, edit /etc/ssh/sshd_config, search for PasswordAuthentication and set it as follows:

PasswordAuthentication no

Afterwards it is necessary to restart the SSH service:

service ssh restart

An SSH login should now only be possible if you use the private key for authentication.
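A caveat worth checking before you restart the service: sshd uses the first occurrence of a keyword in its configuration, so a "PasswordAuthentication yes" earlier in the file, or in a file pulled in by an "Include" line near the top (as Ubuntu's sshd_config.d/ layout does), silently wins over the "no" you edited in further down. The following POSIX shell checker is an added example, not part of the original article, and works on constructed sample files; on a real host, `sshd -T` is the authoritative check.

```shell
#!/bin/sh
# Added example (not from the article): find the value sshd will really use
# for a keyword, following the rule that the FIRST occurrence wins and that
# "Include" files are read at the point where the Include line appears.

# effective_sshd_value CONFIG KEYWORD: prints the effective value (lowercased)
# and returns 0; returns 1 if the keyword is not set before the first "Match"
# block, in which case sshd falls back to its compiled-in default.
effective_sshd_value() {
    local cfg="$1" key k v f
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ -r "$cfg" ] || return 1
    while read -r k v; do
        case "$k" in ''|'#'*) continue ;; esac                  # blank/comment
        case "$k" in *=*) v=${k#*=}${v:+ $v}; k=${k%%=*} ;; esac  # Key=Value
        k=$(printf '%s' "$k" | tr 'A-Z' 'a-z')
        case "$k" in
            "$key") printf '%s' "$v" | tr 'A-Z' 'a-z'; return 0 ;;
            match)  return 1 ;;                  # later lines are conditional
            include)                             # included files count here
                for f in $v; do
                    effective_sshd_value "$f" "$key" && return 0
                done ;;
        esac
    done < "$cfg"
    return 1
}

# password_auth_disabled CONFIG: succeeds only if the effective value is "no"
# (an unset keyword means sshd's default, which is "yes").
password_auth_disabled() {
    [ "$(effective_sshd_value "$1" PasswordAuthentication)" = no ]
}

# make_demo_configs DIR: constructed sample mirroring the Ubuntu layout, where
# a drop-in file included at the top re-enables password logins.
make_demo_configs() {
    mkdir -p "$1/sshd_config.d"
    printf 'PasswordAuthentication yes\n' > "$1/sshd_config.d/50-cloud-init.conf"
    printf '# constructed sample\nInclude %s/sshd_config.d/*.conf\n#PasswordAuthentication yes\nPasswordAuthentication no\n' \
        "$1" > "$1/sshd_config"
}

tmp=$(mktemp -d)
make_demo_configs "$tmp"
echo "effective PasswordAuthentication: $(effective_sshd_value "$tmp/sshd_config" PasswordAuthentication)"
rm -r "$tmp"
```

The sample prints "yes" although the main file ends with "PasswordAuthentication no", which is exactly the situation the drop-in directory creates on a freshly installed Ubuntu.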
