Automatic stable updates
sudo apt install unattended-upgrades
sudo dpkg-reconfigure unattended-upgrades
# Choose "yes" to enable automatic installation of stable updates
Configure SSH server (openssh)
- Change the SSH port; pick one below 1024, since only root can bind a privileged port and an unprivileged process on the host cannot take it over
- Disable root login
- Disable password login
- Allow only public key authentication
- Limit authentication attempts per connection (MaxAuthTries)
- Set which users are allowed to connect by SSH (AllowUsers)
- Set an SSH idle timeout
- Use ED25519 keys in authorized_keys (generate with ssh-keygen -t ed25519)
- Disable X11 forwarding
Example:
# /etc/ssh/sshd_config.d/default.conf
# Your chosen port; allow it in the firewall before reloading sshd
Port XXXX
PermitRootLogin no
# Authentication attempts allowed per connection
MaxAuthTries 3
# Probe an idle client every 600 s and drop it after one unanswered probe (10 min idle timeout)
ClientAliveInterval 600
ClientAliveCountMax 1
PasswordAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey
KbdInteractiveAuthentication no
X11Forwarding no
# Space-separated list of the only user names allowed to log in
AllowUsers XXXXXXXXXX XXXXXXXXXX
Validate the syntax, then reload SSH. Keep your current session open and test a new login before closing it: sudo sshd -t && sudo systemctl restart sshd
sshd applies the first value it reads for each keyword, and the drop-ins in /etc/ssh/sshd_config.d/ are included in lexical order ahead of the main sshd_config. A distribution drop-in that sorts before default.conf (for example a 50-*.conf shipped by cloud-init) and sets PasswordAuthentication yes therefore wins. Check the effective configuration rather than the file you wrote: sudo sshd -T | grep -iE '^(port|permitrootlogin|passwordauthentication|clientalivecountmax) '
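As an added example (not part of the original guide), the script below compares the effective sshd configuration, in the form `sshd -T` prints it, against the hardening values above and reports every deviation. The expected-value list mirrors the example config; the two `sshd -T` dumps are constructed samples, the port 2222 in them is an assumed placeholder, and the `--live` flag is a convenience added here for running it against the real daemon.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): check the effective sshd
# configuration, as printed by `sshd -T`, against the hardening values above.
# Port and user names are site-specific placeholders and are not checked here.

# Expected settings, in the lowercase "keyword value" form that `sshd -T` prints.
EXPECTED='permitrootlogin no
passwordauthentication no
pubkeyauthentication yes
kbdinteractiveauthentication no
authenticationmethods publickey
x11forwarding no
maxauthtries 3
clientaliveinterval 600
clientalivecountmax 1'

# check_sshd_config "<sshd -T output>"
# Prints one MISMATCH line per deviation; returns 0 when every expected value
# is in effect, 1 otherwise.
check_sshd_config() {
    local dump="$1" rc=0 key want have
    while IFS=' ' read -r key want; do
        [ -n "$key" ] || continue
        # First field of a `sshd -T` line is the keyword, second is its effective value.
        have=$(printf '%s\n' "$dump" | awk -v k="$key" '$1 == k { print $2; exit }')
        if [ "$have" != "$want" ]; then
            printf 'MISMATCH %s: want %s, have %s\n' "$key" "$want" "${have:-<unset>}"
            rc=1
        fi
    done <<EOF
$EXPECTED
EOF
    return "$rc"
}

# Constructed sample: a host where an earlier-sorting drop-in re-enabled password
# logins and ClientAliveCountMax was never set (so it kept its default of 3).
# Port 2222 is an assumed placeholder.
SAMPLE_BAD='port 2222
permitrootlogin no
passwordauthentication yes
pubkeyauthentication yes
kbdinteractiveauthentication no
authenticationmethods publickey
x11forwarding no
maxauthtries 3
clientaliveinterval 600
clientalivecountmax 3'

# The same host after both defects are fixed.
SAMPLE_GOOD=$(printf '%s\n' "$SAMPLE_BAD" \
    | sed -e 's/^passwordauthentication yes$/passwordauthentication no/' \
          -e 's/^clientalivecountmax 3$/clientalivecountmax 1/')

# Hypothetical usage on a real host:  ./check_sshd.sh --live
if [ "${1:-}" = "--live" ]; then
    check_sshd_config "$(sudo sshd -T)"
fi
```

Reading `sshd -T` instead of the config file is the point: it shows what the daemon actually applies after all drop-ins and first-match resolution, so a stray `PasswordAuthentication yes` in another file is caught even though default.conf looks correct.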
Configure firewall
Install UFW: sudo apt install ufw
Set default policies:
sudo ufw default deny incoming comment 'deny all incoming traffic'
sudo ufw default deny outgoing comment 'deny all outgoing traffic'
Set firewall rules:
sudo ufw limit in <your_custom_ssh_port>/tcp comment '*:*===>server:ssh'
# 'limit' allows the port but blocks a source IP that opened 6 or more connections in the last 30 seconds
# sudo ufw allow in http comment '*:*===>server:http' # If you run a web server on the server
# sudo ufw allow in https comment '*:*===>server:https' # idem
sudo ufw allow out 53 comment 'server:*==>*:dns'
# DNS is listed as 'domain' in /etc/services, so 'ufw allow out dns' fails; port 53 covers both tcp and udp
sudo ufw allow out ntp comment 'server:*==>*:ntp'
# http/https out are what apt and unattended-upgrades need to fetch packages
sudo ufw allow out http comment 'server:*==>*:http'
sudo ufw allow out https comment 'server:*==>*:https'
sudo ufw allow out whois comment 'server:*==>*:whois'
sudo ufw allow out smtp comment 'server:*==>*:smtp'
Enable UFW: sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
Configure fail2ban
Install fail2ban: sudo apt install fail2ban
Create jail for custom SSH port:
# /etc/fail2ban/jail.d/sshd_custom.conf
[sshd]
enabled = true
# Must match the Port set in sshd_config, or bans are written for the wrong port
port = XXXX
# Read sshd's log from the journal (Debian 12 ships no /var/log/auth.log unless rsyslog is installed)
backend = systemd
Reload fail2ban: sudo systemctl restart fail2ban
Confirm the jail is running and counting failures: sudo fail2ban-client status sshd