apt update && apt upgrade -y
You should never log in to your server as root, so create a new account and grant it sudo privileges:
adduser <username>
usermod -aG sudo <username>
If you are running a web server, it would be a good idea to also create a separate, non-privileged user to run the server processes with at this stage.
Either use ssh-copy-id <username>@ip_address
or manually append your public key to /home/<username>/.ssh/authorized_keys (the .ssh directory must be mode 700 and the file mode 600, both owned by that user). Confirm that you can log in as the new user with the key before the next step, which disables password logins.
Next, we want to:
- Disable SSH password authentication
- Prevent root from logging in remotely
- Listen on IPv4 only
Ensure /etc/ssh/sshd_config
contains the following settings. Note that sshd keeps the first value it reads for a keyword, and on Ubuntu 22.04 and later the file starts with Include /etc/ssh/sshd_config.d/*.conf, so check those drop-ins as well: cloud images often ship a 50-cloud-init.conf that sets PasswordAuthentication yes, and because it is read first it would win over the main file.
PasswordAuthentication no
PermitRootLogin no
AddressFamily inet
It is wise to keep a second SSH session open before restarting sshd, and to validate the file first with sshd -t, just to ensure you don't accidentally lock yourself out.
sudo service sshd restart
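The drop-in pitfall above is easy to miss when you only read the main file. The script below, an added example that is not part of the original guide, resolves the effective value of a keyword the way sshd does (first occurrence wins, Include expanded in place) and checks the three settings from the list. It constructs its own demo config under mktemp -d; the path and file names are made up for the demo, and Match blocks are not modelled.

```shell
#!/bin/sh
# Added example, not part of the original guide: resolve the EFFECTIVE value of
# an sshd keyword the way sshd does. sshd keeps the FIRST value it reads for a
# keyword, keys are case-insensitive, "Key=value" is accepted, and Ubuntu 22.04+
# begins sshd_config with "Include /etc/ssh/sshd_config.d/*.conf", so a drop-in
# can win over what you wrote further down in the main file.
# Match blocks are not modelled; on a real host "sudo sshd -T" is authoritative.

# Emit the config with Include lines expanded in place (recursively). Keyword
# and path are assumed to be space-separated and the path absolute; the shell
# expands the glob.
sshd_flatten() {
    while IFS= read -r line || [ -n "$line" ]; do
        trimmed=${line#"${line%%[![:space:]]*}"}      # drop leading whitespace
        case "$trimmed" in
            [Ii]nclude\ *)
                for inc in ${trimmed#* }; do            # unquoted on purpose: glob
                    [ -f "$inc" ] && sshd_flatten "$inc"
                done ;;
            *) printf '%s\n' "$trimmed" ;;
        esac
    done < "$1"
}

# Effective value of keyword $2 in config $1, lower-cased, or "unset".
sshd_effective() {
    sshd_flatten "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^#/ || /^$/ { next }                     # comments, blank lines
        { gsub(/=/, " ") }                        # allow Key=value
        tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }'
}

# Compare config $1 against the three settings this guide requires; 1 on any miss.
sshd_check() {
    rc=0
    for want in passwordauthentication=no permitrootlogin=no addressfamily=inet; do
        key=${want%%=*}
        got=$(sshd_effective "$1" "$key")
        if [ "$got" = "${want#*=}" ]; then
            echo "ok    $key = $got"
        else
            echo "FAIL  $key = $got (want ${want#*=})"; rc=1
        fi
    done
    return $rc
}

# Constructed demo (not a real host): the main file looks hardened, but a
# cloud-init style drop-in, read first via Include, re-enables passwords.
make_demo() {
    d=$(mktemp -d)
    mkdir "$d/sshd_config.d"
    printf 'Include %s/sshd_config.d/*.conf\n' "$d" > "$d/sshd_config"
    printf 'PasswordAuthentication no\nPermitRootLogin no\nAddressFamily inet\n' >> "$d/sshd_config"
    printf 'PasswordAuthentication yes\n' > "$d/sshd_config.d/50-cloud-init.conf"
    echo "$d"
}

if [ "${1:-}" = demo ]; then
    dir=$(make_demo)
    sshd_check "$dir/sshd_config"                       # FAIL: drop-in wins
    rm "$dir/sshd_config.d/50-cloud-init.conf"
    sshd_check "$dir/sshd_config" && echo "hardened"    # all three ok
fi
```

Run it with sh script.sh demo. On the real server the equivalent check is sudo sshd -T | grep -i passwordauthentication, which prints what the daemon will actually enforce after the restart.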
Install ufw
sudo apt install ufw
Allow the ports of your required services before enabling the firewall (ufw resolves ssh, http and https through /etc/services; if sshd listens on a non-default port, allow that port explicitly instead)
sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https
Enable and double-check
sudo ufw enable
sudo ufw status
Fail2ban monitors authentication logs such as /var/log/auth.log and inserts firewall rules (iptables or nftables, depending on the configured banaction) to block IP addresses that make repeated, automated login attempts against your server. If /var/log/auth.log does not exist because the system logs only to the journal, set backend = systemd in the jail.
sudo apt install fail2ban
Copy the included base configuration to jail.local. Fail2ban reads jail.local on top of jail.conf, and jail.conf is replaced on package upgrades, so all local changes (enabling the sshd jail, maxretry, bantime) belong in jail.local.
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Restart the fail2ban service
sudo service fail2ban restart
Optionally, you can check that it is running with:
systemctl status fail2ban.service
After a while it will build up a list of banned IPs, which you can check with (the jail is named sshd on Debian and Ubuntu):
sudo fail2ban-client status sshd
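To make concrete what the sshd jail is counting, here is an added example (not part of the original guide or of fail2ban) that runs the core detection logic over a few constructed auth.log lines: count failed-login events per client address and report every address at or above maxretry. The log lines are made up and use RFC 5737 documentation addresses.

```shell
#!/bin/sh
# Added example, not part of the original guide or of fail2ban: the core of
# what the sshd jail does, reduced to one awk pass over auth.log lines. It
# counts "Failed password" and "Invalid user" events per client IP and reports
# every IP at or above maxretry. Real fail2ban also applies findtime (only
# failures within a window count) and bantime, and inserts the firewall rule
# itself; this only shows which addresses would be banned.

# Print IPs with >= $2 failures in log file $1, one per line, sorted.
ssh_offenders() {
    awk -v max="$2" '
        /sshd\[[0-9]+\]: (Failed password for|Invalid user)/ {
            # the client address is the field after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= max) print ip }
    ' "$1" | sort
}

# Constructed sample log (RFC 5737 documentation addresses, not real traffic).
write_sample_log() {
    cat > "$1" <<'EOF'
Mar  3 10:00:01 host sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:00:03 host sshd[1234]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar  3 10:00:05 host sshd[1240]: Invalid user oracle from 203.0.113.7 port 51240
Mar  3 10:00:07 host sshd[1241]: Failed password for ubuntu from 198.51.100.9 port 40000 ssh2
Mar  3 10:00:09 host sshd[1242]: Accepted publickey for ubuntu from 192.0.2.10 port 40001 ssh2: ED25519
EOF
}

if [ "${1:-}" = demo ]; then
    log=$(mktemp)
    write_sample_log "$log"
    echo "would ban with maxretry=3:"
    ssh_offenders "$log" 3      # 203.0.113.7
    rm -f "$log"
fi
```

With maxretry=3 only 203.0.113.7 qualifies; the single failure from 198.51.100.9 and the successful key login from 192.0.2.10 are ignored, which is why a legitimate user with one typo is not locked out.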
# Install certbot
apt install certbot python3-certbot-nginx
# Disable the default virtual host that is pre-configured when Nginx is installed via Ubuntu's package manager apt:
unlink /etc/nginx/sites-enabled/default
# Create the reverse proxy server (found below)
vim /etc/nginx/sites-available/reverse-proxy.conf
ln -s /etc/nginx/sites-available/reverse-proxy.conf /etc/nginx/sites-enabled/reverse-proxy.conf
# Test the config file
nginx -t
# Obtain SSL Certificate
certbot --nginx -d <domain_name_here>
# Optionally, double-check that renewing works
# Check service timer
systemctl status certbot.timer
# Dryrun certificate renewal
certbot renew --dry-run
This configuration proxies all requests for the domain to the application listening on 127.0.0.1:8080. certbot --nginx will add the listen 443 ssl block and the HTTP-to-HTTPS redirect to this file.
server {
    server_name <domain_name_here>;
    listen 80;
    listen [::]:80;

    location / {
        proxy_pass http://127.0.0.1:8080;
        # Pass the original host and client address through to the app;
        # without these the backend sees 127.0.0.1 as every client.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
If you wish to run CI/CD scripts triggered from your GitHub repositories, you can use webhook. Download and install it like so:
# Download webhook
wget https://github.com/adnanh/webhook/releases/download/2.7.0/webhook-linux-amd64.tar.gz
# Extract
tar xvzf webhook-linux-amd64.tar.gz
# Move to user binaries and remove downloaded files
mv webhook-linux-amd64/webhook /usr/local/bin/webhook
rm -r webhook-linux-amd64 webhook-linux-amd64.tar.gz
If you wish to run it as a service, you can use the configuration below, and start/enable it like so:
# Create webhook systemd service
vim /etc/systemd/system/webhook.service   # local units belong here, not in /lib/systemd/system, which the package manager owns
# Start & enable webhook service
systemctl daemon-reload
systemctl start webhook.service
systemctl enable webhook.service
Remember to substitute the app_user and the paths in the ExecStart line accordingly. Every hook script runs with that user's rights, so use the unprivileged account, not root.
[Unit]
Description=Webhook for GitHub CI/CD
After=network.target

[Service]
Type=simple
# Unprivileged account created earlier; hook scripts inherit its permissions.
User=<app_user>
# systemd expects an absolute path; the binary was moved to /usr/local/bin above.
ExecStart=/usr/local/bin/webhook -hooks <path_to_hooks.json> -hotreload -logfile <path_to_webhook_logs>
Restart=on-failure

[Install]
WantedBy=multi-user.target
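webhook listens on all interfaces by default, and a hook without a trigger rule can be fired by anyone who can reach it. The added example below (not part of the original guide or of the webhook project) shows the check that webhook's payload-hmac-sha256 rule performs on GitHub deliveries: HMAC-SHA256 over the raw body with the shared secret, compared to the X-Hub-Signature-256 header. It needs openssl; the secret and payload are constructed for the demo, and the hooks.json fragment in the comment follows the shape in webhook's Hook-Rules.md and should be checked against your version.

```shell
#!/bin/sh
# Added example, not part of the original guide or of the webhook project: the
# check behind webhook's "payload-hmac-sha256" trigger rule. GitHub computes
# HMAC-SHA256(secret, raw request body) and sends it as
# "X-Hub-Signature-256: sha256=<hex>". A hook with no such rule can be fired
# by anyone who can reach the port, so set a secret on both sides.
# Requires openssl; the secret and payload below are constructed for the demo.

# Hex HMAC-SHA256 of body $2 under secret $1 (sed strips openssl's "(stdin)= ").
hmac_sha256() {
    printf '%s' "$2" | openssl dgst -sha256 -hmac "$1" | sed 's/^.*= //'
}

# Return 0 if header value $3 is the valid signature of body $2 under secret $1.
# Plain shell string comparison is not constant-time; a real implementation
# should compare signatures with a constant-time function.
verify_github_sig() {
    [ "sha256=$(hmac_sha256 "$1" "$2")" = "$3" ]
}

# The matching hooks.json rule (shape per webhook's Hook-Rules.md; check it
# against the version you installed) would be:
#   "trigger-rule": { "match": { "type": "payload-hmac-sha256",
#                                "secret": "<same secret as in GitHub>",
#                                "parameter": { "source": "header",
#                                               "name": "X-Hub-Signature-256" } } }

DEMO_SECRET='constructed-demo-secret'
DEMO_BODY='{"ref":"refs/heads/main","repository":{"full_name":"example/app"}}'

if [ "${1:-}" = demo ]; then
    sig="sha256=$(hmac_sha256 "$DEMO_SECRET" "$DEMO_BODY")"
    echo "header: X-Hub-Signature-256: $sig"
    verify_github_sig "$DEMO_SECRET" "$DEMO_BODY" "$sig" && echo "genuine delivery accepted"
    verify_github_sig "$DEMO_SECRET" "${DEMO_BODY}x" "$sig" || echo "tampered body rejected"
fi
```

Because ufw above only opens 22, 80 and 443, GitHub cannot reach webhook's default port 9000 until you either allow it or proxy the hook path through nginx; either way, the secret is what stops arbitrary callers from running your deploy scripts.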
To use Vim instead of Nano:
update-alternatives --config editor
To have sudo cache your password for 1 hour (timestamp_timeout is in minutes), edit sudoers with visudo and add:
Defaults timestamp_timeout=60