@rxgx
Last active October 10, 2019 11:16
Code Server Security Checklist for Ubuntu 18 LTS

Code Server Checklist

Use these steps to lock down your cloud instance of code-server: only whitelisted users get SSH access, and browser (e.g. Safari) access is limited to HTTPS traffic only.

Login as Root

If you don't specify a user, ssh logs in with the username of the current user on your local machine.

ssh root@<ip_address>

Change the root password.

passwd

Add a new user and assign to the sudo group.

adduser <user>
usermod -aG sudo <user>

TIP: As an alternative to adding users to the sudo group, you can copy the root entry in visudo for the new user. visudo locks the sudoers file while you edit it, so no other user or session can modify the root or sudo permissions at the same time.

Open a new terminal and be certain this newly created account has sudo permissions.

sudo ls -lash /root

If the list of files in the /root folder displays, it is okay to logout or exit out of the terminal window that is currently logged in as root.

Use Your Public Key

It is preferred that you use a public key to login to the host. Here's how to copy your local public key to the server using secure file copy (SCP).

scp ~/.ssh/id_rsa.pub <user>@<ip_address>:/home/<user>/

Create the .ssh directory, move the key into place as authorized_keys, and give it the user's ownership and the restrictive permissions sshd requires.

mkdir /home/<user>/.ssh
mv /home/<user>/id_rsa.pub /home/<user>/.ssh/authorized_keys
chown -R <user>:<user> /home/<user>/.ssh
chmod 700 /home/<user>/.ssh
chmod 600 /home/<user>/.ssh/authorized_keys
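The steps above work, but `mv` overwrites any authorized_keys that already exists, and nothing checks that the file you copied up is actually a public key. The following is an added example (not part of the original gist) that does the same installation defensively: it refuses anything that is not a single OpenSSH public-key line, appends instead of overwriting, skips a key that is already present, and verifies the resulting modes. The home directory is a parameter so it can be tried on a scratch directory; `stat -c` assumes GNU coreutils, which Ubuntu has.

```shell
#!/bin/sh
# Added example, not the gist's own commands. Assumes GNU coreutils (stat -c).
# Usage on the host, as root:  install_authorized_key /home/<user> /home/<user>/id_rsa.pub

# Return 0 if the file holds exactly one OpenSSH public-key line
# (key type, base64 blob, optional comment).
is_openssh_pubkey() {
    [ "$(grep -c '' "$1")" -eq 1 ] || return 1
    grep -Eq '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com) [A-Za-z0-9+/]+=*( .*)?$' "$1"
}

# Return 0 if .ssh is 700 and authorized_keys is 600, as sshd expects.
check_ssh_perms() {
    [ "$(stat -c %a "$1/.ssh")" = "700" ] &&
    [ "$(stat -c %a "$1/.ssh/authorized_keys")" = "600" ]
}

# Install the public key in $1/.ssh/authorized_keys without clobbering existing keys.
install_authorized_key() {
    home_dir=$1
    pubkey=$2
    if ! is_openssh_pubkey "$pubkey"; then
        echo "refusing: $pubkey is not a single OpenSSH public key" >&2
        return 1
    fi
    ssh_dir="$home_dir/.ssh"
    auth="$ssh_dir/authorized_keys"
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth"
    chmod 600 "$auth"
    # Compare only "type blob" so a different comment does not create a duplicate entry.
    key_id=$(awk '{print $1 " " $2}' "$pubkey")
    if ! awk '{print $1 " " $2}' "$auth" | grep -Fxq "$key_id"; then
        # $(cat) strips the trailing newline; printf adds exactly one back.
        printf '%s\n' "$(cat "$pubkey")" >> "$auth"
    fi
    # When run as root, hand ownership to whoever owns the home directory.
    if [ "$(id -u)" -eq 0 ]; then
        owner=$(stat -c %U "$home_dir")
        chown -R "$owner:$owner" "$ssh_dir"
    fi
    check_ssh_perms "$home_dir"
}
```

Run it once per key; a second run with the same key is a no-op, which is what you want when the step is repeated from a provisioning script.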

Create a Public Key

If you do not have a public key, then here's how to create one on the server.

mkdir ~/.ssh
chmod 700 ~/.ssh
cd ~/.ssh
ssh-keygen -t rsa -b 4096 -C "[email protected]"

If you accepted the defaults, you will now have an id_rsa and an id_rsa.pub file. Next, add the key to the ssh agent. Start the agent in your shell (it prints its process id) with the following command:

eval "$(ssh-agent -s)"

The output should look something like the following if it is running.

> Agent pid 59566

If you're on a recent version of macOS, you'll also need to add the following to your SSH config file (~/.ssh/config).

Host *
  AddKeysToAgent yes
  UseKeychain yes
  IdentityFile ~/.ssh/id_rsa

Finally, add the key to the SSH agent.

ssh-add -K ~/.ssh/id_rsa

Disable Password Authentication

Only perform this step if you have copied in an SSH key and plan to use it for authentication; otherwise it will lock you out of your server with no way of connecting.

Edit the config file.

vi /etc/ssh/sshd_config

Edit the following lines.

PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
UseDNS no
AllowUsers <user>

AllowUsers: This is a whitelist of users allowed to log in. Add the name of your newly created account here. If you need to allow remote logins for more than one user, add the additional users to the AllowUsers setting separated by spaces.

Reload the SSH server; passwords will no longer be accepted.

sudo systemctl reload sshd
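Editing sshd_config by hand is error-prone: Ubuntu ships most of these directives commented out, sshd honours only the first uncommented occurrence, and a typo only shows up when you try to log back in. The following is an added example (not part of the original gist) that applies the five directives above idempotently to a config file and then checks the effective values the way sshd reads them. The file path is a parameter so you can exercise it on a copy before touching /etc/ssh/sshd_config; `sed -i` with the `I` flag assumes GNU sed.

```shell
#!/bin/sh
# Added example, not the gist's own commands. Assumes GNU sed (-i, I flag).
# On the host:  harden_sshd_config /etc/ssh/sshd_config <user> && sshd -t && systemctl reload sshd

# Set "key value" in the file: rewrite an existing (possibly commented-out)
# occurrence, otherwise append. Directive names are case-insensitive in sshd.
set_sshd_directive() {
    file=$1
    key=$2
    value=$3
    if grep -Eiq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|$)" "$file"; then
        sed -i -E "s|^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?$|$key $value|I" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# Apply the checklist's settings; $2 is the sole user allowed to log in.
harden_sshd_config() {
    file=$1
    user=$2
    set_sshd_directive "$file" PermitRootLogin no
    set_sshd_directive "$file" PasswordAuthentication no
    set_sshd_directive "$file" ChallengeResponseAuthentication no
    set_sshd_directive "$file" UseDNS no
    set_sshd_directive "$file" AllowUsers "$user"
}

# Print the effective value of a directive: first uncommented occurrence wins, like sshd.
sshd_effective() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Return 0 only if every lockdown directive is "no" and AllowUsers is non-empty.
check_sshd_config() {
    file=$1
    for k in PermitRootLogin PasswordAuthentication ChallengeResponseAuthentication UseDNS; do
        if [ "$(sshd_effective "$file" "$k")" != "no" ]; then
            echo "$k is not set to no" >&2
            return 1
        fi
    done
    if [ -z "$(sshd_effective "$file" AllowUsers)" ]; then
        echo "AllowUsers is missing" >&2
        return 1
    fi
}
```

Before reloading, run `sshd -t` to have sshd parse the file itself, and keep your existing session open while you confirm a fresh key-based login works in a second terminal.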

Firewall Configuration

Allow inbound SSH (port 22) and HTTPS (port 443).

sudo ufw allow OpenSSH
sudo ufw allow https

Enable the firewall and make sure the above apps are added.

sudo ufw enable
sudo ufw status

Optional: Synchronize Time

Set the timezone

timedatectl set-timezone America/Los_Angeles

Install NTP (network time protocol) server.

sudo apt-get update
sudo apt-get install ntp

Start or restart the time server

sudo service ntp restart

Verify the time and timezone

timedatectl
rxgx commented Oct 10, 2019

May need to add this for using zsh: chsh -s $(which zsh)
