SSH, UFW & Crowdsec

We start by creating a new user who will be given full system privileges via sudo. Later we change the login method to public keys only. At the moment we are root.

# add user to system
useradd -m -c "<USER NAME>" -g users -s /bin/bash -d /home/USER USER

# assign password to USER
passwd USER

# switch to USER
su - USER

# home of the ssh public key (for login)
mkdir ~/.ssh && touch ~/.ssh/authorized_keys && \
chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys

Upload your public SSH key to the server; generate one first if you don't have it. Run both commands on your local machine, not on the server. Password login still works at this point, which ssh-copy-id needs.

# generate public & private key. do not forget to backup them.
ssh-keygen -t ed25519

# publish public key to server
ssh-copy-id -i ~/.ssh/id_ed25519.pub USER@REMOTE_SERVER_IP

We are back as root on the remote server and harden the SSH daemon. The tee command overwrites the whole file, so keep a copy of the original. Adjust the values to your needs; the #! remarks explain each one.

tee /etc/ssh/sshd_config << EOF > /dev/null
#! standard port is 22. change to reduce noise on firewall.
Port 12345
#! we don't allow root. only USER.
PermitRootLogin no
IgnoreRhosts yes
#! only ssh public key authentication is allowed
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowTcpForwarding no
Compression no
LogLevel verbose
TCPKeepAlive no
AllowAgentForwarding no
#! modern cryptographic only
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
HostKeyAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
PrintMotd no
#! only the listed accounts may log in (space separated). USER must be here.
AllowUsers USER
AcceptEnv LANG LC_*
Subsystem sftp	/usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO
EOF

Add our USER to the sudoers list. The sed pattern contains a literal tab, which matches the default root line on Debian/Ubuntu. Check the result with visudo -c afterwards: a syntax error in /etc/sudoers disables sudo entirely.

sed -i -e '/root	ALL=(ALL:ALL) ALL/ i <USER> ALL=(ALL:ALL) ALL' /etc/sudoers

Restart SSHd. Validate the new configuration first with sshd's -t option, so a typo cannot leave you locked out.

systemctl restart sshd

Before you end the current SSH session, check that you can log in with your new user from a second terminal (ssh USER@REMOTE_IP -p PORT). Furthermore, check that you can change to the root user (sudo -i). I told you :)

UFW - Uncomplicated Firewall

apt install ufw -y

Default policy: allow anything out, deny anything in.

ufw default deny incoming && ufw default allow outgoing

Configure inbound rules as needed. Take care to allow the SSH port you set in sshd_config, otherwise enabling the firewall locks you out.

# SSH (must match the Port in sshd_config)
ufw allow 12345/tcp
# SMTP (server<->server)
ufw allow 25/tcp
# HTTP
ufw allow 80/tcp
# HTTPS
ufw allow 443/tcp
# SMTP implicit TLS
ufw allow 465/tcp
# SMTP StartTLS
ufw allow 587/tcp
# IMAP secure
ufw allow 993/tcp

Enable ufw and start service.

sed -i 's/ENABLED=no/ENABLED=yes/g' /etc/ufw/ufw.conf

systemctl enable ufw && systemctl restart ufw
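The two steps above that can lock you out are restarting sshd with a bad config and enabling ufw without the SSH port. The following pre-flight script is an added example, not part of the original guide or of OpenSSH/ufw. It audits an sshd_config the way sshd reads it (the first value of a keyword wins and global settings stop at the first Match line, so a hardening line appended below an earlier PasswordAuthentication yes does nothing) and then checks that the planned ufw allow list contains the effective SSH port. The configs it tests against are constructed inline; the file paths, function names and the account name USER are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the original guide): pre-flight checks for the
# sshd_config and ufw steps. Mirrors sshd's parsing rules: first value of a
# keyword wins, keywords are case-insensitive, global scope ends at "Match".

# sshd_effective FILE KEYWORD -> effective global value of KEYWORD, empty if unset
sshd_effective() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blank lines
        tolower($1) == "match"               { exit }   # global section ends here
        tolower($1) == tolower(key)          { print $2; exit }   # first wins
    ' "$1"
}

# sshd_audit FILE -> prints one FAIL line per violated expectation; returns 0 if clean
sshd_audit() {
    rc=0
    for pair in PermitRootLogin=no PasswordAuthentication=no \
                ChallengeResponseAuthentication=no AllowTcpForwarding=no \
                AllowAgentForwarding=no IgnoreRhosts=yes
    do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_effective "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL: $key is '${got:-unset}', expected '$want'"
            rc=1
        fi
    done
    if [ -z "$(sshd_effective "$1" AllowUsers)" ]; then
        echo "FAIL: AllowUsers is unset, every local account may log in"
        rc=1
    fi
    return $rc
}

# ssh_port FILE -> effective SSH port, 22 when no global Port line exists
ssh_port() {
    port=$(sshd_effective "$1" Port)
    echo "${port:-22}"
}

# ufw_guard FILE RULE... -> 0 if the SSH port is among the planned "ufw allow" rules
ufw_guard() {
    cfg=$1; shift
    want="$(ssh_port "$cfg")/tcp"
    for rule in "$@"; do
        [ "$rule" = "$want" ] && return 0
    done
    echo "FAIL: SSH port $want is not in the allow list, ufw enable would lock you out" >&2
    return 1
}

# --- demo on constructed configs (temporary files, not the guide's real files) ---
good=$(mktemp); bad=$(mktemp)
cat > "$good" <<'CFG'
Port 12345
PermitRootLogin no
IgnoreRhosts yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowTcpForwarding no
AllowAgentForwarding no
AllowUsers USER
CFG
# Looks hardened when grepped for "no", but the first PasswordAuthentication
# wins, AllowUsers only applies inside the Match block, and Port falls back to 22.
cat > "$bad" <<'CFG'
PasswordAuthentication yes
PermitRootLogin no
IgnoreRhosts yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowTcpForwarding no
AllowAgentForwarding no
Match Address 192.0.2.0/24
    AllowUsers USER
CFG
for f in "$good" "$bad"; do
    if sshd_audit "$f"; then echo "$f: hardened"; else echo "$f: NOT hardened"; fi
done
# Same allow list as the ufw step above (SSH on 12345, mail and web ports).
for f in "$good" "$bad"; do
    if ufw_guard "$f" 12345/tcp 25/tcp 80/tcp 443/tcp 465/tcp 587/tcp 993/tcp; then
        echo "$f: safe to enable ufw"
    else
        echo "$f: fix the allow list before ufw enable"
    fi
done
rm -f "$good" "$bad"
```

Run it against the real file with `sshd_audit /etc/ssh/sshd_config` before the restart; this complements rather than replaces sshd's own -t syntax check, which catches typos but says nothing about which values are effective.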

CrowdSec

CrowdSec is a behaviour-based detection engine that recognises classic attacks such as brute force and port scans from your logs and, together with a bouncer, blocks the offending IPs (https://www.crowdsec.net).

Integrate CrowdSec repository.

curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | sudo bash

Install CrowdSec and the iptables firewall bouncer, which turns CrowdSec decisions into firewall blocks.

apt install crowdsec crowdsec-firewall-bouncer-iptables -y

Useful commands.

# log-processing agents registered with the local API
cscli machines list
# bouncers registered with the local API (the firewall bouncer should show up here)
cscli bouncers list
# detected scenarios (what triggered)
cscli alerts list
# active bans and other decisions (what is blocked right now)
cscli decisions list
# parsing and bucket statistics; useful to confirm your logs are actually read
cscli metrics

Ban your own IP for two minutes to verify the bouncer really blocks. Expect your SSH session to hang until the decision expires on its own.

cscli decisions add --ip YOUR.IP --duration 2m