-
Disable Root
The most common brute-force login attempt is against the root user, because every Linux server has a root user. Other commonly attempted usernames are things like 'server' or 'admin', so I would avoid using usernames like these.
In /etc/ssh/sshd_config, find the commented-out line
#PermitRootLogin yes
and replace it with
PermitRootLogin no
After that small change, the only thing left to do is to restart the SSH daemon so the change takes effect. You can accomplish that with the command
sudo systemctl restart sshd.service
-
SSH Keys
SSH keys are very hard to crack, so it is not really worth attempting to brute-force SSH if password login is disabled. Before you disable password authentication, you first need to set up an account with an SSH key, which you can do by running
ssh-keygen -t rsa
This command has a few prompts that you can set as you like; the only one I recommend not leaving at its default is the key's passphrase. Then copy the public key over to the user account on the server, which you can do with
ssh-copy-id user@server
If you are prompted about the host's authenticity, reply with `yes`. After that, validate that the key works by SSHing into the server. Once the key login works, edit /etc/ssh/sshd_config, find the PasswordAuthentication line and set it to
PasswordAuthentication no
After that small change, the only thing left to do is to restart the SSH daemon so the change takes effect. You can accomplish that with the command
sudo systemctl restart sshd.service
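As an added check that is not part of the original post, the following shell script audits an sshd_config file for the two directives changed above, treating a directive that only appears commented out as unset (the temporary file name and the sample config contents are constructed for the example):

```shell
#!/bin/sh
# Added example, not part of the original post: audit an sshd_config file for
# the two directives this guide changes. A directive that only appears
# commented out (e.g. "#PermitRootLogin yes") is not active; sshd uses its
# built-in default instead, so the check reports it as "unset". For the live
# effective values (including any Include'd files) compare with `sshd -T`.

# Print the active value of a directive, or "unset" if absent or commented out.
# Usage: sshd_setting <config-file> <Directive>
sshd_setting() {
    # Drop comment lines, match the keyword case-insensitively and take the
    # first hit, because sshd honours the first occurrence of a directive.
    value=$(grep -v '^[[:space:]]*#' "$1" \
        | awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }')
    if [ -z "$value" ]; then echo unset; else echo "$value"; fi
}

# Return 0 only when both directives are explicitly "no"; print one status
# line per directive so the output doubles as a report.
audit_sshd_config() {
    rc=0
    for key in PermitRootLogin PasswordAuthentication; do
        val=$(sshd_setting "$1" "$key")
        if [ "$val" = "no" ]; then
            echo "OK   $key $val"
        else
            echo "FAIL $key $val (expected no)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample mirroring the "before" state in the guide: root login is
# only commented out and password authentication is still explicitly enabled.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
# constructed sshd_config excerpt
Port 22
#PermitRootLogin yes
PasswordAuthentication yes
EOF

audit_sshd_config "$SAMPLE_CFG" || echo "sample config is not hardened yet"
```

On a real server run it as `audit_sshd_config /etc/ssh/sshd_config` and confirm the result against `sshd -T`, which also reflects any drop-in files the main file includes.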
-
Fail2Ban
Fail2Ban is a great application that can automatically ban an IP address for a specified amount of time if it fails its checks. Personally, I have jails set up for invalid users and repeat offenders. So if someone tries to log in as root or as a user that doesn't exist they get banned, and if they get banned multiple times they will get increasingly longer ban times. For this guide, we will just use the default installation, which comes with some default jails set up. The only thing required is to install the application, which can be done with
sudo apt update
sudo apt install fail2ban
# Then validate it has started properly
sudo systemctl status fail2ban
Fail2Ban should come with a default configuration for SSH in which, after 3 failed login attempts, the IP is banned for 30 minutes.
-
OpenVPN
When using a private VPN, you can actually disable the port forwarding for port 22. You can set up the VPN to work a lot like a Virtual LAN (VLAN). If you disable port 22 on your router you won't be able to SSH directly into your server anymore; you will have to connect to your VPN first and then SSH into your server using the VPN gateway IP. For this example, we will be running OpenVPN inside a Docker container. Personally, I like to use docker-compose so that I don't have to remember the command and can just call docker-compose up to build and start the container. The docker-compose.yml file will look like this
version: '3'
services:
  openvpn:
    container_name: openvpn
    image: linuxserver/openvpn-as
    network_mode: bridge
    cap_add:
      - NET_ADMIN
    environment:
      # User ID to use in the container, optional
      - PUID=1008
      # Group ID to use in the container, optional
      - PGID=1008
      - TZ=America/New_York
    volumes:
      # Set the volume to use
      - ./config:/config
    ports:
      - 943:943
      - 9443:9443
      - 1194:1194/udp
    restart: always
After starting the container with docker-compose up, you need to sign in to the admin page at https://DOCKER-HOST-IP:943/admin with the credentials admin and password respectively. The first thing to do is to create a new user under the user management section. Give the new user admin privileges, then switch accounts and delete the admin user. Once you have the user sorted out, you need to set the public IP or domain name under Configuration -> Network Settings -> Hostname or IP Address. That should be pretty much it; the default gateway IP for a bridged Docker network should be 172.17.0.1, so the routing should be correct by default. You will need to port forward ports 9443 and 1194 on your router.
After everything is said and done, you can go to https://DOCKER-HOST-IP:943 and sign in with your user; at the bottom there's a user-locked link that will download a VPN configuration file. You can use this with Ubuntu's built-in VPN settings, or install openvpn3 and connect using the configuration file. Once connected, you will be able to access applications that are open on your server but not opened on your router, so if you disable the port 22 port forwarding you will still be able to SSH into your server after connecting to your now private VPN, using the VPN gateway IP, which should be 172.17.0.1.