Hardening the Server
I don’t want to expose many services on my home network to the internet, but I still want all of them reachable online. Cloudflare and Tailscale make that possible, but there are a few extra measures worth repeating on every future VM to keep the attack surface as small as possible.
Only allow SSH over the local network
Exposing SSH to the internet, especially for root or for users in the sudoers file, is a great way for attackers to get in and mess with your data. Restricting SSH to the local network still lets me work on the systems remotely, but only from within my network and never directly over the internet. The rule below only has that effect once ufw is enabled, since its default policy is to deny incoming connections that no rule allows.
$ sudo ufw allow from 192.168.1.0/24 to any port 22 proto tcp
Check if any ports are listening
$ sudo ss -tulpn
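Reading the ss output by eye works for a couple of services but gets error-prone as a VM grows. The script below is an added example, not part of the original notes: it parses the output of ss -tulpn (a constructed sample is embedded, since the script runs offline) and reports every socket bound to a wildcard address (0.0.0.0, *, [::]) whose port is not on an allowlist of ports you deliberately expose. Sockets bound to loopback are ignored because they are not reachable from the network. The allowlist value {22} is an assumption matching the SSH rule above; adjust it to the ports you actually intend to serve.

```python
"""Flag listening sockets that are reachable from the network (added example)."""
import re
from dataclasses import dataclass

# Addresses that mean "listen on every interface"
WILDCARD_ADDRS = {"0.0.0.0", "*", "[::]", "::"}

# Constructed sample of `sudo ss -tulpn` output, not captured from a real host
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*        users:(("systemd-resolve",pid=512,fd=13))
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*        users:(("sshd",pid=801,fd=3))
tcp   LISTEN 0      4096   127.0.0.1:6379      0.0.0.0:*        users:(("redis-server",pid=955,fd=6))
tcp   LISTEN 0      511    *:8080              *:*              users:(("node",pid=1203,fd=19))
tcp   LISTEN 0      128    [::]:22             [::]:*           users:(("sshd",pid=801,fd=4))
"""


@dataclass(frozen=True)
class Listener:
    netid: str    # tcp or udp
    addr: str     # local address with any %interface scope removed
    port: int
    process: str  # process name from the users:(...) column, "?" if not shown


def split_addr_port(local: str) -> tuple[str, str]:
    """Split '[::]:22' or '127.0.0.53%lo:53' into (address, port-string)."""
    addr, _, port = local.rpartition(":")
    return addr.split("%", 1)[0], port


def parse_ss(output: str) -> list[Listener]:
    """Parse the tabular ss output; the first line is the header row."""
    listeners = []
    for line in output.splitlines()[1:]:
        # Split into at most 7 fields so the Process column keeps its own spaces
        fields = line.split(None, 6)
        if len(fields) < 6:
            continue
        netid, _state, _recvq, _sendq, local, _peer = fields[:6]
        addr, port = split_addr_port(local)
        if not port.isdigit():
            continue  # not a bound numeric port, nothing to report
        proc_col = fields[6] if len(fields) > 6 else ""
        m = re.search(r'\("([^"]+)"', proc_col)
        listeners.append(Listener(netid, addr, int(port), m.group(1) if m else "?"))
    return listeners


def exposed_listeners(listeners: list[Listener], allowed_ports: set[int]) -> list[Listener]:
    """Return sockets bound on all interfaces whose port is not explicitly allowed."""
    return [l for l in listeners if l.addr in WILDCARD_ADDRS and l.port not in allowed_ports]


def report(output: str, allowed_ports: set[int]) -> list[str]:
    """Human-readable lines, one per unexpected network-reachable socket."""
    return [f"{l.netid} {l.addr}:{l.port} ({l.process}) is reachable from the network"
            for l in exposed_listeners(parse_ss(output), allowed_ports)]


if __name__ == "__main__":
    # {22} is an assumed allowlist: SSH is expected, and the ufw rule limits it to the LAN
    for line in report(SAMPLE_SS_OUTPUT, {22}) or ["no unexpected listeners"]:
        print(line)
```

On a live host, pipe the real output in with `sudo ss -tulpn | python3 check_listeners.py` after swapping the sample for `sys.stdin.read()`; anything it prints is a service that should either be bound to 127.0.0.1, fronted by the tunnel, or firewalled.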
Update Security Patches on Ubuntu Automatically
$ sudo apt update
$ sudo apt install unattended-upgrades
$ sudo nano /etc/apt/apt.conf.d/50unattended-upgrades
Uncomment the security origin line:
"${distro_id}:${distro_codename}-security";
Remove unused dependencies and reboot daily at 3am:
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "03:00";
Then update the periodic apt actions:
$ sudo nano /etc/apt/apt.conf.d/20auto-upgrades
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::Unattended-Upgrade "1";
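Because these settings are edited by hand on every new VM, it is easy to forget one line or leave the security origin commented out. The following script is an added example, not part of the original notes: it parses the simple subset of apt.conf syntax these two files use (`Key "value";` lines and `Name { "entry"; }` blocks, with `//` and `#` comment lines treated as disabled) and checks that every setting listed above is present with the expected value. The two config texts embedded in it are constructed samples, one correct and one with the security origin still commented out and automatic reboot disabled; on a real host you would read the actual files from /etc/apt/apt.conf.d/ instead.

```python
"""Audit unattended-upgrades settings against the values in these notes (added example)."""
import re

# Expected values, taken from the two files edited above
REQUIRED_50 = {
    "Unattended-Upgrade::Remove-Unused-Dependencies": "true",
    "Unattended-Upgrade::Automatic-Reboot": "true",
    "Unattended-Upgrade::Automatic-Reboot-Time": "03:00",
}
REQUIRED_20 = {
    "APT::Periodic::Update-Package-Lists": "1",
    "APT::Periodic::Download-Upgradeable-Packages": "1",
    "APT::Periodic::Unattended-Upgrade": "1",
}
SECURITY_ORIGIN = "${distro_id}:${distro_codename}-security"

KV_RE = re.compile(r'^([\w:.-]+)\s+"([^"]*)"\s*;')   # Key "value";
BLOCK_OPEN_RE = re.compile(r'^([\w:.-]+)\s*\{')       # Name {
ENTRY_RE = re.compile(r'^"([^"]*)"\s*;')              # "entry"; inside a block

# Constructed sample: correctly edited 50unattended-upgrades
GOOD_50 = """\
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}";
    "${distro_id}:${distro_codename}-security";
//  "${distro_id}:${distro_codename}-updates";
};
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "03:00";
"""

# Constructed sample: security origin still commented out, reboot disabled
BAD_50 = """\
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}";
//  "${distro_id}:${distro_codename}-security";
};
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Automatic-Reboot "false";
Unattended-Upgrade::Automatic-Reboot-Time "03:00";
"""

# Constructed sample: correctly edited 20auto-upgrades
GOOD_20 = """\
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::Unattended-Upgrade "1";
"""


def parse_apt_conf(text: str) -> tuple[dict, dict]:
    """Return (scalars, lists) for the subset of apt.conf syntax used here."""
    scalars, lists = {}, {}
    block = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("//") or line.startswith("#"):
            continue  # blank or commented out, i.e. not in effect
        if block is None:
            if (m := BLOCK_OPEN_RE.match(line)):
                block = m.group(1)
                lists.setdefault(block, [])
            elif (m := KV_RE.match(line)):
                scalars[m.group(1)] = m.group(2)
        elif line.startswith("}"):
            block = None
        elif (m := ENTRY_RE.match(line)):
            lists[block].append(m.group(1))
    return scalars, lists


def audit(conf50_text: str, conf20_text: str) -> list[str]:
    """List every setting that is missing or differs from the expected value."""
    findings = []
    s50, l50 = parse_apt_conf(conf50_text)
    s20, _ = parse_apt_conf(conf20_text)
    if SECURITY_ORIGIN not in l50.get("Unattended-Upgrade::Allowed-Origins", []):
        findings.append("security origin not enabled in Unattended-Upgrade::Allowed-Origins")
    for required, scalars in ((REQUIRED_50, s50), (REQUIRED_20, s20)):
        for key, want in required.items():
            got = scalars.get(key)
            if got != want:
                findings.append(f'{key}: expected "{want}", found {got!r}')
    return findings


if __name__ == "__main__":
    for name, text50 in (("good", GOOD_50), ("bad", BAD_50)):
        print(name, audit(text50, GOOD_20) or "OK")
```

An empty result means both files match the notes; each finding names the key to fix, so the script can run from a post-provisioning check before a VM is considered done.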