Any tips for hardening a new box

Anyone got any more tips besides passwordless ssh login & fail2ban?

I change the SSH port … yeah security by obscurity is not ideal, but it does greatly cut down on failed login attempts as most people will simply move on to another IP rather than port scan to find the open ssh port.
In addition to SSH keys, changing the SSH port and Fail2ban, you could maybe also limit SSH access to specific IPs or IP ranges. But this is of course only possible when you have a fixed IP address, so it’s not an option for most home users.

Some VPS providers also provide a separate firewall in front of their VPSs, so you could block SSH entirely and only open it as needed.

Other than that, enable 2FA for the WebUI and use secure passwords for your email accounts.

So I shouldn’t use Password1… Darn! j/k

Touch wood, so far I’ve found MIAB to be adequately locked down :) You’d expect it to be OK - the box has only a little software running, nothing with obvious weaknesses, and it’s kept up to date. Mine is behind a router/firewall and I’ve only opened the 10 required ports.

I did add a couple of extra fail2ban rules, to catch bots trying to brute-force smtp submission, and to be a little stronger on ssh attempts. At some point I’ll offer them as a pull request…
Very insecure because of missing special characters. Better would be UGFzc3dvcmQ= ;)

Base64 for Password1 ?

FWIW, here is one I use. Obviously skip some of the crypto library stuff. GitHub - akcryptoguy/vps-harden: Interactive script to Harden Security on a Ubuntu VPS
That script looks pretty handy indeed. Thanks for that!

I’d be interested in seeing those extra fail2ban rules. The only one that I’ve added personally is on the UFW logs to block portscans; the rules seem to already cover everything else I need.

The rules are quite simple. One looks for invalid SSH logins and is quicker to block than the default rules. The other looks for questionable SMTP submissions, being anything that disconnects after 0 logins (“auth=0/1”), or anything that drops the connection after the EHLO.
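As an added illustration (not the poster's actual fail2ban rules, not MIAB code, and not fail2ban itself), the following script runs the two kinds of detection described above over constructed log lines: the "submission" rule (Postfix disconnect summaries showing `auth=0/N`, or an EHLO with no AUTH, MAIL or QUIT afterwards) and the UFW portscan rule (one source hitting several distinct blocked ports in a short window). The exact match conditions, thresholds, window lengths, hostnames and IP addresses are assumptions chosen for the example; the log line formats follow what Postfix and UFW normally write to syslog.

```python
"""Fail2ban-style detection over constructed Postfix submission and UFW log lines.

Added example: the regexes and thresholds are assumptions, not MIAB's or the
poster's rules. The log lines below are constructed samples, not real traffic.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample mail.log lines: a bot that fails AUTH twice and then drops
# after EHLO, a client that sends EHLO and QUIT politely, and a real session.
MAIL_LOG = """\
Mar 10 12:00:01 box postfix/submission/smtpd[2210]: disconnect from unknown[198.51.100.7] ehlo=1 auth=0/1 commands=1/2
Mar 10 12:00:03 box postfix/submission/smtpd[2211]: disconnect from unknown[198.51.100.7] ehlo=1 auth=0/1 quit=1 commands=2/3
Mar 10 12:00:05 box postfix/submission/smtpd[2212]: disconnect from unknown[198.51.100.7] ehlo=1 commands=1
Mar 10 12:00:07 box postfix/submission/smtpd[2213]: disconnect from probe.example[203.0.113.5] ehlo=1 quit=1 commands=2
Mar 10 12:00:09 box postfix/submission/smtpd[2214]: disconnect from laptop.example[203.0.113.10] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8
""".splitlines()

# Constructed sample kern.log lines: 192.0.2.9 sweeps five different ports in
# under a minute; 192.0.2.77 keeps retrying the same port (not a sweep).
_UFW = ("Mar 10 12:01:{sec:02d} box kernel: [ 8123.4] [UFW BLOCK] IN=eth0 OUT= "
        "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC={src} DST=10.0.0.5 LEN=40 "
        "TOS=0x00 PREC=0x00 TTL=244 ID=54321 PROTO=TCP SPT=40000 DPT={dpt} "
        "WINDOW=1024 RES=0x00 SYN URGP=0")
KERN_LOG = [_UFW.format(sec=s, src="192.0.2.9", dpt=d)
            for s, d in zip(range(0, 50, 10), (23, 445, 3389, 5900, 8080))]
KERN_LOG += [_UFW.format(sec=s, src="192.0.2.77", dpt=22) for s in range(1, 60, 10)]

# In a real jail these go into failregex with <HOST> in place of the (?P<ip>) group.
SUBMISSION_RE = re.compile(
    r"postfix/submission/smtpd\[\d+\]: disconnect from \S+\[(?P<ip>[^\]]+)\] (?P<summary>.*)$")
UFW_RE = re.compile(r"\[UFW BLOCK\] .*?SRC=(?P<ip>\S+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)")


def parse_ts(line: str) -> datetime:
    """Syslog timestamps carry no year; pin one so time deltas work (assumption)."""
    return datetime.strptime("2024 " + line[:15], "%Y %b %d %H:%M:%S")


def suspicious_submission(summary: str) -> bool:
    """Postfix disconnect summary 'ehlo=1 auth=0/1 ...' -> tokens; flag bots.

    Rule (assumed): any AUTH attempt with zero successes, or an EHLO-only session
    that neither authenticated, sent MAIL, nor said QUIT (dropped after EHLO).
    """
    tokens = dict(t.split("=", 1) for t in summary.split())
    if tokens.get("auth", "").startswith("0/"):
        return True
    return "ehlo" in tokens and not {"auth", "mail", "quit"}.intersection(tokens)


class Jail:
    """Minimal fail2ban-like counter: ban an IP once it has maxretry events
    inside findtime. With distinct=True, unique 'detail' values (here: ports)
    are counted instead of raw hits, which is what a portscan rule needs."""

    def __init__(self, name: str, maxretry: int, findtime_s: int, distinct: bool = False):
        self.name, self.maxretry, self.distinct = name, maxretry, distinct
        self.findtime = timedelta(seconds=findtime_s)
        self.events = defaultdict(list)  # ip -> [(timestamp, detail)]
        self.banned = set()

    def hit(self, ip: str, ts: datetime, detail=None) -> bool:
        if ip in self.banned:
            return False
        window = [(t, d) for t, d in self.events[ip] if ts - t <= self.findtime]
        window.append((ts, detail))
        self.events[ip] = window
        count = len({d for _, d in window}) if self.distinct else len(window)
        if count >= self.maxretry:
            self.banned.add(ip)
            return True
        return False


def scan(mail_lines, kern_lines):
    """Run both rules over the logs; return {jail name: sorted banned IPs}."""
    submission = Jail("postfix-submission", maxretry=3, findtime_s=600)
    portscan = Jail("ufw-portscan", maxretry=5, findtime_s=60, distinct=True)
    for line in mail_lines:
        m = SUBMISSION_RE.search(line)
        if m and suspicious_submission(m["summary"]):
            submission.hit(m["ip"], parse_ts(line))
    for line in kern_lines:
        m = UFW_RE.search(line)
        if m:
            portscan.hit(m["ip"], parse_ts(line), detail=m["dpt"])
    return {submission.name: sorted(submission.banned),
            portscan.name: sorted(portscan.banned)}


if __name__ == "__main__":
    for jail, ips in scan(MAIL_LOG, KERN_LOG).items():
        print(f"{jail}: ban {ips or 'nobody'}")
```

The point of the distinct-port counter is the caveat a UFW portscan jail needs: a client retrying one blocked port (here 192.0.2.77 on 22) is noise, not a sweep, so it should not trip the same threshold as one source walking five different ports. The submission rule likewise ignores a client that sends EHLO and then QUIT cleanly, which is what monitoring probes do.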
I like to implement geolocation-based SSH logins on all my boxes to restrict SSH access.

For boxes that require additional security, I use the cloud provider's firewall to limit SSH access by IP address. (You can also add/remove IP addresses using the API, so you can have access on the go with a dynamic IP.)

It works very well so far.