Any tips for hardening a new box

mellow · October 21, 2022, 2:13pm

Anyone got any more tips besides passwordless ssh login & fail2ban?

alento · October 21, 2022, 2:54pm

I change the SSH port … yeah security by obscurity is not ideal, but it does greatly cut down on failed login attempts as most people will simply move on to another IP rather than port scan to find the open ssh port.

miabuser · October 21, 2022, 4:41pm

In addition to SSH-keys, changing the SSH port and Fail2ban you could maybe also limit SSH access to specific IPs or IP ranges. But this is of course only possible, when you have a fixed IP address, so it’s not an option for most home users.

Some VPS provider do also provide a separate firewall in front of their VPSs, so you could block SSH entirely, and only open it as needed.

Other than that, enable 2FA for the WebUI and use secure passwords for your email accounts.

stylnchris · October 21, 2022, 6:01pm

So I shouldn’t use Password1… Darn! j/k

andrew · October 21, 2022, 9:59pm

Touch wood, so far I’ve found MIAB to be adequately locked down You’d expect it to be ok - the box has only a little software running, nothing with obvious weaknesses, and it’s kept up-to-date. Mine is behind a router/firewall and I’ve only opened the 10 required ports.

I did add a couple of extra fail2ban rules, to catch bots trying to brute-force smtp submission, and to be a little stronger on ssh attempts. At some point I’ll offer them as a pull request…

miabuser · October 23, 2022, 2:18pm

Very insecure because of missing special characters. Better would be UGFzc3dvcmQ=

stylnchris · October 23, 2022, 3:04pm

Base64 for Password1 ?

Mg344 · October 24, 2022, 2:13pm

FWIW, here is one I use. Obviously skip some of the crypto library stuff. GitHub - akcryptoguy/vps-harden: Interactive script to Harden Security on a Ubuntu VPS

mellow · October 25, 2022, 12:01pm

That script looks pretty handy indeed. Thanks for that!

wheresalice · November 1, 2022, 3:02pm

I’d be interested in seeing those extra fail2ban rules. The only one that I’ve added personally is on the UFW logs to block portscans, the rules seem to already cover everything else I need

andrew · November 2, 2022, 1:06am

The rules are quite simple. One looks for invalid ssh logins and is quicker to block than the default rules. The other looks for questionable smtp submissions - being anything that disconnects after 0 logins (“auth=0/1”), or anything that drops the connection after the EHLO).

sendalert · November 2, 2022, 5:25am

I like to implement geolocation base ssh logins on all my boxes to restrict ssh access.

For boxes that requires additional security, I use cloud provider firewall to limit ssh access by IP address. ( You can also add/remove IP addresses using API so you can have access on the go with dynamic ip )

It works very well so far.