It is not a hard deal to make your server secure, but when a lot of routines comes, It is possible to forget to do this. In my case, ssh server was hacked in two weeks after I bought it. One morning my mail had a couple of the abuses from third-side people said "something" on my server tried to hack their servers. So, I should solve the problem quickly.
and it returns me a list of successful authorization to my server. From the all returned lines I found one IP that is not my own. So, In my case, the SSH was a source of vulnerability. Keep in mind about the command
cat /var/log/auth.log | grep Accepted
It helps to analyze the latest successful connection.
It creates the pairs of keys in the ~/.ssh directory. After that running
will upload your "just created" public key to the server. Next step, log in to the server and edit the config file for sshd:
In the config make changes for PasswordAuthentication variable
This instruction close the possibility to connect with the password (only connection with private key accepted)
next step open only ssh, https port on server so:
apt install ufw fail2ban
and enable the ufw:
ufw allow ssh ufw allow 80 ufw allow 443
Next step is configuring the fail2ban utility
in there find "banaction = " and set ufw as a value. After that reload fail2ban
# make a copy of default config (this copy will overload default params according to manual) cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local nano /etc/fail2ban/jail.local
According to this simple config, any three wrong attempts from particular IP get to access to ssh port will ban this IP for 10 minutes. Personally, I changed the ban time for 7 days. How to check the status:
will return in my case
fail2ban-client status sshd
You can see, that one IP already blocked by the firewall. Same things possible to see with ufw report:
Status for the jail: sshd |- Filter | |- Currently failed: 1 | |- Total failed: 6 | `- File list: /var/log/auth.log `- Actions |- Currently banned: 1 |- Total banned: 2 `- Banned IP list: 126.96.36.199
The fail2ban can be configured to send reports to your email if some IP has been banned.
ufw status Status: active To Action From -- ------ ---- Anywhere REJECT 188.8.131.52 80/tcp ALLOW Anywhere 22 ALLOW Anywhere 443 ALLOW Anywhere