The following are the initial settings after installing Debian 10.
・Security settings for SSH service
・Configuring UFW as a firewall
1. Security settings for SSH service
By default, the SSH service allows the root user to log in. Because the user name "root" is already known to everyone, anyone who obtains or guesses the password can log in to the server with administrative privileges.
1.1 Creating a general user
If the only user on the server is root, you will not be able to log in remotely via SSH once root login is restricted, so if you did not create a general user during the OS installation, create one beforehand. If you created a user during the OS installation, this procedure is not necessary.
To create a user, use the "useradd" command. The "-m" option creates the home directory, and the "-p" option sets the password. Note that "-p" expects the password already encrypted with crypt(3), not in plain text, so the example below hashes it with "openssl passwd -6" first.
For example, to set "debianuser" as the user account name and "123456" as the password, execute the command as follows.

# useradd -m -p "$(openssl passwd -6 '123456')" debianuser

The plain-text password is recorded in the shell history this way; if you prefer, create the user without "-p" and set the password interactively with "passwd debianuser".
1.2 Change the configuration file of the SSH service
The SSH service is configured in "/etc/ssh/sshd_config". Open the file with an editor.

# vi /etc/ssh/sshd_config
Change the "PermitRootLogin prohibit-password" line found near line 46 of the configuration file. The value "prohibit-password" means that password authentication is disabled for root (public-key login for root is still accepted; use "PermitRootLogin no" to block root logins entirely). The commented-out line shows the built-in default; removing the "#" makes the setting explicit.

#LoginGraceTime 2m
#PermitRootLogin prohibit-password
↓ remove "#"
PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
1.3 Restart the SSH service

# systemctl restart sshd
The server's authentication log "/var/log/auth.log" also shows that the connection was rejected as follows.
# vi /var/log/auth.log
Oct 31 17:32:51 debian-10 sshd[1422]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.241.10 user=root
Oct 31 17:32:54 debian-10 sshd[1422]: Failed password for root from 192.168.241.10 port 50730 ssh2
2. Firewall Settings
On Debian the firewall is commonly configured with "ufw", so this guide configures the firewall with ufw.
ufw is not installed by the OS installer, so install the ufw package before configuring it. After the installation, the procedure below sets up a minimal set of filter rules.
Filter rules to be set with ufw:
- Deny all packets forwarded to the server
- Allow all packets sent from the server to the outside
- The first port to allow is the port for SSH
- Restrict packets coming into the server
2.1 Install the ufw package
# apt install -y ufw
2.2 Checking after installing the ufw package
Use the "dpkg" command to confirm that the package was installed.

# dpkg -l | grep ufw
ii  ufw            0.36-1       all          program for managing a Netfilter firewall

The installed ufw package is listed.
Run the command "systemctl status" to check the status of ufw.
# systemctl status ufw
● ufw.service - Uncomplicated firewall
   Loaded: loaded (/lib/systemd/system/ufw.service; enabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:ufw(8)
You can confirm that the ufw service is stopped by the message "Active: inactive (dead)".
2.3 Configuring basic firewall rules
When ufw is enabled, the default firewall rules will be applied. If you enable it as is, you may not be able to communicate with the server, so set the basic rules before enabling ufw.
2.3.1 Setting the default rule for incoming packets
The first step is to set the rules for incoming packets. The general rule is to deny all incoming packets except for specific communications. Execute "ufw default deny incoming" so that all incoming packets are basically denied.
# ufw default deny incoming
Default incoming policy changed to 'deny'
(be sure to update your rules accordingly)
2.3.2 Setting the default rule for outgoing packets
The general rule is to allow all outgoing packets. Execute "ufw default allow outgoing" to basically allow outgoing packets.
# ufw default allow outgoing
Default outgoing policy changed to 'allow'
(be sure to update your rules accordingly)
2.4 Enable ufw
Enabling ufw also makes it start automatically at boot. Before enabling it, allow SSH connections; otherwise you may lose your remote SSH connection. The default SSH port is 22. Set the permission with the following commands.
# ufw allow ssh
# ufw reload
If you have changed the SSH port to your own port number, for example 3000:

# ufw allow 3000/tcp
# ufw reload
Execute the "ufw enable" command.
# ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
A confirmation prompt warns that the command may disrupt existing SSH connections. Because SSH is already allowed by the rule added above, the session will not be disconnected, so enter "y".
2.5 Check ufw settings.
Check the rules configured in the firewall now that it is enabled. Execute "ufw status verbose".

# ufw status verbose
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
3000/tcp                   ALLOW IN    Anywhere
3000/tcp (v6)              ALLOW IN    Anywhere (v6)
2.6 Allowing and restricting packets coming into the server
To configure ufw to "allow communication to a specific port number", use the following command.

# ufw allow [port number]

Conversely, to "deny communication to a specific port number", use the following command.

# ufw deny [port number]
2.6.1 Do not allow connections from IP addresses that connect repeatedly
Let us use SSH on port 3000 as an example.
Assume the SSH port has been changed to 3000 and connections to port 3000 are allowed.
An attacker can keep trying passwords against port 3000 until one happens to match and a login succeeds. This is called a brute force attack.
As a countermeasure against this attack, configure the "do not allow connections from IP addresses that connect repeatedly" rule. Type the following command.

# ufw limit 3000

This sets the rule "deny IP addresses that have attempted to connect more than 6 times in 30 seconds". Note that ufw counts new connection attempts, not failed passwords: within a single SSH session an attacker can still try several passwords (up to the "MaxAuthTries" value in sshd_config, 6 by default), so the limit slows a brute force attack down rather than stopping it.
Check the settings. The output looks like this.

# ufw status
Status: active

To                         Action      From
--                         ------      ----
3000                       LIMIT       Anywhere
3000 (v6)                  LIMIT       Anywhere (v6)
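As an added example (not part of the original page), the following shell script applies the same "6 attempts in 30 seconds" threshold that "ufw limit" uses to the "Failed password" lines of /var/log/auth.log shown in section 1.3, so you can see from the log which source addresses are hammering the SSH port. The log lines are constructed for the example and the function name is my own.

```shell
#!/bin/sh
# Added example (not from the original page): apply the "6 attempts in
# 30 seconds" threshold that "ufw limit" uses to the "Failed password"
# lines of /var/log/auth.log and report the offending source addresses.
# The log lines below are constructed for this example.

AUTH_LOG_SAMPLE='Oct 31 17:32:51 debian-10 sshd[1422]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.241.10 user=root
Oct 31 17:32:51 debian-10 sshd[1422]: Failed password for root from 192.168.241.10 port 50730 ssh2
Oct 31 17:32:52 debian-10 sshd[1422]: Failed password for root from 192.168.241.10 port 50730 ssh2
Oct 31 17:32:54 debian-10 sshd[1425]: Failed password for root from 192.168.241.10 port 50731 ssh2
Oct 31 17:32:55 debian-10 sshd[1425]: Failed password for root from 192.168.241.10 port 50731 ssh2
Oct 31 17:32:57 debian-10 sshd[1428]: Failed password for invalid user admin from 192.168.241.10 port 50732 ssh2
Oct 31 17:32:59 debian-10 sshd[1428]: Failed password for invalid user admin from 192.168.241.10 port 50732 ssh2
Oct 31 17:33:10 debian-10 sshd[1431]: Failed password for debianuser from 10.0.0.5 port 41000 ssh2
Oct 31 17:33:12 debian-10 sshd[1431]: Accepted password for debianuser from 10.0.0.5 port 41000 ssh2
Oct 31 17:40:00 debian-10 sshd[1440]: Failed password for root from 192.168.241.20 port 52000 ssh2
Oct 31 17:40:10 debian-10 sshd[1441]: Failed password for root from 192.168.241.20 port 52001 ssh2
Oct 31 17:40:20 debian-10 sshd[1442]: Failed password for root from 192.168.241.20 port 52002 ssh2
Oct 31 17:40:30 debian-10 sshd[1443]: Failed password for root from 192.168.241.20 port 52003 ssh2
Oct 31 17:40:40 debian-10 sshd[1444]: Failed password for root from 192.168.241.20 port 52004 ssh2
Oct 31 17:40:50 debian-10 sshd[1445]: Failed password for root from 192.168.241.20 port 52005 ssh2'

# find_bruteforce_sources [window_seconds] [max_attempts]
# Reads auth.log lines on stdin and prints each source address that made
# max_attempts or more failed logins within window_seconds (once per address).
find_bruteforce_sources() {
    awk -v WINDOW="${1:-30}" -v LIMIT="${2:-6}" '
    /sshd\[[0-9]+]: Failed password for / {
        # $3 is the HH:MM:SS timestamp; convert it to seconds since midnight
        split($3, t, ":"); now = t[1] * 3600 + t[2] * 60 + t[3]
        ip = ""
        for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
        if (ip == "") next
        n[ip]++; times[ip, n[ip]] = now
        # count the failures from this address that fall inside the trailing window
        c = 0
        for (j = n[ip]; j >= 1 && now - times[ip, j] <= WINDOW; j--) c++
        if (c >= LIMIT && !(ip in flagged)) { flagged[ip] = 1; print ip }
    }'
}

# Typical use on a real system: find_bruteforce_sources < /var/log/auth.log
printf '%s\n' "$AUTH_LOG_SAMPLE" | find_bruteforce_sources
```

In the sample, 192.168.241.10 is reported (six failures in eight seconds), while 192.168.241.20 is not, because its six failures are spread over fifty seconds.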
2.6.2 Only allow ssh connections from specific networks
Even with the above setting, the SSH port is still reachable from the external Internet, so even with the connection limit in place the password may eventually be guessed, or a connection may be made by exploiting a vulnerability.
For this reason, allow SSH connections only from internal networks and do not allow any SSH connections from outside.
As an example, suppose the local area network contains a host with the IP address "192.168.11.10". To allow SSH connections only from this host, or only from this network (192.168.11.0/24), type the following commands.
Allow SSH connections from 192.168.11.0/24

# ufw allow from 192.168.11.0/24 to any port 3000

Allow SSH connections from 192.168.11.10

# ufw allow from 192.168.11.10 to any port 3000
Check the settings.
Result when SSH connections from 192.168.11.0/24 are allowed:

# ufw status
Status: active

To                         Action      From
--                         ------      ----
3000                       LIMIT       Anywhere
3000                       ALLOW       192.168.11.0/24
3000 (v6)                  LIMIT       Anywhere (v6)
Next, delete the rules with LIMIT, since they still accept SSH connections from anywhere. First display the rules with their numbers.

# ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 3000                       LIMIT IN    Anywhere
[ 2] 3000                       ALLOW IN    192.168.11.0/24
[ 3] 3000 (v6)                  LIMIT IN    Anywhere (v6)
Delete rules 1 and 3 by specifying the number.

# ufw delete 1
Deleting:
 limit 3000
Proceed with operation (y|n)? y
Rule deleted

Similarly, delete rule 3. Note that ufw renumbers the remaining rules after each deletion, so run "ufw status numbered" again before deleting the second rule: once rule 1 is gone, the former rule 3 is listed as rule 2.
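As an added example (not part of the original page), this shell script picks the LIMIT rules out of "ufw status numbered" output and emits the "ufw delete" commands highest number first, which is the order that stays valid while ufw renumbers after each deletion. The status output is constructed to match the listing above; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original page): pick out the numbers of the
# LIMIT rules in "ufw status numbered" output and emit the matching
# "ufw delete" commands highest number first, because ufw renumbers the
# remaining rules after every deletion. The output below is constructed
# to match the listing in section 2.6.2.

UFW_STATUS_NUMBERED_SAMPLE='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 3000                       LIMIT IN    Anywhere
[ 2] 3000                       ALLOW IN    192.168.11.0/24
[ 3] 3000 (v6)                  LIMIT IN    Anywhere (v6)'

# rule_numbers_with_action ACTION
# Reads "ufw status numbered" output on stdin and prints the numbers of the
# rules whose action is ACTION (e.g. LIMIT or ALLOW), highest first.
rule_numbers_with_action() {
    awk -v act="$1" '
    /^\[ *[0-9]+]/ {
        num = $0; sub(/^\[ */, "", num); sub(/].*/, "", num)
        if (index($0, " " act " ") > 0) print num
    }' | sort -rn
}

# delete_commands ACTION
# Prints one "ufw delete N" line per matching rule, in an order that stays
# valid while the commands are executed one after another.
delete_commands() {
    rule_numbers_with_action "$1" | while read -r num; do
        printf 'ufw delete %s\n' "$num"
    done
}

# Typical use on a real system: review the printed commands, then run them
#   ufw status numbered | delete_commands LIMIT
printf '%s\n' "$UFW_STATUS_NUMBERED_SAMPLE" | delete_commands LIMIT
```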
2.6.3 Permission for web and other services
You can allow connections by specifying a port number, or by specifying a service name.
The service names and their port numbers are listed in the following file.

# vi /etc/services

# ufw allow http
Rule added
Rule added (v6)
# ufw allow https
Rule added
Rule added (v6)
2.6.4 Disable ufw for IPv6
If the server does not use IPv6, edit "/etc/default/ufw", change "IPV6=yes" to "IPV6=no", and restart ufw. With this setting ufw installs no IPv6 rules at all, so only use it on a host where IPv6 is not in use; otherwise IPv6 traffic is left unfiltered.

# vi /etc/default/ufw
IPV6=yes
↓ rewrite
IPV6=no

# systemctl restart ufw