1. Set the root password and use the su command
|$ sudo passwd root|
[sudo] password for <user name> ← Current user's password (root is locked on a fresh Ubuntu install, so the command has to go through sudo)
Enter new UNIX password: ← Enter the root password to be set
Retype new UNIX password: ← Re-enter the same password
passwd: password updated successfully
2. Initial SSH configuration
|$ su -|
# cd /etc/ssh
# vi sshd_config
PermitRootLogin no ← #Disable direct login as root over ssh (you still become root with su or sudo from your own account)
3. Setting up SSH key authentication
|#Become an ordinary user and create a key pair with RSA|
#RSA is used here; on current OpenSSH an ed25519 key (ssh-keygen -t ed25519) is the usual choice, and the remaining steps are identical.
$ ssh-keygen -t rsa
Enter file in which to save the key (/home/<user>/.ssh/id_rsa):
#Storage location. If you do not want to change it, just press Enter.
Created directory ‘/home/<user>/.ssh’.
Enter passphrase (empty for no passphrase):
#Passphrase (pressing Enter sets none). Be aware that an id_rsa without a passphrase lets anyone who obtains the file log in as you, so setting one (with ssh-agent so you do not have to retype it) is the safer choice.
Enter same passphrase again:
$ mv ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys
$ chmod 600 ~/.ssh/authorized_keys
After this, use WinSCP or something similar to copy the id_rsa file (the private key) to an appropriate location on the Windows machine. Then delete id_rsa from the server, since the private key is only needed on the client, and confirm from a new session that you can log in with the key before moving on to the next step.
|#Rewrite the configuration file to disable password authentication.|
$ su -
# vi /etc/ssh/sshd_config
#Around line 56 of the default file: turn password authentication off and make sure public key authentication is on.
PasswordAuthentication no
PubkeyAuthentication yes
#Restart the SSH service (the unit is called ssh on Ubuntu/Debian). Keep this session open and verify from a second terminal that a key login works and a password login is refused before closing it. On recent Ubuntu also check that no file under /etc/ssh/sshd_config.d/ (cloud images ship one) still sets PasswordAuthentication yes: those files are included at the top of sshd_config, and sshd uses the first value it reads.
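The edits in steps 2 and 3 are easy to get subtly wrong by hand (a duplicate line earlier in the file wins, a commented-out line is left as a comment, or a second run appends the same line again). The script below is an added example, not code from the original page: it applies the same settings idempotently and shows which value sshd would actually use. It assumes Debian/Ubuntu (GNU sed, a service unit named ssh); the option names are the standard sshd_config keywords, and KbdInteractiveAuthentication is added because PAM keyboard-interactive can otherwise still prompt for a password even with PasswordAuthentication off (older OpenSSH spells this option ChallengeResponseAuthentication).

```shell
#!/bin/sh
# Added example, not from the original page: apply the sshd_config changes
# from steps 2 and 3 idempotently and report the value sshd would use.
# Assumes Debian/Ubuntu (GNU sed, service name "ssh").

# set_sshd_option FILE KEY VALUE
# Rewrites every "Key ..." or "#Key ..." line to "Key VALUE" (option names
# are case-insensitive in sshd, hence the I flag), or appends the line if
# the keyword is absent. Running it twice never produces duplicate lines.
set_sshd_option() {
    local file="$1" key="$2" value="$3"
    if grep -Eiq "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|\$)" "$file"; then
        sed -E -i "s|^[[:space:]]*#?[[:space:]]*${key}([[:space:]].*)?\$|${key} ${value}|I" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# harden_sshd_config FILE: the settings from steps 2 and 3, plus the
# keyboard-interactive switch, which must also be off or PAM can still
# prompt for a password although PasswordAuthentication is "no".
harden_sshd_config() {
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" PubkeyAuthentication yes
    set_sshd_option "$1" PasswordAuthentication no
    set_sshd_option "$1" KbdInteractiveAuthentication no
}

# effective_value FILE KEY: sshd uses the FIRST uncommented occurrence of a
# keyword, so a stray earlier "PasswordAuthentication yes" would win. This
# mimics that rule for one file only; it does not follow Include or Match,
# so on the live system confirm with:  sshd -T | grep -i passwordauth
effective_value() {
    awk -v k="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" \
        'tolower($1) == k { print $2; exit }' "$1"
}

# Demonstration on a constructed copy of the stock Ubuntu defaults,
# never on the live file.
demo_sshd_hardening() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# constructed sample mirroring Ubuntu's default sshd_config
Include /etc/ssh/sshd_config.d/*.conf
#PermitRootLogin prohibit-password
#PubkeyAuthentication yes
PasswordAuthentication yes
KbdInteractiveAuthentication no
EOF
    harden_sshd_config "$tmp"
    cat "$tmp"
    rm -f "$tmp"
}
demo_sshd_hardening

# Live use, as root, keeping your current session open:
#   harden_sshd_config /etc/ssh/sshd_config && sshd -t && systemctl restart ssh
# then test a new key-based login from a second terminal before closing this one.
```

sshd -t validates the syntax before the restart, so a typo cannot leave you with a daemon that refuses to start. effective_value deliberately reads only the one file; the Include directive at the top of Ubuntu's sshd_config means the authoritative check on a real host is sshd -T, which prints the merged configuration.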
4. Firewalling with UFW
|#Type the following command to see the status of the ufw configuration|
# ufw status
#On a fresh install ufw is inactive (disabled), so the output reads "Status: inactive".
#Type the following command to activate ufw.
# ufw enable
#You may get the following message.
Command may disrupt existing ssh connections. Proceed with operation (y|n)?
#This asks whether to go ahead even though enabling the firewall may interrupt an ssh session; it appears whenever you run the command over ssh. ufw's default incoming policy is deny and enabling it adds no ssh rule, so your current session normally survives (established connections are still allowed), but a new ssh connection will be refused until you allow the ssh port below. Finish the following steps without disconnecting.
#In my environment, ssh was never disconnected even when I entered y (yes), so I think it is safe to enter y.
# ufw status
#ufw is now enabled, shown as "Status: active"
#If you type the following command in this state, you should see various settings written to iptables
# iptables -nL
#If you want to disable ufw, type the following command
# ufw disable
|#Disable all communication once by typing the following command|
# ufw default deny
Default incoming policy changed to ‘deny’
(be sure to update your rules accordingly)
#This blocks all incoming connections from outside (the direction defaults to incoming). It is the same policy ufw is enabled with, so here it mainly serves as a safeguard. Your current ssh session stays up, but if it drops you cannot reconnect until the ssh port is allowed, so do that next.
#Once everything is blocked, we can decide which services to allow to communicate.
#Even with this setting, only communication coming from "outside to inside" is disabled; outgoing connections from the server are still allowed.
Configure the settings
#To tell ufw "allow communication coming to port number xxx", type the following command
# ufw allow [port number]
#Conversely, to "disallow communication coming to port number xxx", type the following
# ufw deny [port number]
Allow ssh connections
#Allow ssh connections so that you can connect remotely in the future
#To allow ssh connections, type the following command, assuming the ssh port has been changed to 5001
# ufw allow 5001
#An open ssh port is hit with continuous login attempts that try one password after another in the hope of a lucky match. (Key-only authentication defeats the guessing itself, but the rate limit still cuts the noise and load.)
#As a countermeasure, apply the setting "reject connections from IP addresses that connect repeatedly in a short time".
# ufw limit 5001
#This sets the rule "deny an IP address that has attempted 6 or more connections in the last 30 seconds".
#Check the settings. You should see something like this
# ufw status
#LIMIT (connection rate limiting) is set for port 5001 for both IPv4 and IPv6
|Only allow ssh connections from specific networks|
#Even with the above settings, your ssh port is still exposed to the whole Internet.
#Therefore allow ssh only from the internal network and refuse all ssh connections from outside.
#In this example the local network is 192.168.11.0/24 (hosts have addresses 192.168.11.xx).
#Allow ssh connections from 192.168.11.0/24
# ufw allow from 192.168.11.0/24 to any port 5001
#If you check your settings, you should see something like this
# ufw status
#However, in this state the LIMIT rule still admits ssh connections from outside, just at a reduced rate.
#Therefore we remove the LIMIT rules. List the rules with their numbers:
# ufw status numbered
#Rules 1 and 3 (the IPv4 and IPv6 LIMIT rules) are not needed, so delete them by number.
# ufw delete 1
#Note that ufw renumbers the remaining rules after every delete, so the old rule 3 is now rule 2. Run ufw status numbered again and delete the remaining LIMIT rule by its new number, or delete the higher-numbered rule first to avoid the problem.
Allow access to the web.
#Since our goal is to set up a firewall for the web server, we will allow connections to 80 (HTTP) and 443 (HTTPS).
#You can specify a port number or a service name; ufw resolves names such as http and https through /etc/services. (ufw also has application profiles, listed with its app list subcommand, which are a separate mechanism.)
#You can see the service names and their ports in the following file
# vi /etc/services
#Allow HTTP (80) and HTTPS (443) connections.
# ufw allow http
# ufw allow https
#Check your settings and they should look like this
# ufw status
To                         Action      From
--                         ------      ----
5001                       ALLOW       192.168.11.0/24
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
80/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)
#Ports 80 and 443 (the web) are now reachable from the outside, and ssh only from the LAN.
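The firewall steps above work, but the order (enable, then default deny, then allow ssh) only avoids a lockout because the existing session is kept alive, and the rule deletion by number is easy to get wrong once ufw renumbers. The script below is an added example, not code from the original page: it applies the same ruleset in an order that can never cut off the administrator, and it removes rules matching a pattern from the highest number down. SSH_PORT and LAN are assumed values taken from the text and must be set to your own; commands go through the UFW variable, which defaults to a dry run (echo ufw), so the script prints what it would do unless you export UFW=ufw and run it as root. The sample status output is constructed to match the state after the LAN rule was added.

```shell
#!/bin/sh
# Added example, not from the original page: the firewall steps above in a
# lockout-safe order, plus a helper that deletes ufw rules by pattern from
# the highest number down, because ufw renumbers the rest after every delete.
# SSH_PORT and LAN are assumptions; set them to your own network.
# $UFW defaults to "echo ufw" (dry run); export UFW=ufw and run as root to apply.
SSH_PORT=${SSH_PORT:-5001}
LAN=${LAN:-192.168.11.0/24}
UFW=${UFW:-echo ufw}

# Allow ssh from the LAN before anything is denied, and use --force on enable
# so the interactive "Proceed with operation" prompt does not stall a script.
apply_web_server_rules() {
    $UFW allow from "$LAN" to any port "$SSH_PORT" proto tcp
    $UFW default deny incoming
    $UFW default allow outgoing
    $UFW allow http
    $UFW allow https
    $UFW --force enable
}

# rule_numbers_matching PATTERN: read "ufw status numbered" output on stdin
# and print the numbers of rules whose line matches PATTERN, highest first.
rule_numbers_matching() {
    grep -E '^\[ *[0-9]+\]' | grep -E -- "$1" | sed -E 's/^\[ *([0-9]+)\].*/\1/' | sort -rn
}

# delete_rules_matching PATTERN STATUS_TEXT: e.g. drop every LIMIT rule once
# ssh is restricted to the LAN. Deleting 3 then 1 is safe; deleting 1 then 3
# would remove whatever rule had slid down into slot 3.
delete_rules_matching() {
    printf '%s\n' "$2" | rule_numbers_matching "$1" | while read -r n; do
        $UFW --force delete "$n"
    done
}

# Constructed sample of "ufw status numbered" after "ufw limit 5001" and the
# LAN allow rule from the text (not captured from a real host).
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 5001                       LIMIT IN    Anywhere
[ 2] 5001                       ALLOW IN    192.168.11.0/24
[ 3] 5001 (v6)                  LIMIT IN    Anywhere (v6)'

apply_web_server_rules
delete_rules_matching 'LIMIT IN' "$SAMPLE_STATUS"
# Live use: delete_rules_matching 'LIMIT IN' "$(ufw status numbered)"
```

Capturing the status output once and deleting from the highest number down is what makes the deletion safe; re-reading ufw status numbered between deletes, as the text suggests, works too but is easy to forget. The proto tcp qualifier on the ssh rule is tighter than the page's ufw allow 5001, which opens both TCP and UDP.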
Disable ufw for IPv6
# vi /etc/default/ufw
#Setting IPV6=no here stops ufw from loading any ip6tables rules, so all of the rules above become IPv4-only. Only do this on a host with no IPv6 address on an external interface; otherwise IPv6 traffic reaches your services completely unfiltered, and the (v6) rules ufw adds by default are the safer choice.
#After all the work