1. SSH Service Security Settings
By default, the SSH service allows the root user to log in.
Because the account name "root" is already known, anyone who learns or guesses the password can log in to the server with administrator privileges.
1.1 Creating a General User
If you created a general (non-root) user when installing Ubuntu 22, this step is not necessary.
If root is the only user on the server, remote login via SSH will not be possible once root login is restricted, so if no user was created during OS installation, create one in advance.
Users are created with the "useradd" command. The "-m" option creates a home directory and the "-p" option sets the password. Note that "-p" expects the password in the already hashed form produced by crypt(3), not in plain text; a plain-text password can instead be set afterwards with the "passwd" command.
For example, to create the user account "ubuntuuser" with the password "123456", execute the following:
1.2 SSH service configuration file changes
This time, we will proceed by changing the default SSH port from 22 to 2244.
After the edits, the top of /etc/ssh/sshd_config looks like this:

# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.

Include /etc/ssh/sshd_config.d/*.conf

#Port 22
Port 2244
#AddressFamily any
ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes
Edit points:
Near line 15, add the SSH connection port 2244 under the commented default:
#Port 22
Port 2244
Near line 17, uncomment "#ListenAddress 0.0.0.0" so that it reads "ListenAddress 0.0.0.0".
Near line 34, change the "PermitRootLogin" parameter.
The value "prohibit-password" means that root cannot log in with a password; root can still log in with public key (or another non-password) authentication. Setting the value to "no" would refuse root login over SSH entirely.
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin prohibit-password
↓
PermitRootLogin prohibit-password
Restart the SSH service so that the changes take effect.
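Because the edits above go into the main file below an "Include /etc/ssh/sshd_config.d/*.conf" line, it is worth checking which value sshd actually ends up using: sshd_config(5) applies the first occurrence of each keyword, and a drop-in pulled in by Include is read before everything that follows it in the main file. The script below is an added example, not part of the original article. It resolves options with those semantics over a constructed two-file configuration (the drop-in imitates the 50-cloud-init.conf that cloud-init writes on Ubuntu cloud images, with constructed contents) and shows a "PasswordAuthentication no" in the main file being overridden by the drop-in.

```shell
#!/bin/sh
# Added example (not part of the original article): resolve the value sshd will
# actually use for an option. sshd_config(5) applies the FIRST occurrence of a
# keyword and processes "Include" at the point where it appears, so on Ubuntu 22
# anything in /etc/ssh/sshd_config.d/*.conf is read BEFORE the settings that
# follow the Include line in /etc/ssh/sshd_config and silently wins over them.
# The configuration files built below are constructed for the demonstration.

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# expand_config FILE: print "keyword value" pairs in the order sshd reads them,
# recursing into files named by Include lines; comments and blank lines dropped.
expand_config() {
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line#"${line%%[![:space:]]*}"}          # strip leading whitespace
        case $line in ''|'#'*) continue ;; esac
        key=${line%%[[:space:]=]*}                     # keyword up to space or '='
        value=${line#"$key"}
        value=${value#"${value%%[![:space:]=]*}"}      # drop the separator
        if [ "$(lc "$key")" = include ]; then
            for f in $value; do                        # unquoted: the shell expands the glob
                [ -f "$f" ] && expand_config "$f"
            done
        else
            printf '%s %s\n' "$(lc "$key")" "$value"
        fi
    done < "$1"
}

# effective_option FILE KEYWORD: the value sshd applies (first match wins)
effective_option() {
    expand_config "$1" | awk -v kw="$(lc "$2")" '$1 == kw { print $2; exit }'
}

# make_fixture: build a constructed main file plus a drop-in in a temp dir and
# print the dir. The drop-in name mirrors the file cloud-init writes on Ubuntu
# cloud images; its content here is constructed.
make_fixture() {
    dir=$(mktemp -d)
    mkdir "$dir/sshd_config.d"
    printf 'PasswordAuthentication yes\n' > "$dir/sshd_config.d/50-cloud-init.conf"
    cat > "$dir/sshd_config" <<EOF
Include $dir/sshd_config.d/*.conf
#Port 22
Port 2244
ListenAddress 0.0.0.0
PermitRootLogin prohibit-password
PasswordAuthentication no
EOF
    printf '%s\n' "$dir"
}

main() {
    dir=$(make_fixture)
    for opt in Port PermitRootLogin PasswordAuthentication; do
        printf '%-24s %s\n' "$opt" "$(effective_option "$dir/sshd_config" "$opt")"
    done
    rm -rf "$dir"
}
main "$@"
```

On the real server the same answer comes from "sshd -T", which prints the effective configuration (run as root), and "sshd -t" checks the syntax before the service is restarted; on Ubuntu the service unit is ssh.service.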
2. Firewall Settings
Ubuntu commonly uses the "ufw" (Uncomplicated Firewall) front end to configure the firewall, so we will use ufw here.
ufw is installed together with the OS.
Filter rules to be set in ufw:
• All packets coming into the server are denied
• All packets sent from the server to the outside are allowed
• The first port to allow is the SSH port (2244)
• Limit which packets are allowed into the server
2.1 Check the ufw package
Confirm with the "dpkg" command:
# dpkg -l ufw
ii ufw 0.36.1-4build1 all program for managing a Netfilter firewall
Run the "systemctl status" command to check the status of the ufw service:
# systemctl status ufw
● ufw.service - Uncomplicated firewall
Loaded: loaded (/lib/systemd/system/ufw.service; enabled; vendor preset: enabled)
Active: active (exited) since Wed 2022-05-18 08:43:38 JST; 2h 7min ago
Docs: man:ufw(8)
Main PID: 720 (code=exited, status=0/SUCCESS)
CPU: 2ms
You can confirm that the ufw service has started by seeing "Active: active (exited)". "exited" is normal for this unit; whether the firewall rules are actually loaded is shown by "ufw status".
Enable ufw:
# ufw enable
Synchronizing state of ufw.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable ufw
Firewall is active and enabled on system startup
2.2 Basic firewall rule configuration
When ufw is enabled, the default firewall rules are applied. If you enable it as is, you may lose the connection to the server, so set up some basic rules before enabling ufw.
2.2.1 Default rule for incoming packets
First, set the rules for incoming packets.
The general rule is to reject all incoming packets except for specific communications.
Execute "ufw default deny incoming" to basically deny all incoming packets.
Default incoming policy changed to 'deny'
(be sure to update your rules accordingly)
2.2.2 Default rule for outgoing packets
The general rule is to allow all outgoing packets. Execute "ufw default allow outgoing" to basically allow outgoing packets.
Default outgoing policy changed to 'allow'
(be sure to update your rules accordingly)
2.3 Allowing the SSH Port
Allow SSH connections. The default SSH port is 22; allow it with the following commands:
# ufw allow 22/tcp
# ufw reload
If you have set your own port (e.g. 2244):
# ufw allow 2244/tcp
# ufw reload
2.4 Confirming the ufw settings
Check the rules set in the firewall after enabling it:
# ufw status verbose
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
To Action From
-- ------ ----
22/tcp ALLOW IN Anywhere
2244/tcp ALLOW IN Anywhere
22/tcp (v6) ALLOW IN Anywhere (v6)
2244/tcp (v6) ALLOW IN Anywhere (v6)
2.5 Allowing or limiting packets coming into the server
To allow communication coming to port number "◯◯", use the following command:
# ufw allow [port number]/tcp
Conversely, to deny communication coming to port number "◯◯", use the following command:
# ufw deny [port number]/tcp
2.5.1 Do not allow connections from IP addresses that connect repeatedly
This is explained using the SSH port 2244 configured above as an example.
Attackers try to get into port 2244 by entering one candidate password after another in the hope that one happens to match. This is called a brute force attack.
As a countermeasure, set "do not allow connections from IP addresses that connect repeatedly". Type the following command:
# ufw limit 2244
This sets the rule "deny an IP address that makes more than 6 connection attempts within 30 seconds".
Verify the settings:
# ufw status
Status: active
To Action From
-- ------ ----
2244 LIMIT Anywhere
2244 (v6) LIMIT Anywhere (v6)
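The threshold behind the limit rule, 6 attempts in 30 seconds, can also be applied to sshd's own log to see which sources it would be throttling. The script below is an added example, not from the original article: it reads "Failed password" lines in the auth.log format on standard input (the sample lines are constructed; on Ubuntu the real file is /var/log/auth.log) and prints every source address that exceeds the threshold inside any 30-second window. Threshold and window are arguments so the same check can be run with other values.

```shell
#!/bin/sh
# Added example (not from the original article): find source addresses whose
# failed SSH logins exceed the same threshold "ufw limit" uses, 6 attempts
# within 30 seconds, by reading sshd's "Failed password" lines from auth.log.
# The log lines below are constructed; on Ubuntu the real file is /var/log/auth.log.

SAMPLE_LOG='May 18 08:43:01 srv sshd[1201]: Failed password for root from 203.0.113.5 port 50001 ssh2
May 18 08:43:04 srv sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 50002 ssh2
May 18 08:43:06 srv sshd[1205]: Failed password for root from 203.0.113.5 port 50003 ssh2
May 18 08:43:09 srv sshd[1207]: Failed password for invalid user test from 203.0.113.5 port 50004 ssh2
May 18 08:43:10 srv sshd[1209]: Failed password for ubuntuuser from 198.51.100.7 port 40001 ssh2
May 18 08:43:12 srv sshd[1211]: Failed password for root from 203.0.113.5 port 50005 ssh2
May 18 08:43:15 srv sshd[1213]: Failed password for root from 203.0.113.5 port 50006 ssh2
May 18 08:43:18 srv sshd[1215]: Failed password for root from 203.0.113.5 port 50007 ssh2
May 18 08:43:40 srv sshd[1217]: Accepted publickey for ubuntuuser from 198.51.100.7 port 40002 ssh2
May 18 08:45:00 srv sshd[1219]: Failed password for ubuntuuser from 198.51.100.7 port 40003 ssh2'

# burst_sources [MAX_ATTEMPTS] [WINDOW_SECONDS]  (log text on stdin)
# Prints each source IP that makes more than MAX_ATTEMPTS failed attempts
# inside any WINDOW_SECONDS-long window, once, in order of first detection.
burst_sources() {
    awk -v max="${1:-6}" -v win="${2:-30}" '
        # seconds since midnight from the syslog HH:MM:SS field (same-day log assumed)
        function secs(t,   h) { split(t, h, ":"); return h[1]*3600 + h[2]*60 + h[3] }
        /sshd\[[0-9]+]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i+1)
            t = secs($3)
            n[ip]++; ts[ip, n[ip]] = t
            # count this source'"'"'s attempts in the window that ends at this line
            c = 0
            for (j = n[ip]; j >= 1 && t - ts[ip, j] <= win; j--) c++
            if (c > max && !(ip in flagged)) { flagged[ip] = 1; print ip }
        }'
}

printf '%s\n' "$SAMPLE_LOG" | burst_sources
```

In the sample, 203.0.113.5 makes seven failed attempts within 17 seconds and is reported; 198.51.100.7 fails twice, minutes apart, and is not. The same sources show up as "[UFW LIMIT BLOCK]" entries in the kernel log once the limit rule is in place.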
2.5.2 Only allow SSH connections from specific networks
Even with the above settings the SSH port is open to the Internet, so even with the connection limit the password could still be guessed in some way, or a vulnerability could be exploited to gain access.
It is therefore recommended to allow SSH connections only from the internal network and to refuse all external SSH connections.
As an example, suppose a host in the local area network has the IP address "192.168.11.10". To allow SSH connections only from the network it belongs to (192.168.11.0/24), or only from that single host, type one of the following commands:
# ufw allow from 192.168.11.0/24 to any port 2244
# ufw allow from 192.168.11.10 to any port 2244
Checking the settings now shows:
# ufw status
Status: active
To Action From
-- ------ ----
2244 LIMIT Anywhere
2244 ALLOW 192.168.11.0/24
2244 (v6) LIMIT Anywhere (v6)
Now delete the LIMIT rule, which still accepts connections from anywhere, so that only the network rule remains. First list the rules with their numbers:
# ufw status numbered
Status: active
To Action From
-- ------ ----
[ 1] 2244 LIMIT IN Anywhere
[ 2] 2244 ALLOW IN 192.168.11.0/24
[ 3] 2244 (v6) LIMIT IN Anywhere (v6)
Delete rule 1 by specifying its number:
# ufw delete 1
Deleting:
limit 2244
Proceed with operation (y|n)? y
Rule deleted
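Two checks are worth making around this step, and the script below is an added example for both; it is not part of the original article. First, rule numbers shift after every delete, so when several rules for a port still accept "Anywhere" (in the listing above, the IPv6 LIMIT rule [3] is still there after rule [1] is gone) they should be removed from the highest number downwards; the function anywhere_rules parses "ufw status numbered" text on standard input and prints those numbers in that order. Second, removing the "Anywhere" rules locks out any session that is not already coming from 192.168.11.0/24, so in_subnet checks the client address sshd puts in the SSH_CONNECTION variable against the allowed network before you proceed. The status listing is constructed to match the article's example.

```shell
#!/bin/sh
# Added example (not from the original article): two checks for the step above.
#  1. anywhere_rules PORT reads "ufw status numbered" text on stdin and prints the
#     numbers of the rules for PORT that still accept "Anywhere", highest number
#     first. ufw renumbers rules after every delete, so deleting from the highest
#     number down keeps the remaining numbers valid.
#  2. in_subnet IP CIDR succeeds when an IPv4 address lies inside a network, so you
#     can confirm your own SSH session comes from 192.168.11.0/24 before removing
#     the rules that let everyone else in.
# The status listing below is constructed to match the article's example.

SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 2244                       LIMIT IN    Anywhere
[ 2] 2244                       ALLOW IN    192.168.11.0/24
[ 3] 2244 (v6)                  LIMIT IN    Anywhere (v6)
[ 4] 80/tcp                     ALLOW IN    Anywhere'

anywhere_rules() {
    awk -v port="$1" '
        /^\[/ {
            n = substr($0, 2, index($0, "]") - 2); gsub(/ /, "", n)   # rule number
            rest = substr($0, index($0, "]") + 1); sub(/^ +/, "", rest)
            split(rest, f, "  +")                 # columns are separated by 2+ spaces
            to = f[1]; sub(/ \(v6\)$/, "", to)   # "2244 (v6)" -> "2244"
            if (to == port && f[3] ~ /^Anywhere/) print n
        }' | sort -rn | tr '\n' ' ' | sed 's/ $//'
}

# in_subnet IP CIDR: exit 0 when IP is inside the IPv4 network CIDR (IPv4 only)
in_subnet() {
    awk -v ip="$1" -v cidr="$2" '
        function toint(a,   p) { split(a, p, "."); return ((p[1]*256 + p[2])*256 + p[3])*256 + p[4] }
        BEGIN {
            split(cidr, c, "/"); blk = 2 ^ (32 - c[2])           # addresses per network block
            exit int(toint(ip) / blk) != int(toint(c[1]) / blk)  # 0 = same block
        }'
}

main() {
    echo "Rules for 2244 still open to Anywhere (delete in this order):"
    for n in $(printf '%s\n' "$SAMPLE_STATUS" | anywhere_rules 2244); do
        echo "  ufw delete $n"
    done
    # sshd sets SSH_CONNECTION to "client_ip client_port server_ip server_port"
    client=${SSH_CONNECTION%% *}
    if [ -n "$client" ]; then
        if in_subnet "$client" 192.168.11.0/24; then
            echo "This session ($client) is inside 192.168.11.0/24; safe to remove the Anywhere rules."
        else
            echo "This session ($client) is NOT inside 192.168.11.0/24; removing them would lock you out."
        fi
    fi
}
main "$@"
```

Run it from the SSH session you intend to keep; on the constructed listing it reports rules 3 and 1, in that order, and then says whether the current client address is inside the allowed network.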
2.5.3 Allowing web and other services
You can allow connections by specifying a port number, or by specifying an application profile.
The list of application profiles can be shown with the following command:
# ufw app list
For example, to allow http and https for web services:
# ufw allow http
Rule added
Rule added (v6)
# ufw allow https
Rule added
Rule added (v6)
# ufw reload
2.5.4 Disabling IPv6 in ufw
In /etc/default/ufw, change IPV6=yes → IPV6=no. Note that with IPV6=no ufw no longer manages any IPv6 rules, so if the server has IPv6 connectivity its IPv6 traffic is left unfiltered; keep IPV6=yes on a dual-stack host.
Restart the firewall after all the work is done.