Contents
1. SSH Service Security Settings
The SSH service allows the root user to log in by default, and since the root user already knows the user name and can log in to the server with administrative privileges once the password is known, we will deny this setting.
1.1 Creating a General User
If you have created a general user when installing Ubuntu 23, this procedure is not necessary.
If you have already created a user at the time of OS installation, this procedure is not necessary. If you have already created a user during OS installation, this procedure is not necessary.
If you have already created a user during OS installation, this procedure is not necessary. The "-m" option creates a home directory and the "-p" option specifies the password.
For example, to set "ubuntuuser" as the user account name and "123456" as the password, execute as follows
|
1 |
# useradd -m -p 123456 ubuntuuser |
1.2 SSH service configuration file changes
To change the SSH service settings, modify the configuration file, which is located in "/etc/ssh/sshd_config".
This time, we will change the default SSH port 22 to 2244.
|
1 |
# vi /etc/ssh/sshd_config |
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 |
# This is the sshd server system-wide configuration file. See # sshd_config(5) for more information.# This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games # The strategy used for options in the default sshd_config shipped with # OpenSSH is to specify options with their default value where # possible, but leave them commented. Uncommented options override the # default value.Include /etc/ssh/sshd_config.d/*.conf #Port 22 Port 2244 #AddressFamily any ListenAddress 0.0.0.0 #ListenAddress ::#HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_ecdsa_key #HostKey /etc/ssh/ssh_host_ed25519_key# Ciphers and keying #RekeyLimit default none# Logging #SyslogFacility AUTH #LogLevel INFO# Authentication:#LoginGraceTime 2m PermitRootLogin prohibit-password #StrictModes yes #MaxAuthTries 6 #MaxSessions 10#PubkeyAuthentication yes |
Add ssh connection port 2244 on line 18
#port 22
Port 2244
#Uncomment line 20 #ListenAddress 0.0.0.0
#Change the "PermitRootLogin prohibit-password" parameter, which is found near line 37. The parameter "prohibit-password" means to disable password authentication for root.
#LoginGraceTime 2m
#PermitRootLogin prohibit-password
↓ Remove comment out #.
PermitRootLogin prohibit-password
Restart SSH service
|
1 |
# systemctl restart ssh |
As it is, SSH connection cannot be made again, so the next firewall allows SSH port 2244, which has been changed
In Ubuntu 22.04 I could connect remotely by opening port 2244 in the firewall, but in Ubuntu 23.04 it does not work, so I edited the following file
|
1 2 3 4 |
# vi /lib/systemd/system/ssh.socket Change the next parameter on line 7 to the selected port (e.g. 2244) ListenStream=2244 |
Reload the daemon
|
1 |
# systemctl daemon-reload |
Restart SSH service
|
1 |
# systemctl restart ssh |
Now I can connect remotely from Windows with Teraterm, etc. The specification seems to have changed in Ubuntu 23.
2. Firewall Settings
Ubuntu often uses software called "ufw" to configure the firewall
UFW is installed when the OS is installed.
Here are the steps to configure minimal filter settings after installation.
Filter rules to be configured with ufw
-Deny all packets forwarded to the server
-Allow all packets sent from the server to the outside
-The first port allowed is the port for SSH (2244)
-Restrict packets coming into the server
2.1 Check ufw package
Check installed packages with the "dpkg" command to display packages
|
1 2 |
# dpkg -l | grep ufw ii ufw 0.36.1-4.1ubuntu0.1 all program for managing a Netfilter firewall |
Installed "ufw packages" are displayed.
Run "systemctl status" command to check the status of ufw
|
1 2 3 4 5 6 7 8 9 10 |
# systemctl status ufw ● ufw.service - Uncomplicated firewall Loaded: loaded (/lib/systemd/system/ufw.service; enabled; preset: enabled) Active: active (exited) since Sun 2023-10-01 20:51:44 JST; 6h left Docs: man:ufw(8) Main PID: 585 (code=exited, status=0/SUCCESS) CPU: 5ms Oct 01 20:51:44 lepard systemd[1]: Starting ufw.service - Uncomplicated firewall... Oct 01 20:51:44 lepard systemd[1]: Finished ufw.service - Uncomplicated firewall. |
You can confirm that the ufw service is running by seeing "Active: inactive (exited)".
Enable ufw.
|
1 2 3 |
# systemctl enable ufw Synchronizing state of ufw.service with SysV service script with /lib/systemd/systemd-sysv-install. Executing: /lib/systemd/systemd-sysv-install enable ufw |
|
1 2 3 |
# ufw enable Command may disrupt existing ssh connections. Proceed with operation (y|n)? Y Firewall is active and enabled on system startup |
2.2 Basic firewall rule configuration
When ufw is enabled, default firewall rules are applied. If you enable it as is, you may lose communication with the server, so set basic rules before enabling ufw.
2.2.1 Incoming packets Default rule settings
First, set the rules for incoming packets. The general rule is to deny all incoming packets except for specific communications. Execute "ufw default deny incoming" to basically deny all incoming packets.
|
1 2 3 |
# ufw default deny incoming Default incoming policy changed to 'deny' (be sure to update your rules accordingly) |
2.2.2 Outgoing packets Default rule settings
The general rule is to allow all outgoing packets. Execute "ufw default allow outgoing" to basically allow outgoing packets.
|
1 2 3 |
# ufw default allow outgoing Default outgoing policy changed to 'allow' (be sure to update your rules accordingly) |
2.3 Open SSH port
Allow SSH connections. The default SSH port is 22. Allow with the following command
|
1 2 |
# ufw allow ssh # ufw reload |
If you have set your own 2244 port
|
1 2 |
# ufw allow 2244/tcp # ufw reload |
2.4Confirmation of ufw settings
Check the rules configured in the firewall after enabling." ufw status verbose".
|
1 2 3 4 5 6 7 8 9 10 11 12 |
# ufw status verbose Status: active Logging: on (low) Default: deny (incoming), allow (outgoing), disabled (routed) New profiles: skip To Action From -- ------ ---- 22/tcp ALLOW IN Anywhere 2244/tcp ALLOW IN Anywhere 22/tcp (v6) ALLOW IN Anywhere (v6) 2244/tcp (v6) ALLOW IN Anywhere (v6) |
2.5 Limit packets coming into the server
If you want to "allow communication coming to port number ◯◯" in ufw settings, use the following command
# ufw allow [Port number]/tcp
If you want to "disallow communication coming to port number ◯◯", use the following command
# ufw deny [Port number]/tcp
2.5.1 Do not allow connections from IP addresses that access continuously
Explained using the SSH port 2244 that was just configured as an example
The ssh connection is allowed to communicate to port 2244 because of the change to port 2244.
They will try to gain access to port 2244 by typing in the appropriate password and attempting to match it by chance so that they can log in. This is also called a brute force attack.
Set "Do not allow connections from IP addresses that are accessing consecutively".
|
1 |
# ufw limit 2244 |
This will set the "Do not allow IP addresses with more than 6 connection attempts in a 30 second period" rule.
Confirm the setting. Display as follows.
|
1 2 3 4 5 6 |
# ufw status Status: active To Action From -- ------ ---- 2244 LIMIT Anywhere 2244(v6) 1 LIMIT Anywhere (v6) |
2.5.2 Only allow ssh connections from specific networks
Even with the above settings, the ssh port is still open to the external Internet, so even if you set a limit on the number of connections, it is possible that someone will guess your password and connect to your computer in some way or another, or that a vulnerability attack will be used to connect to your computer.
Therefore, it is recommended that ssh connections be allowed only from internal networks, and that all external ssh connections be disabled.
As an example, there is a host in the local area network with an IP address of "192.168.11.10". Allow ssh connections only from this host. Or, to allow ssh connections only from this network (192.168.11.0/24), type the following command
|
1 2 |
Allow ssh connections from 192.168.11.0/24 # ufw allow from 192.168.11.0/24 to any port 2244 |
|
1 2 |
Allow ssh connections from 192.168.11.10 # ufw allow from 192.168.11.10 to any port 2244 |
If you check the settings, you will see that
|
1 2 3 4 5 6 7 8 |
Result of allowing ssh connections from 192.168.11.0/24 # ufw status Status: active To Action From -- ------ ---- 2244 LIMIT Anywhere 2244 ALLOW 192.168.11.0/24 2244 (v6) LIMIT Anywhere (v6) |
Delete the rule with LIMIT. View the rule number and confirm the setting.
|
1 2 3 4 5 6 7 8 |
Result of allowing ssh connections from 192.168.11.0/24 # ufw status numbered Status: active To Action From -- ------ ---- [ 1] 2244 LIMIT IN Anywhere [ 2] 2244 ALLOW IN 192.168.11.0/24 [ 3] 2244 (v6) LIMIT IN Anywhere (v6) |
Delete rule 1 by specifying its number.
|
1 2 3 4 5 |
# ufw delete 1 Deleting: limit 2244 Proceed with operation (y|n)? y Rule deleted |
2.5.3 Opening of the web and other services
You can allow connections by specifying a port number, or you can specify an application.
You can see a list of applications with the following command.
|
1 |
# vi /etc/services |
For example, to enable http and https for web services
|
1 2 3 4 5 6 7 |
# ufw allow http Rule added Rule added (v6) # ufw allow https Rule added Rule added (v6) # ufw reload |
2.5.4 Disable ipv6 ufw
|
1 2 |
# vi /etc/default/ufw IPV6=yes → IPV6=no change |
Restart the firewall after all work
|
1 |
# systemctl restart ufw |