From f1a6853813fde1fd9b4784b73190269cc7f82cb3 Mon Sep 17 00:00:00 2001
From: Kévin Le Gouguec
Date: Sun, 19 Jan 2025 15:05:45 +0100
Subject: Touch up VPS security notes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

https://lobste.rs/s/gvo8fy/thoughts_on_having_ssh_allow_password

I feel seen 🙈
---
 guides/sysadmin/cloud/vps.org | 42 ++++++++++++++++++++++++------------------
 1 file changed, 24 insertions(+), 18 deletions(-)

diff --git a/guides/sysadmin/cloud/vps.org b/guides/sysadmin/cloud/vps.org
index 317cb27..d7b9b5a 100644
--- a/guides/sysadmin/cloud/vps.org
+++ b/guides/sysadmin/cloud/vps.org
@@ -1,39 +1,45 @@ * Security -** Switch APT to HTTPS +** APT +*** Switch to HTTPS ~sudo sed -i 's/http:/https:/' /etc/apt/sources.list~ Granted, the repository signature provides enough protection; still, no sense in wasting bandwidth and CPU if someone is meddling. -** Tweak root access -On OVH's Debian image: -- The =root= account has no password. -- =PermitRootLogin= defaults to =prohibit-password=: set it to =no=. -** Enable fail2ban +** fail2ban ~lastb~ says there's about 4000 login attempts per day; that makes =/var/log/btmp= much bigger than it needs to be. Debian's fail2ban comes with a jail for ~sshd~, so it's just a matter of ~apt install fail2ban~. -** Tweak user accounts -=debian= seems mildly popular among bots looking for valid usernames. +** Accounts +*** =root= +On OVH's Debian image: +- The =root= account has no password. +- =PermitRootLogin= defaults to =prohibit-password=: set it to =no=. +*** =debian= +Seems popular among bots looking for valid usernames. -Ideally I'd just rename the =debian= account, but renaming does not -seem to be a very well-defined operation: ~usermod --login $name ---move-home --home /home/$name debian~ gets partway there, but leaves -a bunch of miscellany to take care of (e.g. sudoers). +Ideally I'd just rename the =debian= account, but renaming is not a +well-defined operation: ~usermod --login $name --move-home --home +/home/$name debian~ gets partway there, but leaves a bunch of +miscellany to take care of (e.g. sudoers). 
-So instead, I'll -- create my own user account: ~sudo adduser $name~ +So instead, +- create my own user account: ~sudo adduser π“Š~ - add it to all groups =debian= belongs to: #+begin_src sh groups=$(groups | tr ' ' '\n' | grep -v debian | paste -sd,) - sudo usermod --append --groups ${groups} ${name} + sudo usermod --append --groups ${groups} π“Š + #+end_src +- only allow authentication over SSH for this user: + #+begin_src conf + AllowUsers π“Š #+end_src -- only allow password authentication over SSH for this new user - account: +- in case I ever change my mind about =AllowUsers=, at least limit + password authentication to this user: #+begin_src conf PasswordAuthentication no - Match User … + Match User π“Š PasswordAuthentication yes #+end_src -- cgit v1.2.3
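Review bot: the two sshd_config fragments added in this hunk (the ~AllowUsers~ block and the ~PasswordAuthentication no~ / ~Match User~ block) are shown without saying where they go in the file, and placement matters: every directive after a ~Match~ line belongs to that block until the next ~Match~ or end of file, so the global ~AllowUsers~ and ~PasswordAuthentication no~ must come before the ~Match User~ block, and the ~Match~ block should be the last thing in sshd_config. The note should also spell out the lock-out risk: a typo in the ~AllowUsers~ username shuts out every account, so run ~sudo sshd -t~ and ~sudo sshd -T -C user=$name | grep -i passwordauthentication~ before reloading, and keep the current session open until a fresh login works. Minor, on the group-copy snippet: ~grep -v debian~ is a substring filter, so it also drops any other group whose name contains "debian", and ~groups~ reports the groups of whoever runs the pipeline, so it needs to be run from the =debian= account rather than a root shell to copy the intended set.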