author Kévin Le Gouguec <kevin.legouguec@gmail.com> 2025-01-19 15:05:45 +0100
committer Kévin Le Gouguec <kevin.legouguec@gmail.com> 2025-01-19 15:05:45 +0100
commit f1a6853813fde1fd9b4784b73190269cc7f82cb3
tree cf5bc50b463b686c50fcfbe647b9b0d65c66cdd1 /guides
parent b1e22d6007297e131d5de0cee06f1d5cafda4e01
Touch up VPS security notes

https://lobste.rs/s/gvo8fy/thoughts_on_having_ssh_allow_password

I feel seen 🙈
Diffstat (limited to 'guides')
-rw-r--r-- guides/sysadmin/cloud/vps.org 42
1 files changed, 24 insertions, 18 deletions
diff --git a/guides/sysadmin/cloud/vps.org b/guides/sysadmin/cloud/vps.org
index 317cb27..d7b9b5a 100644
--- a/guides/sysadmin/cloud/vps.org
+++ b/guides/sysadmin/cloud/vps.org
@@ -1,39 +1,45 @@
* Security
-** Switch APT to HTTPS
+** APT
+*** Switch to HTTPS
~sudo sed -i 's/http:/https:/' /etc/apt/sources.list~
Granted, the repository signature provides enough protection; still,
no sense in wasting bandwidth and CPU if someone is meddling.
-** Tweak root access
-On OVH's Debian image:
-- The =root= account has no password.
-- =PermitRootLogin= defaults to =prohibit-password=: set it to =no=.
-** Enable fail2ban
+** fail2ban
~lastb~ says there's about 4000 login attempts per day; that makes
=/var/log/btmp= much bigger than it needs to be.
Debian's fail2ban comes with a jail for ~sshd~, so it's just a matter
of ~apt install fail2ban~.
-** Tweak user accounts
-=debian= seems mildly popular among bots looking for valid usernames.
+** Accounts
+*** =root=
+On OVH's Debian image:
+- The =root= account has no password.
+- =PermitRootLogin= defaults to =prohibit-password=: set it to =no=.
+*** =debian=
+Seems popular among bots looking for valid usernames.
-Ideally I'd just rename the =debian= account, but renaming does not
-seem to be a very well-defined operation: ~usermod --login $name
---move-home --home /home/$name debian~ gets partway there, but leaves
-a bunch of miscellany to take care of (e.g. sudoers).
+Ideally I'd just rename the =debian= account, but renaming is not a
+well-defined operation: ~usermod --login $name --move-home --home
+/home/$name debian~ gets partway there, but leaves a bunch of
+miscellany to take care of (e.g. sudoers).
-So instead, I'll
-- create my own user account: ~sudo adduser $name~
+So instead,
+- create my own user account: ~sudo adduser ๐“Š~
- add it to all groups =debian= belongs to:
#+begin_src sh
groups=$(groups | tr ' ' '\n' | grep -v debian | paste -sd,)
- sudo usermod --append --groups ${groups} ${name}
+ sudo usermod --append --groups ${groups} ๐“Š
+ #+end_src
+- only allow authentication over SSH for this user:
+ #+begin_src conf
+ AllowUsers ๐“Š
#+end_src
-- only allow password authentication over SSH for this new user
- account:
+- in case I ever change my mind about =AllowUsers=, at least limit
+ password authentication to this user:
#+begin_src conf
PasswordAuthentication no
- Match User โ€ฆ
+ Match User ๐“Š
PasswordAuthentication yes
#+end_src
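
Review bot: the new =AllowUsers= item shuts every other account out of SSH, including =debian=, the account the preceding steps are run from, and the list has no step to confirm the new account can log in and use sudo before sshd is reloaded. Suggest adding one: validate the file with ~sudo sshd -t~, reload, and test a login from a second session while the current one stays open. In the last item, it is worth saying that the =Match User= block has to sit at the end of =sshd_config=, since a =Match= block runs until the next =Match= or the end of the file and would otherwise capture any directives placed after it. Smaller points in the groups snippet: ~${groups}~ is unquoted in the ~usermod~ call, and ~grep -v debian~ drops any group whose name merely contains "debian"; ~grep -vx debian~ would exclude only the exact name.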