Diffstat (limited to 'guides/sysadmin')
| -rw-r--r-- | guides/sysadmin/cloud/vps.org | 42 |
1 files changed, 24 insertions, 18 deletions
diff --git a/guides/sysadmin/cloud/vps.org b/guides/sysadmin/cloud/vps.org index 317cb27..d7b9b5a 100644 --- a/guides/sysadmin/cloud/vps.org +++ b/guides/sysadmin/cloud/vps.org 
@@ -1,39 +1,45 @@ * Security -** Switch APT to HTTPS +** APT +*** Switch to HTTPS ~sudo sed -i 's/http:/https:/' /etc/apt/sources.list~ Granted, the repository signature provides enough protection; still, no sense in wasting bandwidth and CPU if someone is meddling. -** Tweak root access -On OVH's Debian image: -- The =root= account has no password. -- =PermitRootLogin= defaults to =prohibit-password=: set it to =no=. -** Enable fail2ban +** fail2ban ~lastb~ says there's about 4000 login attempts per day; that makes =/var/log/btmp= much bigger than it needs to be. Debian's fail2ban comes with a jail for ~sshd~, so it's just a matter of ~apt install fail2ban~. -** Tweak user accounts -=debian= seems mildly popular among bots looking for valid usernames. +** Accounts +*** =root= +On OVH's Debian image: +- The =root= account has no password. +- =PermitRootLogin= defaults to =prohibit-password=: set it to =no=. +*** =debian= +Seems popular among bots looking for valid usernames. -Ideally I'd just rename the =debian= account, but renaming does not -seem to be a very well-defined operation: ~usermod --login $name ---move-home --home /home/$name debian~ gets partway there, but leaves -a bunch of miscellany to take care of (e.g. sudoers). +Ideally I'd just rename the =debian= account, but renaming is not a +well-defined operation: ~usermod --login $name --move-home --home +/home/$name debian~ gets partway there, but leaves a bunch of +miscellany to take care of (e.g. sudoers). 
-So instead, I'll -- create my own user account: ~sudo adduser $name~ +So instead, +- create my own user account: ~sudo adduser 𝓊~ - add it to all groups =debian= belongs to: #+begin_src sh groups=$(groups | tr ' ' '\n' | grep -v debian | paste -sd,) - sudo usermod --append --groups ${groups} ${name} + sudo usermod --append --groups ${groups} 𝓊 + #+end_src +- only allow authentication over SSH for this user: + #+begin_src conf + AllowUsers 𝓊 #+end_src -- only allow password authentication over SSH for this new user - account: +- in case I ever change my mind about =AllowUsers=, at least limit + password authentication to this user: #+begin_src conf PasswordAuthentication no - Match User … + Match User 𝓊 PasswordAuthentication yes #+end_src |
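Review bot: the new `AllowUsers 𝓊` block gives no placement guidance, and the same file also gets a `Match User 𝓊` block; a reader who appends both in the order shown ends up with `AllowUsers` after the `Match` line, where sshd treats it as part of that Match scope rather than a global restriction, silently defeating the point of the change. State that `AllowUsers 𝓊` must go before the first `Match` directive, and suggest running `sudo sshd -t` before restarting the service and confirming the new account can log in and `sudo` from a second session before closing the `debian` one, since `AllowUsers` together with `PermitRootLogin no` leaves no other way in. Also, `𝓊` replaces `$name` as the placeholder, but the `sh` block now mixes a literal `𝓊` with the real `${groups}` variable; either keep `${name}` in the shell block or say explicitly that `𝓊` is to be substituted by hand.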
