DMW

Duncan Wither

Home	Notes	Github	LinkedIn

General Tips

Some general tips (that I might disagree with) from This Video:

SSH port change is not needed
- The video argues obscurity = meaningless, however its not pointless, so it could still be worthwhile.
Disabling IPv4 or 6 is not needed
Disable Auto-updates
- This is for semi-serious hosting. I’d rather be safe and have the website crash occasionally than hang about manually updating.
Using root on a server is fine, which (through laziness) I already do.

This is another good self hosting guide with security stuff included.

SSH + RSA

Fail2Ban

Fail to ban protects people from brute forcing their way into your server.

To install:

sudo apt-get install fail2ban

The global settings are stored in /etc/fail2ban/jail.conf. It’s poor practice to modify this directly (as updates modify this file) but instead copy it to jail.local and modify it. jail.local will overwrite the jail.conf rules.

Under the [DEFAULT] header¹ here’s some key settings to modify:

Allow local access with the lineignoreip = 127.0.0.1/8.
bantime = 3600 sets the bantime to 1 hour.
maxretry = 3 is how many failed attempts are allowed.
findtime = 3600is the period in which these failed attempts are searched for (1 hour in this case).

More settings can be found in this tutorial.

Then to start banning run:

sudo service fail2ban restart

To see if things are getting banned run:

sudo zgrep 'Ban' /var/log/fail2ban.log*

And pass it into wc -l to see how many bans have occurred.

The [DEFAULT] header is the base rules, individual rules can be made up for different protocols on different ports. But for my server uses, just modifing [DEFAULT] works a treat.↩︎