HARDENING DROPLET

Let's do some cleaning up around the edges before we open our box up to the public. This is not a comprehensive hardening checklist, but the bare minimum I would consider as a decent baseline. This guide assumes you just spawned a new Ubuntu droplet and currently have root access.

Updates

Type the following command and when prompted, provide "y" or "yes" to proceed with updates.

apt update && apt upgrade

Once updates are done, go ahead and reboot the box.

reboot

From your system, you can try pinging the droplet's IP address to see when it becomes available again.

ping IP

Change root password

You can change the password by typing the following command and filling out the prompts.

passwd root

Create new sudo user

It's best practice not to be operating under the root user unless necessary. Learn how to create a new sudo user here.

SSH setup for new sudo user

Now that we have a new user created, lets setup SSH for that user so that we can remove ssh for the root user. For this setup, please make sure you are logged in with your new user with sudo su mynewusername.

You can reference this guide for setting up SSH directories for a new sudo user.

After following the guide, see if you can login with your new user via SSH.

ssh mynewusername@IP

if you run into issues, try to manually provide your private key (not the one that ends in .pub) with the following command:

Linux

ssh -i "/path/to/private/key" mynewusername@IP

Windows

ssh -i "\path\to\private\key" mynewusername@IP

Now, if you password-protected your private key, supply the password and you should now have a user shell on your droplet.

IF you had to provide the new droplet user's password, then we were not able to accurately test public key authentication. Try the following to disable password authentication to make sure you can use public key authentication.

Access the sshd config file

sudo nano /etc/ssh/sshd_config

Find the following line

PasswordAuthentication yes

Change it to

PasswordAuthentication no

Find the following line

PubkeyAuthentication no

Change it to

PubkeyAuthentication yes

If you found a "#" infront of any of the lines, remove it.

Restart sshd

sudo systemctl restart ssh

Retest and see if you can authenticate with your private key. If you still have issues, feel free to join our discord and ask for assistance in the tech-support forum.

SSH hardening

Only perform this step if you have verified that you can authenticate ssh by strictly using your private key and your new username.

We are going to be cleaning up the /etc/ssh/sshd_config file to lock down access to only our new user and only by public key authentication. For the following instructions, for each line if there is a "#" at the beginning, remove it. If you do not see the line at all, you will have to add it.

NOTE: Each line is case-sensitive. Also, make sure that the line isn't already present because duplicate entries may cause conflict or unexpected results.

1. Edit the sshd configuration file.

sudo nano /etc/ssh/sshd_config

2. Allow only your username.

AllowUsers mynewusername

3. Verify password authentication is disabled. (This should have been tested in previous section)

PasswordAuthentication no

4. Disable root login.

PermitRootLogin no

5. Verify public key authentication is enabled. (This should have been tested in previous section)

PubkeyAuthentication yes

6. Disable other authentication methods.

ChallengeResponseAuthentication no
UsePAM no
KerberosAuthentication no
GSSAPIAuthentication no

7. Restart sshd.

sudo systemctl restart ssh

8. Do not disconnect from your current ssh session in case something went wrong. Try to open a new terminal and verify you can still authenticate while keeping your current ssh session alive.

Disable root login

After you have thoroughly tested that you can get in with your new user, we can safely disable root login.

1. Lock the root account.

sudo passwd -l root

2. (OPTIONAL) You can do this after you have finished this guide because you will not be able to use root at all.

sudo usermod -s /sbin/nologin root

If you have to get back into root, you can undo this by doing

sudo usermod -s /bin/bash root

And to get back into root you can do

sudo su

UFW setup

We are going to setup an easy to use firewall called UFW. Im going to just give you an example of setting up UFW to allow SSH and NGINX traffic. You will need to customize this depending on what services you are using and what you want to allow/deny.

1. Install ufw if not already installed.

sudo apt install ufw

2. Install nginx.

sudo apt install nginx

4. Allow ssh.

sudo ufw allow ssh

5. Allow nginx.

sudo ufw allow 'NGINX Full'

6. Enable ufw.

sudo ufw enable

8. Do not disconnect from your SSH session in case something went wrong. This is a good time to open a new terminal and verify you can still connect via SSH.

---

Thanks for reading!

- SH3LL

CONNECT