On your PC:
ssh-keygen -t ed25519
ssh-copy-id user@your-server

On your Linux server:
sudo nano /etc/ssh/sshd_config
Set:
PermitRootLogin no
PasswordAuthentication no

Save & restart service (keep your current session open and confirm a key-based login works from a second terminal first, so you are not locked out once passwords are refused)
sudo systemctl restart ssh

sudo apt install ufw
sudo ufw default deny incoming
sudo ufw allow ssh
sudo ufw enable
(the allow rule for SSH above must come before enable, otherwise the firewall cuts off your own session)

sudo apt install fail2ban
sudo systemctl enable --now fail2ban

sudo apt install unattended-upgrades
sudo nano /etc/apt/apt.conf.d/20auto-upgrades
Add:
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

sudo nano /etc/apt/apt.conf.d/50unattended-upgrades
Add:
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
};
Unattended-Upgrade::Automatic-Reboot "false";
(with automatic reboot disabled, updates that need a reboot, such as a new kernel, only take effect after you reboot manually)
sudo nano /etc/sysctl.d/99-hardening.conf
Add:
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.tcp_syncookies = 1

Save & load
sudo sysctl --system

sudo apt install libpam-pwquality
sudo nano /etc/security/pwquality.conf
Set:
minlen = 14
dcredit = -1
ucredit = -1
ocredit = -1
lcredit = -1
sudo nano /etc/ssh/sshd_config
Add:
MaxAuthTries 3
ClientAliveInterval 15
ClientAliveCountMax 3
AllowUsers <yourusername>
(replace <yourusername> with the account you log in with; once AllowUsers is set, every account not listed is refused)

Save & restart service
sudo systemctl restart ssh

echo "Unauthorized access is prohibited." | sudo tee /etc/issue.net
sudo nano /etc/ssh/sshd_config
Add:
Banner /etc/issue.net

Save & restart service
sudo systemctl restart ssh

sudo nano /etc/profile
Set:
umask 027
sudo ss -tulnp
sudo systemctl list-unit-files --type=service | grep enabled
# Disable unused services, e.g.:
sudo systemctl disable avahi-daemon
sudo systemctl disable cups

- CIS Benchmark
- OpenSCAP
- SSH-Audit
- Lynis
- AppArmor/SELinux
- auditd
- rkhunter
- ClamAV