Security

Protect your self-hosted VitNode app with these security measures.

Now, let's talk about security. Security is a crucial part of any deployment, and all the more so when you host the app yourself.

SSH Key Authentication

Authenticating with an SSH key is more secure than a password, so use key-based authentication instead of password logins.

Here we will generate an SSH key using Termius, an SSH client.

Generate SSH Key

In Termius, open the "Settings => Keychain" tab and click the "Generate" button in the SSH Keys section. Enter a label and a passphrase for the key and click "Generate".

Generate SSH Key in Termius

Save Public Key

After generating the SSH key, save the public key.

Add Public Key to Server

Create the ~/.ssh folder on the server (if it does not exist yet) and add the public key to the ~/.ssh/authorized_keys file:

mkdir -p ~/.ssh && nano ~/.ssh/authorized_keys

Paste the public key into the authorized_keys file and save it: press Ctrl + X, then Y to confirm the changes, then Enter to save the file. Press Enter again to exit the editor.

Set Permissions for SSH Files

Restrict the permissions on ~/.ssh and ~/.ssh/authorized_keys, then restart the SSH service. With the default StrictModes setting, sshd ignores keys in a file or directory that other users can write to, so these permissions are required for the key to work.

chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys && sudo systemctl restart sshd

Test connection to the server

Now try to connect to the server using the SSH key instead of a password.

Log in with the SSH Key

Make sure you can connect to the server using the SSH key.

Your password is still required to use sudo commands.

Edit Configuration File

To harden the SSH server, edit its configuration file and make the changes below.

Open the configuration file:

sudo nano /etc/ssh/sshd_config

Change SSH Port

Change the default SSH port from

/etc/ssh/sshd_config
#Port 22

to a custom port

/etc/ssh/sshd_config
Port {port}

Avoid common ports such as 22 and 2222. A custom port does not stop a targeted attacker, but it cuts most of the automated scanning noise out of your logs.

Disable Root Login

Change from:

/etc/ssh/sshd_config
PermitRootLogin yes

to:

/etc/ssh/sshd_config
PermitRootLogin no

Disable Password Authentication

Change from:

/etc/ssh/sshd_config
#PasswordAuthentication yes

to:

/etc/ssh/sshd_config
PasswordAuthentication no

Save & Restart

After making the changes, save the file: press Ctrl + X, then Y to confirm the changes, then Enter to save the file. Press Enter again to exit the editor.

Restart the SSH service to apply the changes:

sudo systemctl restart sshd

Before closing your current session, open a new one and check that you can connect on the new port with the SSH key. If the new connection fails, you can still fix the configuration from the session that is still open.

Cloud Config (Optional)

Some cloud providers, such as Hetzner, ship a 50-cloud-init.conf drop-in in /etc/ssh/sshd_config.d/ that overrides the settings in sshd_config (drop-ins are included before the main file, and sshd uses the first value it reads for each keyword). Remove this file, and restart the SSH service, for your changes to take effect.

sudo rm /etc/ssh/sshd_config.d/50-cloud-init.conf

Check Password Setting

Check the password settings on the server:

sudo sshd -T | grep passwordauthentication

If the output is passwordauthentication no, password authentication is disabled. sshd -T prints the effective value after all included files are applied, so this check also catches an override from a drop-in file.
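The check above can be extended to every setting changed in this section. The script below is an added example (not part of VitNode): it audits `sshd -T` output for an uncommon port, PermitRootLogin no, PasswordAuthentication no and PubkeyAuthentication yes, and runs against two constructed samples so it can be tried offline; the port value 48222 in the sample is made up.

```sh
#!/bin/sh
# Audit `sshd -T` output against the hardening steps above (uncommon port,
# no root login, no password login, keys enabled). Added example, not VitNode code.
# Live use on the server:  sudo sshd -T | sh audit_sshd.sh --stdin
# Print the value of keyword $2 from the `sshd -T` text in $1 (keywords are lowercase).
sshd_value() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# Returns the number of failed checks; 0 means the guide's settings are in effect.
audit_sshd_config() {
    cfg=$1
    failures=0
    port=$(sshd_value "$cfg" port)
    case "$port" in
        ""|22|2222) echo "FAIL: port is '${port:-unset}'; pick an uncommon port"
                    failures=$((failures + 1)) ;;
        *)          echo "ok:   port $port" ;;
    esac
    for pair in "permitrootlogin no" "passwordauthentication no" "pubkeyauthentication yes"; do
        key=${pair% *}
        want=${pair#* }
        actual=$(sshd_value "$cfg" "$key")
        if [ "$actual" = "$want" ]; then
            echo "ok:   $key $actual"
        else
            echo "FAIL: $key is '${actual:-unset}' (expected $want)"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Constructed samples (not real output from any host): a stock install, and the
# same host after the port, PermitRootLogin and PasswordAuthentication edits.
DEFAULT_SAMPLE='port 22
permitrootlogin yes
passwordauthentication yes
pubkeyauthentication yes'
HARDENED_SAMPLE='port 48222
permitrootlogin no
passwordauthentication no
pubkeyauthentication yes'
if [ "$1" = "--stdin" ]; then
    audit_sshd_config "$(cat)"
else
    echo "== stock install =="; audit_sshd_config "$DEFAULT_SAMPLE" || echo "$? check(s) failed"
    echo "== hardened =="; audit_sshd_config "$HARDENED_SAMPLE" && echo "all checks passed"
fi
```

A non-zero exit status equals the number of failed checks, so the script can be run from a cron job or deployment pipeline as a drift check.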

Fail2Ban

Fail2Ban is an intrusion prevention software framework that protects computer servers from brute-force attacks. It works by monitoring the server's logs for malicious activity and blocking the IP addresses of attackers.

sudo apt install fail2ban -y && sudo systemctl enable fail2ban && sudo systemctl start fail2ban && sudo systemctl status fail2ban

This command will install Fail2Ban, enable it to start on boot, start the service, and check the status. If everything is OK, you should see the status as active.

Disable IPv6

If you're not using IPv6, it's recommended to disable it.

Check IPv6

Check if IPv6 is enabled on the server:

ip a | grep inet6

If you see an IPv6 address, it means IPv6 is enabled.

Open the sysctl Configuration File

sudo nano /etc/sysctl.conf

Edit the sysctl Configuration File

Add the following lines to the end of the file:

/etc/sysctl.conf
# Disable IPv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

After adding the lines, save the file: press Ctrl + X, then Y to confirm the changes, then Enter to save the file. Press Enter again to exit the editor.

Apply changes

sudo sysctl -p

Firewall (UFW)

Uncomplicated Firewall (UFW) is a user-friendly frontend for managing iptables firewall rules, and it is the recommended way to manage the firewall on this server. The 'Nginx Full' profile used below (HTTP and HTTPS) is provided by the nginx package, so install Nginx before running the command.

Install UFW

sudo apt install ufw -y &&\
  sudo ufw default deny incoming &&\
  sudo ufw default allow outgoing &&\
  sudo ufw allow ssh &&\
  sudo ufw allow 'Nginx Full'

Allow Custom SSH Port

If you changed the SSH port, you also need to allow the new port, because the ssh profile above only opens port 22. Once you have confirmed that connections on the new port work, the port 22 rule can be removed.

sudo ufw allow {port}

Enable UFW

Enable UFW and check the status:

sudo ufw enable && sudo ufw status