Server Hardening

Do not understimate the importance of securing your information.

Keeping your system updated is the first line of defense against vulnerabilities.

Enable Unattended Upgrades: Automatically apply security updates.

sudo apt install unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades

Enforce Key-Based Authentication: Disable password logins for stronger security.
```
PasswordAuthentication no
```
Set up SSH Keys (Crucial for Access after Disabling Passwords):
- On your local machine (client computer): Generate an SSH key pair if you don’t already have one. Replace your_email@example.com with your actual email.
```
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
```
  Follow the prompts to save the key (default location is ~/.ssh/id_rsa) and set a strong passphrase.
- Copy your public key to the server: Use ssh-copy-id to securely transfer your public key to the server. Replace pablo with your non-root username and your_server_ip with your server’s IP address or hostname.
```
ssh-copy-id pablo@your_server_ip
```
  If you changed the SSH port, you’ll need to specify it:
```
ssh-copy-id -p 2222 pablo@your_server_ip
```
  This command will create the ~/.ssh/ directory and the authorized_keys file on the server (if they don’t exist) and place your public key inside it.
Restart SSH Service: Apply all changes.
```
sudo systemctl restart sshd
```
Tip: After these changes, immediately test your SSH key login from a new terminal session before closing your current one. This ensures you haven’t locked yourself out.

UFW (Uncomplicated Firewall) helps control network access.

Enable UFW:
```
sudo ufw enable
```
Allow Necessary Incoming Connections: Replace OpenSSH with your custom SSH port if you changed it.
```
sudo ufw allow OpenSSH # or your custom SSH port
sudo ufw allow http
sudo ufw allow https
```
Pro Tip: Consider rate-limiting SSH connections from a single IP to mitigate brute-force attempts before Fail2Ban.
```
sudo ufw limit OpenSSH
```

Set Default Policies:

sudo ufw default deny incoming
sudo ufw default allow outgoing

Check UFW Status: Verify your firewall rules.
```
sudo ufw status verbose
```

Protect against brute-force attacks by temporarily banning malicious IPs.

Install Fail2Ban:
```
sudo apt install fail2ban
```
Configure Fail2Ban for SSH: Create /etc/fail2ban/jail.local with the following content.
```
[sshd]
enabled = true
port    = ssh
logpath = %(sshd_log)s
maxretry = 5
```
Note: You can adjust maxretry (number of failed attempts) and add bantime (how long to ban in seconds) and findtime (period over which attempts are counted) for fine-tuning. For example: bantime = 3600 (1 hour) and findtime = 600 (10 minutes).
Restart Fail2Ban: Apply changes.
```
sudo systemctl restart fail2ban
```
Check Fail2Ban Status for SSH:
```
sudo fail2ban-client status sshd
```

Caddy simplifies web serving with automatic HTTPS.

Automatic HTTPS: Caddy handles TLS certificate acquisition and renewal for you.
Run as Limited User: Ensure Caddy runs under a dedicated, limited system user for enhanced security.
Set Permissions for Web Root: Adjust ownership and permissions for your web files. Replace /var/www/html with your actual web root.
```
sudo chown -R caddy:caddy /var/www/html
sudo chmod -R 755 /var/www/html
```

Minimal and Secure Caddyfile: Keep your Caddyfile concise.

pablolebed.dev {
  root * /var/www/html
  file_server
}

Monitor Caddy Logs:
```
journalctl -u caddy -f
```
Tip: After setting up Caddy, enable and start its systemd service with sudo systemctl enable caddy and sudo systemctl start caddy.

Proper user management is fundamental to server security.

Create a Non-Root User with Sudo Privileges: Always use a non-root user for daily tasks. Replace pablo with your desired username.
```
sudo adduser pablo
sudo usermod -aG sudo pablo
```
Disable or Delete Unused Accounts: Remove any accounts that are no longer needed.
Verify Group Memberships:
```
groups pablo
```
Avoid Direct Root Usage: Prefer sudo for administrative tasks instead of logging in as root.