Start with (as root) apt-get install openssh-server
apt-get install fail2ban
ufw allow OpenSSH
ufw enable
I use the following suffix to the /etc/ssh/sshd_config file: …
72 #
73 # local tweaks
74 #
75 Protocol 2
76 PermitRootLogin no
77 Banner /etc/ssh/banner
78 UseDNS yes
79 MaxStartups 1
80 LoginGraceTime 15
81 PubkeyAuthentication yes
82 PasswordAuthentication no
83 ChallengeResponseAuthentication no
84 X11Forwarding yes
85 AllowTcpForwarding yes
86 DebianBanner no
87 Match Address 192.168.0.0/24,127.0.0.1,192.168.1.0/24
88     PasswordAuthentication yes
Line 82 should be commented out until you have generated an SSH key pair and placed the public key in ~/.ssh/authorized_keys, as it prevents logins using just a password. Lines 87-88 remove this restriction for local nets. Line 77 references a banner that you can provide which is presented upon SSH connection.

fail2ban with its default configuration will essentially just block objectionable SSH traffic. If you decide to extend it, create a /etc/fail2ban/jail.local file to supplement the default /etc/fail2ban/jail.conf file (the former augments the latter). As others have mentioned, there are a number of resources available. Do not make all suggestions blindly: some are of questionable efficacy and complexity.

ufw will allow precise tuning of iptables. Watch /var/log/ufw.log for entries indicating traffic being dropped, either appropriately or not. Once more services are added (and secured), introduce related rules into ufw one by one. If your system is exposed to the general Internet, be particularly careful with such services' configurations. The above minimal ufw commands will prevent many commonly used network services on the local network, such as CIFS. Some packages install custom ufw application definitions which can be listed with the ufw app list command (e.g., Postfix, Apache). Such applications usually open the services to all, as opposed to just the local network.
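The following POSIX sh helper is an added example, not part of the answer above. It automates the ordering the answer insists on: it only writes PasswordAuthentication no once a key is actually present in the user's authorized_keys, appends the "local tweaks" suffix exactly once, writes a minimal jail.local for the sshd jail (the jail name assumes fail2ban 0.9 or later; the ban values are illustrative), and reports the global PasswordAuthentication value that sshd will actually use. That last check matters because sshd takes the first occurrence of a keyword, so a suffix appended to a file that already sets PasswordAuthentication earlier does not override it. File paths are parameters so the functions can be tried on throw-away files; the real targets are /etc/ssh/sshd_config and /etc/fail2ban/jail.local, and the key in demo() is a constructed fake.

```shell
#!/bin/sh
# Added example: safe application of the sshd_config suffix from the answer.
# Paths are parameters; real targets are /etc/ssh/sshd_config and
# /etc/fail2ban/jail.local. Run the real config through `sshd -t` before
# reloading sshd.

# keys_present USER_HOME
# 0 if USER_HOME/.ssh/authorized_keys has at least one key line
# (comments and blank lines ignored). Only then is PasswordAuthentication no safe.
keys_present() {
    f="$1/.ssh/authorized_keys"
    [ -r "$f" ] || return 1
    grep -Ev '^[[:space:]]*#' "$f" |
        grep -Eq '(^|[[:space:]])(ssh-|ecdsa-|sk-)[^[:space:]]+[[:space:]]+[A-Za-z0-9+/]+=*'
}

# write_sshd_suffix CONFIG_FILE [yes|no]
# Appends the answer's "local tweaks" block once (idempotent, keyed on the
# marker comment). Second argument is the global PasswordAuthentication value.
write_sshd_suffix() {
    cfg="$1"; pw="${2:-no}"
    grep -q '^# local tweaks' "$cfg" 2>/dev/null && return 0
    cat >> "$cfg" <<EOF
#
# local tweaks
#
Protocol 2
PermitRootLogin no
Banner /etc/ssh/banner
UseDNS yes
MaxStartups 1
LoginGraceTime 15
PubkeyAuthentication yes
PasswordAuthentication $pw
ChallengeResponseAuthentication no
X11Forwarding yes
AllowTcpForwarding yes
DebianBanner no
Match Address 192.168.0.0/24,127.0.0.1,192.168.1.0/24
    PasswordAuthentication yes
EOF
}

# effective_password_auth CONFIG_FILE
# Prints the PasswordAuthentication value that applies outside any Match
# block: sshd uses the first occurrence, so anything set earlier in the file
# beats the appended suffix.
effective_password_auth() {
    awk 'tolower($1)=="match"{exit}
         tolower($1)=="passwordauthentication"{print $2; exit}' "$1"
}

# write_jail_local FILE
# Minimal jail.local enabling the sshd jail; it supplements jail.conf rather
# than replacing it. Values are illustrative (assumes fail2ban >= 0.9).
write_jail_local() {
    cat > "$1" <<'EOF'
[sshd]
enabled  = true
maxretry = 5
findtime = 10m
bantime  = 1h
EOF
}

# apply_sshd_config CONFIG_FILE USER_HOME
# Keeps password logins enabled until a key is installed, then writes the suffix.
apply_sshd_config() {
    if keys_present "$2"; then pw=no; else pw=yes; fi
    write_sshd_suffix "$1" "$pw"
}

# demo: run the whole flow against temporary files with a constructed (fake)
# key and print the resulting global PasswordAuthentication value ("no").
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/home/.ssh"
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyConstructedForThisDemo00000 user@host\n' \
        > "$tmp/home/.ssh/authorized_keys"
    apply_sshd_config "$tmp/sshd_config" "$tmp/home"
    write_jail_local "$tmp/jail.local"
    effective_password_auth "$tmp/sshd_config"
    rm -rf "$tmp"
}
```

Source the file and call demo, or point apply_sshd_config at the real config as root; on a real system follow it with sshd -t and only then reload sshd, keeping an existing session open until a fresh key-based login succeeds.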