DEV Community

Kevin Naidoo

Linux servers - essential security tips

Web developers generally hate messing with sysadmin-type tasks; however, at some point in your day job or personal projects you will need to spin up a server instance.

In this guide I will cover some of the basic security essentials you need to ensure your server is relatively secure.

Add an SSH-only user with sudo access:

Note: This is a verbose approach just to illustrate all the steps needed.

NEW_SSH_USER=developer
sudo useradd -m -s /bin/bash "$NEW_SSH_USER"
sudo usermod -aG sudo "$NEW_SSH_USER"
sudo mkdir -p "/home/$NEW_SSH_USER/.ssh"
sudo touch "/home/$NEW_SSH_USER/.ssh/authorized_keys"

# Next, paste your public key into authorized_keys
sudo nano "/home/$NEW_SSH_USER/.ssh/authorized_keys"

# Next, fix ownership and permissions. sshd (StrictModes) rejects the key
# if the directory or file is group- or world-writable.
sudo chown -R "$NEW_SSH_USER:$NEW_SSH_USER" "/home/$NEW_SSH_USER"
sudo chmod 700 "/home/$NEW_SSH_USER/.ssh"
sudo chmod 600 "/home/$NEW_SSH_USER/.ssh/authorized_keys"

Change the default SSH port

This will not hide SSH: a port scan still reveals which port sshd is listening on. Nonetheless, it is good practice to move off the default port, because it filters out the bots that only ever try port 22.

sudo nano /etc/ssh/sshd_config
# Change Port 22 => Port xyz
sudo service ssh restart

Before moving on to the next step, keep this session open and test from a second terminal that you can SSH in with the new username and port.

Disable root and password access

sudo nano /etc/ssh/sshd_config
# Change PermitRootLogin yes => PermitRootLogin no
# Change PasswordAuthentication yes => PasswordAuthentication no

# Allow only our newly created user account access
# Add/Change AllowUsers => AllowUsers developer

# Validate the config first; a typo here locks you out after the restart
sudo sshd -t && sudo service ssh restart
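The three SSH steps above, as one script. This is an added example, not code from the original post: it assumes Debian/Ubuntu (the sudo group, the ssh service, GNU coreutils) and a public-key file to install for the new user; the function names and the port 2222 are mine. Rather than editing sshd_config by hand, it strips any top-level copy of the directives it manages and writes its own at the very top of the file, then validates with sshd -t before restarting.

```shell
#!/bin/sh
# Added example, not code from the original post: the SSH steps above as
# idempotent functions, with the config validated before sshd is restarted.
# Assumptions: Debian/Ubuntu (sudo group, "ssh" service), GNU coreutils,
# and a public key file to install for the new user.
set -eu

# create_ssh_user NAME PUBKEY_FILE
# Key-only login: no password is ever set, so there is nothing to guess.
create_ssh_user() {
    name=$1; pubkey=$2
    id "$name" >/dev/null 2>&1 || useradd -m -s /bin/bash "$name"
    usermod -aG sudo "$name"
    install -d -m 700 -o "$name" -g "$name" "/home/$name/.ssh"
    install -m 600 -o "$name" -g "$name" "$pubkey" "/home/$name/.ssh/authorized_keys"
}

# harden_sshd_config FILE PORT USER
# Removes any top-level (active or commented-out) copy of the directives we
# set and writes ours at the top of the file. sshd uses the first value it
# reads for a keyword, so placing them before any "Include" or "Match" line
# means they win over distro drop-ins in /etc/ssh/sshd_config.d/.
harden_sshd_config() {
    file=$1; port=$2; user=$3
    tmp=$(mktemp)
    {
        printf 'Port %s\n' "$port"
        printf 'PermitRootLogin no\n'
        printf 'PasswordAuthentication no\n'
        printf 'PubkeyAuthentication yes\n'
        printf 'AllowUsers %s\n' "$user"
        # Indented lines (inside Match blocks) are deliberately left alone.
        grep -Ev '^#?(Port|PermitRootLogin|PasswordAuthentication|PubkeyAuthentication|AllowUsers)([[:space:]]|$)' "$file" || true
    } > "$tmp"
    cat "$tmp" > "$file"    # overwrite in place, keeping owner and mode
    rm -f "$tmp"
}

# validate_and_restart FILE
# A syntax error in sshd_config locks you out after a restart, so test it
# first, restart, and print the effective values sshd actually uses.
validate_and_restart() {
    sshd -t -f "$1"
    systemctl restart ssh
    sshd -T | grep -Ei '^(port|permitrootlogin|passwordauthentication|allowusers) '
}

# Usage (as root):  sh harden-ssh.sh apply developer /root/developer.pub 2222
if [ "${1:-}" = "apply" ]; then
    create_ssh_user "$2" "$3"
    harden_sshd_config /etc/ssh/sshd_config "$4" "$2"
    validate_and_restart /etc/ssh/sshd_config
fi
```

Keep your existing session open until a login on the new port succeeds, and compare `sshd -T` output with what you expect: Ubuntu cloud images ship /etc/ssh/sshd_config.d/50-cloud-init.conf with PasswordAuthentication yes, which is exactly why the script puts its directives before the Include line. On Ubuntu 22.10 and later sshd is socket-activated (ssh.socket), so a Port change in sshd_config also needs a matching ListenStream override on ssh.socket, or the socket disabled in favour of the plain ssh service; `ss -tlnp | grep sshd` confirms which port is really open.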

Next, install fail2ban, which watches the SSH auth log and temporarily bans sources that keep failing to log in:

sudo apt-get install fail2ban -y
# Put overrides in jail.local; jail.conf is replaced on package upgrades,
# and the settings below are not commented out there, so sed on "# bantime"
# would silently change nothing.
sudo tee /etc/fail2ban/jail.local > /dev/null <<'EOF'
[DEFAULT]
ignoreip = 127.0.0.1
bantime  = 1h
findtime = 10m
maxretry = 3

[sshd]
enabled = true
# must match the Port you set in sshd_config, otherwise bans only cover port 22
port = xyz
EOF
sudo systemctl restart fail2ban
sudo fail2ban-client status sshd

Firewall

On Ubuntu servers UFW generally comes preinstalled; if not, just run "apt install ufw".

Opening ports:

# From anywhere
sudo ufw allow 24/tcp

# Just your IP
sudo ufw allow from 192.168.2.2 to any port 24

Blocking ports:

# From anywhere
sudo ufw deny 24/tcp

# A specific IP
sudo ufw deny from 192.168.1.100 to any port 24
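The order in which you run these commands matters more than the commands themselves. The script below is an added example (not from the original post) of a default-deny UFW setup; it assumes Ubuntu with ufw installed and is run as root, and the UFW variable, function names and example networks are mine. It allows the SSH port before enabling the firewall, so enabling it cannot cut off the session you are working from, and it shows why a targeted deny has to be inserted ahead of the broad allow rules.

```shell
#!/bin/sh
# Added example (not from the original post): a default-deny UFW setup that
# allows the SSH port *before* enabling the firewall, so enabling it does not
# cut off your own session. Assumes Ubuntu with ufw installed; run as root.
# UFW can be overridden (e.g. UFW=echo) to dry-run and print the commands.
set -eu
UFW=${UFW:-ufw}

# configure_firewall SSH_PORT [ADMIN_CIDR]
# With ADMIN_CIDR set, SSH is reachable only from that network (item 1 of
# the general advice below); without it, SSH is open but rate limited.
# Re-running is safe: ufw skips rules that already exist.
configure_firewall() {
    ssh_port=$1; admin_cidr=${2:-}
    $UFW default deny incoming
    $UFW default allow outgoing
    if [ -n "$admin_cidr" ]; then
        $UFW allow from "$admin_cidr" to any port "$ssh_port" proto tcp
    else
        $UFW limit "$ssh_port/tcp"   # drops a source after 6 new connections in 30 s
    fi
    $UFW allow 80/tcp
    $UFW allow 443/tcp
    $UFW logging on                  # blocked packets are logged to syslog
    $UFW --force enable              # only now, after the SSH rule exists
}

# block_source CIDR
# ufw matches rules in order, so a deny for one source has to sit *before*
# the broad allow rules above, hence "insert 1" rather than a plain "deny".
block_source() {
    $UFW insert 1 deny from "$1" to any
}

# Usage (as root):  sh firewall.sh apply 2222 203.0.113.0/24
if [ "${1:-}" = "apply" ]; then
    configure_firewall "$2" "${3:-}"
    $UFW status numbered
fi
```

Run it once with UFW=echo to see the exact command sequence, then for real; `ufw status numbered` afterwards shows the rule order, which is what decides whether a later deny actually takes effect.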

General advice

  1. Lock down your servers to a specific IP. You can either use a VPN or some zero-trust service.
  2. Monitor /var/log/syslog from time to time. The firewall and fail2ban log there, and it may show a particular network or region repeatedly attacking your server, which you can then block.
  3. Use a network firewall in front. Most hosting companies provide some sort of "cloud firewall". Setting this up not only secures your server but also limits the amount of traffic that reaches your box.
  4. Set up a jumpbox if you have multiple web servers, DB servers and so forth. I strongly advise setting up a VPC or closed network where only the jumpbox has access to these servers, so you cannot SSH into them directly from outside. You can also set up a script to shut down the jumpbox at night or something similar. This does introduce a single point of failure; however, if you secure it well enough and use a floating or fixed IP, it should work fine.
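Item 2 is easier if the log reading is scripted. The functions below are an added example, not part of the original post: they pull source addresses out of UFW block entries and fail2ban ban notices in a syslog-style file and rank them, so that a persistent source stands out. The log lines in sample_log are constructed for this example (documentation addresses), and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: summarise who the firewall and
# fail2ban are blocking, from /var/log/syslog-style lines (item 2 above).
# The log lines in sample_log are constructed for this example.
set -eu

# top_blocked_sources LOGFILE [N]
# Prints "COUNT IP" for the N most frequent sources, combining UFW BLOCK
# entries (SRC=...) and fail2ban bans ("Ban <ip>"; "Unban" does not match).
top_blocked_sources() {
    file=$1; n=${2:-10}
    {
        grep '\[UFW BLOCK\]' "$file" | sed -n 's/.* SRC=\([^ ]*\).*/\1/p'
        grep 'fail2ban\.actions' "$file" | sed -n 's/.* Ban \([^ ]*\).*/\1/p'
    } | sort | uniq -c | sort -rn | head -n "$n" | awk '{print $1, $2}'
}

# blocked_ports LOGFILE
# Prints "COUNT PORT": which destination ports the firewall is dropping.
blocked_ports() {
    grep '\[UFW BLOCK\]' "$1" | sed -n 's/.* DPT=\([0-9]*\).*/\1/p' \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Constructed sample in the format UFW and fail2ban write to syslog.
sample_log() {
    cat <<'EOF'
Jun 12 10:01:02 web1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=43210 DPT=22
Jun 12 10:01:05 web1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=43211 DPT=23
Jun 12 10:01:09 web1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.9 DST=198.51.100.5 PROTO=TCP SPT=51000 DPT=3389
Jun 12 10:02:10 web1 fail2ban.actions[712]: NOTICE [sshd] Ban 203.0.113.7
Jun 12 10:02:30 web1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=43212 DPT=22
Jun 12 10:05:00 web1 sshd[1411]: Invalid user admin from 192.0.2.44 port 40022
Jun 12 10:05:01 web1 fail2ban.actions[712]: NOTICE [sshd] Ban 192.0.2.44
Jun 12 11:05:01 web1 fail2ban.actions[712]: NOTICE [sshd] Unban 192.0.2.44
EOF
}

# Usage on a real box:  top_blocked_sources /var/log/syslog 20
# Demo on the constructed sample:  sh blocked.sh demo
if [ "${1:-}" = "demo" ]; then
    t=$(mktemp); sample_log > "$t"
    top_blocked_sources "$t"; blocked_ports "$t"
    rm -f "$t"
fi
```

On the sample, 203.0.113.7 tops the list with four entries (three dropped packets plus a fail2ban ban), which is the kind of source worth adding to a firewall deny rule as the advice above suggests. On Ubuntu the UFW lines may land in /var/log/kern.log or ufw.log rather than syslog, depending on the rsyslog setup, so point the function at whichever file has them.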

Conclusion

This is just a basic rundown to get you started. It is by no means an exhaustive list, but hopefully a good start.

If you find server management painful and would prefer an automated tool, please check out my project: Scriptables.

Scriptables is simply an orchestration tool that takes away the pain of setting up and managing servers.

Top comments (7)

Thomas Bnt ☕

Hello! Don't hesitate to add syntax colours to your code block, like this example, to make your code easier to understand 😎

console.log('Hello world!');

Example of how to add colors and syntax in codeblocks

Kevin Naidoo

Thanks - appreciate the feedback. I've updated accordingly.

Alice 🌈

Opening SSH on a WAN port is a bad idea overall, IMHO. It would get DDoSed at the very least.

A good alternative would be to have it open only to a LAN port and VPN in to the company's network every time you need access.

Angel Oduro-Temeng Twumasi

An interesting read

tyler36

Thank you for the article.
Would you recommend applying these steps to WSL? Do they hinder it?

Kevin Naidoo

Thanks, glad it's useful. No, this is more for production or actual VPS or cloud servers. WSL is just for development purposes, so there's no need for SSH.

tyler36

Thanks for the reply! Good to know.