Hetzner Server Security: Preparing for Your Ghost Blog Installation

Warning: Read the whole document before making any changes. You can easily lock yourself out of the server when you strengthen its security.

I'll be using Ubuntu 18.04 for this, but what I want you to pay attention to are the concepts and not so much the specific commands. The concepts apply to any Linux distribution and version.

I'll be using Hetzner to set up a virtual private server but you can use any VPS you like. Hetzner is only mentioned at the beginning so replace it with your VPS of choice.

Create a project and give it a name that makes sense. It doesn't have to be perfect; Hetzner had the foresight to let you rename it later if the project grows.

Next you'll want to create a server. Go on and click on add server and go through the list. The defaults are safe to keep.

Keep everything as is; we will add the SSH keys later. However, if you already have your SSH keys, you can add them here. Before creating the server, change the server name.

Once you are ready click on create and buy now. If you didn't add the SSH keys in this step, you will receive an email with the password.

The first time you log in it will ask you to change the password for root. Choose a good, strong, unique password. If you are using Firefox, it will do a pretty good job but keep in mind that passphrases are better.

Make a note of your IP address; we will use it later.

At the top right you'll see the option to log into the web console. It should be next to the green button that says on. Once you enter the password that you received in the email, it will ask you to confirm that original password a second time and then to change it.

At this step we will work towards disabling logging in as root. We need to create a user with admin privileges to log in to the system.

adduser <user>
usermod -a -G adm <user>
usermod -a -G sudo <user>

When you add the user it will ask you to create a password for that user. On Ubuntu you need to be added to the sudo and adm groups to be able to become root as required when using the sudo command.

Make sure everything is working by logging out and using the user you just created to do some administrative tasks.

sudo apt update && sudo apt upgrade

Now that we have confirmed it is working we can disable logging in as root. There is no reason to keep it since there will be constant attempts from bots to log in as root.

sudo usermod -p "!" root

This disables direct login access for root.

Accessing your server using SSH

There are several ways of communicating with your server, as we did previously using the web console. However, what you would normally do is use the terminal from your computer to gain access to a server. Over time there have been other protocols used to connect, but the current recommendation is to use SSH, which is the Secure Shell protocol. "It is a cryptographic network protocol for operating network services securely over an unsecured network."

It should already be installed on your machine, so you can start using it by typing:

ssh user@<ip address>

The user will be the username you created for the server, while the IP address will be the one you received in the email. You will also find the IP address in the dashboard when you log into your account.

If you already configured the server with your SSH public key, then you'll need to point to the location of the private part using the -i switch.

ssh -i ~/.ssh/id_rsa user@<ip address>

That is assuming you did not change the name of the identity file.

However, chances are you didn't append your keys. We'll first check to see if you have keys already, and if you don't we will generate a new set.

We are going to set up a passwordless SSH login in Linux. What this means is that we are going to generate a public authentication key and append it to the remote host's ~/.ssh/authorized_keys file on the server. Instead of logging in by supplying a username and password, this key pair acts as the authentication mechanism.

Should you password protect the keys? It depends on your situation and the general risk you and your machine could be exposed to.

First let's check for an existing key pair. We don't want to overwrite an existing pair by accident. However, if you don't remember having an existing pair, it probably doesn't matter if they get deleted.

ls -al ~/.ssh/id_*.pub

You can use those if you want and skip the next step if that is the case.

We will generate a new 4096-bit SSH key pair:

ssh-keygen -t rsa -b 4096 -C "your_email@domain.com"

Pressing enter will accept the default file location, which will be /home/yourusername/.ssh/id_rsa. If you ever need to generate a different key you can change the default name, which in this case is id_rsa.

You can check that the SSH keys were generated:

ls ~/.ssh/id_*

Now that we have generated an SSH key pair, we need to copy the public key to the server you want to manage so you can log in without a password.

You should be able to use ssh-copy-id for that.

ssh-copy-id username@<ip address>

You will be asked for the password for the server. Once you have been authenticated the keys will be appended to authorized_keys and the connection will close.

In case the ssh-copy-id utility isn't available on your local machine you can use the following command.

cat ~/.ssh/id_rsa.pub | ssh username@<ip address> "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"

You can now log in to your server using your keys:

ssh user@<ip address>

If all went well we are going to add an extra layer of security by disabling password authentication. Just make sure you can log in to your server with the previous command first.

We are going to change a configuration file which is located at /etc/ssh/sshd_config. Search for the following variables and modify them as follows:

PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no

Save the file and restart the SSH service. This disables the ability to connect through SSH using a password, so any attempt to log in with a password will automatically be rejected by the server, thus making it harder to be hacked.

sudo systemctl restart ssh
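
The three settings above only take effect if they are the values sshd actually reads. The following is an added example, not part of the original notes: the function names effective_value and audit_sshd and the sample file are hypothetical, and Match blocks and the Keyword=value form are not handled.

```shell
#!/bin/sh
# Added example: check the three settings from this guide in an sshd_config
# file. sshd uses the FIRST value it reads for a keyword, keywords are
# case-insensitive, and lines starting with '#' are ignored.

# effective_value FILE KEYWORD -> prints the value sshd would use, if set
effective_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# audit_sshd FILE -> one line per setting; returns 1 if any is not "no"
audit_sshd() {
    rc=0
    for key in PasswordAuthentication ChallengeResponseAuthentication UsePAM; do
        val=$(effective_value "$1" "$key")
        if [ "$val" = "no" ]; then
            echo "OK   $key no"
        else
            echo "FAIL $key ${val:-<unset, default applies>}"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample file, not a real server's configuration.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
#PasswordAuthentication yes
passwordauthentication no
ChallengeResponseAuthentication no
UsePAM yes
PasswordAuthentication yes
EOF

audit_sshd "$sample" || echo "sshd_config does not match the guide yet"
```

On the server itself, sudo sshd -t checks the file for syntax errors before you restart the service, and sudo sshd -T prints the configuration sshd will actually use. Keep your current SSH session open while you test a new login in a second terminal.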

Install Fail2Ban to scan logs and temporarily ban IPs based on possible malicious activity.

sudo apt-get install fail2ban

Copy the configuration file

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Open jail.local and find the spot that starts with [sshd].

[sshd]

enabled = true
port = ssh
logpath = %(sshd_log)s

Restart Fail2Ban:

sudo service fail2ban restart
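
To make concrete what the [sshd] jail watches for, here is an added example that is not Fail2Ban's own code and not from the original notes: it counts failed password attempts per source IP inside a time window. The function names flag_ips and sample_log are hypothetical, the two arguments stand in for the jail's maxretry and findtime settings, and the log lines are constructed.

```shell
#!/bin/sh
# Added example: a rough model of the signal the [sshd] jail acts on.
# Reads auth.log-style lines on stdin.
# flag_ips MAXRETRY FINDTIME_SECONDS
# Prints each source IP once it reaches MAXRETRY failed password attempts
# within FINDTIME_SECONDS. Assumption: all lines fall on the same day.
flag_ips() {
    awk -v max="$1" -v win="$2" '
    /sshd\[[0-9]+\]: Failed password for / {
        # The line ends "... from <ip> port <n> ssh2"; read the IP from the
        # end so a username containing "from" cannot shift it.
        if ($(NF-4) != "from" || $(NF-2) != "port") next
        ip = $(NF-3)
        split($3, t, ":")
        now = t[1] * 3600 + t[2] * 60 + t[3]
        n[ip]++
        seen[ip, n[ip]] = now
        hits = 0
        for (j = 1; j <= n[ip]; j++)
            if (now - seen[ip, j] <= win) hits++
        if (hits >= max && !(ip in flagged)) { flagged[ip] = 1; print ip }
    }'
}

# Constructed sample log lines (documentation address ranges).
sample_log() {
    cat <<'EOF'
Mar  3 10:15:01 blog sshd[1201]: Failed password for root from 203.0.113.7 port 40001 ssh2
Mar  3 10:15:04 blog sshd[1201]: Failed password for root from 203.0.113.7 port 40001 ssh2
Mar  3 10:15:09 blog sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 40002 ssh2
Mar  3 10:20:00 blog sshd[1210]: Failed password for invalid user test from 198.51.100.23 port 51000 ssh2
Mar  3 10:40:00 blog sshd[1222]: Failed password for invalid user test from 198.51.100.23 port 51001 ssh2
Mar  3 11:05:00 blog sshd[1230]: Failed password for invalid user test from 198.51.100.23 port 51002 ssh2
Mar  3 11:06:00 blog sshd[1231]: Accepted publickey for deploy from 192.0.2.10 port 52000 ssh2
EOF
}

# Three failures within ten minutes: only the rapid-fire source is flagged.
sample_log | flag_ips 3 600
```

Once password authentication is disabled as described earlier, sshd stops logging "Failed password" lines for rejected logins, so this pattern mostly matters while passwords are still accepted.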

You have learned how to create a server and a user to administer that server. We have added a few layers of security by disabling root login, using SSH keys as an authentication method instead of supplying a password, and disabling the ability to use a password to log in.

For all purposes this is a solid start and you can consider your server to be secure. There are more measures you can take, and should, like keeping your system up to date. But as I mentioned you should consider your server to be safe.

I won't go through how to set up Ghost blog on the server since the docs explain how to get going. What they fail to mention is how to secure the server.

SOURCES:
These are my notes for the linuxupskillchallenge I did several years ago. Everything still works. Thank you snori, RIP.