Securing the LXD host
In this guide we will cover some basic steps to secure the host.
Setup SSH Keys
Create a key pair which will be used for authentication and upload the public key to the LXD host.
$ ssh-keygen -t ecdsa -b 521
$ ssh-copy-id email@example.com
$ ssh firstname.lastname@example.org
Disable root login, change the SSH port and enable public key authentication.
Open the SSH server configuration file.
$ sudo vi /etc/ssh/sshd_config
Set the following settings. Change port 2222 to something that you prefer, ensuring that the port does not clash with anything else; ports below 1024 are usually reserved, so pick a number between
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
Check that the config is correct.
$ sudo sshd -t
Restart the SSH server.
$ sudo systemctl restart sshd
Without logging out, from another terminal window try logging in using the public key and new port number to ensure it is all working correctly.
$ ssh -p 2222 email@example.com
Check that only public keys are accepted (password authentication must be refused).
$ ssh -p 2222 firstname.lastname@example.org
email@example.com: Permission denied (publickey).
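The edit above is easy to get subtly wrong by hand (a commented-out default left in place, a duplicate directive, or a setting appended after a Match block so it only applies to that match). The following script, an added example that is not part of the nuber guide, applies the same four directives idempotently and verifies the values sshd will actually use. It works on whatever file path it is given, so it can be exercised on a copy without root; on the real host point it at /etc/ssh/sshd_config and still run `sshd -t` before restarting. The sample config it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the nuber docs: apply the four sshd_config directives the guide
# sets, idempotently, and verify the effective values before restarting sshd.
set -eu

# set_directive FILE KEY VALUE
# Rewrites the first global "KEY ..." line (active or commented out, case-insensitive),
# drops later duplicates, and otherwise inserts the directive before the first Match
# block. Appending blindly would put it inside a trailing Match block, where it would
# only apply to that match.
set_directive() {
  file=$1 key=$2 value=$3
  awk -v k="$key" -v v="$value" '
    BEGIN { lk = tolower(k) }
    {
      if (inmatch) { print; next }                       # leave Match blocks untouched
      if (tolower($1) == "match") {
        if (!done) { print k " " v; done = 1 }           # insert as a global directive
        inmatch = 1; print; next
      }
      line = $0; sub(/^[# \t]*/, "", line)               # strip comment marker and indent
      split(line, f, /[ \t]+/)
      if (tolower(f[1]) == lk) {
        if (!done) { print k " " v; done = 1 }           # rewrite first occurrence
        next                                             # drop duplicates
      }
      print
    }
    END { if (!done) print k " " v }
  ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# effective_value FILE KEY: the value sshd would use (first active global occurrence wins)
effective_value() {
  awk -v lk="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
    tolower($1) == "match" { exit }
    $1 !~ /^#/ && tolower($1) == lk { print $2; exit }
  ' "$1"
}

# check_directive FILE KEY VALUE: succeed if the effective value equals VALUE
check_directive() { [ "$(effective_value "$1" "$2")" = "$3" ]; }

# harden FILE PORT: the guide's four settings
harden() {
  set_directive "$1" Port "$2"
  set_directive "$1" PermitRootLogin no
  set_directive "$1" PasswordAuthentication no
  set_directive "$1" PubkeyAuthentication yes
}

# verify FILE PORT: succeed only if all four settings are in effect
verify() {
  check_directive "$1" Port "$2" &&
  check_directive "$1" PermitRootLogin no &&
  check_directive "$1" PasswordAuthentication no &&
  check_directive "$1" PubkeyAuthentication yes
}

# make_sample_config FILE: a constructed stand-in for a stock sshd_config
make_sample_config() {
  cat > "$1" <<'EOF'
# constructed sample, not a real distribution file
#Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
UsePAM yes
Match User backup
    PasswordAuthentication yes
EOF
}

# Demonstration on a temporary copy.
tmp=$(mktemp)
make_sample_config "$tmp"
harden "$tmp" 2222
if verify "$tmp" 2222; then echo "hardened: ok"; else echo "hardened: FAILED"; fi
cat "$tmp"
rm -f "$tmp"
```

Running `harden` twice leaves a single copy of each directive, and `verify` reads the file the way sshd does (first active global occurrence wins, Match blocks ignored), so it catches a commented default that was never actually changed.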
Setup a firewall (IP Tables)
Here we are going to configure the firewall to block all incoming traffic, then add rules that allow SSH and allow traffic to the nuber control panel only from a trusted IP address.
Look up your internet device name; you can run ip a to find out what your device is called, it will be next to the main IP address. In the commands below replace eth0 with your device name, the port number 3000 with the port that you installed nuber on, and 188.8.131.52 with the IP address that you will access nuber from.
$ sudo iptables -A INPUT -i eth0 -p tcp --dport 3000 -s 184.108.40.206 -j ACCEPT
Now let's create a rule to allow SSH traffic on eth0 to port 2222 (change the port number if required to match your SSH configuration).
$ sudo iptables -A INPUT -i eth0 -p tcp --dport 2222 -j ACCEPT
Now run the following to accept replies to connections the host itself opened, block all other new incoming traffic, and print the resulting rules. Note that iptables-save only writes the rules to standard output; it does not make them survive a reboot, which is handled further down with iptables-persistent.
$ sudo iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
$ sudo iptables -A INPUT -i eth0 -j REJECT
$ sudo iptables-save
You can see the rules that have been configured.
$ sudo iptables -S
From a different console window, check that you can still SSH in before continuing.
Test that the nuber control panel has been locked down: from a different IP address run the following command, replacing the host IP address and port number.
$ curl https://220.127.116.11:3000/login
curl: (7) Failed to connect to 18.104.22.168 port 3000: Connection refused
From your current (trusted) IP address, check in your browser that you can still access it.
When the server is rebooted the IP Tables rules will be lost and would need to be set again. To have them restored automatically, install the following package.
$ sudo apt install iptables-persistent
Answer yes when it asks whether to save the current rules. Test that you can still log in via SSH from another console window, then run
You can also run a port scan to see which ports are open. We will use nmap with options suited to the firewall; without them the scan can just hang.
$ sudo nmap -sS -T4 22.214.171.124
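Because the rules are appended one at a time, their order is what makes the set safe: the catch-all REJECT must be the last INPUT rule, and the SSH ACCEPT must come before it, or the next connection attempt is refused. The script below is an added example, not part of the nuber guide: it renders the same four INPUT rules in iptables-restore format (the format iptables-persistent loads from /etc/iptables/rules.v4 at boot) and checks the order before anything is loaded. The interface, ports and trusted address are placeholders; 203.0.113.10 is a documentation address.

```shell
#!/bin/sh
# Added example, not from the nuber docs: render the guide's INPUT rules in
# iptables-restore format and check their order before loading them.
set -eu

# render_rules IFACE SSH_PORT PANEL_PORT TRUSTED_IP
# The rule set as one file, in the order the guide appends them. iptables evaluates
# top to bottom, so the catch-all REJECT must be last or it shadows every ACCEPT after it.
render_rules() {
  iface=$1 ssh_port=$2 panel_port=$3 trusted=$4
  cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# nuber control panel, only from the trusted address
-A INPUT -i $iface -p tcp --dport $panel_port -s $trusted -j ACCEPT
# SSH on the non-default port, from anywhere
-A INPUT -i $iface -p tcp --dport $ssh_port -j ACCEPT
# replies to connections this host opened (apt, DNS, ...)
-A INPUT -i $iface -m state --state ESTABLISHED,RELATED -j ACCEPT
# everything else arriving on the external interface
-A INPUT -i $iface -j REJECT
COMMIT
EOF
}

# check_rules SSH_PORT < rules
# Exit 0 only if there is a catch-all REJECT/DROP on INPUT, it is the last INPUT rule,
# and an ACCEPT for the SSH port precedes it. Run this before iptables-restore so a
# mis-ordered file cannot lock you out of the host.
check_rules() {
  awk -v p="$1" '
    /^-A INPUT/ {
      n++
      if ($0 ~ /-j (REJECT|DROP)$/ && $0 !~ /--dport/) catchall = n
      if ($0 ~ ("--dport " p " ") && $0 ~ /-j ACCEPT$/) ssh = n
    }
    END { exit !(catchall && catchall == n && ssh && ssh < catchall) }
  '
}

# Demonstration with placeholder values.
render_rules eth0 2222 3000 203.0.113.10
if render_rules eth0 2222 3000 203.0.113.10 | check_rules 2222; then
  echo "# rule order ok"
else
  echo "# rule order WRONG, do not load"
fi
```

To use it on a host, write the output to a file, run `check_rules` over it, then load it with `sudo iptables-restore < rules.v4`; saving the same file as /etc/iptables/rules.v4 is what iptables-persistent replays after a reboot, so it replaces the interactive "save current rules" step.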
Setup fail2ban
Here we will set up fail2ban, so any IP address that makes excessive SSH login attempts is banned.
$ sudo apt install fail2ban -y
Create the local jail configuration file
$ sudo vi /etc/fail2ban/jail.local
Add the following, which will ignore local IP addresses and ban offenders for 24 hours.
[DEFAULT]
ignoreip = 127.0.0.1/8
# Ban for 24 hours (24 * 3600)
bantime = 86400
findtime = 600
banaction = iptables-multiport
Edit the SSHD jail configuration
$ sudo vi /etc/fail2ban/jail.d/sshd.conf
Set the following settings, making sure that the SSH port number matches your configured port.
[sshd]
enabled = true
port = 2222
mode = aggressive
maxretry = 4
Restart and check all is running OK
$ sudo systemctl restart fail2ban
To check the status of the jails:
$ sudo fail2ban-client status
$ sudo fail2ban-client status sshd
From another server (not from your home address, which is the one you will keep using) do a sanity check to see if you get banned. Run this command 4 times and you should get banned.
$ ssh -p 2222 firstname.lastname@example.org
You can then unban an IP address like this.
$ sudo fail2ban-client set sshd unbanip 126.96.36.199
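To see what maxretry, findtime and ignoreip actually do together, here is a small re-implementation of the jail's counting logic run over constructed auth.log lines. It is an added example, not code from the nuber guide or from fail2ban: it only matches "Failed password" lines (the aggressive mode configured above matches more patterns), assumes all lines fall on the same day, and uses documentation addresses, not real hosts.

```shell
#!/bin/sh
# Added example, not from the nuber docs or fail2ban: the sshd jail's counting rule
# applied to sample log lines, so the effect of each setting can be seen.
set -eu

# ban_candidates MAXRETRY FINDTIME "IGNORE ..." < auth.log
# Prints each source address the first time it accumulates MAXRETRY failures within a
# sliding FINDTIME-second window, skipping addresses inside any IGNORE CIDR.
ban_candidates() {
  awk -v maxretry="$1" -v findtime="$2" -v ignore="$3" '
    function ip2int(a,   p) { split(a, p, "."); return ((p[1]*256 + p[2])*256 + p[3])*256 + p[4] }
    # ignored(a): 1 if a lies inside one of the ignore networks (prefix compare, no bit ops)
    function ignored(a,   i, q, bits, d) {
      for (i = 1; i <= nig; i++) {
        split(ig[i], q, "/"); bits = (q[2] == "") ? 32 : q[2] + 0; d = 2 ^ (32 - bits)
        if (int(ip2int(a) / d) == int(ip2int(q[1]) / d)) return 1
      }
      return 0
    }
    BEGIN { nig = split(ignore, ig, " ") }
    /sshd\[[0-9]+\]: Failed password/ && match($0, /from [0-9.]+/) {
      ip = substr($0, RSTART + 5, RLENGTH - 5)
      if (ignored(ip)) next
      split($3, hms, ":"); t = hms[1]*3600 + hms[2]*60 + hms[3]   # seconds since midnight
      n[ip]++; ts[ip, n[ip]] = t
      # slide the window: forget failures older than findtime seconds
      while (head[ip] < n[ip] && ts[ip, head[ip] + 1] < t - findtime) head[ip]++
      if (n[ip] - head[ip] >= maxretry && !(ip in banned)) { banned[ip] = 1; print ip }
    }
  '
}

# sample_log: constructed auth.log lines. 198.51.100.7 fails 4 times in 13 seconds,
# 203.0.113.9 fails 4 times but 15 minutes apart, 127.0.0.1 fails 4 times locally.
sample_log() {
  cat <<'EOF'
Mar  4 10:00:01 lxd-host sshd[1201]: Failed password for root from 198.51.100.7 port 40122 ssh2
Mar  4 10:00:05 lxd-host sshd[1203]: Failed password for invalid user admin from 198.51.100.7 port 40130 ssh2
Mar  4 10:00:09 lxd-host sshd[1205]: Failed password for invalid user admin from 198.51.100.7 port 40141 ssh2
Mar  4 10:00:14 lxd-host sshd[1207]: Failed password for ubuntu from 198.51.100.7 port 40150 ssh2
Mar  4 10:05:00 lxd-host sshd[1301]: Failed password for ubuntu from 203.0.113.9 port 5001 ssh2
Mar  4 10:20:00 lxd-host sshd[1302]: Failed password for ubuntu from 203.0.113.9 port 5002 ssh2
Mar  4 10:35:00 lxd-host sshd[1303]: Failed password for ubuntu from 203.0.113.9 port 5003 ssh2
Mar  4 10:50:00 lxd-host sshd[1304]: Failed password for ubuntu from 203.0.113.9 port 5004 ssh2
Mar  4 11:00:00 lxd-host sshd[1400]: Accepted publickey for ubuntu from 203.0.113.9 port 5005 ssh2
Mar  4 11:01:00 lxd-host sshd[1501]: Failed password for root from 127.0.0.1 port 6001 ssh2
Mar  4 11:01:01 lxd-host sshd[1502]: Failed password for root from 127.0.0.1 port 6002 ssh2
Mar  4 11:01:02 lxd-host sshd[1503]: Failed password for root from 127.0.0.1 port 6003 ssh2
Mar  4 11:01:03 lxd-host sshd[1504]: Failed password for root from 127.0.0.1 port 6004 ssh2
EOF
}

# Demonstration with the jail settings from the guide: maxretry 4, findtime 600, ignoreip 127.0.0.1/8.
sample_log | ban_candidates 4 600 '127.0.0.1/8'
```

With the guide's settings only 198.51.100.7 is reported: the slow attempts from 203.0.113.9 never put four failures inside one 600-second window, and the loopback failures are excluded by ignoreip. Raising findtime to 3600 catches the slow source as well, at the cost of a larger window for false positives from a legitimate user who mistypes a password a few times over an hour.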