# Locking Down SSHd

On your Cloud - Remote Server - Ubuntu or Debian:
# SSH or Login to console....


If you are new to Linux guides: you type in the part after the "$". This guide, however, is written for
more experienced Linux admins.

Beware: this tutorial is for NEW server setups with nothing on them yet!
It is possible to lock yourself out of the server if a step is done wrong!

# If not root, yet, then become it...
Remote-SERVER$  sudo -i

For a website setup, we will create some new User Accounts:

Now let's add our Web Dev / Admin user. Change the names to something hard to guess (a last name, for example)!

You'll want to limit the number of users and grant only the permissions each job title needs...

Be sure to substitute DevGuy with a good account name throughout this tutorial!
Remote-SERVER$  adduser DevGuy

Now make them a member of the group www-data:
Remote-SERVER$  usermod -aG www-data DevGuy

Now give them sudo power ONLY if they need it. Are they in DevOps and need to install things as root?
Remote-SERVER$  usermod -aG sudo DevGuy

--=-=--

Now make your admin user; be sure to make up a secure username in the next steps.
Be sure to substitute AdminGuy with a good account name throughout this tutorial!
Remote-SERVER$  adduser AdminGuy

Now give them sudo group membership:
Remote-SERVER$  usermod -aG sudo AdminGuy

--=-=--     You may add a few more as needed......
Be careful with the above commands... don't give away too much power. If you did, remove the unneeded groups.
To see which groups a user belongs to, run groups followed by the username:
Remote-SERVER$  groups DevGuy

If you meant to give www-data group membership ONLY, you may revoke "sudo" group membership at any time, as root, for example:
  deluser DevGuy sudo       OR     gpasswd -d DevGuy sudo

======Onwards then =======

Let's make a nice login security banner:
Remote-SERVER$  nano /etc/banner.txt
***************************************************************************
NOTICE TO USERS


This computer system is the private property of its owner, whether
individual, corporate or government.  It is for authorized use only.
Users (authorized or unauthorized) have no explicit or implicit
expectation of privacy.

Any or all uses of this system and all files on this system may be
intercepted, monitored, recorded, copied, audited, inspected, and
disclosed to your employer, to authorized site, government, and law
enforcement personnel, as well as authorized officials of government
agencies, both domestic and foreign.

By using this system, the user consents to such interception, monitoring,
recording, copying, auditing, inspection, and disclosure at the
discretion of such personnel or officials.  Unauthorized or improper use
of this system may result in civil and criminal penalties and
administrative or disciplinary action, as appropriate. By continuing to
use this system you indicate your awareness of and consent to these terms
and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the
conditions stated in this warning.

****************************************************************************

Press Ctrl+X to save and exit, Y to save, Enter to accept the default filename...

Rename the old banners (the issue files), if they exist:
Remote-SERVER$  mv /etc/issue.net /etc/issue.net.old
Remote-SERVER$  mv /etc/issue /etc/issue.old

Now let's make symbolic links to this banner, so it is shown at login:
Remote-SERVER$  ln -s /etc/banner.txt /etc/issue.net
Remote-SERVER$  ln -s /etc/banner.txt /etc/issue

On your Local Developer's Computer:

#	If you have no SSH keys yet, then do the following to make one:
#	Note: adding a passphrase to your key file is an extra layer of security; annoying, but
#	worth it in case someone gains access to copy your keys!

Dev-Local-PC$  mkdir ~/.ssh
Dev-Local-PC$  chmod 700 ~/.ssh
Dev-Local-PC$  ssh-keygen -f ~/.ssh/DevGuy -t rsa -b 4096
Dev-Local-PC$  mv ~/.ssh/DevGuy ~/.ssh/DevGuy.private

#	How to copy your Key to the Server:
Dev-Local-PC$  ssh-copy-id -i ~/.ssh/DevGuy.pub DevGuy@ServerHostIPHere

=======================
#   If ssh-copy-id failed....only then do:

Dev-Local-PC$  scp ~/.ssh/DevGuy.pub root@ServerHostIPHere:/root/DevGuy.pub
Dev-Local-PC$  ssh root@ServerHostIPHere

#  Now on the server as root, we'll fix the ssh-copy...

Remote-SERVER$  mkdir /home/DevGuy/.ssh
Remote-SERVER$  chown DevGuy:DevGuy /home/DevGuy/.ssh
Remote-SERVER$  chmod 700 /home/DevGuy/.ssh
Remote-SERVER$  mv /root/DevGuy.pub /home/DevGuy/.ssh/authorized_keys
Remote-SERVER$  chown DevGuy:DevGuy /home/DevGuy/.ssh/authorized_keys
Remote-SERVER$  chmod 600 /home/DevGuy/.ssh/authorized_keys
Remote-SERVER$  exit
=======================
#	How to make it easier to connect to this Server:
Dev-Local-PC$  nano ~/.ssh/config
Add to the file:

Host mySERVERNameHere
    HostName ServerHostIPHere
    Port 2992
    User DevGuy
    IdentityFile ~/.ssh/DevGuy.private
You may add more servers by repeating the block above and changing Host/HostName/Port for each.

These new config entries won't work until sshd on the server has been reconfigured (it is not listening on port 2992 yet);
we'll modify sshd on the server in a few moments. The currently running shell must be exited or logged off first:
Dev-Local-PC$  exit

That's it for the dev....

NOTE: It is critical that no one else gets hold of your private keys!!!
Guard your private keys: if they are on a USB stick, encrypt it with LUKS (Linux Unified Key Setup) or
similar and keep it in a safe. Anyone who gets hold of a key can log in as that user, which means www-data or root (via sudo) on your server(s)!!!

Make sure that your .ssh folder and files belong to the user, i.e. $ chown DevGuy:DevGuy ~/.ssh
In other words, not to the root account or any other account name....
If they do not have the proper ownership and permissions you will be unable to connect to the server until that is fixed.
Your .ssh folder must be read/write/execute for the owner only! EX: $ chmod 700 ~/.ssh
Your private key should be read/write for the owner only. EX: $  chmod 600 ~/.ssh/DevGuy.private

Your public keys are fine to place on any server/pc....
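As an added example (not part of the original guide), the script below covers two steps described above: the manual fallback for ssh-copy-id (create ~/.ssh, drop the public key into authorized_keys, fix ownership and modes) as a function you can re-run safely, and a check for the ownership and permission rules just described, which sshd enforces when StrictModes is on. DevGuy, dev-pc and the key text are constructed placeholders; the stat -c flags assume GNU coreutils (Ubuntu/Debian). Run it as root on the server with the user's real home directory, or as yourself on a PC to verify your own ~/.ssh.

```shell
#!/bin/sh
# Added example, not part of the guide: the manual ssh-copy-id fallback as a
# re-runnable function, plus a check for the ownership and modes that sshd's
# StrictModes (and the client's own key handling) insist on.

# install_authorized_key HOME_DIR OWNER PUBKEY_FILE
# Creates HOME_DIR/.ssh with mode 700, appends the key from PUBKEY_FILE (one key
# per file) to authorized_keys unless it is already there, and sets mode 600.
install_authorized_key() {
    home=$1; owner=$2; pub=$3
    sshdir="$home/.ssh"; ak="$sshdir/authorized_keys"
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    touch "$ak" && chmod 600 "$ak"
    # -x: whole-line match, -F: literal text, so the same key is never appended twice
    if ! grep -qxF "$(cat "$pub")" "$ak"; then
        cat "$pub" >> "$ak"
    fi
    # only root can chown; when a user runs this on their own PC the files are already theirs
    if [ "$(id -u)" -eq 0 ]; then
        chown "$owner:$owner" "$sshdir" "$ak"
    fi
}

# check_ssh_perms HOME_DIR -> 0 if HOME_DIR/.ssh is mode 700 and owned by the
# calling user, and authorized_keys plus every *.private key is mode 600;
# otherwise prints what is wrong and returns 1 (sshd would refuse the key).
check_ssh_perms() {
    sshdir="$1/.ssh"; rc=0
    if [ "$(stat -c %a "$sshdir")" != 700 ]; then
        echo "BAD: $sshdir must be mode 700"; rc=1
    fi
    if [ "$(stat -c %U "$sshdir")" != "$(id -un)" ]; then
        echo "BAD: $sshdir is not owned by $(id -un)"; rc=1
    fi
    for f in "$sshdir/authorized_keys" "$sshdir"/*.private; do
        [ -e "$f" ] || continue
        if [ "$(stat -c %a "$f")" != 600 ]; then
            echo "BAD: $f must be mode 600"; rc=1
        fi
    done
    return $rc
}

# Demo on a throwaway directory with a constructed (not real) public key.
DEMO_HOME=$(mktemp -d)
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleKeyNotARealKey DevGuy@dev-pc\n' \
    > "$DEMO_HOME/DevGuy.pub"
install_authorized_key "$DEMO_HOME" "$(id -un)" "$DEMO_HOME/DevGuy.pub"
install_authorized_key "$DEMO_HOME" "$(id -un)" "$DEMO_HOME/DevGuy.pub"   # second run is a no-op
check_ssh_perms "$DEMO_HOME" && echo "OK: $DEMO_HOME/.ssh passes the StrictModes checks"
```

The duplicate check matters when the same key is copied more than once (ssh-copy-id also guards against this); the permission check is the quickest way to explain a "Permission denied (publickey)" after a key was copied by hand.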


How about setting up the admin's computer:
On your Local Admin's Computer:
#	If you have no SSH keys yet, then do the following to make one:
Admin-PC$  mkdir ~/.ssh
Admin-PC$  chmod 700 ~/.ssh
Admin-PC$  ssh-keygen -f ~/.ssh/AdminGuy -t rsa -b 4096
Admin-PC$  mv ~/.ssh/AdminGuy ~/.ssh/AdminGuy.private

#	How to copy your Key to the Server:
Admin-PC$  ssh-copy-id -i ~/.ssh/AdminGuy.pub AdminGuy@ServerHostIPHere

#	How to make it easier to connect to this Server:
Admin-PC$  nano ~/.ssh/config

Host mySERVERNameHere
    HostName ServerHostIPHere
    Port 2992
    User AdminGuy
    IdentityFile ~/.ssh/AdminGuy.private

Admin-PC$  exit

Back on the remote server, still as the root user,
it's time to lock down sshd:

If on Ubuntu and you no longer need the original sshd config, rename it:
Remote-SERVER$  mv /etc/ssh/sshd_config /etc/ssh/sshd_config.orig

Remote-SERVER$  nano /etc/ssh/sshd_config

Insert the following for Ubuntu, or just change the settings below that differ from your existing file:

# What ports, IPs and protocols we listen for, Don't use the default of 22! it will get blasted by attackers.
Port 2992
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
# DSA host keys are disabled by default since OpenSSH 7.0 and newer installs do not
# generate one; drop this line if sshd logs "Could not load host key".
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

#Privilege Separation is turned on for security
# (always on, and the option is deprecated since OpenSSH 7.5; harmless to keep)
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
# (SSHv1 server support was removed in OpenSSH 7.4; there these only produce
# "Deprecated option" warnings and can be deleted)
KeyRegenerationInterval 3600
ServerKeyBits 1024

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes

# ---- To Block all but the following two users accounts ----

# -- Be sure to rename these accounts with the real accounts you want to use! --
# -- Make sure these accounts EXIST as typed!! as they are the only way in --

# Space-separated list, NO commas (a comma becomes part of the name and locks that user out).
# AllowUsers AdminGuy DevGuy

ClientAliveInterval 300
# On older OpenSSH this drops an idle session after 300 s; since OpenSSH 8.2 a
# value of 0 disables the idle timeout instead, so use 1 or more there.
ClientAliveCountMax 0

# RSAAuthentication is an SSHv1 option (deprecated since OpenSSH 7.4); PubkeyAuthentication is the one that matters
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile	%h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
# (SSHv1 option, deprecated since OpenSSH 7.4; HostbasedAuthentication below covers SSHv2)
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding no
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
AllowTcpForwarding no
AllowStreamLocalForwarding no
GatewayPorts no
PermitTunnel no
#UseLogin no

#MaxStartups 10:30:60
Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

# Allow SFTP ACCESS
Subsystem sftp /usr/lib/openssh/sftp-server

UsePAM yes


Press Ctrl+X to save and exit, Y to save, Enter to accept the default filename...

Remote-SERVER$  sudo service ssh restart
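Before you restart, it is worth catching the mistakes that lock people out. Below is an added example script, not part of the original guide: it audits an sshd_config file for the settings this tutorial changes, flags a comma in AllowUsers, and lists the SSHv1-era options that modern OpenSSH warns about. The two sample configs inside it are constructed for the demo; point audit_sshd_config at /etc/ssh/sshd_config on your own server. It only reads the file, so sshd -t remains the authoritative syntax check, and keep your current root session open until a second login on the new port succeeds.

```shell
#!/bin/sh
# Added example, not part of the guide: audit an sshd_config for the settings the
# guide changes, plus two easy mistakes (a comma in AllowUsers, and SSHv1-era options
# that modern OpenSSH ignores or warns about). Only the global section is checked;
# everything after a "Match" line is skipped.

# sshd_opt FILE KEYWORD -> first effective value of KEYWORD (sshd uses first-match-wins).
# Keywords are case-insensitive, '#' lines are comments, Match blocks are skipped.
sshd_opt() {
    awk -v k="$2" '
        BEGIN { k = tolower(k) }
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == k { print $2; exit }
    ' "$1"
}

# audit_sshd_config FILE -> one "FINDING:" line per hardening gap and one "NOTE:"
# line per obsolete option; prints nothing when the file is clean.
audit_sshd_config() {
    f=$1
    port=$(sshd_opt "$f" Port)
    if [ "${port:-22}" = 22 ]; then
        echo "FINDING: Port is 22 (the default); the guide moves sshd to another port"
    fi
    # keyword:wanted:default  (defaults as documented in sshd_config(5) of recent OpenSSH)
    for spec in PermitRootLogin:no:prohibit-password \
                PasswordAuthentication:no:yes \
                PermitEmptyPasswords:no:no \
                X11Forwarding:no:no; do
        key=${spec%%:*}; rest=${spec#*:}; want=${rest%%:*}; def=${rest#*:}
        got=$(sshd_opt "$f" "$key")
        if [ "${got:-$def}" != "$want" ]; then
            echo "FINDING: $key is '${got:-unset (default $def)}', expected '$want'"
        fi
    done
    # AllowUsers is space-separated: a token like "AdminGuy," matches no real user,
    # so that account is silently locked out.
    if grep -Eiq '^[[:space:]]*AllowUsers[[:space:]].*,' "$f"; then
        echo "FINDING: AllowUsers contains a comma; names must be separated by spaces"
    fi
    # SSHv1 server support was removed in OpenSSH 7.4 and UsePrivilegeSeparation was
    # deprecated in 7.5; these options are harmless but produce warnings there.
    for key in Protocol KeyRegenerationInterval ServerKeyBits RSAAuthentication \
               RhostsRSAAuthentication UsePrivilegeSeparation; do
        if [ -n "$(sshd_opt "$f" "$key")" ]; then
            echo "NOTE: $key is obsolete in modern OpenSSH; remove it"
        fi
    done
}

# sshd_finding_count FILE -> number of FINDING lines (NOTE lines are not counted)
sshd_finding_count() {
    audit_sshd_config "$1" | grep -c '^FINDING' || true
}

# Constructed samples (not real server files): one as a stock install often looks,
# one as this guide leaves it.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
#Port 22
Protocol 2
UsePrivilegeSeparation yes
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
AllowUsers AdminGuy, DevGuy
Match User DevGuy
    PasswordAuthentication no
EOF
cat > "$HARD_CFG" <<'EOF'
Port 2992
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
AllowUsers AdminGuy DevGuy
EOF

echo "== weak config =="; audit_sshd_config "$WEAK_CFG"
echo "== hardened config =="; audit_sshd_config "$HARD_CFG"
```

The weak sample produces five findings and two notes; the hardened sample produces none. The parser deliberately stops at the first Match line because options inside a Match block apply only to the matched users or hosts and would otherwise be mistaken for global settings.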


## Install Fail2Ban....

### Setup a firewall:

Allow rate-limited SSH access on the new port:
Remote-SERVER$  sudo ufw limit 2992/tcp

Allow the web site ports, if desired:
Remote-SERVER$  sudo ufw allow 80/tcp
Remote-SERVER$  sudo ufw allow 443/tcp

To review which firewall ports are open:
Remote-SERVER$  sudo ufw status numbered

Once all ports needed by your services are set:
Remote-SERVER$  sudo ufw enable

Install your web site (apache2, nginx or other), if desired.
On your local developer or admin computer it is now easy to safely connect to your remote server:
on-ANY-Local-PC-Setup-with-config-file-for-ssh-client$  ssh mySERVERNameHere