If you’re using Ubuntu you can do this by editing
/etc/apt/apt.conf.d/50unattended-upgrades. Running out of date packages with security holes is a good way to get your machine pwnd.
Remove unused software
Every piece of software installed on your system provides one more attack point for malicious users. You should inventory your system and remove anything you don’t need. E.g. to remove Ubuntu One from your system:
sudo apt-get purge ubuntuone*
PermitRootLogin no AllowUsers bmccann nx gitolite
You may also disable password authentication and replace it with public key authentication:
PasswordAuthentication no PubkeyAuthentication yes
Restart the SSH daemon:
sudo service ssh restart
sudo /etc/init.d/ssh restart
This disallows login via password and instead replaces it with login via public/private key pair. To setup your public key encryption run ssh-keygen on the client and put
~/.ssh/id_rsa.pub from the client into
~/.ssh/authorized_keys on server.
Sometimes while messing around with SSH settings, you’ll lock yourself out. I this case it’s nice to use the
-v option with the ssh client.
You can also setup shortcuts in
~/.ssh/config. E.g. the shortcut below turns ssh gitolite into an alias for ssh -l gitolite -p 77777 bensdynamicdns.getmyip.com.
Host gitolite User gitolite Hostname bensdynamicdns.getmyip.com Port 77777 IdentityFile ~/.ssh/id_rsa
If you’d like to setup NX in a secure manner, you can follow these instructions.
- Install fail2ban by running sudo apt-get install fail2ban, which will lockout users who repeatedly try to access your system by guessing passwords.
- Make your own copy of the configuration file: sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
- Check if fail2ban is running properly: sudo fail2ban-client status