Securing a node on Linux?

hi there @FINDING_MIAM,

to further clarify this, please replicate the following:

  1. start your instance (from scratch) and associate a security group to it (note that the default security group CANNOT be deleted - nevertheless you can empty it and create new ones);

  2. log on to your server with the given credentials (eg key/ssh port -default 22);

  3. modify /etc/ssh/sshd_config to specify a port you want to connect to (other than 22);

  4. modify the port for ssh in the security group (e.g. remove default 22 and put a new custom TCP one with the same number as specified by you in step 3 above);

  5. reconnect to your server to verify that port change has worked for ssh.

After this is done successfully, follow, as mentioned above by @Alexd1985, best practices for hardening your server. A summary can be found on github, here: https://gist.github.com/lokhman/cc716d2e2d373dd696b2d9264c0287a3

After that is done, you can worry about how your relay(s) are going to connect with your BP and the wider network.

Hope this helps,

A

2 Likes

1st attempt, I did what you said except I changed the ssh_config instead of the sshd_config… rookie mistake I guess.
2nd attempt, changed the sshd like you said and fixed the security group so that it only had the custom TCP connection through the specified port number. After exiting and trying to enter, the connection timed out. I changed my local ssh but then it refused.
Sorry, I don’t know what I am missing.

1 Like

Ok; if you are a rookie :))

Watch these movies:

4 Likes

hi @FINDING_MIAM,

apologies for the late reply.

The file you want to modify is sshd_config. This is the daemon configuration file. The ssh_config file is the client and will only be useful if you connect to another ssh host. Also, please remember to restart the ssh service with:

sudo systemctl restart ssh

This might give you a warning about existing ssh connections. You can ignore that, log out and try to log back in to your new port.

Hope this helps, let us know how you go.

Cheers,

A

1 Like

Thank you for the videos these are so clear! What is this public key that he pastes into the authorized keys directory? Is it from my local computer or keys from the server?
Thank you for any help

update
found it: https://www.ssh.com/ssh/keygen/

For your first contact, use the key provided by AWS. You can make one in the console, and any instance in the region will be associated to it.

You can later generate your own, add it to authorized_keys, test the connection and, if it works, delete the original key (the AWS one). You can use ssh-keygen to do this. AWS also has a help file to show their interpretation of this process.

Let me know if you have any questions, I am on mobile now, but later I can post some links and code if needed.

Cheers A

ahh so AWS is already secure with its pem keys?

so if I understand this right, I could do a keygen and delete the pem keys… Then how would I be able to connect to this instance?

hi @FINDING_MIAM,

this is the link I was talking about:

You can start with that one and see how you go.

mmm, the PEM key generated on AWS is generated online, and is only as secure as your console is. Or anything online, for that matter.

Yes, connect with the old key, and copy the public key (from the pem/public key pair you generated offline with keygen) to authorized_keys, without deleting the existing entry yet, so you don’t risk locking yourself out.

Let me know if you have more questions, and good luck.

Cheers A

1 Like

so is there any need to adduser on aws or do I just need to add the public key to ~/.ssh/authorized_keys?

I would suggest that changing user, and deleting the default one, is also best practice.

All these steps decrease the chances of someone knowing user, key and other sensitive information without even trying (for example, in AWS the default user is always ubuntu for ubuntu VMs).

PS do these things in steps, rinse and repeat. Once you’re confident you are not locking yourself out, look along this thread and follow all the steps for hardening your machines. AWS is no different, other than they have SGs, which may render ufw less useful.

Also, remove root access from all your instances and the console.

PPS please note that authorized_keys and the .ssh dir won’t exist for the new user. So you need to make these first, before copying over your pub.

PPPS for a more comprehensive overview about security, which may give you some ideas for securing instances and console, please watch this video by Charles Hoskinson:

1 Like
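An added example, not code from the thread or from any of the posters, that rehearses the two steps discussed above: the Port change in sshd_config from the earlier reply, and the .ssh/authorized_keys setup for a new user from the PPS. The functions take file paths so you can run them against a scratch copy first; validating the config with sshd -t before restarting is the check that keeps a typo from locking you out. The config path, home directory and key file name are assumptions.

```bash
#!/bin/sh
# Added example (not from the thread). Paths are assumptions; rehearse in a
# temp dir before pointing set_sshd_port at the real /etc/ssh/sshd_config.
set -eu

# Set "Port N" in an sshd_config file: replaces an existing Port line
# (commented out or not), appends one if none is present.
# Returns 1 for anything that is not a valid TCP port number.
set_sshd_port() {
  cfg="$1"; port="$2"
  case "$port" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
  if grep -Eq '^[# ]*Port[[:space:]]+[0-9]+' "$cfg"; then
    # Portable in-place edit: write a temp copy, then move it over the original.
    sed -E "s/^[# ]*Port[[:space:]]+[0-9]+.*/Port $port/" "$cfg" > "$cfg.tmp" \
      && mv "$cfg.tmp" "$cfg"
  else
    printf 'Port %s\n' "$port" >> "$cfg"
  fi
}

# Create HOME/.ssh and authorized_keys for a freshly added user with the
# permissions sshd insists on (0700 dir, 0600 file), then append PUBKEY_FILE.
# Refuses files that do not look like a common OpenSSH public key line.
install_authorized_key() {
  home="$1"; pubkey_file="$2"
  grep -Eq '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp[0-9]+) [A-Za-z0-9+/=]+' \
    "$pubkey_file" || return 1
  mkdir -p "$home/.ssh"
  chmod 700 "$home/.ssh"
  touch "$home/.ssh/authorized_keys"
  chmod 600 "$home/.ssh/authorized_keys"
  cat "$pubkey_file" >> "$home/.ssh/authorized_keys"
}

# Only restart sshd once the daemon itself accepts the new config; a broken
# sshd_config would otherwise leave no way back in.
restart_sshd_if_valid() {
  cfg="$1"
  sshd -t -f "$cfg" && sudo systemctl restart ssh
}
```

Keep the current session open after restart_sshd_if_valid, open the new port in the security group (step 4 of the first reply), and confirm a second login on the new port before closing it.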

I had an issue today with adapools unable to see my pool live and realized I had misconfigured my FW. Your guide here helped a lot. Thank you @ADAfrog !

1 Like