{"id":25834869,"url":"https://github.com/vndg-rdmt/remote-server-secure-setup","last_synced_at":"2026-04-13T09:31:30.216Z","repository":{"id":176649000,"uuid":"659199525","full_name":"vndg-rdmt/remote-server-secure-setup","owner":"vndg-rdmt","description":"Best practise manual for ssh setup on a remote linux server","archived":false,"fork":false,"pushed_at":"2023-06-29T07:10:55.000Z","size":12,"stargazers_count":0,"open_issues_count":0,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-03-01T01:00:29.906Z","etag":null,"topics":["debian","linux","secure","server","ssh","system-administration","ubuntu"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/vndg-rdmt.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2023-06-27T10:31:48.000Z","updated_at":"2023-10-29T20:00:59.000Z","dependencies_parsed_at":"2023-07-22T13:04:48.186Z","dependency_job_id":null,"html_url":"https://github.com/vndg-rdmt/remote-server-secure-setup","commit_stats":null,"previous_names":["belousov-daniil/remote-server-setup","belousov-daniil/best-practice-linux-secure-ssh-setup","vndg-rdmt/linux-secure-ssh-setup","vndg-rdmt/remote-server-secure-setup"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/vndg-rdmt/remote-server-secure-setup","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vndg-rdmt%2Fremote-server-secure-setup","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vndg-rdmt%2Fremote-server-secure-setup/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vndg-rdmt%2Fremote-server-secure-setup/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vndg-rdmt%2Fremote-server-secure-setup/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/vndg-rdmt","download_url":"https://codeload.github.com/vndg-rdmt/remote-server-secure-setup/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vndg-rdmt%2Fremote-server-secure-setup/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31746291,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-13T09:16:15.125Z","status":"ssl_error","status_checked_at":"2026-04-13T09:16:05.023Z","response_time":93,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["debian","linux","secure","server","ssh","system-administration","ubuntu"],"created_at":"2025-03-01T01:00:08.503Z","updated_at":"2026-04-13T09:31:30.212Z","avatar_url":"https://github.com/vndg-rdmt.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Essential SSH setup on a remote Linux machine\n\n    ███████╗███████╗██╗  ██╗\n    ██╔════╝██╔════╝██║  ██║\n    ███████╗███████╗███████║\n    ╚════██║╚════██║██╔══██║\n    ███████║███████║██║  ██║\n    ╚══════╝╚══════╝╚═╝  ╚═╝\n\nFirst server connection\n\n```bash\nssh root@server-ip\n```\n\nTo not enter this each time, just create an alias for your shell like `alias server-name=ssh your-user@your-server-ip` withing config file.\nFor bash by default this file is `~/.bashrc` or `~/.bash_profile`.\n\nAfter that you will be prompted for root password.\nThen, you will be connected to remote server terminal session.\n\nThere is a chance to spawn multipule zombie-sessions due to closing your terminal without exiting remote session or losing a connection to the remote server. If that happens, identify current active sessions and send kill signal to stop them.\n\n```bash\n# Get current active user sessions\nw\n\n# Stop session process by killing it\npkill -9 -t TTY-name\n```\n\n### Change 'default' user\n\nBefore any additional installations and setup you first need to secure your server, preventing\nany unauthorized connections. To do that, create a new user.\n\nWhy? Cause intruder's bots are searching web for any public through the Web and trying to connect\nvia ssh with the `root` user by default at every moment of time. You can lookup at ssh logs \non your server to be sure about this.\n\nTo prevent this, login for a root use must be prohibited, so the intruders or bots would be unable\nto connect to your server automatically or manually, if you choose a non-standart 'default' username.\nSo the first thing you need to do is create a new user with non-standart name and add it to a `sudo` group,\nbecause you will use it as a 'default' user.\n\n```bash\n# Add new user to OS\nsudo adduser user-name\n\n# Add user to OS to sudo group\nsudo usermod -aG sudo user-name\n```\n\nThen, you be prompted for user password and other non-neccesary creditals, which allowed to be skipped.\nExit server with exit command.\n\n### Change ssh policies\n\nNow you need to copy your ssh key to connect to a server without password. Create a ssh key pair,\nif don't have it.\n\n```bash\nssh-copy-id user-name@server-ip\n# Then enter user password\n```\n\nConnect via a new user without password. All you have to do now is change ssh config and reload ssh service.\nOpen `/etc/ssh/sshd_config` with something like `nano` (!with sudo ofc!) and make sure that this lines are exist and not commeted.\n\n```txt\nPasswordAuthentication no\nPermitEmptyPasswords no\nPermitRootLogin no\nChallengeResponseAuthentication no\n```\n\n```bash\n# ssh is a ssh service client/interface\nsudo service ssh restart\n\n# sshd is a ssh service server\nsudo service sshd restart\n```\n\n### Prevent brute-force\n\nThis step is solving by enabling any kind of system daemon which will\nlookup for network suspicious activity on machine and prevent potentials brute-force attacks.\n\nUsing fail2ban for this purpose is highly recomended due its stability and community support,\nit's also very easy to maintain and configure, and you get it ready-to-use out of box.\n\n    ███████╗ █████╗ ██╗██╗     ██████╗ ██████╗  █████╗ ███╗   ██╗\n    ██╔════╝██╔══██╗██║██║     ╚════██╗██╔══██╗██╔══██╗████╗  ██║\n    █████╗  ███████║██║██║      █████╔╝██████╔╝███████║██╔██╗ ██║\n    ██╔══╝  ██╔══██║██║██║     ██╔═══╝ ██╔══██╗██╔══██║██║╚██╗██║\n    ██║     ██║  ██║██║███████╗███████╗██████╔╝██║  ██║██║ ╚████║\n    ╚═╝     ╚═╝  ╚═╝╚═╝╚══════╝╚══════╝╚═════╝ ╚═╝  ╚═╝╚═╝  ╚═══╝\n\n\u003e *Daemon to ban hosts that cause multiple authentication errors*\n\u003e [Official website](https://www.fail2ban.org/) - [Github](https://github.com/fail2ban/fail2ban)\n\n\n```bash\n# Installation\nsudo apt install fail2ban\n```\n\nAlthough it comes preconfigured through `/etc/fail2ban/jail.conf` and you can configure this tool by changing this file, it's highly not recommended.\nAll configuration must be done with separate .conf files within `/etc/fail2ban/jail.d/` directory, and that's why:\n\n- Secure system - is always a 'fresh' system, so you should/will periodically do something like `apt update`. But, if something comes preconfigured, then it's default files, and so the configuration, can be overwrittenm, changed or removed due to updates, **SO** it not just a problem to recover configuration, but it can turn off security policies on machine, especially when you don't expect this.\n\n- Configuration through one file is not maintain-friendly and it's quite difficult to automate such configurations, cause you will need to implement not just a tool to create/remove/change separate confing files, but also to inspect one large, barely readable file.\n\nConfiguration is done with [INI](https://en.wikipedia.org/wiki/INI_file) config format.\n\nWrite to file: `/etc/fail2ban/jail.d/ssh-service-jail.conf`\n\n```ini\n[ssh]\nenabled = true\nport = ssh\nfindtime = 3600\nmaxretry = 3\nbantime = 86400\nfilter = sshd\nlogpath = /var/log/auth.log\n```\n\nWrite to file: `/etc/fail2ban/jail.d/sshd-service-jail.conf`\n\n```ini\n[sshd]\nenabled = true\nport = ssh\nfindtime = 3600\nmaxretry = 3\nbantime = 86400\nfilter = sshd\nlogpath = %(sshd_log)s\nbackend = %(sshd_backend)s\n```\n\nWrite to file: `/etc/fail2ban/jail.d/defaults-debian.conf`\n\n```ini\n[DEFAULT]\nigonreip = 127.0.0.1\n```\n\n\u003e Do not write findtime, maxretry, bantime to `default` statement, because it may cause different\n\u003e problems, undefined or conflicting behaviour in other services or policies because of the fact that default config\n\u003e probably may contain already enabled policies\n\n```bash\n# Restart service\nsudo systemctl restart fail2ban\n```\n\nUseful commands\n\n```bash\n# Check jails config\nsudo fail2ban-client status\n\n# Check bantime for service - it's a name if brackets you write to .conf file\n# For example for service 'test-123' you should use\nsudo fail2ban-client get test-123 banip --with-time\n\n# Get fail2ban logs\nsudo zgrep 'Ban' /var/log/fail2ban.log*\n```\n\nThat's it, now your server has bare essential secure policy for ssh.\n\n### Additionals\n\nThis repo will also will fill up with some useful scripts to solve daily tasks, like, how do I\nlist all users on my server and etc, that can be associated with repo topic.\n\nUsually, name of a task - name of a script within this repo.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvndg-rdmt%2Fremote-server-secure-setup","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fvndg-rdmt%2Fremote-server-secure-setup","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvndg-rdmt%2Fremote-server-secure-setup/lists"}