WIP! And partially personal—I link to a private repo.
User account
sudo adduser <username> sudo
SSH
Configure the SSH host in /etc/ssh/sshd_config.d/custom.conf. Select a custom port for SSH (222 is given as an example).
Port 222
PermitRootLogin no
AllowUsers user1 user2
PasswordAuthentication no
PrintMotd yes
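A drop-in named custom.conf is read after any file that sorts before it, and sshd keeps the first value it obtains for most keywords, so an earlier drop-in can silently undo PasswordAuthentication no. The check below is an added example, not part of the original notes: the 50-cloud-init.conf file and its contents are constructed, and it assumes the main sshd_config includes sshd_config.d/*.conf before setting these keywords itself.

```python
# Added example. Models sshd's rule that the first value obtained for a
# keyword wins, with drop-ins read in lexical order. Sample files are constructed.
MULTI = {"port", "allowusers"}   # keywords that accumulate instead
# Single-valued settings the page's custom.conf intends to enforce.
WANTED = {"permitrootlogin": "no", "passwordauthentication": "no"}

# Constructed drop-in directory: custom.conf from the page plus a
# hypothetical vendor file that sorts earlier.
SAMPLE = {
    "custom.conf": (
        "Port 222\nPermitRootLogin no\nAllowUsers user1 user2\n"
        "PasswordAuthentication no\nPrintMotd yes\n"
    ),
    "50-cloud-init.conf": "PasswordAuthentication yes\n",
}


def parse(text):
    """Yield (keyword, value) from one fragment; keywords are case-insensitive."""
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            yield parts[0].lower(), parts[1].strip()


def effective(dropins):
    """Map keyword -> (value, file), or a list of such pairs for MULTI keywords."""
    seen = {}
    for name in sorted(dropins):              # lexical order, as Include expands
        for key, value in parse(dropins[name]):
            if key == "match":
                break                         # Match blocks are not modelled
            if key in MULTI:
                seen.setdefault(key, []).append((value, name))
            else:
                seen.setdefault(key, (value, name))   # first value wins
    return seen


def shadowed(dropins, wanted=WANTED):
    """Return wanted keywords whose effective value differs, with the winning file."""
    eff = effective(dropins)
    return {k: eff[k] for k, v in wanted.items() if k in eff and eff[k][0] != v}


if __name__ == "__main__":
    print(shadowed(SAMPLE))
    renamed = {"00-custom.conf": SAMPLE["custom.conf"],
               "50-cloud-init.conf": SAMPLE["50-cloud-init.conf"]}
    print(shadowed(renamed))
```

On a live host, sudo sshd -T prints the configuration sshd actually resolved, which is the authoritative check after editing drop-ins.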
UFW
sudo ufw limit 222/tcp comment "SSH rate limit"
Fail2Ban
sudo apt install fail2ban
# jail.d/01-bantime.conf
[DEFAULT]
maxretry=2
findtime=12d
bantime=6m
bantime.increment = true
# Initial 6 minutes, then 30m, 3h, 6h, 1d6h, 3d, 6d, 12d
bantime.multipliers = 1 5 30 60 300 720 1440 2880
# jail.d/jail.conf
[DEFAULT]
action = %(action_)s
         telegram[service=%(__name__)s]
# jail.d/sshd.conf
[sshd]
port = 222
maxretry = 3
# action.d/telegram.conf
# Send a message to telegram.sh bot
[Definition]
actionban = /home/USER/robots/telegram.sh "[HOSTNAME] just banned <ip> (<F-USER>) for <service> after <failures> failures.%0ABan time: <bantime>%0ABan count: <bancount>"
[Init]
service = Unspecified service
May need to set backend to systemd depending on the distro. If this is done in [DEFAULT], be aware that some jails will want normal logs, not journals.
Robots
Install robots from server-setup.