A lot of the commands listed here can also be found in the official SMOKE Witness PDF. I want to explain further why these steps are needed since I see many people running Linux servers in a very insecure way.
Please do not type the leading $ or # into the commands. Those were added only to show which user you are running as (the root user at first).
Update and Upgrade
First make sure to check for updates and upgrade your server. You may think this is unnecessary since you just installed Linux, but there may be some packages (applications) that need the latest version.
# apt-get update && apt-get upgrade
Install a Firewall:
Why? This allows you to close off all the ports your server does not need to run. By doing this you lower the chance that an attacker finds a way into your witness to destroy it or steal your keys. UFW is the easiest to use and I am glad to see the official Witness document using this firewall tool.
- Install UFW
# apt-get install ufw
- Allow SSH and deny HTTP services
# ufw allow ssh
# ufw deny http
This blocks all incoming traffic from a web browser. You may also deny https.
- Set default to block incoming and allow outgoing traffic.
# ufw default deny incoming
# ufw default allow outgoing
- Prevent brute force password attacks:
# ufw limit OpenSSH
- Enable firewall
# ufw enable
- Check the status of the firewall
# ufw status verbose
Something I tend to do is change the SSH port from the default to something above 10,000. The reason is to add entropy to an attacker's attempts. If you choose to do this, make sure you do not forget the port number or you will lock yourself out. The only difference to the steps above is step 3:
# ufw deny ssh
# ufw deny http
# ufw allow port_number
where port_number is the number you chose.
After you run through those six steps it is a good idea to open another terminal (or PuTTY session on Windows) and log in a second time to make sure you are still able to gain access. If you cannot, use the original session to make changes. The last thing you want is to be locked out of the server you just bought.
Create a New User:
Now you need to create a new user. This adds much more security to your witness server by limiting the number of actions the user can run without a password. That way, if someone does get in through an exploit, they will have minimal access and thus can cause minimal damage. Having two accounts will also allow you to log in as Root to clean up the mess if an attack happens.
- Create the user (the -m creates the home directory for the new user, and -s sets bash as the login shell; note the command is useradd, since the adduser wrapper on Debian and Ubuntu does not accept -m)
# useradd -m -s /bin/bash new_username
- Add your new_username to the SUDO group
# usermod -a -G sudo new_username
- Create a password for the new user:
# passwd new_username
The official document has a few extra steps here that I do not do. I do not think creating an admin group that has root access is needed since the user we create has SUDO access. This is just my opinion, so feel free to follow the official document.
After you create the new user, open a new terminal (or PuTTY) session and log in to make sure you set everything up correctly and that the password works. If there are any issues, use the original Root session to make changes.
Change Root Password:
Trust no one. Even your hosting service.
As Root run the following:
# passwd
Disable Root Login:
Do this after you have verified that you can log in with the new user you created. This helps a lot, and you can still become Root if needed by running su in the console.
- Open the file sshd_config as sudo (it's in
- Change "PermitRootLogin" to no.
Now that everything is set and working for the new user we will use that user from here on out.
Update Your Shared Memory:
- Open the file /etc/fstab as sudo:
$ sudo nano /etc/fstab
- At the bottom add:
tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0
- Save the file and reboot:
$ sudo reboot now
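The two file edits above (PermitRootLogin in sshd_config and the tmpfs line in fstab), as an added shell example that is not from the post or the official SMOKE witness document. Each helper takes the file path as an argument so you can try it on a copy first and then run it on the real file; the real paths are assumed to be /etc/ssh/sshd_config (the post does not state the location) and /etc/fstab. The helpers are idempotent, so running them twice does not duplicate lines, and the two check functions let you confirm the result before the reboot the post ends with, which also restarts sshd so the change takes effect.

```shell
#!/bin/sh
# Added example (not from the post or the official SMOKE witness document):
# idempotent helpers for the two file edits above, plus checks to run after.
# Assumed real paths: /etc/ssh/sshd_config and /etc/fstab.

# set_permit_root_login FILE: drop every PermitRootLogin line, active or
# commented out, then put a single "PermitRootLogin no" at the top. It goes at
# the top so it can never end up inside a later "Match" block, where sshd would
# treat it as conditional. Writing back through cat keeps the file's owner and
# permissions.
set_permit_root_login() {
    file="$1"
    tmp="${file}.tmp.$$"
    {
        printf 'PermitRootLogin no\n'
        grep -Ev '^[[:space:]]*#?[[:space:]]*PermitRootLogin([[:space:]]|$)' "$file" || true
    } > "$tmp"
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# root_login_disabled FILE: true when the first active PermitRootLogin
# directive (the one sshd honours) is "no".
root_login_disabled() {
    val=$(grep -E '^[[:space:]]*PermitRootLogin[[:space:]]' "$1" | head -n 1 | awk '{print $2}')
    [ "$val" = "no" ]
}

# The mount line the post adds: noexec stops binaries dropped into shared
# memory from being executed there, nosuid ignores setuid bits on that mount.
SHM_LINE='tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0'

# add_shm_mount FILE: append the line unless /run/shm already has an entry.
add_shm_mount() {
    if grep -Eq '^[[:space:]]*tmpfs[[:space:]]+/run/shm[[:space:]]' "$1"; then
        return 0
    fi
    printf '%s\n' "$SHM_LINE" >> "$1"
}

# shm_hardened FILE: true when the /run/shm entry carries both noexec and nosuid.
shm_hardened() {
    opts=$(grep -E '^[[:space:]]*tmpfs[[:space:]]+/run/shm[[:space:]]' "$1" | head -n 1 | awk '{print $4}')
    case ",$opts," in
        *,noexec,*) case ",$opts," in *,nosuid,*) return 0 ;; esac ;;
    esac
    return 1
}

# Demonstration on constructed copies; no system file is touched.
demo_sshd=$(mktemp)
demo_fstab=$(mktemp)
printf '# constructed sample sshd_config\n#PermitRootLogin prohibit-password\nPermitRootLogin yes\nPort 22\n' > "$demo_sshd"
printf '# constructed sample fstab\nUUID=0000-0000 / ext4 errors=remount-ro 0 1\n' > "$demo_fstab"
set_permit_root_login "$demo_sshd"
add_shm_mount "$demo_fstab"
root_login_disabled "$demo_sshd" && echo "sshd_config: root login disabled"
shm_hardened "$demo_fstab" && echo "fstab: /run/shm is noexec,nosuid"
rm -f "$demo_sshd" "$demo_fstab"
```

To use it on the server, source the file as the new sudo user and run, for example, "sudo sh -c '. ./harden-files.sh; set_permit_root_login /etc/ssh/sshd_config; add_shm_mount /etc/fstab'", then confirm with root_login_disabled and shm_hardened before rebooting. Keep your existing session open until a fresh login as the new user succeeds.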
The official document has some other steps that you can do to further increase security for your SMOKE witness. What I shared here are the most important parts, in my opinion, for any Linux server, not just witness servers. To get the official document, head over to the smoke.io Discord server and click the pin under the "smoke-witnesses" chat.
If you have any questions please feel free to ask either in the comments below or DM me on Discord.
Go to https://smoke.io/~witnesses and type jrswab in the box at the bottom.