Colab Fellowship - Week 1 Project


CoLab is an innovation hub and a collaborative community for startups, innovators, creatives and entrepreneurs. They are on a mission to develop top-class tech talent in Africa.
The Colab Fellowship is a 6-month programme designed to assist fellows in building genuine projects, enhancing their portfolio, and connecting with job opportunities. As a cybersecurity Fellow, I intend to document my projects here.
Project Question
Harden a Linux server by
■ Enforcing password policies
■ Disabling root SSH login
■ Configuring fail2ban for brute-force protection
This project aims to help me demonstrate basic Linux server hardening skills and techniques to enhance system security. The goal is to reduce vulnerabilities by enforcing password policies, disabling root SSH login, and configuring fail2ban to protect against brute-force attacks.
1. Enforce Password Policies
Password policies are rules established by system administrators to ensure users create strong, secure passwords. These policies help prevent weak passwords that can be easily guessed or cracked by hackers.
Common Password Policy Rules
| Rule | Example Requirement |
| --- | --- |
| Minimum Length | Passwords must be at least 12 characters |
| Character Complexity | Must include upper/lowercase, number, symbol |
| Password History | Prevent the reuse of the last 5 passwords |
| Expiration Time | Force a password change every 90 days |
| Lockout Policy | Lock the account after 5 failed attempts |
| Delay Policy | Add a delay between failed attempts |
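The table's values mapped to the settings that enforce them on a Debian/Ubuntu-style system, as an added example that is not part of the original post: a shell check that reads minlen and minclass from pwquality.conf, PASS_MAX_DAYS from login.defs and deny from faillock.conf. The config copies and their values are constructed samples, and the password-history and delay rows are not covered.

```shell
#!/bin/sh
# Added example: compare the table's values with three config files.
# Keys are real (pwquality.conf, login.defs, faillock.conf); the file
# copies and their values below are constructed samples.

# conf_get FILE KEY: value from "KEY = value" or "KEY value" lines
conf_get() {
    awk -v k="$2" '
        /^[ \t]*#/ { next }                       # skip comments
        { line = $0; sub(/=/, " ", line); split(line, f, " ") }
        f[1] == k { v = f[2] }
        END { print v }
    ' "$1"
}

# check LABEL VALUE OP WANT: numeric test; an unset value counts as a failure
check() {
    if [ -n "$2" ] && [ "$2" "$3" "$4" ]; then echo "OK   $1 = $2"
    else echo "FAIL $1 = ${2:-unset} (want $3 $4)"; FAILED=$((FAILED + 1)); fi
}

# audit_policy DIR: returns the number of table rows that are not met
audit_policy() {
    FAILED=0
    check "minlen (minimum length)"    "$(conf_get "$1/pwquality.conf" minlen)" -ge 12
    check "minclass (complexity)"      "$(conf_get "$1/pwquality.conf" minclass)" -ge 4
    check "PASS_MAX_DAYS (expiration)" "$(conf_get "$1/login.defs" PASS_MAX_DAYS)" -le 90
    check "deny (lockout)"             "$(conf_get "$1/faillock.conf" deny)" -le 5
    return "$FAILED"
}

# write_sample DIR MINLEN MINCLASS MAXDAYS DENY: constructed config copies
write_sample() {
    mkdir -p "$1"
    printf 'minlen = %s\nminclass = %s\n' "$2" "$3" > "$1/pwquality.conf"
    printf 'PASS_MAX_DAYS\t%s\n' "$4" > "$1/login.defs"
    printf '# lock after N failures\ndeny = %s\n' "$5" > "$1/faillock.conf"
}

TMP=$(mktemp -d)
write_sample "$TMP/weak"   8  0 99999 5
write_sample "$TMP/strong" 12 4 90    5
audit_policy "$TMP/weak" || echo "weak sample: $? rule(s) not met"
audit_policy "$TMP/strong" && echo "strong sample: all checked rules met"
```

PASS_MAX_DAYS in login.defs only applies to accounts created afterwards; existing accounts keep their current maximum age until it is changed with chage -M 90 <user>.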
2. Disable Root SSH Login
What is SSH?
SSH, or Secure Shell, is a network communication protocol that enables two computers to communicate and share data. An inherent feature of SSH is that the communication between the two computers is encrypted, meaning that it is suitable for use on insecure networks.
SSH is often used to "login" and perform operations on remote computers, but may also be used to transfer data.
Before I disable root SSH login, another user has to exist on my Linux system.
As a user that is not root, the first step is to switch to the root user. The image above shows that I am now a root user.
Edit the SSH config file:
I enjoy using the Nano text editor. I edited the config file using Nano by typing this command in my command line: nano /etc/ssh/sshd_config
Find and change:
Next, I will find the Root login permission and change the permission from Yes to No.
From the above screenshot, I not only changed the root login permission to password before login, but I also added a login grace time of 2 minutes.
Restart SSH
After changing the permission, I have to restart SSH for the permission to take effect.
From the image above, I also checked the status of my SSH after restarting it. The SSH is actively running.
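A check for the edit described above, as an added example that is not part of the original post: sshd keeps the first value it reads for a keyword, so a "PermitRootLogin no" placed below an earlier PermitRootLogin line has no effect. The two config files are constructed samples, and the parser assumes the whitespace-separated "Keyword value" form of a single file.

```shell
#!/bin/sh
# Added example. sshd uses the FIRST value it reads for a keyword, and keywords
# are case-insensitive, so a later "PermitRootLogin no" does not override an
# earlier line. Assumes the whitespace-separated "Keyword value" form.

# effective_value FILE KEYWORD: first uncommented value in the global section
effective_value() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ || NF == 0 { next }        # comments and blank lines
        tolower($1) == "match" { exit }        # Match blocks are conditional
        tolower($1) == want { print tolower($2); exit }
    ' "$1"
}

# audit_sshd FILE: returns 0 only if root login is "no" and a grace time is
# set explicitly (0 means no limit; unset falls back to the built-in default)
audit_sshd() {
    rc=0
    root=$(effective_value "$1" PermitRootLogin)
    grace=$(effective_value "$1" LoginGraceTime)
    if [ "$root" = "no" ]; then
        echo "OK   PermitRootLogin no"
    else
        echo "FAIL PermitRootLogin is '${root:-unset}' (want: no)"; rc=1
    fi
    case "${grace:-unset}" in
        unset|0) echo "FAIL LoginGraceTime is '${grace:-unset}'"; rc=1 ;;
        *)       echo "OK   LoginGraceTime $grace" ;;
    esac
    return $rc
}

# Constructed sample files (not taken from a real host)
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/shadowed.conf" <<'EOF'
#PermitRootLogin yes
PermitRootLogin prohibit-password
LoginGraceTime 2m
permitrootlogin no
EOF
cat > "$SAMPLES/hardened.conf" <<'EOF'
#PermitRootLogin yes
PermitRootLogin no
LoginGraceTime 2m
EOF

audit_sshd "$SAMPLES/shadowed.conf" || :   # FAIL: the first value wins
audit_sshd "$SAMPLES/hardened.conf"
```

On the server itself, sudo sshd -t validates the file before the restart, and sudo sshd -T prints the effective settings, including any included drop-in files.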
3. Install and Configure Fail2Ban
Fail2Ban protects servers from brute-force attacks by blocking IPs after repeated failed login attempts.
First, I checked whether I already had Fail2ban installed on my machine by running this command: sudo systemctl status fail2ban
From the image above, I do not have fail2ban installed on my machine.
Install fail2ban
I will install fail2ban on my machine by using this command - sudo apt install fail2ban. However, before installing fail2ban, I had to update and upgrade my apt packages.
To proceed with installing fail2ban, I updated and upgraded my apt packages by running this command: sudo apt update && sudo apt upgrade
Now, back to installing Fail2ban
Create a local config file to override defaults:
I will go ahead and create a local configuration file by using this command:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Let me break this down step by step.
Navigate into the /etc/ directory by using this command: cd /etc/
Inside the /etc/ directory you'll find the fail2ban directory. You can list the contents of the directory by using the ls command.
Now, navigate to the fail2ban folder by typing: cd fail2ban. There you'll see a file called jail.conf. Copy that file to a new file named jail.local by using this command:
sudo cp jail.conf jail.local
Next, use the nano text editor to edit the jail.local file using this command:
sudo nano jail.local
- In the [sshd] section, ensure it's enabled and customise:
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 1h
- Start and enable fail2ban using the following command:
sudo systemctl start fail2ban
sudo systemctl enable fail2ban
- Check the status of your fail2ban to ensure it’s actively running:
sudo fail2ban-client status sshd
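How maxretry in the jail above turns log lines into a ban, as an added example that is not part of the original post or of fail2ban itself: a simplified awk model that counts only "Failed password" lines per source IP inside a findtime window. The log lines are constructed, and findtime (not set in the jail above) is passed as 600 seconds, fail2ban's shipped default of 10m.

```shell
#!/bin/sh
# Added example: a simplified model of how the [sshd] jail counts failures.
# It matches only "Failed password" lines and assumes same-day syslog
# timestamps; fail2ban's real sshd filter matches many more patterns.

# would_ban LOGFILE MAXRETRY FINDTIME_SECONDS: prints one IP per line
would_ban() {
    awk -v maxretry="$2" -v findtime="$3" '
        /sshd\[[0-9]+\]: Failed password for / {
            split($3, t, ":"); now = t[1]*3600 + t[2]*60 + t[3]
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i+1)
            n[ip]++; ts[ip, n[ip]] = now
            # count this IP failures that fall inside the window
            hits = 0
            for (k = 1; k <= n[ip]; k++) if (now - ts[ip, k] <= findtime) hits++
            if (hits >= maxretry && !(ip in banned)) { banned[ip] = 1; print ip }
        }
    ' "$1"
}

# Constructed auth.log lines (documentation IP ranges, made-up host and users)
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
Mar  3 10:15:01 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar  3 10:15:04 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar  3 10:15:09 web1 sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Mar  3 10:16:00 web1 sshd[2110]: Accepted password for deploy from 198.51.100.20 port 40022 ssh2
Mar  3 10:20:00 web1 sshd[2120]: Failed password for deploy from 198.51.100.20 port 40100 ssh2
Mar  3 10:45:00 web1 sshd[2130]: Failed password for deploy from 198.51.100.20 port 40101 ssh2
Mar  3 11:10:00 web1 sshd[2140]: Failed password for deploy from 198.51.100.20 port 40102 ssh2
EOF

# Three quick failures trip the jail; three spread over 50 minutes do not
echo "maxretry=3 findtime=600s  -> $(would_ban "$LOG" 3 600 | tr '\n' ' ')"
# A wider window also catches the slow source
echo "maxretry=3 findtime=7200s -> $(would_ban "$LOG" 3 7200 | tr '\n' ' ')"
```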
Unfortunately, I couldn’t share my screen because my Linux suddenly could not connect to the internet.
I tried troubleshooting this for almost two weeks; unfortunately, I still have not gotten a head start.
- My NetworkManager is actively running.
- eth0 is up and running, and has an active IP
When I tried to install anything, I kept getting error messages. Couldn’t install Fail2ban. The previous screenshot I sent on installing fail2ban failed at the final installation.
Someone said it’s a hardware issue. I have changed routers, changed ISP, checked my firewall settings… I am yet to troubleshoot, and I am behind the deadline on this project.
We may not all have everything figured out. That's life! On this matter, I will certainly run to my community for help.
I enjoyed doing this.
Looking forward to the week two project.
Written by

talk2felly
Cybersecurity Analyst// SecOps//Technical Writer//