Secure your Linux server with these simple steps

Since I started my homelab journey, I have always been concerned about not exposing my internal network and services. Over the past year or so, I have been self-hosting and exposing some services, and I have never been more worried. Today we are going to cover some important tips to secure your network and Ubuntu servers and prevent unwanted visitors from snooping through your servers or network. In this post, I will walk through tips for securing your network, securing your Linux server's SSH connections with SSH keys, setting firewall rules, and keeping your servers maintained. So let's dive right in!

Securing your network

Your network is the core of your infrastructure. Lacking proper segmentation, regardless of the size of your lab, opens the possibility for a threat actor to reach your servers and personal devices. It sure took me a minute to understand VLANs and how I can use them to prevent one virtual network from accessing another segment of my network. I highly suggest you separate your network into segments using VLANs. As an example, you can separate your IoT devices (practically most personal devices), your servers, any storage units (mostly NAS), and an external network (this is what we call the DMZ network). Having a visual of the different segments will help you understand how you want your devices to access one another. This is just a suggestion, and I highly encourage you to dive deeper into the intricacies of properly securing your network, as I am no network expert, just someone with some knowledge of how I want to secure mine.

You would want to restrict your IoT network from accessing most services on your server and external networks, and vice versa. You can then allow specific services, for example if you have a media server or other services. A prime example: when you want a certain service on your server network to reach your storage network, you would create an allow rule from that specific device to that specific server. This helps your network remain secure by preventing unwanted IoT devices from reaching your other networks. If you want to take this further, you can restrict the devices on your IoT network from talking to one another, but this could cause issues if you have smart TVs and hubs that rely on mDNS.

Securing your Linux server

I am no expert on this, but I sure can give you some tips and recommendations when it comes to securing your Linux servers. Let's talk about how to use an SSH key pair to sign into them, how to configure the SSH config and firewall rules, and how to keep your Linux server updated.

Secure Shell, or SSH, is a connection method used for remote management and for securely sending commands to a remote machine or device. Without a doubt, this so-called secure connection has been exploited across the internet to gain access to servers and devices and do malicious things on them. This is why securing your secure remote connection is so important.

When securing your servers, it is important that you access them using a specific key pair instead of a username and password. Using a username and password opens up the attack surface for any threat actor. They can easily use a packet sniffer or scanner to detect the data being transmitted between key devices. This is why the previous section discussed the importance of securing your network and building multiple layers into it. It is hard to keep a site secure, as it requires multiple layers of security to minimize the attack surface.

Alright, enough talking about SSH and background; let's get you to what you came here for: how to set up an SSH key pair to access your Linux server. Linux servers use OpenSSH as their SSH service. Most Linux systems, and macOS as well, have the OpenSSH commands built in; that said, the steps for Windows may be slightly different but are still possible.

To create the SSH key pair, we will run the ssh-keygen command on your Linux PC or macOS device. This command accepts multiple parameters to tune the key generation. By default, ssh-keygen uses a key size of 2048 bits. This is somewhat secure, but you would want to use something stronger than that, so we will run the following line: ssh-keygen -b 4096

The way ssh-keygen works, this will create an RSA key with a size of 4096 bits. You will then be prompted for where you want to store the key pair. By default this is the .ssh directory in your home folder, /home/<USER>/.ssh/ or ~/.ssh/. At the same step, you will be asked to set a file name; the default is id_ed25519, but ultimately you can name it anything you want. Keep in mind that this creates two files, id_ed25519 and id_ed25519.pub, where the .pub file is the public key, which is then shared with your remote server, and the other file is the private key used to authenticate your remote session. If the content of the id_ed25519 file changes, you will not be able to authenticate to your remote server until you update the key pair.

After understanding all of this, we can discuss a slightly more advanced way of creating a key pair. So let's go ahead and create a new key pair, but let's specify some parameters first. Running:

ssh-keygen -b 4096 -t rsa -f ~/.ssh/nginx-server-key -C "Comment"

Let's digest this line: the -b parameter sets a key size of 4096 bits as stated before; -t sets the key type to rsa (this can also be set to ed25519; the type is written in lower case); and -f sets the file name in a specific location or directory. This creates two files, nginx-server-key and nginx-server-key.pub. Lastly, -C adds a comment to your key.

Now that we have a bit of an understanding of how the key pair works, let's talk about how to add or copy the proper key to the remote server. For this we use the ssh-copy-id command. You can create as many SSH keys and copy them to the remote server as you want. To copy the key using ssh-copy-id, we run the following command: ssh-copy-id -i <PATH-TO-KEY> remoteuser@remoteserverIP. Just like SSHing into your server, you can copy the key from a Linux PC or macOS. To copy an SSH key from Windows, you would use the scp command.

I highly recommend having one SSH key per remote server per user that accesses it. This is a better way of preventing unknown connections to your servers. Connecting to multiple servers with multiple SSH keys can be a daunting job, but there is a way around this.

Managing multiple SSH connections from your Mac or Linux

I understand that we may have multiple remote Linux servers that we want to connect to. However, this task doesn't need to be hard, so let's explore how we can make our remote connections much easier!

Let's create a config file in /etc/ssh/ by running sudo touch /etc/ssh/config, then modify it using your favorite editor; in my case I use nano, so I run sudo nano /etc/ssh/config. We will enter the following information:

Host <SERVER NAME OR EASY ACCESS NAME>
    HostName <HOST IP>
    IdentityFile <PATH TO SSH KEY>
    User <USER>
    Port <PORT NUMBER>

Mine will look like this:

Host nginx-server
    HostName 192.168.2.100
    IdentityFile ~/.ssh/nginx-server-key
    User abetech
    Port 22

This will allow us to run ssh nginx-server and pass along the host IP, SSH key, username and port without having to type all of those parameters.

Feel free to add as many hosts as you need, but remember to modify this file if you change the SSH key or the port on the host server.
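As an added example (my script, not the post's own commands), the following puts the key-per-server workflow above into one shell script: it generates a dedicated ed25519 key, appends a Host stanza without duplicating an existing one, and runs the ssh-copy-id step. It assumes the per-user ~/.ssh/config as the client config file (the file the post later tells you to update when the port changes); the alias, IP and user in the usage line are the post's sample values, and the key file name pattern is my choice.

```sh
#!/bin/sh
# Added example, not code from the original post. Automates the workflow the
# post describes: one dedicated key per server, one Host stanza per key.
# Assumptions: the per-user ~/.ssh/config is the client config file (the file
# the post later says to update when the port changes); nginx-server,
# 192.168.2.100 and abetech are the post's sample values.
set -eu

# 0 if a "Host <alias>" stanza already exists, so we never add a duplicate.
has_host() {   # alias configfile
    [ -f "$2" ] && grep -Eq "^[[:space:]]*Host[[:space:]]+$1([[:space:]]|\$)" "$2"
}

# Append one stanza. IdentitiesOnly stops ssh from offering every other key in
# ~/.ssh or the agent to this server, which is the point of one key per host.
add_host() {   # alias hostname user port keyfile configfile
    if has_host "$1" "$6"; then
        echo "Host $1 is already in $6; edit that stanza instead" >&2
        return 1
    fi
    mkdir -p "$(dirname "$6")"
    chmod 700 "$(dirname "$6")"
    printf 'Host %s\n    HostName %s\n    User %s\n    Port %s\n' "$1" "$2" "$3" "$4" >> "$6"
    printf '    IdentityFile %s\n    IdentitiesOnly yes\n\n' "$5" >> "$6"
    chmod 600 "$6"   # ssh refuses a config file that other users can write to
}

# New ed25519 key for this server; ssh-keygen prompts for a passphrase. It
# ignores -b for ed25519 (fixed size), so -b 4096 only matters with -t rsa.
gen_key() {   # keyfile comment
    if [ -e "$1" ]; then
        echo "$1 exists, refusing to overwrite it" >&2
        return 1
    fi
    ssh-keygen -t ed25519 -f "$1" -C "$2"
}

# Usage: sh add-ssh-host.sh nginx-server 192.168.2.100 abetech 22
if [ "$#" -eq 4 ]; then
    key="$HOME/.ssh/$1-key"
    gen_key "$key" "$3@$1"
    add_host "$1" "$2" "$3" "$4" "$key" "$HOME/.ssh/config"
    # Install the public half on the server; afterwards "ssh $1" just works.
    ssh-copy-id -i "$key.pub" -p "$4" "$3@$2"
fi
```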

Let's secure your SSH connection

After configuring SSH access using an SSH key pair, we need to modify the sshd_config file, which controls certain aspects of your SSH connection. Let’s go over some recommended configurations and why I’m making these changes.

First, let’s edit the sshd_config file by running:
sudo nano /etc/ssh/sshd_config

Here are the recommended changes:

  • Change the port:
    Uncomment #Port 22 and set it to a different port, like 2222 or 5555.
  • Disable root login:
    Uncomment PermitRootLogin and set it to no.
  • Limit authentication attempts:
    Uncomment MaxAuthTries and set it to 3.
  • Limit the number of sessions:
    Uncomment MaxSessions and set it to 3 (or another number based on your needs).
  • Disable password authentication:
    Uncomment and set PasswordAuthentication to no and PermitEmptyPasswords to no.
  • Disable PAM (Pluggable Authentication Modules):
    Set UsePAM to no to remove the login banner.
  • Disable forwarding and unnecessary features:
    Disable agent, TCP, and X11 forwarding, and disable MOTD, last login info, user environment, and tunneling. Set:
    AllowAgentForwarding no
    AllowTcpForwarding no
    X11Forwarding no
    PrintMotd no
    PrintLastLog no
    PermitUserEnvironment no
    PermitTunnel no
    Banner none

After making these changes, don’t forget to update the port in your ~/.ssh/config file if you changed it. Finally, restart the SSH service by running: sudo systemctl restart ssh.service
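Added example, not code from the post: a script that applies the settings listed above as an Include drop-in instead of hand-editing, runs sshd -t before the restart so a typo cannot lock you out, and verifies the live configuration from sshd -T. It assumes Ubuntu's stock sshd_config, which starts with an Include of /etc/ssh/sshd_config.d/*.conf, and the drop-in name 99-hardening.conf is my choice.

```sh
#!/bin/sh
# Added example, not code from the original post. Writes the post's sshd
# settings to an Include drop-in (Ubuntu's /etc/ssh/sshd_config starts with
# "Include /etc/ssh/sshd_config.d/*.conf", and sshd keeps the first value it
# reads), runs "sshd -t" before restarting, and checks live "sshd -T" output.
set -eu
# The post's recommended settings, verbatim (Port 2222 is its example port).
DESIRED='Port 2222
PermitRootLogin no
MaxAuthTries 3
MaxSessions 3
PasswordAuthentication no
PermitEmptyPasswords no
UsePAM no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
PrintMotd no
PrintLastLog no
PermitUserEnvironment no
PermitTunnel no
Banner none'

write_dropin() {   # path (assumed: /etc/ssh/sshd_config.d/99-hardening.conf)
    printf '# generated hardening drop-in\n%s\n' "$DESIRED" > "$1"
}

# Check a saved "sshd -T" dump (it prints keys in lower case) against DESIRED.
# Prints every mismatch; the return code is the mismatch count, 0 = compliant.
check_effective() {   # dump-file
    bad=0
    while read -r key want; do
        got=$(awk -v k="$key" 'tolower($1) == tolower(k) { print $2; exit }' "$1")
        if [ "$got" != "$want" ]; then
            echo "$key: effective '$got', wanted '$want'"
            bad=$((bad + 1))
        fi
    done <<EOF
$DESIRED
EOF
    return "$bad"
}
# Write, validate, then restart with the post's command; a drop-in that
# "sshd -t" rejects is removed again rather than restarted into.
apply_hardening() {   # drop-in path
    write_dropin "$1"
    sshd -t || { rm -f "$1"; echo "sshd -t rejected the drop-in; removed it" >&2; return 1; }
    systemctl restart ssh.service
}
[ "${1:-}" != apply ] || apply_hardening /etc/ssh/sshd_config.d/99-hardening.conf
[ "${1:-}" != check ] || check_effective "$2"   # after: sudo sshd -T > /tmp/sshd-T.txt
```

Run it as root with sh harden-sshd.sh apply; afterwards save sudo sshd -T > /tmp/sshd-T.txt and run sh harden-sshd.sh check /tmp/sshd-T.txt, which lists every setting that did not take effect.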

You can read more about SSH and the sshd_config here.

Configuring the Linux firewall

A firewall is another important component in securing your servers. On Linux, we use the ufw command (Uncomplicated Firewall) to set firewall rules. By default, the firewall is disabled.

First, let’s set some default rules before enabling the firewall:

sudo ufw default deny incoming  
sudo ufw default allow outgoing

Next, check the available application profiles:
sudo ufw app list

To allow OpenSSH, run:
sudo ufw allow OpenSSH

If you’re running Docker containers, you’ll need to allow the ports they use. For example, to open port 2222:
sudo ufw allow 2222

Once you’ve built the allow list you need, enable the firewall:
sudo ufw enable

If you're running this in a VM, you should be able to restore access from the console by disabling the firewall with: sudo ufw disable
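Added example (mine, not from the post): because the SSH section moves sshd to port 2222 while the OpenSSH ufw profile only opens port 22, this script reads the port sshd is actually configured with, allows it with rate limiting, adds any extra ports you pass, and only then enables the firewall. It assumes the stock /etc/ssh/sshd_config path and Ubuntu's sshd_config.d drop-in directory.

```sh
#!/bin/sh
# Added example, not code from the original post. The post moves sshd to port
# 2222, but "ufw allow OpenSSH" only opens that profile's port 22; this reads
# the port sshd is really configured with and allows it before "ufw enable",
# so the session you are working from stays alive.
set -eu

# First uncommented "Port N" wins, as in sshd itself; on Ubuntu the drop-ins
# are included before the main file, so they are read first. Default is 22.
sshd_port() {   # path to sshd_config (no spaces in the path)
    files="$1"
    d="$(dirname "$1")/sshd_config.d"
    [ -d "$d" ] && files="$d/*.conf $1"
    # deliberate word splitting / glob expansion of $files
    port=$(cat $files 2>/dev/null | awk 'tolower($1) == "port" { print $2; exit }')
    echo "${port:-22}"
}

# The post's baseline, plus the real SSH port ("limit" allows the port but
# throttles repeated connection attempts from one source) and any extra
# ports, such as those published by Docker containers.
setup_ufw() {   # sshd_config path, then extra ports like 80/tcp 443/tcp
    cfg=$1; shift
    ssh_port=$(sshd_port "$cfg")
    ufw default deny incoming
    ufw default allow outgoing
    ufw limit "$ssh_port/tcp" comment 'ssh'
    for p in "$@"; do ufw allow "$p"; done
    ufw --force enable     # --force skips the "may disrupt existing ssh" prompt
    ufw status verbose
}

# Usage (as root): sh ufw-setup.sh /etc/ssh/sshd_config 80/tcp 443/tcp
if [ "$#" -ge 1 ]; then setup_ufw "$@"; fi
```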

You can read more on the Linux firewall in this article from Ubuntu or this other article from DigitalOcean.

Updating your system and keeping it updated

Let’s talk about maintaining your Linux servers. You should periodically check for updates and make sure your services are up to date. Many users may not be aware that updates include security fixes that close vulnerabilities before they can be exploited.

  • Check for updates:
    Run sudo apt update and sudo apt upgrade.
  • Install unattended upgrades:
    Install this package with sudo apt install unattended-upgrades, which will automatically apply security patches.
  • Use monitoring tools:
    Keep an eye on your server's activity. Tools like netstat, htop, or iftop can help monitor resource usage and network traffic.

If you'd like to read more about auto updates, you can read the Ubuntu article at this link.

Final Remarks

Securing your homelab network and Linux servers doesn't have to be an overwhelming task. By taking these steps (segmenting your network, using SSH key pairs, configuring firewall rules, and keeping your systems updated) you'll be well on your way to a more secure environment. Remember, security is not a one-time thing but an ongoing process. As your homelab evolves, so should your security measures. Stay vigilant, stay informed, and keep experimenting to make sure your setup is both functional and secure. Happy homelabbing!