Coti Node Hardening Guide — Part 3

Other Apps

Geordie R
2 min read · Jun 9, 2020

SET UP CANONICAL LIVEPATCH SERVICE

This service applies critical kernel security fixes to your Ubuntu server automatically, without you needing to reboot it. That reduces downtime, so you can stay secure and keep earning COTI.

An article that goes into more depth is here: https://www.omgubuntu.co.uk/2018/04/enable-live-patch-kernel-updates-in-ubuntu-18-04

Go to the following address to get started.

https://auth.livepatch.canonical.com

Register for an account and generate your Livepatch key via the Canonical Livepatch portal.

Once you have the Livepatch key, run the following command, replacing YOURLIVEPATCHKEY with the key they provided to you.

sudo canonical-livepatch enable YOURLIVEPATCHKEY

To check the status, run:

sudo canonical-livepatch status --verbose

Install Fail2ban

Fail2ban is a log file scanner that looks for signs of malicious intent, e.g. too many password failures or probing for exploits.

Fail2ban works by dynamically altering the firewall rules to ban addresses that have unsuccessfully attempted to log in a certain number of times.

sudo apt-get update && sudo apt-get upgrade -y
sudo -S apt -y install fail2ban
# Create our own copy of the config files to override base files
sudo cp /etc/fail2ban/fail2ban.conf /etc/fail2ban/fail2ban.local
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo -S systemctl enable fail2ban
sudo -S systemctl start fail2ban
sudo -S service sshd restart
cd /etc/fail2ban
# Edit our own copy of jail.local
sudo nano /etc/fail2ban/jail.local

Now you will be inside the jail file, where we can override the settings for sshd.

Although these settings may be spread out in the file under [sshd], I’m putting them all together here so you can see them in one place.

[sshd]
enabled = true
port = YOUR_SSH_PORT
filter = sshd
logpath = /var/log/auth.log
maxretry = 5
bantime = 60
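
Because the [sshd] settings can be spread out through jail.local, the following added example (not part of the original guide) reads them back in one place, falls back to [DEFAULT] for anything the jail does not set, and flags a jail that is not switched on; fail2ban's option is spelled `enabled`. The function names `jail_get`, `jail_effective` and `audit_sshd` are hypothetical helpers, and the reader is a simplified one that only handles `key = value` lines starting in column 0.

```shell
#!/bin/sh
# Added example, not from the original guide: read back the effective [sshd]
# settings from a fail2ban jail file. Simplified reader (an assumption): only
# "key = value" lines starting in column 0 are parsed; continuations are skipped.

# jail_get FILE SECTION KEY: print the last value of KEY in [SECTION], or fail.
jail_get() {
    awk -v want="$2" -v key="$3" '
        /^[ \t]*[#;]/ { next }                      # comment line
        /^\[/ { sec = $0; sub(/^\[/, "", sec); sub(/\].*$/, "", sec); next }
        sec == want && /^[^ \t]/ {
            eq = index($0, "="); if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { val = v; found = 1 }
        }
        END { if (!found) exit 1; print val }
    ' "$1"
}

# jail_effective FILE JAIL KEY: the jail's own value, else the [DEFAULT] one.
jail_effective() {
    jail_get "$1" "$2" "$3" || jail_get "$1" DEFAULT "$3"
}

# audit_sshd FILE: print the settings in one place; return 1 on any problem.
audit_sshd() {
    rc=0
    for key in enabled port filter logpath maxretry bantime; do
        if value=$(jail_effective "$1" sshd "$key"); then
            echo "$key = $value"
        else
            echo "$key is not set in [sshd] or [DEFAULT]"; rc=1
        fi
    done
    [ "$(jail_effective "$1" sshd enabled)" = "true" ] || { echo "WARNING: sshd jail is not enabled"; rc=1; }
    # A key named "enable" is a misspelling of "enabled" and switches nothing on.
    if jail_get "$1" sshd enable >/dev/null; then echo "WARNING: found 'enable', expected 'enabled'"; rc=1; fi
    return $rc
}

# Usage: sh audit_sshd.sh /etc/fail2ban/jail.local
if [ -f "${1:-}" ]; then audit_sshd "$1"; fi
```

fail2ban reads jail.local when it starts, so restart the service after editing the file and confirm the running jail with `sudo fail2ban-client status sshd`.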

The End.
