# HORNET Installation Party ## OpenSSH keys (Windows) putty.org Why ed25519: https://cryptsus.com/blog/how-to-secure-your-ssh-server-with-public-key-elliptic-curve-ed25519-crypto.html Medium article: https://medium.com/risan/upgrade-your-ssh-key-to-ed25519-c6e8d60d3c54 ## OpenSSH keys (GNU/Linux, MacOS) `ssh-keygen -a 100 -t ed25519 -f ~/.ssh/id_ed25519 -C "antonio.nardella@iota.org"` `-a rounds` When saving a private key, this option specifies the number of KDF (key derivation function) rounds used. Higher numbers result in slower passphrase verification and increased resistance to brute-force password cracking (should the keys be stolen). `-t dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa` Specifies the type of key to create. The possible values are “dsa”, “ecdsa”, “ecdsa-sk”, “ed25519”, “ed25519-sk”, or “rsa”. `-f filename` Specifies the filename of the key file. ## OpenSSH keys Ledger https://thoughts.t37.net/a-step-by-step-guide-to-securing-your-ssh-keys-with-the-ledger-nano-s-92e58c64a005 ## Install HORNET https://github.com/gohornet/hornet/wiki/Tutorials%3A-Linux%3A-Install-HORNET ### Steps #### Update and upgrade system `apt update && apt upgrade` #### Add GPG keys `wget -qO - https://ppa.hornet.zone/pubkey.txt | sudo apt-key add -` #### Add HORNET repository to APT `sh -c 'echo "deb http://ppa.hornet.zone stable main" >> /etc/apt/sources.list.d/hornet.list'` #### Install HORNET `apt update && apt install hornet` #### Enable HORNET service `systemctl enable hornet.service` #### Start HORNET `service hornet start` #### Verify HORNET state `journalctl -u hornet.service -f` ### HORNET Dashboard - SSH tunnel `ssh -N -L 8081:localhost:8081 root@remote_host_or_ip` `-N` Do not execute a remote command. This is useful for just forwarding ports. ``` -L [bind_address:]port:host:hostport -L [bind_address:]port:remote_socket -L local_socket:host:hostport -L local_socket:remote_socket ``` Specifies that connections to the given TCP port or Unix socket on the local (client) host are to be forwarded to the given host and port, or Unix socket, on the remote side. This works by allocating a socket to listen to either a TCP port on the local side, optionally bound to the specified bind_address, or to a Unix socket. Whenever a connection is made to the local port or socket, the connection is forwarded over the secure channel, and a connection is made to either host port hostport, or the Unix socket remote_socket, from the remote machine. Port forwardings can also be specified in the configuration file. Only the superuser can forward privileged ports. IPv6 addresses can be specified by enclosing the address in square brackets. By default, the local port is bound in accordance with the GatewayPorts setting. However, an explicit bind_address may be used to bind the connection to a specific address. The bind_address of “localhost” indicates that the listening port be bound for local use only, while an empty address or ‘*’ indicates that the port should be available from all interfaces. ### COMNET #### Edit HORNET defaults `nano /etc/default/hornet` #### Add COMNET configuration ``` # Add cli arguments to hornet, e.g.: # (For the full list of cli options run 'hornet -h') OPTIONS="--config config_comnet" ``` ## Security Do not feel _safe_ because you take these precautions. This is the minimal setup! ### Firewall **DISCLAIMER** If you are running other services or use a different port for SSH this instructions might disrupt those services. Be careful when you copy/paste commands from online website, make sure you understand what you do! Install uncomplicated firewall `apt install ufw` Allow any outgoing connection `ufw default allow outgoing` Deny any incoming connection `ufw default deny incoming` Allow ssh (secure shell) over the port `22` `ufw allow ssh` Allow the autopeering UDP port 14626 `ufw allow 14626/udp` Allow the gossip TCP port 15600 `ufw allow 15600/tcp` ### Create a new sudo user The sudo command (short for Super-user do) is a program designed to allow users to execute commands with the security privileges of another user, by default the root user. You can use this user account to execute administrative commands without a need to log in to your Debian server as a root user Login as root and type following commands `apt update && apt install sudo` Create new user `adduser beekeeper` Add to the `sudo` group `usermod -aG sudo beekeeper` ### fail2ban "Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show the malicious signs -- too many password failures, seeking for exploits, etc. Generally Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action (e.g. sending an email) could also be configured. Out of the box Fail2Ban comes with filters for various services (apache, courier, ssh, etc). Fail2Ban is able to reduce the rate of incorrect authentications attempts however it cannot eliminate the risk that weak authentication presents. Configure services to use only two factor or public/private authentication mechanisms if you really want to protect services." [Fail2ban main page](https://www.fail2ban.org/wiki/index.php/Main_Page) Update apt and install fail2ban `sudo apt update && sudo apt install fail2ban` These commands start and enable fail2ban ``` sudo systemctl start fail2ban sudo systemctl enable fail2ban ``` ### Unattended Upgrades Install the necessary packages `sudo apt-get install unattended-upgrades apt-listchanges` The default configuration file for the unattended-upgrades package is at /etc/apt/apt.conf.d/50unattended-upgrades. The defaults will work fine, but you should read it and make changes as needed. `sudo nano /etc/apt/apt.conf.d/50unattended-upgrades` This section controls which packages are upgraded: ``` Unattended-Upgrade::Origins-Pattern { // ... }; ``` You should at least uncomment the following line: `Unattended-Upgrade::Mail "root";` Create the file /etc/apt/apt.conf.d/20auto-upgrades by running the following command as root: `sudo dpkg-reconfigure -plow unattended-upgrades` ### Changing the ssh-port and some hardening 1. Choosing a New Port Number In Linux, port numbers below 1024 are reserved for well-known services and can only be bound to by root. Although you can use a port within 1-1024 range for the SSH service to avoid issues with port allocation in the future it is recommended to choose a port above 1024. In this example will change the SSH port to ``3322``, you can choose any port you like. 2. Adjusting Firewall Before changing the SSH port, first you’ll need to adjust your firewall to allow traffic on the new SSH port. If you are using UFW, the default firewall configuration tool for Ubuntu run the following command to open the new SSH port: `sudo ufw allow 3322/tcp` 3. Configuring SSH Open the SSH configuration file /etc/ssh/sshd_config with your text editor: `sudo nano /etc/ssh/sshd_config` Search for the line starting with Port 22. In most cases, this line will start with a hash #. Remove the hash # and enter your new SSH port number that will be used instead of the standard SSH port 22. /etc/ssh/sshd_config `Port 3322` Be extra careful when modifying the SSH configuration file. The incorrect configuration may cause the SSH service to fail to start. Once you are done save the file and restart the SSH service to apply the changes: `sudo systemctl restart ssh` To verify that SSH daemon is listening on the new port 3322 type: ss -an | grep 3322 The output should look something like this: tcp LISTEN 0 128 0.0.0.0:3322 0.0.0.0:* tcp ESTAB 0 0 192.168.121.108:3322 192.168.121.1:57638 tcp LISTEN 0 128 [::]:3322 [::]:* Using the New SSH Port Now that you changed the SSH port when login to the remote machine you’ll need to specify the new port. Run the ssh followed by the -p <port_number> option to specify the port: ssh -p 3322 beekeeper@remote_host_or_ip ## Ledger Nano for your SSH session (GNU/Linux & MacOS) [Guide](https://thoughts.t37.net/a-step-by-step-guide-to-securing-your-ssh-keys-with-the-ledger-nano-s-92e58c64a005) On your local PC: `ledger-agent beekeeper@VPSADDRESS` Get the public key: ``` ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBC+qDQh0BxMYLw5JR/FIUlBid5FZuR8uDZIIRJwkCE8D1Cw7peGLuwL9eA0G+IvbYLjVmdfLf/i6Y25mr+UKYoQ= <ssh://beekeeper@remote_host_or_ip|nist256p1> ``` On the VPS: ``` mkdir .ssh nano .ssh/authorized_keys ``` Paste the public key ``` ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBC+qDQh0BxMYLw5JR/FIUlBid5FZuR8uDZIIRJwkCE8D1Cw7peGLuwL9eA0G+IvbYLjVmdfLf/i6Y25mr+UKYoQ= <ssh://beekeeper@remote_host_or_ip|nist256p1> ``` ## Learn more about VPS security! https://www.cyberciti.biz/tips/linux-security.html