diff --git a/CI_CD_PIPELINE_SETUP_GUIDE.md b/CI_CD_PIPELINE_SETUP_GUIDE.md index 56f5df1..3956ffb 100644 --- a/CI_CD_PIPELINE_SETUP_GUIDE.md +++ b/CI_CD_PIPELINE_SETUP_GUIDE.md 
@@ -1447,6 +1447,153 @@ sudo apt install -y \ python3-certbot-nginx ``` +#### 10.5 Secure SSH Configuration + +**Critical Security Step**: After setting up SSH key authentication, you must disable password authentication and root login to secure your Production server. + +**Step 1: Edit SSH Configuration File** + +```bash +# Open the SSH configuration file using nano +sudo nano /etc/ssh/sshd_config +``` + +**Step 2: Disallow Root Logins** + +Find the line that says: +``` +#PermitRootLogin prohibit-password +``` + +Change it to: +``` +PermitRootLogin no +``` + +**Step 3: Disable Password Authentication** + +Find the line that says: +``` +#PasswordAuthentication yes +``` + +Change it to: +``` +PasswordAuthentication no +``` + +**Step 4: Configure Protocol Family (Optional)** + +If you only need IPv4 connections, find or add: +``` +#AddressFamily any +``` + +Change it to: +``` +AddressFamily inet +``` + +**Step 5: Save and Exit** + +- Press `Ctrl + X` to exit +- Press `Y` to confirm saving +- Press `Enter` to confirm the filename + +**Step 6: Test SSH Configuration** + +```bash +# Test the SSH configuration for syntax errors +sudo sshd -t +``` + +**Step 7: Restart SSH Service** + +For Ubuntu 22.10+ (socket-based activation): +```bash +sudo systemctl enable --now ssh.service +``` + +For other distributions: +```bash +sudo systemctl restart sshd +``` + +**Step 8: Verify SSH Access** + +**IMPORTANT**: Test SSH access from a new terminal window before closing your current session: + +```bash +# Test Production Linode +ssh PROD_DEPLOY_USER@YOUR_PRODUCTION_IP 'echo "SSH configuration test successful"' +``` + +**What these changes do:** + +- **`PermitRootLogin no`**: Completely disables root SSH access +- **`PasswordAuthentication no`**: Disables password-based authentication +- **`AddressFamily inet`**: Listens only on IPv4 (optional, for additional security) + +**Security Benefits:** + +- **No root access**: Eliminates the most common attack vector +- **Key-only 
authentication**: Prevents brute force password attacks +- **Protocol restriction**: Limits SSH to IPv4 only (if configured) + +**Emergency Access:** + +If you lose SSH access, you can still access the server through: +- **Linode Console**: Use the Linode dashboard's console access +- **Emergency mode**: Boot into single-user mode if needed + +**Verification Commands:** + +```bash +# Check SSH configuration +sudo grep -E "(PermitRootLogin|PasswordAuthentication|AddressFamily)" /etc/ssh/sshd_config + +# Check SSH service status +sudo systemctl status ssh + +# Check SSH logs for any issues +sudo journalctl -u ssh -f + +# Test SSH access from a new session +ssh PROD_DEPLOY_USER@YOUR_PRODUCTION_IP 'whoami' +``` + +**Expected Output:** +- `PermitRootLogin no` +- `PasswordAuthentication no` +- `AddressFamily inet` (if configured) +- SSH service should be "active (running)" +- Test commands should return the deployment user name + +**Important Security Notes:** + +1. **Test before closing**: Always test SSH access from a new session before closing your current SSH connection +2. **Keep backup**: You can restore the original configuration if needed +3. **Monitor logs**: Check `/var/log/auth.log` for SSH activity and potential attacks +4. **Regular updates**: Keep SSH and system packages updated for security patches + +**Alternative: Manual Configuration with Backup** + +If you prefer to manually edit the file with a backup: + +```bash +# Create backup +sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup + +# Edit the file +sudo nano /etc/ssh/sshd_config + +# Test configuration +sudo sshd -t + +# Restart service +sudo systemctl restart ssh +``` + ### Step 11: Create Users #### 11.1 Create the PROD_SERVICE_USER User 
@@ -1757,154 +1904,7 @@ The `docker-compose.prod.yml` file is specifically designed for production deplo ### Step 15: Configure Security -#### 15.1 Secure SSH Configuration - -**Critical Security Step**: After setting up SSH key authentication, you must disable password authentication and root login to secure your Production server. - -**Step 1: Edit SSH Configuration File** - -```bash -# Open the SSH configuration file using nano -sudo nano /etc/ssh/sshd_config -``` - -**Step 2: Disallow Root Logins** - -Find the line that says: -``` -#PermitRootLogin prohibit-password -``` - -Change it to: -``` -PermitRootLogin no -``` - -**Step 3: Disable Password Authentication** - -Find the line that says: -``` -#PasswordAuthentication yes -``` - -Change it to: -``` -PasswordAuthentication no -``` - -**Step 4: Configure Protocol Family (Optional)** - -If you only need IPv4 connections, find or add: -``` -#AddressFamily any -``` - -Change it to: -``` -AddressFamily inet -``` - -**Step 5: Save and Exit** - -- Press `Ctrl + X` to exit -- Press `Y` to confirm saving -- Press `Enter` to confirm the filename - -**Step 6: Test SSH Configuration** - -```bash -# Test the SSH configuration for syntax errors -sudo sshd -t -``` - -**Step 7: Restart SSH Service** - -For Ubuntu 22.10+ (socket-based activation): -```bash -sudo systemctl enable --now ssh.service -``` - -For other distributions: -```bash -sudo systemctl restart sshd -``` - -**Step 8: Verify SSH Access** - -**IMPORTANT**: Test SSH access from a new terminal window before closing your current session: - -```bash -# Test Production Linode -ssh PROD_DEPLOY_USER@YOUR_PRODUCTION_IP 'echo "SSH configuration test successful"' -``` - -**What these changes do:** - -- **`PermitRootLogin no`**: Completely disables root SSH access -- **`PasswordAuthentication no`**: Disables password-based authentication -- **`AddressFamily inet`**: Listens only on IPv4 (optional, for additional security) - -**Security Benefits:** - -- **No root access**: 
Eliminates the most common attack vector -- **Key-only authentication**: Prevents brute force password attacks -- **Protocol restriction**: Limits SSH to IPv4 only (if configured) - -**Emergency Access:** - -If you lose SSH access, you can still access the server through: -- **Linode Console**: Use the Linode dashboard's console access -- **Emergency mode**: Boot into single-user mode if needed - -**Verification Commands:** - -```bash -# Check SSH configuration -sudo grep -E "(PermitRootLogin|PasswordAuthentication|AddressFamily)" /etc/ssh/sshd_config - -# Check SSH service status -sudo systemctl status ssh - -# Check SSH logs for any issues -sudo journalctl -u ssh -f - -# Test SSH access from a new session -ssh PROD_DEPLOY_USER@YOUR_PRODUCTION_IP 'whoami' -``` - -**Expected Output:** -- `PermitRootLogin no` -- `PasswordAuthentication no` -- `AddressFamily inet` (if configured) -- SSH service should be "active (running)" -- Test commands should return the deployment user name - -**Important Security Notes:** - -1. **Test before closing**: Always test SSH access from a new session before closing your current SSH connection -2. **Keep backup**: You can restore the original configuration if needed -3. **Monitor logs**: Check `/var/log/auth.log` for SSH activity and potential attacks -4. **Regular updates**: Keep SSH and system packages updated for security patches - -**Alternative: Manual Configuration with Backup** - -If you prefer to manually edit the file with a backup: - -```bash -# Create backup -sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup - -# Edit the file -sudo nano /etc/ssh/sshd_config - -# Test configuration -sudo sshd -t - -# Restart service -sudo systemctl restart ssh -``` - -#### 15.2 Configure Firewall +#### 15.1 Configure Firewall ```bash sudo ufw --force enable
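Review bot: The new 10.5 disables password authentication before the deploy user is guaranteed to exist: Step 8 verifies with `ssh PROD_DEPLOY_USER@YOUR_PRODUCTION_IP`, yet the section is inserted immediately before `### Step 11: Create Users`, so a reader following the guide in order either cannot run that check or locks themselves out with only the Linode console as a fallback. Either state at the top of 10.5 that PROD_DEPLOY_USER and its `authorized_keys` must already be in place (a quick `ssh PROD_DEPLOY_USER@YOUR_PRODUCTION_IP 'whoami'` before editing sshd_config would confirm that), or keep the hardening after user creation as it was in 15.1. Two smaller points in the same hunk. First, the verification `grep` on `/etc/ssh/sshd_config` reports what the file says, not what sshd enforces: on Ubuntu 22.04+ the file begins with `Include /etc/ssh/sshd_config.d/*.conf` and the first value of a keyword wins, so a drop-in such as the `50-cloud-init.conf` that cloud-init writes on Ubuntu cloud images (`PasswordAuthentication yes`) silently overrides the edit, and the grep also matches the commented-out defaults. `sudo sshd -T | grep -Ei 'permitrootlogin|passwordauthentication|addressfamily'` prints the effective values and should be the check listed under "Expected Output". Second, Step 7's "Ubuntu 22.10+" command `sudo systemctl enable --now ssh.service` does not restart an already-running sshd, so the edited configuration is not picked up; `sudo systemctl restart ssh`, which the "Alternative" block at the end of the hunk already uses, works for both socket-activated and classic setups. Since Security Note 2 ("Keep backup") assumes a backup exists, the `cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup` from that Alternative block belongs in Step 1 rather than as an afterthought.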
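Review bot: Renumbering `#### 15.2 Configure Firewall` to `#### 15.1 Configure Firewall` changes the heading anchor, so any table-of-contents entry or in-document link to 15.2, or to the removed "15.1 Secure SSH Configuration", elsewhere in CI_CD_PIPELINE_SETUP_GUIDE.md now points at the wrong section or at nothing; grep the guide for `15.1`, `15.2` and `Secure SSH Configuration` and update them to 10.5 and the new 15.1. The removed block matches the added 10.5 text line for line, so this hunk is a pure move with no content change; `### Step 15: Configure Security` is left with only the firewall subsection, which is fine as long as the section intro (outside this hunk) no longer promises SSH hardening there.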