Server hardening and security best practices.
Run the hardening wizard:
shipnode harden

This interactive wizard helps you:
- Disable password authentication - Use SSH keys only
- Disable root login - Create a sudo user instead
- Change SSH port - Move from default port 22
- Allowlist users - Only specific users can SSH in
- Enable UFW firewall
- Allow SSH (your port)
- Allow HTTP (80)
- Allow HTTPS (443)
- Deny all other incoming
Install fail2ban to block brute-force attackers:
- Block after 5 failed attempts
- Ban for 10 minutes
- Monitor SSH logs
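To see what "block after 5 failed attempts within the monitoring window, ban for 10 minutes" means on real log traffic, here is the jail's counting rule re-implemented over a few constructed auth.log lines. This is an added example, not ShipNode's or fail2ban's own code; the log lines, host name and addresses are constructed, and the simulation assumes syslog-style timestamps within one month.

```shell
#!/bin/sh
# Added example, not ShipNode's or fail2ban's own code: the counting rule behind
# the [sshd] jail (maxretry failures within findtime seconds -> ban the source
# address for bantime seconds) re-implemented in awk over constructed auth.log
# lines, so the thresholds can be reasoned about offline. Assumes POSIX sh/awk
# and syslog-style timestamps; months are treated as 31 days, which keeps the
# ordering right for windows that do not span a month boundary.

# simulate_sshd_jail MAXRETRY FINDTIME BANTIME < auth.log
# Prints one "BAN <ip> at <timestamp> for <bantime>s" line per ban decision.
simulate_sshd_jail() {
    awk -v maxretry="$1" -v findtime="$2" -v bantime="$3" '
    BEGIN { split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= 12; i++) mon[m[i]] = i - 1 }
    function epoch(mo, d, hms,   p) {
        split(hms, p, ":")
        return (mon[mo] * 31 + d) * 86400 + p[1] * 3600 + p[2] * 60 + p[3]
    }
    # the same kind of failure lines the stock sshd filter keys on
    /Failed password for|Invalid user|authentication failure/ {
        ip = ""
        for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
        if (ip == "") next
        now = epoch($1, $2, $3)
        if ((ip in banned) && now < banned[ip]) next   # already blocked at the firewall
        n[ip]++
        t[ip, n[ip]] = now
        # forget failures older than findtime: s[ip] counts the dropped ones
        while (s[ip] < n[ip] && t[ip, s[ip] + 1] <= now - findtime) s[ip]++
        if (n[ip] - s[ip] >= maxretry) {
            print "BAN " ip " at " $1 " " $2 " " $3 " for " bantime "s"
            banned[ip] = now + bantime
            s[ip] = n[ip]                                # start a fresh window
        }
    }'
}

# sample_auth_log -> constructed log lines (not taken from a real host)
sample_auth_log() {
    cat <<'EOF'
Jan 12 10:00:01 web1 sshd[3201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jan 12 10:00:03 web1 sshd[3201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jan 12 10:00:05 web1 sshd[3202]: Failed password for root from 203.0.113.7 port 51240 ssh2
Jan 12 10:00:07 web1 sshd[3203]: Failed password for root from 203.0.113.7 port 51244 ssh2
Jan 12 10:00:09 web1 sshd[3204]: Failed password for root from 203.0.113.7 port 51250 ssh2
Jan 12 10:00:11 web1 sshd[3205]: Failed password for root from 203.0.113.7 port 51252 ssh2
Jan 12 10:01:00 web1 sshd[3206]: Failed password for alice from 198.51.100.9 port 40001 ssh2
Jan 12 10:02:00 web1 sshd[3207]: Accepted publickey for alice from 198.51.100.9 port 40002 ssh2: ED25519 SHA256:constructed
Jan 12 10:05:00 web1 sshd[3208]: Failed password for deploy from 192.0.2.33 port 50001 ssh2
Jan 12 10:05:01 web1 sshd[3209]: Failed password for deploy from 192.0.2.33 port 50002 ssh2
Jan 12 10:05:02 web1 sshd[3210]: Failed password for deploy from 192.0.2.33 port 50003 ssh2
Jan 12 10:05:03 web1 sshd[3211]: Failed password for deploy from 192.0.2.33 port 50004 ssh2
Jan 12 10:15:00 web1 sshd[3212]: Failed password for alice from 198.51.100.9 port 40003 ssh2
Jan 12 10:20:00 web1 sshd[3213]: Failed password for deploy from 192.0.2.33 port 50005 ssh2
EOF
}

# With the values above (5 attempts, findtime 600, bantime 600) only
# 203.0.113.7 is banned; 192.0.2.33 places its fifth attempt outside the window.
sample_auth_log | simulate_sshd_jail 5 600 600
```

Run the last line with a findtime of 1800 instead and 192.0.2.33 is banned as well; that is the trade-off the findtime value encodes: a longer window catches slow, spread-out guessing but also bans a legitimate user who mistypes a password a few times over half an hour.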
Check your server's security:
shipnode doctor --security

This checks:
- SSH configuration
- Firewall status
- Fail2ban installation
- File permissions
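The "SSH configuration" part of that check has one subtlety worth seeing in code: sshd applies the first value it reads for a keyword, so a hardening line appended to the bottom of a file that already sets the option earlier changes nothing, and directives inside a Match block are conditional rather than global. The audit below is an added example, not ShipNode's own doctor code; it assumes POSIX sh and awk, reads one file you name, and does not follow Include directives.

```shell
#!/bin/sh
# Added example, not ShipNode's own code: an offline version of the
# "SSH configuration" check, run against an sshd_config file you pass in.
# sshd uses the FIRST value it reads for a keyword, so the audit reports the
# effective (first) value and stops at the first Match block, whose directives
# apply only to matching connections. Assumes POSIX sh, awk and tr.

# effective_value FILE KEYWORD -> first value set for KEYWORD (case-insensitive),
# empty when the keyword is not set in FILE.
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            if (line == "" || line ~ /^#/) next          # blank line or comment
            sub(/[[:space:]]*=[[:space:]]*/, " ", line)  # sshd also accepts Keyword=value
            split(line, f, /[[:space:]]+/)
            k = tolower(f[1])
            if (k == "match") exit                       # end of the global section
            if (k == key) { print f[2]; exit }           # first occurrence wins
        }' "$1"
}

# audit_sshd_config FILE -> one PASS/WARN/FAIL line per check; exit status 1
# if any check failed. Unset keywords are judged by their OpenSSH defaults.
audit_sshd_config() {
    cfg=$1
    rc=0
    for spec in PasswordAuthentication:no PermitRootLogin:no PubkeyAuthentication:yes; do
        kw=${spec%%:*}
        want=${spec#*:}
        got=$(effective_value "$cfg" "$kw" | tr 'A-Z' 'a-z')
        # OpenSSH defaults when the keyword is absent
        if [ -z "$got" ]; then
            case $kw in
                PasswordAuthentication) got=yes ;;
                PermitRootLogin) got=prohibit-password ;;
                PubkeyAuthentication) got=yes ;;
            esac
        fi
        if [ "$got" = "$want" ]; then
            echo "PASS $kw"
        else
            echo "FAIL $kw (effective: $got)"
            rc=1
        fi
    done
    port=$(effective_value "$cfg" Port)
    if [ -z "$port" ] || [ "$port" = 22 ]; then
        echo "WARN Port (default 22; the wizard can move it)"
    else
        echo "PASS Port ($port)"
    fi
    if [ -n "$(effective_value "$cfg" AllowUsers)" ]; then
        echo "PASS AllowUsers"
    else
        echo "FAIL AllowUsers (no SSH user allowlist)"
        rc=1
    fi
    return $rc
}
```

On a host, `audit_sshd_config /etc/ssh/sshd_config` checks the main file; since Ubuntu's stock file starts with an Include of /etc/ssh/sshd_config.d/, the more reliable input is the daemon's own rendering, `sshd -T > /tmp/effective.conf` followed by `audit_sshd_config /tmp/effective.conf`. Whichever file you edit, `sshd -t` validates it before the restart, and keeping a second session open guards against locking yourself out.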
Set up SSH key authentication:
- Generate a key (on your local machine):
  ssh-keygen -t ed25519 -C "your@email.com"
- Add it to the server:
  ssh-copy-id user@your-server
- Test the connection:
  ssh user@your-server
- Disable password auth (after confirming the key works):
  # In /etc/ssh/sshd_config
  PasswordAuthentication no
  systemctl restart sshd
Configure the UFW firewall:
# Allow SSH (port 22, or your custom SSH port)
ufw allow 22
# Allow HTTP/HTTPS
ufw allow 80
ufw allow 443
# Enable firewall
ufw enable

If you moved SSH to a custom port, allow the new port before removing the default rule:
ufw allow 2222/tcp   # your custom SSH port
ufw delete allow 22  # remove default

ShipNode's fail2ban configuration:
[DEFAULT]
bantime = 600
findtime = 600
maxretry = 5
[sshd]
enabled = true
port = 22
filter = sshd
logpath = /var/log/auth.log

Manage deployment users with users.yml:
users:
  - username: alice
    email: alice@example.com
    authorized_key: "ssh-ed25519 AAAAC3... alice@laptop"
    sudo: false
  - username: bob
    email: bob@example.com
    authorized_key: "ssh-ed25519 AAAAC3... bob@laptop"
    sudo: true

Sync users:
shipnode user sync

Security checklist:
- SSH key authentication enabled
- Root login disabled
- SSH port changed (optional)
- UFW firewall enabled
- fail2ban installed
- Regular security updates:
  apt update && apt upgrade
- Backups configured
- .env file not in version control
- Secrets not committed to git
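The authorized_key values in users.yml above end up in each user's authorized_keys file, so it is worth validating them before they are written. The following is an added example, not ShipNode's user-sync code: it checks that a value is exactly one structurally valid ed25519 public key (type string, a blob that decodes to the 51-byte SSH wire encoding, optional comment) and rejects values containing a line break, which would otherwise smuggle a second entry into the file. It assumes POSIX sh with base64, od and tr; the sample key it builds is constructed from fixed bytes and has no matching private key.

```shell
#!/bin/sh
# Added example, not ShipNode's own code: structural validation of an
# authorized_key value from users.yml before it is written into a user's
# ~/.ssh/authorized_keys. Assumes POSIX sh with base64, od and tr; the sample
# key built by constructed_key is made from fixed bytes and is not a real key.

# is_ed25519_key "ssh-ed25519 <base64> [comment]"
# Returns 0 only for a single, structurally valid ed25519 public key. The base64
# blob is the SSH wire encoding: uint32 11, "ssh-ed25519", uint32 32, then the
# 32 raw key bytes, 51 bytes in total.
is_ed25519_key() {
    value=$1
    nl=$(printf '\n_'); nl=${nl%_}
    cr=$(printf '\r')
    # A line break inside the value would smuggle a second authorized_keys entry
    # past a check that only looks at the first line, so reject it outright.
    case $value in *"$nl"*|*"$cr"*) return 1 ;; esac
    set -f                                    # no globbing while word-splitting
    set -- $value                             # -> type, blob, comment...
    set +f
    [ "$1" = ssh-ed25519 ] || return 1
    [ -n "$2" ] || return 1
    hex=$(printf '%s' "$2" | base64 -d 2>/dev/null | od -An -v -tx1 | tr -d ' \n')
    [ ${#hex} -eq 102 ] || return 1           # 51 bytes -> 102 hex digits
    # header: length 11, "ssh-ed25519" in hex, length 32
    case $hex in 0000000b7373682d6564323535313900000020*) return 0 ;; esac
    return 1
}

# authorized_line USERNAME KEY -> the normalized line to append to the user's
# authorized_keys (type, blob, one comment word), or status 1 and no output
# when the key is rejected.
authorized_line() {
    user=$1
    key=$2
    if ! is_ed25519_key "$key"; then
        echo "rejected authorized_key for $user" >&2
        return 1
    fi
    set -f; set -- $key; set +f
    printf '%s %s %s\n' "$1" "$2" "${3:-$user}"
}

# constructed_key -> a syntactically valid sample key whose 32 key bytes are
# all 0x41; it exercises the checks above and has no matching private key.
constructed_key() {
    blob=$({ printf '\000\000\000\013ssh-ed25519\000\000\000\040'; printf 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'; } | base64 | tr -d '\n')
    printf 'ssh-ed25519 %s alice@laptop\n' "$blob"
}

# Stand-alone demonstration: the constructed key is accepted, a truncated one is not.
authorized_line alice "$(constructed_key)"
authorized_line bob "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5 bob@laptop" || echo "truncated key rejected"
```

The length and header checks only prove the value is shaped like an ed25519 key, not that it is the key the user meant to enrol; that part is confirmed by the "Test connection" step above before password authentication is turned off.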