The observability culture shapes development and devops in powerful ways. We were able to identify a signal indicating that the server was handling nefarious traffic that took resources away from legitimate users. We made a hypothesis about what we wanted to try in order to positively impact that signal. Because we started with observability, we can evaluate the work we did and determine whether we were successful and whether more work is needed.
What if we could also guarantee that any ssh requests had to also go through Cloudflare? In other words, what if we didn’t accept ssh requests to the server IP but could force those through Cloudflare as well? This post describes options for just that through Cloudflare’s `cloudflared` service.
If you use Cloudflare, this post walks you through how to limit traffic to only their IP addresses, forcing access to your server to be subjected to Cloudflare security features.
At this point, you’ve set up your Ubuntu server and added some initial security. There are three more things I like to do when setting up an Ubuntu server: add a firewall with iptables, install fail2ban, and set up email alerts for any time a user invokes sudo.
In this step we’ll create a new user, set up ssh, and configure it to not allow root user logins. There’s also a brief discussion of some of the sshd_config settings we used.