Recommended port range
Use the range 49152 to 65535 (dynamic/private ports) for private services. It avoids clashes with IANA-registered services and keeps the listener out of the default port lists that mass scanners sweep (nmap probes the 1,000 most common ports unless told otherwise); a full-range scan still finds it, so treat the move as noise reduction, not access control. One caveat on Linux: the kernel's ephemeral range (net.ipv4.ip_local_port_range, 32768 to 60999 by default) overlaps this block, so either pick a port above 60999 or reserve the chosen one via net.ipv4.ip_local_reserved_ports so an outgoing connection cannot grab it before the service binds.
Guide (German version, translated)
1. Changing the xRDP port
By default xRDP listens on port 3389. Moving it removes most of the automated brute-force noise from bots that only probe the default; it does not stop a targeted attacker, so keep the firewall rules from step 3 in place as well.
# Change the default RDP port (e.g., to 53389); the same port must be opened in UFW in step 3
sudo sed -i 's/port=3389/port=53389/g' /etc/xrdp/xrdp.ini
# Restart the service to apply the change, then confirm the new listener (e.g. with ss -ltnp)
sudo systemctl restart xrdp
2. SSH public key authentication
Generate the key pair on your local machine (not on the server, so the private key never leaves your workstation).
# Local: Generate a high-security Ed25519 key pair
ssh-keygen -t ed25519 -C "admin_access"
# Local: Transfer public key to server
ssh-copy-id -i ~/.ssh/id_ed25519.pub -p <current_ssh_port> user@server-ip
Server-side configuration to disable password logins. Note that the two sed calls only rewrite the commented defaults shipped in sshd_config: if a keyword is already set uncommented, or set in a drop-in under /etc/ssh/sshd_config.d/ (cloud images ship one that forces PasswordAuthentication yes, and sshd keeps the first value it reads), they change nothing. Check the effective values with sshd -T before restarting, and keep your current session open until a second, key-based login succeeds.
# Server: SSH hardening (edits the commented defaults only; verify with: sudo sshd -T | grep -iE 'passwordauthentication|permitrootlogin')
sudo sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config
# Debian/Ubuntu ship '#PermitRootLogin prohibit-password' as the default, so this line only changes anything if 'yes' was set explicitly
sudo sed -i 's/PermitRootLogin yes/PermitRootLogin prohibit-password/g' /etc/ssh/sshd_config
# Apply the SSH changes (the unit is called sshd on RHEL-family systems)
sudo systemctl restart ssh
3. UFW: disabling ICMP (ping) and opening ports
By default UFW answers pings (the echo-request ACCEPT rules in /etc/ufw/before.rules). This step turns them into DROP. It only suppresses echo replies: the open TCP ports still reveal the host, and nmap skips the ping probe anyway when run with -Pn.
# Allow SSH (still on 22 here; adjust if you moved it) and the new xRDP port BEFORE enabling the firewall, or you lock yourself out
sudo ufw allow 22/tcp
sudo ufw allow 53389/tcp
# Disable ICMP echo (ping) in /etc/ufw/before.rules:
# change '-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT'
# to     '-A ufw-before-input -p icmp --icmp-type echo-request -j DROP'
# (the pattern below also hits the ufw-before-forward line; IPv6 pings live in /etc/ufw/before6.rules as icmpv6-type echo-request and are not covered)
sudo sed -i 's/icmp-type echo-request -j ACCEPT/icmp-type echo-request -j DROP/g' /etc/ufw/before.rules
# Enable the firewall (if it was already active, reload it so before.rules is re-read)
sudo ufw enable
Guide (English)
1. Changing the xRDP port
Changing the default port 3389 filters out the bots that only probe the default. It is noise reduction, not a defense against anyone who scans the full port range, so the firewall rules in step 3 still matter; where possible, restrict the xRDP rule there to your own source address.
# Modify the xRDP configuration to use a custom port (e.g., 53389); open the same port in UFW in step 3
sudo sed -i 's/port=3389/port=53389/g' /etc/xrdp/xrdp.ini
# Restart the service to apply the new port, then confirm the listener (e.g. with ss -ltnp)
sudo systemctl restart xrdp
2. SSH Public Key Authentication
Generate the keys on your local machine.
# Local: Create the key pair using Ed25519 algorithm
ssh-keygen -t ed25519 -C "admin_access"
# Local: Copy the public key to the remote server
ssh-copy-id -i ~/.ssh/id_ed25519.pub -p <current_ssh_port> user@server-ip
Server-side hardening. The sed calls below only rewrite the commented defaults; an uncommented setting, or one in a drop-in under /etc/ssh/sshd_config.d/ that sshd reads first (cloud images ship one with PasswordAuthentication yes), is left untouched. Confirm the effective values with sshd -T and keep your current session open until a key-based login has been tested.
# Server: disable password-based logins (verify with: sudo sshd -T | grep -iE 'passwordauthentication|permitrootlogin')
sudo sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config
# Default on Debian/Ubuntu is the commented '#PermitRootLogin prohibit-password', so this only changes an explicit 'yes'
sudo sed -i 's/PermitRootLogin yes/PermitRootLogin prohibit-password/g' /etc/ssh/sshd_config
# Restart the SSH service (unit name is sshd on RHEL-family systems)
sudo systemctl restart ssh
3. UFW: ICMP blocking and port rules
Dropping ICMP echo requests stops the host from answering ordinary pings. It does not make the server invisible: the open SSH and xRDP ports still respond, and scanners such as nmap skip the ping probe with -Pn. The gain is less casual discovery noise, nothing more.
# Allow SSH (22 here; change it if you moved SSH) and the custom xRDP port before enabling the firewall
sudo ufw allow 22/tcp
sudo ufw allow 53389/tcp
# Turn the echo-request ACCEPT rules in /etc/ufw/before.rules into DROP (ufw-before-input and ufw-before-forward; IPv6 needs the same edit in before6.rules, where the rule reads icmpv6-type echo-request)
sudo sed -i 's/icmp-type echo-request -j ACCEPT/icmp-type echo-request -j DROP/g' /etc/ufw/before.rules
# Activate the firewall (reload instead if it is already active so before.rules is re-read)
sudo ufw enable
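The sed one-liners in both guides (SSH step 2, xRDP step 1, UFW step 3) match one exact spelling of each configuration line and silently do nothing when the shipped default is spelled differently or when a drop-in file sets the keyword first. The script below is an added example, not code from the original guide: it edits the same three files by keyword and section instead, reads the effective sshd value back the way sshd resolves it (first match wins, Include globs in order), and exercises everything on constructed copies in a temp directory. It assumes a POSIX sh with awk, tr and mktemp; all paths are parameters, so nothing under /etc is touched.

```shell
#!/bin/sh
# Added example, not from the original guide. sshd keeps the FIRST value it
# reads for a keyword, so a drop-in under /etc/ssh/sshd_config.d/ (cloud
# images ship one with "PasswordAuthentication yes") beats a later line in
# sshd_config, and the guide's sed on "#PasswordAuthentication yes" changes
# nothing effective. Assumptions: POSIX sh with awk, tr and mktemp; every
# function takes the file path as an argument.

# sshd_first FILE KEY: print the value sshd would use for KEY, i.e. the first
# active match, following Include globs in order. Returns 1 if KEY is unset
# in the global section (compiled-in default). A Match line ends the global
# section; keyword comparison is case-insensitive like sshd's.
sshd_first() {
  file=$1 key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in ''|'#'*) continue ;; esac
    set -- $line            # unquoted on purpose: expands the Include glob
    k=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); shift
    case $k in
      match)   return 1 ;;
      include) for inc in "$@"; do
                 [ -f "$inc" ] && sshd_first "$inc" "$key" && return 0
               done ;;
      "$key")  printf '%s\n' "$*"; return 0 ;;
    esac
  done < "$file"
  return 1
}

# sshd_set FILE KEY VALUE: delete every active or commented KEY line from the
# global section and put "KEY VALUE" on line 1, ahead of any Include, so it
# wins the first-match rule even against drop-ins. Match blocks are left
# alone, so per-user exceptions survive.
sshd_set() {
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v new="$2 $3" '
    BEGIN { global = 1; print new }
    /^[ \t]*[Mm][Aa][Tt][Cc][Hh][ \t]/ { global = 0 }
    { l = $0; sub(/^[ \t]*#?[ \t]*/, "", l); split(l, f, /[ \t=]+/) }
    global && tolower(f[1]) == key { next }
    { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# xrdp_set_port FILE PORT / xrdp_port FILE: rewrite or read the port= key of
# the [Globals] section only; backend sections (Xorg, Xvnc) have their own.
xrdp_set_port() {
  awk -v port="$2" '
    /^[ \t]*\[/ { section = $0 }
    section ~ /\[Globals\]/ && /^[ \t]*port[ \t]*=/ { print "port=" port; next }
    { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}
xrdp_port() {
  awk -F= '/^[ \t]*\[/ { section = $0 }
           section ~ /\[Globals\]/ && $1 ~ /^[ \t]*port[ \t]*$/ { print $2; exit }' "$1"
}

# ufw_drop_ping FILE: in before.rules (IPv4) or before6.rules (IPv6) turn the
# echo-request ACCEPT on the input chain into DROP. Unlike the guide's sed it
# leaves the forward chain alone; other ICMP types (destination-unreachable,
# time-exceeded) stay accepted because path MTU discovery needs them.
ufw_drop_ping() {
  awk '/ufw6?-before-input .*--icmp(v6)?-type echo-request -j ACCEPT[ \t]*$/ { sub(/ACCEPT[ \t]*$/, "DROP") }
       { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# make_fixture DIR: constructed copies of the three files. The sshd_config
# mimics Debian/Ubuntu: Include first, a cloud-init drop-in forcing password
# logins, commented defaults, and a Match block that must survive.
make_fixture() {
  mkdir -p "$1/sshd_config.d"
  printf '%s\n' "Include $1/sshd_config.d/*.conf" '#PasswordAuthentication yes' \
    '#PermitRootLogin prohibit-password' 'Match User backup' \
    '    PasswordAuthentication yes' > "$1/sshd_config"
  printf '%s\n' 'PasswordAuthentication yes' > "$1/sshd_config.d/50-cloud-init.conf"
  printf '%s\n' '[Globals]' 'port=3389' '' '[Xorg]' 'name=Xorg' 'port=-1' > "$1/xrdp.ini"
  printf '%s\n' '-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT' \
    '-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT' \
    '-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT' > "$1/before.rules"
}

# demo: the drop-in wins before the edit, the hardened value wins after it;
# then the xRDP and UFW edits are applied to the copies.
demo() {
  d=$(mktemp -d); make_fixture "$d"
  printf 'effective PasswordAuthentication before: %s\n' "$(sshd_first "$d/sshd_config" PasswordAuthentication)"
  sshd_set "$d/sshd_config" PasswordAuthentication no
  sshd_set "$d/sshd_config" PermitRootLogin prohibit-password
  printf 'effective PasswordAuthentication after:  %s\n' "$(sshd_first "$d/sshd_config" PasswordAuthentication)"
  xrdp_set_port "$d/xrdp.ini" 53389; ufw_drop_ping "$d/before.rules"
  printf 'xrdp [Globals] port: %s\n' "$(xrdp_port "$d/xrdp.ini")"
  grep -n 'echo-request' "$d/before.rules"
  rm -rf "$d"
}
demo
```

To use it on a real host, call the functions with the real paths (sshd_set /etc/ssh/sshd_config PasswordAuthentication no, xrdp_set_port /etc/xrdp/xrdp.ini 53389, ufw_drop_ping on both before.rules and before6.rules) as root, then still confirm with sudo sshd -T before restarting sshd: sshd_first models the first-match rule but not every corner of sshd's parser, and sshd -T is the authority.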