Project Scenario: Hardening Remote Access for ABC TechGroup

Role: Junior DevOps Engineer
Company: ABC TechGroup (a fictitious fintech startup)

The Background: ABC TechGroup has recently migrated its financial application infrastructure to the AWS Cloud. The development team needs to access these Linux servers remotely to deploy updates and fix bugs. However, a recent external security audit flagged a "Critical" vulnerability: the servers are currently using default configurations, making them easy targets for hackers.

The Problem: The Chief Information Security Officer (CISO) has detected unauthorized login attempts from foreign IP addresses. The logs show that automated "botnets" are constantly scanning Port 22 (the default SSH port) and trying to brute-force the root password.

Your Mission: As the lead engineer on this task, you must implement a "Security through Obscurity" and "Defense in Depth" strategy to lock down remote access. You need to ensure that management traffic is encrypted, hidden from standard scanners, and accessible only to authorized personnel, so that confidentiality is preserved.

Key Objectives:

  1. Identity Management: Rename the servers according to the company naming convention (Server-01) to prevent administrative errors.
  2. Obfuscation: Change the default SSH listening port from 22 to a custom non-standard port (1922) to evade 99% of automated bot scanners.
  3. Access Control: Configure AWS Security Groups (cloud firewalls) and the host's UFW (Uncomplicated Firewall) so that SSH traffic is explicitly allowed only on the new secure port.
  4. Verification: Prove the security posture by demonstrating that connection attempts on the old port fail while the new secure channel functions correctly.
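The four objectives carried through as one shell script, added here as an example; it is not part of the scenario, which supplies no scripts. The config-editing logic is a function that can be exercised on a copy of sshd_config; the apply function assumes an Ubuntu host with OpenSSH, UFW and the AWS CLI, and SG_ID and ADMIN_CIDR are placeholders for the Security Group id and the administrators' source range.

```shell
#!/usr/bin/env bash
# Added example, not part of the original scenario. Assumes an Ubuntu host with
# OpenSSH, UFW and the AWS CLI; SG_ID and ADMIN_CIDR are placeholders.
set -eu

# Rewrite the Port directive in an sshd_config-style file: the first "Port" or
# "#Port" line is replaced, later duplicates dropped, and one appended if none exist.
set_ssh_port() {
  local cfg="$1" port="$2" tmp
  case "$port" in ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;; esac
  # Stay in the unprivileged, valid range (assumption for this exercise).
  if [ "$port" -lt 1024 ] || [ "$port" -gt 65535 ]; then
    echo "port out of range: $port" >&2; return 1
  fi
  tmp=$(mktemp)
  awk -v p="$port" '
    /^[[:space:]]*#?[[:space:]]*Port[[:space:]]+/ { if (!done) { print "Port " p; done = 1 }; next }
    { print }
    END { if (!done) print "Port " p }' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# Report the effective port in the file (first uncommented Port line, else 22).
get_ssh_port() {
  local p
  p=$(awk '/^[[:space:]]*Port[[:space:]]+[0-9]+/ { print $2; exit }' "$1")
  echo "${p:-22}"
}

# Apply on the real host (run as root). Order matters: open 1922 in the Security
# Group and UFW BEFORE restarting sshd, and keep this session open until the
# new port is verified, otherwise a typo locks you out of the instance.
apply_hardening() {
  hostnamectl set-hostname Server-01
  aws ec2 authorize-security-group-ingress --group-id "$SG_ID" \
      --protocol tcp --port 1922 --cidr "$ADMIN_CIDR"
  ufw allow 1922/tcp comment 'SSH on custom port'
  set_ssh_port /etc/ssh/sshd_config 1922
  sshd -t                                  # syntax check before touching the service
  systemctl daemon-reload                  # needed where ssh.socket supplies the port
  systemctl restart ssh
  ss -tln | grep -q ':1922 ' || { echo "sshd is not listening on 1922" >&2; return 1; }
  # Only now close the old port at both layers; verify from a second terminal:
  #   ssh -p 1922 user@host   (works)   ssh -p 22 user@host   (refused)
  ufw delete allow 22/tcp >/dev/null 2>&1 || true   # no-op if 22 was never allowed
  aws ec2 revoke-security-group-ingress --group-id "$SG_ID" \
      --protocol tcp --port 22 --cidr 0.0.0.0/0
  ufw --force enable                       # default incoming policy denies everything else
}
if [ "${1:-}" = "--apply" ]; then apply_hardening; fi
```

Moving the port cuts the noise from mass scanners but is not an authentication control; the firewall rules and the verification step are what actually restrict who can reach sshd.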

Business Value Delivered: By executing this hardening process, you are reducing the server's "attack surface" by over 90%, ensuring that ABC TechGroup's proprietary code and customer financial data remain secure from opportunistic cyberattacks.

[Figure: Hardened SSH Ingress Data Flow (Port 1922)]

Summary of steps

1) Change Hostname