AndyJarrett

Another setting up a Server guide

This is a first part of multiple posts all about setting your (Ubuntu) server (like the web needs one). I'm slowly moving over to Docker but recently I dumped my scripts in to github. These are my own guides to setting up a site which I have been updating over time.

Fork me on Github, this is from the ubuntu/ folder

This post covers setting up unattended stable updates, removing root SSH access, setting up a less privileged user to do your bidding, and a firewall:

Keep your server up-to-date and patched

Update your package list and upgrade your packages and dependencies

# Downloads the package lists from the repositories and "updates" them to get information on the newest versions of packages and their dependencies.
$ sudo apt-get update
# Intelligently handle the dependencies, so it might remove obsolete packages or add new ones
$ sudo apt-get dist-upgrade

You could also just run $ sudo apt-get update && sudo apt-get dist-upgrade to keep life simple.

Keeping Your Server Secure With Unattended Upgrades

$ sudo apt-get install unattended-upgrades update-notifier-common
# Once the packages are installed, you have to enable upgrades explicitly:
$ sudo dpkg-reconfigure unattended-upgrades

Select 'YES', this will set two apt configuration properties in //etc/apt/apt.conf.d/20auto-upgrades. You can have a look in the configuration file at /etc/apt/apt.conf.d/50unattended-upgrades to see what you can do. This also outputs logs to /var/log/unattended-upgrades/ - check in on this.

Now let Create a user

Creates a user called 'andyjarrett' and sets the password

$ sudo adduser andyjarrett

Check you can log in with the user

$ su andyjarrett
$ cd ~ #move to the home directory of andyjarrett

Let get SSH sorted

$ mkdir ~/.ssh
$ chmod 700 ~/.ssh
$ touch ~/.ssh/authorized_keys
$ nano ~/.ssh/authorized_keys # We need to add our public key authorized_keys files
If you're on Mac you can run `$ cat ~/.ssh/id_rsa.pub | pbcopy` to copy your local public key to the clipboard to paste in **~/.ssh/authorized_keys** on the server.
$ chmod 600 ~/.ssh/* #Next let's grant ownership of the file to the account, so that they can later change their own settings.
$ exit #This should bring you out of su andyjarrett

We can add the new user to the "sudo" group. By default, on Ubuntu 14.04, users who belong to the "sudo" group are allowed to use the sudo command.

As root, run this command to add your new user to the sudo group (substitute the highlighted word with your new user):

n.b. If during the next section you see an error message like unable to resolve host ip-XXX-XXX-XXX-XXX you can fix this by adding the following to /etc/hosts

127.0.0.1 ip-XXX-XXX-XXX-XXX #replace XXX with the IP address returned  

Back to adding the user

sudo gpasswd -a andyjarrett sudo  

OR you can also just give the user SUDO access

$ sudo visudo #configure who has access to the sudo 

Look for :
root ALL=(ALL:ALL) ALL and add

andyjarrett     ALL=(ALL:ALL) ALL  

At this point our ROOT user is no longer needed, so lets update our sshd_config

$ sudo nano /etc/ssh/sshd_config

and set

PasswordAuthentication no  
PermitRootLogin no  
Port 303030  
AllowUsers andyjarrett  

You'll notice we also changed the SSH port. Yes, this is "security through obscurity" but you can see this as just one part of a multi-layer protection of your server. We also set andyjarrett as the only allowed user.

Staying in sshd_config, the following is a personal preference and comes from cyberciti.biz to help maintain a connection

ClientAliveInterval 240  
ClientAliveCountMax 5  

Once you're done run the following to check for erros

sudo sshd -T  

Then run the following to reload your changes

sudo service ssh reload #reload the SSH changes  

WARNING: BEFORE YOU CLOSE YOUR SESSION OPEN UP A NEW TERMINAL WINDOW

N.B. the '-p' flag which changes the port from the default SSH one to 303030 which is what we set in /etc/ssh/sshd_config earlier on.

$ ssh andyjarrrett@123.123.123 -p303030 #You need to check you can SSH in. 

From this point on I'll be logged in as the new user

If you're on Amazon then you should have Security Groups already protecting your box. They are great as a first line of defense plus they add no load on your server. However there might be a time when you want to quickly manage connection to your box i.e. an attack and IPTables gives you this power. The next segment will touch on securing your server with Firewall rules (IPTables)

At this point your server is running, you're logged in as your new user and you want to set up security.
IPTables are another layer of protection along withn you security groups. However, security groups are not state-sensitive, you cannot have them respond automatically to an attack for instance. IPTables are well suited to more dynamic rules - either adapting to certain scenarios, or providing finer grained conditional control.

The plan is to implement both, IPTables will allo us to dynamically protect against currently open ports from potential attacks.

Set up Firewall

Back up your current set of rule

sudo sh -c '/sbin/iptables-save > /etc/iptables.save'  

Later on, if you have issues you can run the following to get back the rule set.

sudo /sbin/iptables -F  
sudo sh -c '/sbin/iptables-restore < /etc/iptables.save'  

Create a new rules file

nano ~/iptables.up.rules  

Copy the below in to the file and save it.

*filter


#  Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT


#  Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT


#  Allows all outbound traffic
#  You can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT


# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 10000 -j ACCEPT

#  Allows SSH connections
#
# THE -dport NUMBER IS THE SAME ONE YOU SET UP IN THE SSHD_CONFIG FILE
#
-A INPUT -p tcp -m state --state NEW --dport 303030 -j ACCEPT


# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT


# log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7


# Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT  

Now tell Ubuntu to use these rules

sudo /sbin/iptables-restore < ~/iptables.up.rules  

check your rules are in place

sudo iptables -L  

This works for now, but as soon as your reboot you'll loose the changes. To get around this install the following

sudo apt-get install iptables-persistent  

The rules defined (what we set above) when the package is installed are saved and used on each subsequent boots. The config file if you do need to change them (once iptables-persistent is installed) is /etc/iptables/rules.v4 or /etc/iptables/rules.v6

You now have a basic server and user ready for installing what you want.