This is a first part of multiple posts all about setting your (Ubuntu) server (like the web needs one). I'm slowly moving over to Docker but recently I dumped my scripts in to github. These are my own guides to setting up a site which I have been updating over time.
This post covers setting up unattended stable updates, removing root SSH access, setting up a less privileged user to do your bidding, and a firewall:
Keep your server up-to-date and patched
Update your package list and upgrade your packages and dependencies
# Downloads the package lists from the repositories and "updates" them to get information on the newest versions of packages and their dependencies. $ sudo apt-get update # Intelligently handle the dependencies, so it might remove obsolete packages or add new ones $ sudo apt-get dist-upgrade
You could also just run
$ sudo apt-get update && sudo apt-get dist-upgrade to keep life simple.
Keeping Your Server Secure With Unattended Upgrades
$ sudo apt-get install unattended-upgrades update-notifier-common # Once the packages are installed, you have to enable upgrades explicitly: $ sudo dpkg-reconfigure unattended-upgrades
Select 'YES', this will set two apt configuration properties in //etc/apt/apt.conf.d/20auto-upgrades. You can have a look in the configuration file at /etc/apt/apt.conf.d/50unattended-upgrades to see what you can do. This also outputs logs to /var/log/unattended-upgrades/ - check in on this.
Now let Create a user
Creates a user called 'andyjarrett' and sets the password
$ sudo adduser andyjarrett
Check you can log in with the user
$ su andyjarrett $ cd ~ #move to the home directory of andyjarrett
Let get SSH sorted
$ mkdir ~/.ssh $ chmod 700 ~/.ssh $ touch ~/.ssh/authorized_keys $ nano ~/.ssh/authorized_keys # We need to add our public key authorized_keys files
If you're on Mac you can run `$ cat ~/.ssh/id_rsa.pub | pbcopy` to copy your local public key to the clipboard to paste in **~/.ssh/authorized_keys** on the server.
$ chmod 600 ~/.ssh/* #Next let's grant ownership of the file to the account, so that they can later change their own settings. $ exit #This should bring you out of su andyjarrett
We can add the new user to the "sudo" group. By default, on Ubuntu 14.04, users who belong to the "sudo" group are allowed to use the sudo command.
As root, run this command to add your new user to the sudo group (substitute the highlighted word with your new user):
n.b. If during the next section you see an error message like unable to resolve host ip-XXX-XXX-XXX-XXX you can fix this by adding the following to /etc/hosts
127.0.0.1 ip-XXX-XXX-XXX-XXX #replace XXX with the IP address returned
Back to adding the user
sudo gpasswd -a andyjarrett sudo
OR you can also just give the user SUDO access
$ sudo visudo #configure who has access to the sudo
Look for :
root ALL=(ALL:ALL) ALL and add
andyjarrett ALL=(ALL:ALL) ALL
At this point our ROOT user is no longer needed, so lets update our sshd_config
$ sudo nano /etc/ssh/sshd_config
PasswordAuthentication no PermitRootLogin no Port 303030 AllowUsers andyjarrett
You'll notice we also changed the SSH port. Yes, this is "security through obscurity" but you can see this as just one part of a multi-layer protection of your server. We also set andyjarrett as the only allowed user.
Staying in sshd_config, the following is a personal preference and comes from cyberciti.biz to help maintain a connection
ClientAliveInterval 240 ClientAliveCountMax 5
Once you're done run the following to check for erros
sudo sshd -T
Then run the following to reload your changes
sudo service ssh reload #reload the SSH changes
WARNING: BEFORE YOU CLOSE YOUR SESSION OPEN UP A NEW TERMINAL WINDOW
N.B. the '-p' flag which changes the port from the default SSH one to 303030 which is what we set in /etc/ssh/sshd_config earlier on.
$ ssh email@example.com -p303030 #You need to check you can SSH in.
From this point on I'll be logged in as the new user
If you're on Amazon then you should have Security Groups already protecting your box. They are great as a first line of defense plus they add no load on your server. However there might be a time when you want to quickly manage connection to your box i.e. an attack and IPTables gives you this power. The next segment will touch on securing your server with Firewall rules (IPTables)
At this point your server is running, you're logged in as your new user and you want to set up security.
IPTables are another layer of protection along withn you security groups. However, security groups are not state-sensitive, you cannot have them respond automatically to an attack for instance. IPTables are well suited to more dynamic rules - either adapting to certain scenarios, or providing finer grained conditional control.
The plan is to implement both, IPTables will allo us to dynamically protect against currently open ports from potential attacks.
Set up Firewall
Back up your current set of rule
sudo sh -c '/sbin/iptables-save > /etc/iptables.save'
Later on, if you have issues you can run the following to get back the rule set.
sudo /sbin/iptables -F sudo sh -c '/sbin/iptables-restore < /etc/iptables.save'
Create a new rules file
Copy the below in to the file and save it.
*filter # Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0 -A INPUT -i lo -j ACCEPT -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT # Accepts all established inbound connections -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # Allows all outbound traffic # You can modify this to only allow certain traffic -A OUTPUT -j ACCEPT # Allows HTTP and HTTPS connections from anywhere (the normal ports for websites) -A INPUT -p tcp --dport 80 -j ACCEPT -A INPUT -p tcp --dport 443 -j ACCEPT -A INPUT -p tcp --dport 10000 -j ACCEPT # Allows SSH connections # # THE -dport NUMBER IS THE SAME ONE YOU SET UP IN THE SSHD_CONFIG FILE # -A INPUT -p tcp -m state --state NEW --dport 303030 -j ACCEPT # Allow ping -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT # log iptables denied calls -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7 # Reject all other inbound - default deny unless explicitly allowed policy -A INPUT -j REJECT -A FORWARD -j REJECT COMMIT
Now tell Ubuntu to use these rules
sudo /sbin/iptables-restore < ~/iptables.up.rules
check your rules are in place
sudo iptables -L
This works for now, but as soon as your reboot you'll loose the changes. To get around this install the following
sudo apt-get install iptables-persistent
The rules defined (what we set above) when the package is installed are saved and used on each subsequent boots. The config file if you do need to change them (once iptables-persistent is installed) is /etc/iptables/rules.v4 or /etc/iptables/rules.v6
You now have a basic server and user ready for installing what you want.