I recently got a new VPS for hosting my mail and some other things. The server was installed with a minimal Ubuntu 8.10 distribution, which basically meant that nothing except init, syslogd, and sshd was running after boot. Before doing anything else with it, here’s what I did to lock it down a bit security-wise:
Step 1 — Add user account
It’s good practice to not do stuff logged in as the root user, so the first step is to add a user account from which we can sudo. Log in as root only this time and add the user (e.g. johndoe) and sudo access as follows:
useradd -m johndoe -s /bin/bash passwd johndoe visudo
Running visudo will edit the /etc/sudoers file with the default editor of your environment. Add this line to allow johndoe full sudo permissions:
johndoe ALL=(ALL) ALL
Step 2 — Install iptables
Still as root, we’ll set up the iptables firewall to make sure only specifically allowed inbound network traffic is allowed to the server:
apt-get install iptables
Configuring iptables can seem pretty complex at first, but here’s a decent tutorial. Firewall rules can be added directly from the command line:
iptables -F iptables -P INPUT ACCEPT iptables -P OUTPUT ACCEPT iptables -P FORWARD ACCEPT iptables -A INPUT -i lo -j ACCEPT iptables -A INPUT -p icmp --icmp-type any -j ACCEPT iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 993 -j ACCEPT iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
Essentially, the above rules allow all outbound traffic, block all inbound traffic by default, and specifically allow ssh, smtp, http, and imaps traffic, which is what I need to begin with. To make sure the rules are persistent after e.g. a server reboot we add them as a script hook to the network interface:
iptables-save > /etc/network/iptables printf '#!/bin/sh\niptables-restore < /etc/network/iptables\n' > /etc/network/if-pre-up.d/iptables chmod 754 /etc/network/if-pre-up.d/iptables
Step 3 — Update sshd config
Now that iptables and a user account with sudo rights are set up, it’s time to leave the root shell, log in as the new user, and then edit the sshd config to lock down future ssh access a bit:
sudo vi /etc/ssh/sshd_config
Add/change the following settings:
PermitRootLogin no AllowUsers johndoe
This disallows root from logging in through ssh (console login is still allowed though) and restricts ssh access to only be allowed for the johndoe user. Make the changes active by reloading the config:
sudo /etc/init.d/ssh reload
Step 4 — Update sources.list
This being a very minimal install, the stock /etc/apt/sources.list file only included the main repository component. To install the denyhosts package (see next step) the universe component is needed, so we need to add it to sources.list:
deb http://archive.ubuntu.com/ubuntu intrepid main restricted deb-src http://archive.ubuntu.com/ubuntu intrepid main restricted deb http://archive.ubuntu.com/ubuntu/ intrepid-updates main restricted deb-src http://archive.ubuntu.com/ubuntu/ intrepid-updates main restricted deb http://archive.ubuntu.com/ubuntu/ intrepid universe deb-src http://archive.ubuntu.com/ubuntu/ intrepid universe deb http://archive.ubuntu.com/ubuntu/ intrepid-updates universe deb-src http://archive.ubuntu.com/ubuntu/ intrepid-updates universe
Once done, update the package lists from the newly added sources and upgrade all currently installed packages to the latest versions:
sudo apt-get update sudo apt-get upgrade
Step 5 — Install DenyHosts
Even with iptables and the sshd configuration changes we made, we still allow some users to log in through ssh, which makes us vulnerable to remote brute-force attempts to gain access through these accounts. One good way to do away with this threat is to only allow public-key authentication, or restrict access to only a list of specified IPs through iptables or /etc/hosts.deny, but if this is not practical for whatever reason the DenyHosts package comes to the rescue.
DenyHosts monitors the sshd authentication log to detect evil login attempts and adds suspicious IPs automatically to the /etc/hosts.deny file. It’s available in Ubuntu from the universe repository component (see previous step), and is easily installed like this:
sudo apt-get install denyhosts
This will automatically start a python daemon in the background, which also is persistent on reboot through a symlink in /etc/rc3.d/. The default settings are pretty decent, but should you want to review or change them you can do so in /etc/denyhosts.conf.
Pingback: Ubuntu Iptables Firewall - Linux * Screw
Didn’t know about the /etc/network/iptables and /etc/network/if-pre-up.d/iptables – any more info about those files, what calls them, et cetera?