
Basic sshd and iptables security in Ubuntu

I recently got a new VPS for hosting my mail and some other things. The server was installed with a minimal Ubuntu 8.10 distribution, which basically meant that nothing except init, syslogd, and sshd was running after boot. Before doing anything else with it, here’s what I did to lock it down a bit security-wise:

Step 1 — Add user account
It’s good practice not to work as the root user, so the first step is to add an unprivileged account that can sudo. Log in as root one last time, add the user (e.g. johndoe) and give it sudo rights as follows:

useradd -m johndoe -s /bin/bash
passwd johndoe

Running visudo will edit the /etc/sudoers file with the default editor of your environment. Add this line to allow johndoe full sudo permissions:

johndoe ALL=(ALL) ALL

Step 2 — Install iptables
Still as root, we set up the iptables firewall so that only explicitly allowed inbound traffic reaches the server:

apt-get install iptables

Configuring iptables can seem pretty complex at first, but the ruleset needed here is small and can be entered directly from the command line:

iptables -F                                                        # start from empty chains
iptables -P INPUT ACCEPT                                           # policy stays ACCEPT; the final REJECT rule does the blocking
iptables -A INPUT -i lo -j ACCEPT                                  # loopback
iptables -A INPUT -p icmp --icmp-type any -j ACCEPT                # ping, path MTU discovery, etc.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT   # replies to connections we opened
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT    # ssh
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT    # smtp
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT    # http
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 993 -j ACCEPT   # imaps
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited     # everything else inbound
iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited   # this box does not route for anyone

Essentially, the above rules allow all outbound traffic, block all inbound traffic by default, and specifically allow ssh, smtp, http and imaps, which is what I need to begin with. Two things are worth knowing. The INPUT policy is left at ACCEPT and the blocking is done by the final REJECT rule, so an accidental iptables -F fails open rather than locking you out of your own ssh session; the flip side is that the box is only protected while the rules are actually loaded. And these rules cover IPv4 only: if the VPS has an IPv6 address, ip6tables needs an equivalent set, or everything is reachable over IPv6. To make the rules survive a reboot, save them to a file and restore them from a hook that runs before the network interface comes up:

iptables-save > /etc/network/iptables
printf '#!/bin/sh\niptables-restore < /etc/network/iptables\n' > /etc/network/if-pre-up.d/iptables
chmod 754 /etc/network/if-pre-up.d/iptables
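The same ruleset as one reviewable file, as an added example that is not part of the original post. gen_ruleset prints the rules in iptables-save format for a list of TCP ports, so they can be inspected and then loaded atomically with iptables-restore, and with family 6 it prints the ip6tables equivalent that the command-line rules above leave out. The port list, the file names and the --apply flag are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original post: build the Step 2 ruleset in
# iptables-save format from a port list. Ports, paths and the --apply flag
# are this example's assumptions.

# gen_ruleset FAMILY PORT... -> prints a ruleset for iptables-restore (FAMILY=4)
# or ip6tables-restore (FAMILY=6). As in the post, the policies stay ACCEPT and
# the trailing REJECT rules do the blocking, so "iptables -F" fails open
# instead of cutting off your own ssh session.
gen_ruleset() {
    family=$1
    shift
    if [ "$family" = 6 ]; then
        icmp='-A INPUT -p ipv6-icmp -j ACCEPT'          # neighbour discovery needs this
        reject='REJECT --reject-with icmp6-adm-prohibited'
    else
        icmp='-A INPUT -p icmp --icmp-type any -j ACCEPT'
        reject='REJECT --reject-with icmp-host-prohibited'
    fi
    echo '*filter'
    echo ':INPUT ACCEPT [0:0]'
    echo ':FORWARD ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo "$icmp"
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for port in "$@"; do
        echo "-A INPUT -p tcp -m state --state NEW -m tcp --dport $port -j ACCEPT"
    done
    echo "-A INPUT -j $reject"
    echo "-A FORWARD -j $reject"
    echo 'COMMIT'
}

# count_open_ports FAMILY PORT... -> number of NEW-connection ACCEPT rules,
# a quick sanity check that nothing unintended slipped into the list.
count_open_ports() {
    gen_ruleset "$@" | grep -c -- '--dport' || true
}

PORTS='22 25 80 993'   # ssh, smtp, http, imaps (the post's list)

# Usage: sh gen-rules.sh          prints the IPv4 ruleset for review
#        sh gen-rules.sh --apply  (as root) loads both families and installs
#                                 the if-pre-up.d hook that reloads them at boot
if [ "${1:-}" = --apply ]; then
    gen_ruleset 4 $PORTS > /etc/network/iptables
    gen_ruleset 6 $PORTS > /etc/network/ip6tables
    iptables-restore < /etc/network/iptables
    ip6tables-restore < /etc/network/ip6tables
    printf '#!/bin/sh\niptables-restore < /etc/network/iptables\nip6tables-restore < /etc/network/ip6tables\n' \
        > /etc/network/if-pre-up.d/iptables
    chmod 754 /etc/network/if-pre-up.d/iptables
else
    gen_ruleset 4 $PORTS
fi
```

After applying, iptables-save (and ip6tables-save) should print back exactly what the generator produced; if it does not, the restore failed and the box is still open.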

Step 3 — Update sshd config
Now that iptables and a user account with sudo rights are set up, it’s time to leave the root shell, log in as the new user, and then edit the sshd config to lock down future ssh access a bit:

sudo vi /etc/ssh/sshd_config

Change the following settings. The stock file already contains a PermitRootLogin yes line: edit that line rather than appending a second one, because sshd uses the first value it finds for a keyword and would silently keep the yes.

PermitRootLogin no
AllowUsers johndoe

This disallows root from logging in through ssh (console login is still allowed) and restricts ssh access to the johndoe user; every other account, including ones you add later, is refused until it is listed. Check the syntax with sudo sshd -t, then activate the changes by reloading the config. Keep your current session open until you have confirmed from a second terminal that johndoe can log in and sudo, otherwise a typo here locks you out of the box:

sudo /etc/init.d/ssh reload
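A check for the first-occurrence pitfall, as an added example that is not part of the original post. effective_option reproduces how sshd picks a value (first uncommented hit, global section only), and check_sshd_config applies it to the two settings from this step; the sample config it ships with is constructed to show the mistake, and the file paths are assumptions. On OpenSSH 5.1 or newer, sudo sshd -T prints the effective configuration and is the authoritative check; this script is the offline approximation.

```shell
#!/bin/sh
# Added example, not from the original post: find out what sshd will really
# use for a keyword before reloading it. sshd takes the FIRST occurrence of a
# keyword in sshd_config, so appending "PermitRootLogin no" underneath the
# stock "PermitRootLogin yes" changes nothing. File paths here are assumptions.

# effective_option FILE KEYWORD -> prints the value sshd will use for KEYWORD
# ("" if the file does not set it). Keyword matching is case-insensitive,
# comments and blank lines are skipped, only the first hit counts, and the
# global section ends at the first "Match" block. The "Keyword=value" spelling
# sshd also accepts is not handled here.
effective_option() {
    awk -v kw="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == kw {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "")   # drop the keyword
            sub(/[[:space:]]+$/, "")                            # and trailing blanks
            print
            exit
        }
    ' "$1"
}

# check_sshd_config FILE -> exit status 0 if root login is off and an AllowUsers
# list is set, 1 otherwise, explaining each finding on stdout.
check_sshd_config() {
    prl=$(effective_option "$1" PermitRootLogin)
    au=$(effective_option "$1" AllowUsers)
    status=0
    case "$prl" in
        no) ;;
        '') echo "PermitRootLogin is not set; OpenSSH 5.x defaults to yes"; status=1 ;;
        *)  echo "PermitRootLogin is '$prl' (first occurrence wins), expected 'no'"; status=1 ;;
    esac
    if [ -z "$au" ]; then
        echo "AllowUsers is not set; every local account may log in over ssh"
        status=1
    fi
    return $status
}

# write_sample_config FILE: a constructed sshd_config showing the mistake
# (stock "yes" left in place, "no" appended at the bottom).
write_sample_config() {
    cat > "$1" <<'EOF'
# Package generated configuration file
Port 22
PermitRootLogin yes
X11Forwarding yes

# added by hand later
PermitRootLogin no
AllowUsers johndoe
EOF
}

tmp=$(mktemp)
write_sample_config "$tmp"
if check_sshd_config "$tmp"; then
    echo "sample config is fine"
else
    echo "sample config would still let root in"
fi
rm -f "$tmp"
```

Run it against the real file with check_sshd_config /etc/ssh/sshd_config before the reload; it is deliberately read-only and never touches sshd itself.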

Step 4 — Update sources.list
This being a very minimal install, the stock /etc/apt/sources.list only included the main component. To install the denyhosts package (see next step) the universe component is needed, so add it. Note that the list below also lacks intrepid-security, which the standard Ubuntu sources.list carries and which is where security fixes are published first (they are copied to -updates afterwards), so consider adding the matching lines for it too. The resulting file:

deb http://archive.ubuntu.com/ubuntu intrepid main restricted
deb-src http://archive.ubuntu.com/ubuntu intrepid main restricted
deb http://archive.ubuntu.com/ubuntu/ intrepid-updates main restricted
deb-src http://archive.ubuntu.com/ubuntu/ intrepid-updates main restricted
deb http://archive.ubuntu.com/ubuntu/ intrepid universe
deb-src http://archive.ubuntu.com/ubuntu/ intrepid universe
deb http://archive.ubuntu.com/ubuntu/ intrepid-updates universe
deb-src http://archive.ubuntu.com/ubuntu/ intrepid-updates universe

Once done, update the package lists from the newly added sources and upgrade all currently installed packages to the latest versions:

sudo apt-get update
sudo apt-get upgrade

Step 5 — Install DenyHosts
Even with iptables and the sshd configuration changes we made, some accounts can still log in through ssh with a password, which leaves them exposed to remote brute-force guessing. The cleanest ways to remove that threat are to allow public-key authentication only (PasswordAuthentication no in sshd_config) or to restrict access to a list of known IPs through iptables or /etc/hosts.deny, but if neither is practical for whatever reason the DenyHosts package comes to the rescue.

DenyHosts watches the sshd authentication log for failed login attempts and automatically adds the offending IPs to /etc/hosts.deny, which sshd on Ubuntu honours because it is built with TCP Wrappers support. It is available from the universe component (see previous step) and is installed like this:

sudo apt-get install denyhosts

This starts a Python daemon in the background, which is also started at boot through the usual /etc/rc?.d/ symlinks. The default settings are pretty decent, but should you want to review or change them (the separate thresholds for invalid users, valid users and root, or WORK_DIR) you can do so in /etc/denyhosts.conf. One caveat: a few mistyped passwords from your own address get you banned like anyone else, so list your own IP in the allowed-hosts file under WORK_DIR (/var/lib/denyhosts by default) or in /etc/hosts.allow, which TCP Wrappers consults before hosts.deny.
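What DenyHosts actually does, reduced to its core, as an added example that is neither part of the original post nor DenyHosts' own code. ban_candidates tallies failed sshd logins per source address with separate thresholds for non-existent users, existing users and root (mirroring the DENY_THRESHOLD_INVALID/VALID/ROOT knobs in denyhosts.conf), skips addresses on an allow list, and prints the hosts.deny lines it would add. The threshold values, the auth.log excerpt and the allowed address are constructed for this example; run it over the real /var/log/auth.log to preview bans before trusting the daemon.

```shell
#!/bin/sh
# Added example, not from the original post and not DenyHosts' own code: the
# core of what DenyHosts does, reduced to an awk filter. Run it over
# /var/log/auth.log to preview which addresses would end up in hosts.deny and
# to confirm your own address is on the allow list. Thresholds, the log lines
# and the allowed address are constructed for this example.

# ban_candidates INVALID_T VALID_T ROOT_T ALLOWED_FILE < auth.log
#   Counts "Failed password" lines per source address, keeping separate tallies
#   for non-existent users, existing users and root (DenyHosts has the same
#   three knobs: DENY_THRESHOLD_INVALID/VALID/ROOT). Prints one hosts.deny line,
#   "sshd: ADDR", for each address at or above its threshold, unless the address
#   is listed in ALLOWED_FILE (DenyHosts' allowed-hosts file plays that role).
ban_candidates() {
    awk -v inv="$1" -v val="$2" -v rt="$3" -v allowed="$4" '
        BEGIN {
            while ((getline line < allowed) > 0)
                if (line !~ /^[[:space:]]*(#|$)/) ok[line] = 1
        }
        /sshd\[[0-9]+\]: Failed password for / {
            addr = ""
            for (i = 1; i <= NF; i++) if ($i == "from") { addr = $(i + 1); break }
            if (addr == "") next
            if ($0 ~ /for invalid user /)   invalid[addr]++
            else if ($0 ~ /for root from /) root[addr]++
            else                            valid[addr]++
        }
        END {
            for (a in invalid) if (invalid[a] >= inv) deny[a] = 1
            for (a in root)    if (root[a] >= rt)     deny[a] = 1
            for (a in valid)   if (valid[a] >= val)   deny[a] = 1
            for (a in deny)    if (!(a in ok))        print "sshd: " a
        }
    ' | sort
}

# Constructed auth.log excerpt (addresses are from documentation ranges):
# a scanner trying non-existent users, one root guess, two wrong passwords
# for johndoe, and the admin mistyping their own username before logging in.
sample_log() {
    cat <<'EOF'
Mar  1 10:00:01 vps sshd[2001]: Failed password for invalid user admin from 203.0.113.5 port 4321 ssh2
Mar  1 10:00:03 vps sshd[2001]: Failed password for invalid user admin from 203.0.113.5 port 4322 ssh2
Mar  1 10:00:05 vps sshd[2001]: Failed password for invalid user oracle from 203.0.113.5 port 4323 ssh2
Mar  1 10:01:00 vps sshd[2002]: Failed password for root from 198.51.100.7 port 5555 ssh2
Mar  1 10:02:00 vps sshd[2003]: Failed password for johndoe from 198.51.100.20 port 6000 ssh2
Mar  1 10:02:04 vps sshd[2003]: Failed password for johndoe from 198.51.100.20 port 6001 ssh2
Mar  1 10:03:00 vps sshd[2004]: Failed password for invalid user jondoe from 192.0.2.9 port 7000 ssh2
Mar  1 10:03:02 vps sshd[2004]: Failed password for invalid user jondoe from 192.0.2.9 port 7001 ssh2
Mar  1 10:03:04 vps sshd[2004]: Failed password for invalid user jondoe from 192.0.2.9 port 7002 ssh2
Mar  1 10:03:10 vps sshd[2005]: Accepted publickey for johndoe from 192.0.2.9 port 7003 ssh2
EOF
}

# The admin's own address (assumed to be 192.0.2.9) goes on the allow list so
# the mistyped username cannot lock them out. With thresholds 3/10/1 the two
# attackers are printed and 198.51.100.20 stays under the valid-user threshold.
allow=$(mktemp)
echo 192.0.2.9 > "$allow"
sample_log | ban_candidates 3 10 1 "$allow"
rm -f "$allow"
```

Against the real log this is ban_candidates 5 10 1 /var/lib/denyhosts/allowed-hosts < /var/log/auth.log (substituting whatever thresholds and WORK_DIR your denyhosts.conf sets); if your own address shows up in the output, fix the allow list before installing the daemon.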