@LeMeteore
Forked from eliangcs/linode-security.md
Created September 6, 2016 15:32
Basic Security Setup for a Brand New Linode

Why

A freshly deployed Linode is not hardened in three respects:

  • Root can log in over SSH
  • SSH accepts password authentication, so the box is exposed to online password guessing
  • There is no firewall, so every service that listens on a port is reachable from the Internet

I collected the steps below to address these three issues.

Target Operating System

I assume you're using Ubuntu 14.04 LTS.

Disabling Root SSH Login and Password Authentication

Keep the root session you are working in open until the new user from the next section can log in with a key from a second terminal. Restarting sshd does not drop existing sessions, so you can still fix a mistake from this one; a closed session plus a misconfiguration leaves you with only the Linode console (Lish).

Edit /etc/ssh/sshd_config and set the following settings:

PasswordAuthentication no
PermitRootLogin no

sshd uses the first value it finds for each keyword, and every line below a Match block applies only to that block, so edit the existing lines (the stock file already contains a PermitRootLogin line and a commented-out PasswordAuthentication line) rather than appending new ones at the bottom. Before restarting, check the values the daemon will actually use:

sudo sshd -T | grep -Ei 'permitrootlogin|passwordauthentication'

Restart SSH service:

sudo service ssh restart

On releases that use systemd (16.04 and later) the command is sudo systemctl restart ssh instead.
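As an added example that is mine and not part of the original gist, here is a small POSIX sh audit that reads sshd_config the way sshd does (first value wins, Match ends the global section, comments, indentation and the optional "=" are tolerated) and checks the two settings above. It assumes awk and mktemp are available, as on Ubuntu; the sshd_config it writes is constructed for the demo and is not a real server's file.

```shell
#!/bin/sh
# Added example, not part of the original gist: read sshd_config the way
# sshd does. sshd keeps the FIRST value it sees for a keyword, and every line
# below a "Match" block belongs to that block, so appending
# "PasswordAuthentication no" at the bottom of a file that already says "yes"
# higher up changes nothing. Assumes awk and mktemp (present on Ubuntu).

# sshd_effective FILE KEYWORD
# Print the effective global value of KEYWORD, lower-cased, or nothing if it
# is not set. Comments, blank lines, indentation and the optional "=" between
# keyword and value are handled as in sshd_config(5); matching ignores case.
sshd_effective() {
    awk -v key="$2" -F '[ \t]*=[ \t]*|[ \t]+' '
        { sub(/^[ \t]+/, "") }             # strip indentation (re-splits fields)
        /^#/ || NF == 0 { next }           # skip comments and blank lines
        tolower($1) == "match" { exit }    # global section ends at the first Match
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# sshd_audit FILE
# Print one line per setting and return 0 only if both are hardened. An unset
# keyword counts as a failure: the compiled-in defaults in 14.04's OpenSSH 6.6
# are PermitRootLogin yes and PasswordAuthentication yes.
sshd_audit() {
    status=0
    for pair in PasswordAuthentication:no PermitRootLogin:no; do
        key=${pair%%:*}
        want=${pair#*:}
        got=$(sshd_effective "$1" "$key")
        [ -n "$got" ] || got=unset
        if [ "$got" = "$want" ]; then
            echo "ok   $key = $got"
        else
            echo "FAIL $key = $got (want $want)"
            status=1
        fi
    done
    return $status
}

# write_sample_config FILE
# Constructed sample, not a real server's file: the two hardening lines were
# appended at the bottom, below an earlier "yes" and a Match block, which is
# exactly the mistake the audit exists to catch.
write_sample_config() {
    cat > "$1" <<'EOF'
# Package generated configuration file
Port 22
Protocol 2
PermitRootLogin yes
    PasswordAuthentication = yes
UsePAM yes

Match User backup
    PasswordAuthentication no

PermitRootLogin no
PasswordAuthentication no
EOF
}

# Demo: the sample fails, a correctly edited file passes
demo=$(mktemp)
write_sample_config "$demo"
echo "--- hardening lines appended at the bottom:"
sshd_audit "$demo" || echo "(rejected, as it should be)"
printf 'Port 22\nPermitRootLogin no\nPasswordAuthentication no\n' > "$demo"
echo "--- existing lines edited in place:"
sshd_audit "$demo"
rm -f "$demo"
```

On the Linode itself, sshd_audit /etc/ssh/sshd_config gives the same answer as sshd -T for these two keywords; the script is useful where you want to check a config file before it is installed, or on a host where you cannot run sshd -T.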

Creating New User

With root login disabled you need another account to log in with, so create one from the root session you still have open:

sudo adduser myuser

The simplest way to make myuser a sudoer on Ubuntu is to add it to the sudo group, which /etc/sudoers already grants full rights with a password:

sudo adduser myuser sudo

If you prefer an explicit entry, enter sudo visudo and add this line at the bottom (visudo refuses to save a file with a syntax error, which is why you use it instead of editing /etc/sudoers directly):

myuser ALL=(ALL:ALL) ALL

You can instead let myuser sudo without a password, but then anyone holding myuser's private key is root with no further check, so only do this if you accept that trade-off:

myuser ALL=(ALL) NOPASSWD:ALL

Generate an SSH key pair on your local computer, not on the Linode (skip this if ~/.ssh/id_rsa.pub or another key already exists there):

ssh-keygen

To let you log in as myuser with public key authentication, put the contents of your client public key file into /home/myuser/.ssh/authorized_keys on the Linode, one key per line. While password authentication is still on, ssh-copy-id myuser@your-linode-ip-or-domain-name does this for you; otherwise paste it in from the root session.

sshd (with StrictModes on, the default) ignores the file if it, ~/.ssh or the home directory is group- or world-writable or owned by another user, so as myuser make sure the directory and file have the right permissions and owner:

chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

If root created the file, also run sudo chown -R myuser:myuser /home/myuser/.ssh.

Then, in a new terminal and without closing your existing session, try logging in to the Linode from your local computer:

ssh myuser@your-linode-ip-or-domain-name

If you are prompted for a password (or refused outright once password authentication is off), key login did not work; /var/log/auth.log on the Linode records the reason.
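As an added example that is mine and not part of the original gist, the following POSIX sh script reproduces the ownership and mode check sshd performs under StrictModes before it will use authorized_keys, so you can see why a key is being ignored. It assumes GNU stat (the %a and %U formats), as on Ubuntu; the home directory it builds under mktemp and the key line it writes are constructed for the demo, not real.

```shell
#!/bin/sh
# Added example, not part of the original gist: reproduce the check that sshd
# makes with StrictModes (the default) before it will read
# ~/.ssh/authorized_keys. The home directory, ~/.ssh and the file itself must
# each be owned by the user (root is also accepted) and must not be writable
# by group or others; if any of them fails, sshd ignores the key and login
# falls back to a password, or is refused once PasswordAuthentication is off.
# Assumes GNU stat (%a, %U), as on Ubuntu.

# check_path PATH USER
# Print a diagnostic and return 1 if PATH fails the ownership or mode test.
check_path() {
    path=$1
    user=$2
    if [ ! -e "$path" ]; then
        echo "FAIL $path: does not exist"
        return 1
    fi
    mode=$(stat -c %a "$path")
    owner=$(stat -c %U "$path")
    if [ "$owner" != "$user" ] && [ "$owner" != root ]; then
        echo "FAIL $path: owned by $owner, expected $user"
        return 1
    fi
    # Octal mode: the group digit is second from the right, the others digit
    # is last; any of 2, 3, 6, 7 in either place means the write bit is set.
    case $mode in
        *[2367]?|*[2367])
            echo "FAIL $path: mode $mode is group- or world-writable"
            return 1
            ;;
    esac
    echo "ok   $path (owner $owner, mode $mode)"
    return 0
}

# check_authorized_keys HOMEDIR USER
# Walk the three paths sshd inspects; return 1 if any of them fails.
check_authorized_keys() {
    rc=0
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        check_path "$p" "$2" || rc=1
    done
    return $rc
}

# make_demo_home SSHMODE KEYMODE
# Build a throwaway home directory under mktemp with a constructed key line
# (not a real key) and the given modes on .ssh and authorized_keys; print its path.
make_demo_home() {
    d=$(mktemp -d)
    mkdir "$d/.ssh"
    echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleKeyNotReal user@laptop" \
        > "$d/.ssh/authorized_keys"
    chmod 755 "$d"
    chmod "$1" "$d/.ssh"
    chmod "$2" "$d/.ssh/authorized_keys"
    echo "$d"
}

# Demo: a group-writable .ssh and key file (a common result of a careless
# chmod -R g+w) fail; the modes recommended above pass.
me=$(id -un)
demo_home=$(make_demo_home 775 660)
echo "--- before:"
check_authorized_keys "$demo_home" "$me" || echo "(sshd would ignore this key)"
chmod 700 "$demo_home/.ssh"
chmod 600 "$demo_home/.ssh/authorized_keys"
echo "--- after chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys:"
check_authorized_keys "$demo_home" "$me"
rm -rf "$demo_home"
```

On the Linode, run check_authorized_keys /home/myuser myuser as root after installing the key; sshd would accept a 644 authorized_keys as well, since only group and world write bits matter to it, but 600 is the conventional choice.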

Setting up iptables

By default a fresh Linode has no packet filter at all, over IPv4 or IPv6, so every service that listens on a port is reachable from the Internet. It is better to set up some iptables rules to block unwanted connections.

Create /etc/network/if-pre-up.d/iptables with the following content:

#!/bin/sh
# Runs before each interface comes up. Linode assigns IPv6 as well as IPv4
# and ip6tables is a separate rule set, so apply the same policy to both;
# with iptables alone the IPv6 address stays wide open.
for fw in iptables ip6tables; do
    # Reset rules so re-running the script is safe
    $fw -F

    # Replies to connections this host opened, and related ICMP errors
    $fw -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Allow all traffic on the loopback interface (any protocol, not only TCP)
    $fw -A INPUT -i lo -j ACCEPT

    # IPv6 needs ICMPv6 for neighbour discovery and path MTU discovery;
    # dropping it takes the host off IPv6 entirely
    if [ "$fw" = ip6tables ]; then
        $fw -A INPUT -p icmpv6 -j ACCEPT
    fi

    # Web
    $fw -A INPUT -p tcp --dport 80 -j ACCEPT
    $fw -A INPUT -p tcp --dport 443 -j ACCEPT

    # SSH
    $fw -A INPUT -p tcp --dport 22 -j ACCEPT

    # Drop all others
    $fw -A INPUT -j DROP
done

This is a typical setup for a web server; adjust the port list to the services you actually run (sudo ss -tlnp lists what is listening). Note that the IPv4 rules drop all ICMP, including ping; the RELATED state still admits ICMP errors that belong to an existing connection.

Make this file executable (scripts in if-pre-up.d are run by run-parts, which ignores files that are not executable or have a dot in the name):

sudo chmod +x /etc/network/if-pre-up.d/iptables

Apply the rules now rather than waiting for a reboot, from a session you keep open in case the SSH rule is wrong:

sudo /etc/network/if-pre-up.d/iptables

Then confirm that both rule sets look as intended and that a new SSH session still gets through:

sudo iptables -S
sudo ip6tables -S

The script is also run automatically whenever an interface is brought up, including after a reboot.
