# Quick guide to set up and make a server "secure"

From: https://support.rackspace.com/how-to/configuring-basic-security/

Once you get root access to the server, that's cool but not very safe.
## Change password

Connect to the server:

```sh
ssh root@123.45.67.890
```

Use `passwd` to change the root password.
## Create a new sudoer user on the server

```sh
adduser michel
```

Edit the sudoers file with `visudo` and add:

```
michel ALL=(ALL) ALL
```
## Create local keys

On your local machine, create a key pair using `ssh-keygen -t rsa`.

You'll get 2 files, `id_rsa` and `id_rsa.pub`. The last one is the public key.
## Copy the public key to the server

```sh
scp ~/.ssh/id_rsa.pub root@123.45.67.890:/home/michel/
```
## Set up the public key for the new user

Log in to the server as root.

Create a `.ssh` folder in the new user's home folder (for instance: `/home/michel/.ssh`).

Move `id_rsa.pub` to the `.ssh` folder and rename it `authorized_keys`:

```sh
mv /home/michel/id_rsa.pub /home/michel/.ssh/authorized_keys
```

Set ownership and permissions properly (sshd refuses keys in a world-readable `authorized_keys`):

```sh
chown -R michel:michel /home/michel/.ssh
chmod 700 /home/michel/.ssh
chmod 600 /home/michel/.ssh/authorized_keys
```
## Change SSH configuration

Edit the SSH daemon configuration file `/etc/ssh/sshd_config`:

```
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
UseDNS no
AllowUsers michel
```

Change `Port 22` to a port of your choosing.

Change this as you want; this is just an example of strict SSH access. `PermitRootLogin` can be changed to `without-password` so root can only log in using a private key.
## Restart the SSH service

```sh
sudo service sshd restart
```

or `sudo service ssh restart`, depending on your distribution.

## Test logging in

```sh
ssh -i ~/.ssh/id_rsa michel@123.45.67.890
```
## Remove SSH permissions for existing users

Edit the sshd config file:

```sh
sudo nano /etc/ssh/sshd_config
```

Deny access to the users you don't want logging in:

```
DenyUsers ubuntu
```
## Setup the firewall

We'll be using the well-known `iptables`.

Copy and paste the `script-init-iptables.sh` into a file.

Give that file exec permission with `chmod +x script-init-iptables.sh` and run it with `./script-init-iptables.sh`.

Be aware that if something goes wrong, you can get locked out of your own server. Use this file with caution.

You can use `iptables -L -nv` to look at the current rules.

The set of rules was put together based on:

- https://www.linode.com/docs/guides/control-network-traffic-with-iptables/
- https://www.digitalocean.com/community/tutorials/iptables-essentials-common-firewall-rules-and-commands
## Setup fail2ban

```sh
apt-get install fail2ban
```

Based on this guide.

Create and edit a custom config file for fail2ban: `sudo nano /etc/fail2ban/jail.local`

Basically, you can copy the rules you want to customize from `jail.conf`.
| Configuration | Function |
|---|---|
| enabled | Jail status (true/false) - This enables or disables the jail |
| port | Port specification |
| filter | Service-specific filter (log filter) |
| logpath | What log to use |
| maxretry | Number of attempts to make before a ban |
| findtime | Amount of time between failed login attempts |
| bantime | Number of seconds an IP is banned for |
| ignoreip | IP to be allowed |
Then enable fail2ban for some services:

```ini
[apache]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 6

[postfix]
enabled = true
port = smtp,ssmtp
filter = postfix
logpath = /var/log/mail.log

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 5
findtime = 300
bantime = 3600
ignoreip = 127.0.0.1
```
Before that, check that your SSH daemon is correctly logging failed attempts into the log file. Same for all your rules: if nothing is logged into the files, fail2ban is pretty much useless.

Use `sudo service fail2ban restart` to make the changes active. If it fails, it might be that your config file is not correct. Just comment out some rules and try reloading it, until you find the rule that's breaking it.

`sudo fail2ban-client status` will show you the current status of fail2ban:
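To see what the `[sshd]` jail above actually does with the log, here is an added example (not from the original guide or from fail2ban itself) that replays a constructed `/var/log/auth.log` excerpt through the jail's `maxretry`, `findtime` and `ignoreip` values. The regex is a simplified stand-in for fail2ban's real `sshd` filter, and the sample IPs and timestamps are made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
# Constructed /var/log/auth.log excerpt (not real traffic): 198.51.100.7 fails 5x in
# under 300 s, 192.0.2.50 fails 5x spread over 360 s, 127.0.0.1 is in ignoreip.
SAMPLE_AUTH_LOG = """\
Mar  1 10:00:01 host sshd[1001]: Failed password for invalid user admin from 198.51.100.7 port 51000 ssh2
Mar  1 10:00:12 host sshd[1002]: Failed password for root from 198.51.100.7 port 51001 ssh2
Mar  1 10:00:30 host sshd[1003]: Failed password for root from 198.51.100.7 port 51002 ssh2
Mar  1 10:01:05 host sshd[1004]: Failed password for michel from 198.51.100.7 port 51003 ssh2
Mar  1 10:02:40 host sshd[1005]: Failed password for root from 198.51.100.7 port 51004 ssh2
Mar  1 10:03:10 host sshd[1007]: Failed password for root from 127.0.0.1 port 40001 ssh2
Mar  1 10:03:11 host sshd[1007]: Failed password for root from 127.0.0.1 port 40001 ssh2
Mar  1 10:03:12 host sshd[1007]: Failed password for root from 127.0.0.1 port 40001 ssh2
Mar  1 10:03:13 host sshd[1007]: Failed password for root from 127.0.0.1 port 40001 ssh2
Mar  1 10:03:14 host sshd[1007]: Failed password for root from 127.0.0.1 port 40001 ssh2
Mar  1 10:05:00 host sshd[1008]: Failed password for root from 192.0.2.50 port 42000 ssh2
Mar  1 10:06:30 host sshd[1009]: Failed password for root from 192.0.2.50 port 42001 ssh2
Mar  1 10:08:00 host sshd[1010]: Failed password for root from 192.0.2.50 port 42002 ssh2
Mar  1 10:09:30 host sshd[1011]: Failed password for root from 192.0.2.50 port 42003 ssh2
Mar  1 10:11:00 host sshd[1012]: Failed password for root from 192.0.2.50 port 42004 ssh2
"""
# Simplified stand-in for fail2ban's sshd filter; the real one matches more variants.
FAILED_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                       r"Failed password for .* from (?P<ip>[\d.]+) port \d+")

def parse_failures(log_text):
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:  # syslog timestamps carry no year; deltas between them are still correct
            yield datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"), m.group("ip")

def count_failures(log_text):
    """The guide's sanity check: if this is 0, fail2ban has nothing to work with."""
    return sum(1 for _ in parse_failures(log_text))

def simulate_sshd_jail(log_text, maxretry=5, findtime=300, ignoreip=("127.0.0.1",)):
    """Replay the log through the [sshd] jail parameters; return {ip: ban time}."""
    recent = defaultdict(deque)           # per-IP failure times still inside findtime
    banned = {}
    for ts, ip in parse_failures(log_text):
        if ip in ignoreip or ip in banned:
            continue                      # whitelisted, or already banned (bantime expiry not modelled)
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()              # failures older than findtime expire
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned
```

Against a real log, the equivalent check is `fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf`, which reports how many lines the shipped filter matches.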
```
Status
|- Number of jail: 2
`- Jail list: ssh, sshd
```

And to get details about a jail, use `sudo fail2ban-client status ssh`:

```
Status for the jail: ssh
|- Filter
|  |- Currently failed: 1
|  |- Total failed: 2
|  `- File list: /var/log/auth.log
`- Actions
   |- Currently banned: 0
   |- Total banned: 0
   `- Banned IP list:
```
## Setup emails

More to come...

## Setup spam protection

spamassassin

More to come...