Simple setup guide for any webserver running Linux

Quick guide to set up a server and make it "secure"

Setup auth

From: https://support.rackspace.com/how-to/configuring-basic-security/

Once you have root access to the server, that's convenient but not very safe.

Change password

Connect to the server

ssh root@123.45.67.890

Use passwd to change the root password

Create new sudoer user on the server

adduser louis

Edit sudoers file

visudo

And add

louis ALL=(ALL) ALL

Create local keys

On your local machine, create a set of keys using ssh-keygen -t rsa

You'll get 2 files, id_rsa and id_rsa.pub. That last one is the public key.

Copy the public key to the server

scp ~/.ssh/id_rsa.pub root@123.45.67.890:/home/louis/

Set up the public key for the new user

Login to the server with root

Create a .ssh folder in the new user's home folder (for instance: /home/louis/.ssh).

Move id_rsa.pub into the .ssh folder and rename it authorized_keys

mv /home/louis/id_rsa.pub /home/louis/.ssh/authorized_keys

Set permissions properly.

chown -R louis:louis /home/louis/.ssh
chmod 700 /home/louis/.ssh
chmod 600 /home/louis/.ssh/authorized_keys

Change SSH configuration

Edit the ssh configuration file /etc/ssh/sshd_config

Port 22                           <--- change to a port of your choosing
Protocol 2
PermitRootLogin no
PasswordAuthentication no
UseDNS no
AllowUsers louis

Change this as you want; this is just an example of strict SSH access.

PermitRootLogin can be changed to without-password so that root can only log in with a private key.

Restart SSH service

Run sudo service sshd restart or sudo service ssh restart, depending on your distribution.

Test logging in

ssh -i ~/.ssh/id_rsa louis@123.45.67.890
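Before restarting sshd, it is worth checking that the file actually says what you think it does. The script below is an added example, not part of the original gist: it reads the effective value of each directive (sshd uses the first uncommented occurrence) and checks that the user you intend to log in as is listed in AllowUsers; the config path and user name are arguments, and the sample config at the end is constructed.

```shell
#!/bin/sh
# Audit an sshd_config against the hardened settings used above.
# sshd takes the FIRST uncommented occurrence of a directive, so that is
# what we read; keywords are case-insensitive.

# Print the effective value of directive $2 in config file $1 (empty if unset).
sshd_effective() {
    awk -v key="$2" \
        '$1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Return 0 when every hardened directive matches and user $2 is allowed,
# 1 otherwise; each mismatch is printed so it can be fixed before restarting.
audit_sshd_config() {
    file=$1; user=$2; status=0
    for pair in Protocol=2 PermitRootLogin=no PasswordAuthentication=no UseDNS=no; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_effective "$file" "$key")
        if [ "$got" != "$want" ]; then
            echo "$key: expected '$want', got '${got:-<unset>}'"
            status=1
        fi
    done
    # With AllowUsers set, an account not listed there cannot log in at all
    # (plain user names only here; user@host patterns are not handled).
    if ! awk -v u="$user" '$1 !~ /^#/ && tolower($1) == "allowusers" {
                for (i = 2; i <= NF; i++) if ($i == u) found = 1 }
            END { exit !found }' "$file"; then
        echo "AllowUsers: '$user' is not listed; you would lock yourself out"
        status=1
    fi
    return $status
}

# Constructed sample matching the guide's config, for a stand-alone run.
SAMPLE_SSHD=$(mktemp)
printf '%s\n' 'Port 2222' 'Protocol 2' 'PermitRootLogin no' \
    'PasswordAuthentication no' 'UseDNS no' 'AllowUsers louis' > "$SAMPLE_SSHD"
audit_sshd_config "$SAMPLE_SSHD" louis && echo "sample config OK"
```

Keep your current root session open until the new login works; sshd -t -f FILE also syntax-checks the file before a restart.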

Setup your firewall - iptables

We'll be using the well known iptables.

Copy and paste script-init-iptables.sh into a file. Give that file exec permission with chmod +x script-init-iptables.sh and run it with ./script-init-iptables.sh

Be aware that if something goes wrong, you can get locked out of your own server. Use this file with caution.

You can use iptables -L to look at the current rules.

Block bots - Setup fail2ban

apt-get install fail2ban

Create and edit a custom config file for fail2ban: sudo nano /etc/fail2ban/jail.local

Basically, you can copy rules from jail.conf that you want to customize.

Then enable fail2ban for some services:

[apache]
enabled  = true
port     = http,https
filter   = apache-auth
logpath  = /var/log/apache*/*error.log
maxretry = 6

[postfix]
enabled  = true
port     = smtp,ssmtp
filter   = postfix
logpath  = /var/log/mail.log

[ssh]
enabled  = true
port     = ssh,sftp
filter   = sshd
logpath  = /var/log/auth.log

Before that, check that SSH is actually logging failed attempts to the log file, and do the same for every other jail. If nothing is written to those files, fail2ban is pretty much useless.

Use sudo service fail2ban restart to make the changes active. If it fails, your config file is probably not correct: comment out some rules and try reloading until you find the rule that breaks it.

sudo fail2ban-client status will show you the current status of fail2ban:

Status
|- Number of jail:	2
`- Jail list:	ssh, sshd

And to get details about a jail, use sudo fail2ban-client status ssh:

Status for the jail: ssh
|- Filter
|  |- Currently failed:	1
|  |- Total failed:	2
|  `- File list:	/var/log/auth.log
`- Actions
   |- Currently banned:	0
   |- Total banned:	0
   `- Banned IP list:	
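To check that failed logins are actually reaching the log before relying on the [ssh] jail, here is an added example (not from the gist) that counts sshd "Failed password" lines per source IP and lists which IPs would reach a given maxretry; the log lines at the end are constructed samples in sshd's syslog format.

```shell
#!/bin/sh
# Confirm that sshd really writes failed logins to the log: count
# "Failed password" lines per source IP. This is a simplified stand-in
# for fail2ban's sshd filter, not its actual regex.

# Print "IP count" for every source IP with failed password attempts in $1.
count_failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") { c[$(i+1)]++; break }
         }
         END { for (ip in c) print ip, c[ip] }' "$1"
}

# Print the IPs whose count has reached maxretry $2: what the jail would ban.
would_ban() {
    count_failed_by_ip "$1" | awk -v max="$2" '$2 >= max { print $1 }'
}

# Constructed sample in the syslog format sshd uses in /var/log/auth.log;
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, not real hosts.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 10:00:01 web sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Mar  3 10:00:04 web sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40123 ssh2
Mar  3 10:00:09 web sshd[1203]: Failed password for root from 203.0.113.5 port 40130 ssh2
Mar  3 10:01:15 web sshd[1210]: Accepted publickey for louis from 198.51.100.7 port 50012 ssh2
Mar  3 10:02:40 web sshd[1215]: Failed password for louis from 198.51.100.7 port 50020 ssh2
EOF

echo "failed attempts per IP:"; count_failed_by_ip "$SAMPLE_LOG"
echo "would be banned with maxretry=3:"; would_ban "$SAMPLE_LOG" 3
```

On a real server, point count_failed_by_ip at /var/log/auth.log; if a deliberate failed login from your own machine prints nothing, fix logging before enabling the jail. fail2ban's own fail2ban-regex tool tests the real sshd filter against a log file.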

Setup emails

More to come...

Setup spam protection

spamassassin

More to come

script-init-iptables.sh

#!/bin/sh
# Reset rules
sudo iptables -t filter -F
sudo iptables -t filter -X
# Block all traffic
sudo iptables -t filter -P INPUT DROP
sudo iptables -t filter -P FORWARD DROP
sudo iptables -t filter -P OUTPUT DROP
# Authorize already established connections and localhost connections
sudo iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -t filter -A INPUT -i lo -j ACCEPT
sudo iptables -t filter -A OUTPUT -o lo -j ACCEPT
# ICMP (Ping)
sudo iptables -t filter -A INPUT -p icmp -j ACCEPT
sudo iptables -t filter -A OUTPUT -p icmp -j ACCEPT
# SSH
sudo iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -t filter -A OUTPUT -p tcp --dport 22 -j ACCEPT
# DNS
sudo iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
sudo iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
sudo iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT
sudo iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT
# HTTP
sudo iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
# HTTPS
sudo iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT
sudo iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
# FTP
sudo iptables -t filter -A OUTPUT -p tcp --dport 20:21 -j ACCEPT
sudo iptables -t filter -A INPUT -p tcp --dport 20:21 -j ACCEPT
# Git
sudo iptables -t filter -A OUTPUT -p tcp --dport 9418 -j ACCEPT
sudo iptables -t filter -A INPUT -p tcp --dport 9418 -j ACCEPT
# Mail SMTP
sudo iptables -t filter -A INPUT -p tcp --dport 25 -j ACCEPT
sudo iptables -t filter -A OUTPUT -p tcp --dport 25 -j ACCEPT
# Mail POP3
sudo iptables -t filter -A INPUT -p tcp --dport 110 -j ACCEPT
sudo iptables -t filter -A OUTPUT -p tcp --dport 110 -j ACCEPT
# Mail IMAP
sudo iptables -t filter -A INPUT -p tcp --dport 143 -j ACCEPT
sudo iptables -t filter -A OUTPUT -p tcp --dport 143 -j ACCEPT
# NTP (server clock)
sudo iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT
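One way to get locked out with this script is to move sshd to a new port (as suggested above) while the script still only opens tcp/22. The following added check, not part of the gist, reads the Port from an sshd_config and confirms it is covered by one of the script's inbound TCP ACCEPT rules; the two sample files at the end are constructed, and the file paths are arguments.

```shell
#!/bin/sh
# Before running the firewall script, check that the port sshd listens on
# is one the script opens for inbound TCP; otherwise the INPUT DROP policy
# locks you out the moment the script runs.

# First uncommented Port directive in sshd_config $1 (sshd's default is 22).
ssh_port() {
    p=$(awk '$1 !~ /^#/ && tolower($1) == "port" { print $2; exit }' "$1")
    echo "${p:-22}"
}

# The --dport values of every "-A INPUT ... -p tcp ... -j ACCEPT" rule in $1.
opened_tcp_input_ports() {
    grep -E 'iptables .*-A INPUT .*-p tcp .*--dport [0-9:]+ .*-j ACCEPT' "$1" |
        sed -E 's/.*--dport ([0-9:]+).*/\1/'
}

# Return 0 if sshd's port is covered by a single port or a lo:hi range,
# 1 (with a warning) if the script would cut off SSH.
firewall_allows_ssh() {
    port=$(ssh_port "$1")
    for spec in $(opened_tcp_input_ports "$2"); do
        case $spec in
            *:*) if [ "$port" -ge "${spec%%:*}" ] && [ "$port" -le "${spec#*:}" ]; then return 0; fi ;;
            *)   if [ "$spec" = "$port" ]; then return 0; fi ;;
        esac
    done
    echo "sshd listens on tcp/$port but $2 never accepts it inbound: you would be locked out" >&2
    return 1
}

# Constructed sample: the guide's rules open 22, but sshd was moved to 2222.
CFG=$(mktemp); printf 'Port 2222\nPermitRootLogin no\n' > "$CFG"
FW=$(mktemp); cat > "$FW" <<'EOF'
sudo iptables -t filter -P INPUT DROP
sudo iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -t filter -A INPUT -p tcp --dport 20:21 -j ACCEPT
EOF
firewall_allows_ssh "$CFG" "$FW" || echo "fix the script (or sshd_config) before running it"
```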