Basic Security Setup for a Brand New Linode
When you start a clean Linode, it is insecure in the following respects:
- Allows root SSH login
- Uses password authentication on SSH
- Doesn't have a firewall
I collected some information in this article to address these three issues.
Target Operating System
I assume you're using Ubuntu 14.04 LTS.
Disabling Root SSH Login and Password Authentication
Edit /etc/ssh/sshd_config and set the following settings:
PasswordAuthentication no
PermitRootLogin no
Optional: Change SSH server port:
Restart SSH service:
sudo service ssh restart
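An added check, not part of the original article: sshd uses the first value it finds for each keyword, so a PermitRootLogin no appended below an existing PermitRootLogin line has no effect. The function names and the sample file below are constructed for illustration.

```shell
# effective_sshd_option FILE KEYWORD
# Print the global value sshd would use for KEYWORD: the first uncommented
# occurrence before any Match block. Keywords are case-insensitive and may be
# separated from the value by whitespace or "=".
effective_sshd_option() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (line == "" || line ~ /^#/) next      # blank line or comment
            n = match(line, /[ \t=]+/)
            if (n == 0) next                         # keyword without a value
            k = tolower(substr(line, 1, n - 1))
            v = substr(line, n + RLENGTH)
            sub(/[ \t]+$/, "", v)
            if (k == "match") exit                   # conditional blocks start here
            if (k == key) { print v; exit }          # first occurrence wins
        }
    ' "$1"
}

# audit_sshd FILE: return 0 only if both settings from the article are in effect.
audit_sshd() {
    rc=0
    for opt in PasswordAuthentication PermitRootLogin; do
        val=$(effective_sshd_option "$1" "$opt")
        if [ "$val" = "no" ]; then
            echo "ok:   $opt no"
        else
            echo "FAIL: $opt is '${val:-unset}' (expected no)"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: a stock-style line is left in place and the fix appended.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not taken from a real server
Port 22
PermitRootLogin without-password
#PasswordAuthentication yes
PasswordAuthentication no
PermitRootLogin no
EOF
audit_sshd "$sample" || echo "edit the first PermitRootLogin line, then restart ssh"
```

On the server, run audit_sshd /etc/ssh/sshd_config before restarting the service; sudo sshd -T prints the configuration the daemon itself resolves.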
Creating New User
Now you can't log in as root, so you need to create another user. Keep your current session open until you have confirmed that the new user can log in:
sudo adduser myuser
To make myuser a sudoer, enter sudo visudo and add this line at the bottom:
myuser ALL=(ALL) NOPASSWD:ALL
The above line lets you sudo without a password. If you prefer having a password when sudoing, use this line instead:
myuser ALL=(ALL:ALL) ALL
Log in as myuser and generate an SSH key:
To allow you to log in as myuser with public key authentication, add your client public key to ~/.ssh/authorized_keys and make sure authorized_keys has the right permissions:
chmod 600 ~/.ssh/authorized_keys
Then you can try logging in to the Linode from your local computer:
Setting up iptables
By default, a Linode accepts all incoming connections. It is better to set up some iptables rules to block unwanted connections.
Create /etc/network/if-pre-up.d/iptables with the following content:
#!/bin/sh
# Reset iptables rules
iptables -F
# Allow replies to connections that are already established
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Web
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Allow all traffic from localhost (loopback interface, every protocol)
iptables -A INPUT -i lo -j ACCEPT
# SSH (replace 22 with the port you use)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Drop all others
iptables -A INPUT -j DROP
This is a typical setup for a web server. Adjust if needed. These rules apply to IPv4 only; IPv6 traffic is filtered separately with ip6tables.
Make this file executable:
sudo chmod +x /etc/network/if-pre-up.d/iptables
Reboot your Linode for the rules to take effect.