Securing a Ubuntu 14.04 Server
Linux, Security, Sysadmin, Ubuntu
These guidelines assume a fresh install of Ubuntu 14.04.
Secure SSH Access
The first step is to change the default port for SSH.
Change the default SSH port.
Many brute force attempts target the username “root” on port 22. Simply changing the port can reduce the number of malicious login attempts (and the log noise they generate) drastically. It is not a security control on its own, since a port scan will still find the service, so combine it with the root login restrictions and Fail2Ban described below.
Change the SSH port number to something between 1024 and 65535 that is not used by another service on the machine. Bear in mind that any unprivileged process can bind a port above 1023, so if sshd is ever stopped a local user could start a listener on the port you chose. Once changed, the server accepts SSH connections on the new port only.
In Ubuntu the SSH port is set in /etc/ssh/sshd_config.
Before going any further, back up the config file (it is owned by root, so use sudo):
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config_backup
Open the config file and amend the port number (the Port directive, which is the first uncommented line in the file):
sudo nano /etc/ssh/sshd_config
Restart SSH to enable the changes:
sudo service ssh restart
or (on Ubuntu the init script is called ssh, not sshd):
sudo /etc/init.d/ssh restart
Test the New Configuration
Keep your current terminal open and try to log in from a new terminal. That way, if you can’t log in, you still have access to the server to undo the change.
Remember to specify the new port number (see below).
SSH Login - Non Standard Port
Assuming the SSH port is 1234 and the server’s address is 192.0.2.10 (a placeholder; substitute your own).
SSH login:
ssh -p 1234 user@192.0.2.10
Using scp (copying a remote file into the current directory):
scp -P 1234 user@192.0.2.10:/path/file.txt .
Note: the uppercase -P is necessary; lowercase -p is a different scp switch (it preserves file times and modes).
Using rsync (-a already implies -r):
rsync --progress -avz --checksum --delete -e "ssh -p 1234" _site/ user@192.0.2.10:/var/www/path/directory
Root Login
Once the SSH port has been changed, prevent root from logging in with a password. Root will still be able to log in with an SSH public key, which you generate on your local machine and install on the server.
Amend the following block (the PermitRootLogin directive) in /etc/ssh/sshd_config:
Alternatively, prevent root access altogether:
PermitRootLogin no
Make sure you have created a new user with sudo privileges before doing this, otherwise you lock yourself out of administrative access.
After making changes to the SSH configuration, restart SSH:
sudo /etc/init.d/ssh restart
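The SSH steps above as one script, added here as a worked example; it is not code from the original post. It assumes the post’s example port 1234, the OpenSSH 6.6 (Ubuntu 14.04) keyword without-password for key-only root login, and helper names of my own (get_sshd_option, set_sshd_option, harden_sshd_config, check_sshd_config); the sample sshd_config it creates is constructed, and it edits a temporary file unless SSHD_CONFIG points at the real one (in which case run it with sudo).

```shell
#!/bin/sh
# Added example, not from the original post: make the Port and PermitRootLogin
# changes to an sshd_config file safely (backup, first-match-wins semantics,
# syntax check), with the checks to run before closing the existing session.
# Works on a temporary constructed file unless SSHD_CONFIG points at the real
# one. Port 1234 is the post's example port.

# get_sshd_option FILE KEY: print the effective value of KEY. sshd honours the
# first uncommented occurrence of a keyword and ignores later ones.
get_sshd_option() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# set_sshd_option FILE KEY VALUE: turn the first "KEY ..." or "#KEY ..." line
# into "KEY VALUE", drop later uncommented duplicates (sshd would ignore them
# anyway, but they mislead the reader), or append the directive if absent.
# Caveat: does not understand Match blocks; check those by hand.
set_sshd_option() {
    file=$1 key=$2 value=$3
    awk -v key="$key" -v value="$value" '
        {
            line = $0
            sub(/^[ \t#]+/, "", line)            # look through a leading "#"
            split(line, f, /[ \t]+/)
            if (tolower(f[1]) == tolower(key)) {
                if (!done) { print key " " value; done = 1 }
                next
            }
            print
        }
        END { if (!done) print key " " value }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# harden_sshd_config FILE PORT ROOT_LOGIN: back the file up (as the post does),
# then apply the two directives. "without-password" is the OpenSSH 6.6 keyword
# for "keys only"; "no" disables root login entirely.
harden_sshd_config() {
    cfg=$1
    cp "$cfg" "${cfg}_backup"
    set_sshd_option "$cfg" Port "$2"
    set_sshd_option "$cfg" PermitRootLogin "$3"
}

# check_sshd_config FILE: ask sshd itself to parse the file. Run this before
# restarting: a typo means sshd fails to start and no new logins are possible.
# Needs root because sshd also loads the host keys.
check_sshd_config() {
    sudo sshd -t -f "$1"
}

SSHD_CONFIG=${SSHD_CONFIG:-$(mktemp)}
if [ ! -s "$SSHD_CONFIG" ]; then
    # Constructed stand-in for the top of a stock sshd_config (not the real file).
    cat > "$SSHD_CONFIG" <<'EOF'
# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 22
Protocol 2
# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
EOF
fi

harden_sshd_config "$SSHD_CONFIG" 1234 without-password
echo "Port:            $(get_sshd_option "$SSHD_CONFIG" Port)"
echo "PermitRootLogin: $(get_sshd_option "$SSHD_CONFIG" PermitRootLogin)"
echo "backup:          ${SSHD_CONFIG}_backup"

# On the server, with SSHD_CONFIG=/etc/ssh/sshd_config, continue with:
#   check_sshd_config /etc/ssh/sshd_config   # must print nothing and exit 0
#   sudo service ssh restart
#   sudo netstat -tlnp | grep sshd           # confirm it now listens on 1234
#   ssh -p 1234 user@server                  # from a NEW terminal; keep the old one open
```

The point of set_sshd_option is that sshd takes the first uncommented occurrence of a keyword, so simply appending Port 1234 at the end of the file is silently ignored while an earlier Port 22 line remains. Run check_sshd_config before service ssh restart; a configuration error stops sshd from starting at all.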
Set up a Firewall
Enter sudo iptables -L, which on a fresh install returns an empty ruleset (the INPUT, FORWARD and OUTPUT chains with policy ACCEPT and no rules):
Make a file for the firewall rules:
sudo nano /etc/iptables.firewall.rules
…and add some rules:
Activate the rules:
sudo iptables-restore < /etc/iptables.firewall.rules
Amend /etc/iptables.firewall.rules as necessary and run iptables-restore again to apply it.
Check You Still Have SSH Access
The firewall rules set the port number on which SSH connections are accepted; this must match the Port value set in /etc/ssh/sshd_config, otherwise the firewall drops your SSH connections.
Make sure!
While still logged in on one terminal, open a new terminal and check that an SSH connection still works.
Apply Firewall Rules When the System Reboots
iptables rules are not persistent; they are lost at reboot. Scripts in /etc/network/if-pre-up.d/ are run before a network interface is brought up, so a script there can reload the saved rules before the server is reachable:
sudo nano /etc/network/if-pre-up.d/firewall
Add:
Save, then make it executable:
sudo chmod +x /etc/network/if-pre-up.d/firewall
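A rules file of the kind this section describes, plus the if-pre-up.d hook, generated by a script. This is an added example, not the post’s own rules. It assumes port 1234 from earlier in the post, an HTTP/HTTPS web server (drop those two lines if nothing listens on 80/443), and helper names of my own (write_firewall_rules, rules_ssh_port, write_ifpreup_hook). It writes into a scratch directory; copy the results to the real paths on the server.

```shell
#!/bin/sh
# Added example, not the post's own rules file: generate a minimal
# /etc/iptables.firewall.rules in iptables-restore format (loopback, established
# connections, HTTP/HTTPS and SSH on the non-standard port allowed; other inbound
# and all forwarded traffic dropped) together with the if-pre-up.d hook that
# reloads it at boot. Files are written under OUT_DIR (a scratch directory by
# default); on the server use the real paths shown at the bottom.

# write_firewall_rules FILE SSH_PORT
write_firewall_rules() {
    cat > "$1" <<EOF
*filter

# Allow all loopback traffic, and reject traffic to 127/8 that does not use lo
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

# Accept replies to connections we initiated
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow all outbound traffic (tighten this later if the box should not call out)
-A OUTPUT -j ACCEPT

# Allow HTTP and HTTPS
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

# Allow SSH on the port configured in /etc/ssh/sshd_config (not 22)
-A INPUT -p tcp -m state --state NEW --dport $2 -j ACCEPT

# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# Log (rate limited) and drop everything else inbound; drop forwarded traffic
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j DROP
-A FORWARD -j DROP

COMMIT
EOF
}

# rules_ssh_port FILE: read the SSH port back out of the rules file, so it can
# be compared with the Port line in sshd_config before the rules are loaded.
rules_ssh_port() {
    awk '/^-A INPUT/ && /--state NEW/ && /--dport/ {
             for (i = 1; i < NF; i++) if ($i == "--dport") { print $(i + 1); exit }
         }' "$1"
}

# write_ifpreup_hook FILE RULES_PATH: ifupdown runs every executable in
# /etc/network/if-pre-up.d before bringing an interface up, so the rules are
# in place before the server is reachable.
write_ifpreup_hook() {
    cat > "$1" <<EOF
#!/bin/sh
/sbin/iptables-restore < $2
EOF
    chmod +x "$1"
}

OUT_DIR=${OUT_DIR:-$(mktemp -d)}
SSH_PORT=${SSH_PORT:-1234}     # the post's example port; must equal Port in sshd_config

write_firewall_rules "$OUT_DIR/iptables.firewall.rules" "$SSH_PORT"
write_ifpreup_hook "$OUT_DIR/firewall" /etc/iptables.firewall.rules
echo "rules in $OUT_DIR/iptables.firewall.rules accept SSH on port $(rules_ssh_port "$OUT_DIR/iptables.firewall.rules")"
echo "boot hook in $OUT_DIR/firewall"

# On the server: copy the two files to /etc/iptables.firewall.rules and
# /etc/network/if-pre-up.d/firewall, then as root:
#   iptables-restore < /etc/iptables.firewall.rules
#   iptables -S                    # review the loaded rules
#   ssh -p 1234 user@server        # from a NEW terminal before closing the old one
```

If you do lock yourself out, iptables -F from a console session flushes all chains (the policies are ACCEPT, so access returns), after which you can correct the rules file and load it again.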
Fail2Ban
sudo apt-get install fail2ban
View the Fail2Ban configuration settings (read only; do not edit this file):
nano /etc/fail2ban/jail.conf
This file can be overwritten by package upgrades, losing any customisations, so make changes in a jail.local file instead.
First copy the jail.conf:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Make all amendments to jail.local.
The default setting ignores traffic from the local machine: ignoreip = 127.0.0.1/8. Additional IP addresses can be appended to this parameter, separated by spaces; addresses listed here are never banned.
You could add your office’s IP address, for example, to prevent locking yourself out.
Check it’s running:
sudo fail2ban-client status
Check Rules
Enter sudo iptables -S
Typical output:
The --dport number on line 11 corresponds to the number set in the firewall rules: SSH connections are accepted on that port. Fail2Ban, however, is still inserting its rules for port 22, so its bans would apply to the wrong port.
This means the Fail2Ban port should change. Amend /etc/fail2ban/jail.local:
Once this change is made, reload the Fail2Ban configuration:
sudo fail2ban-client reload
Because Fail2Ban sets the port as “ssh” by default, it looks the name up in /etc/services, where ssh is mapped to port 22. Adjusting that entry would be another way of pointing Fail2Ban at the right port, but setting the port in jail.local is preferable: other programs resolve the name through /etc/services too, including the ssh client itself when no port is given.
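The check behind “Make sure!” in the firewall section and the port mismatch described here, as one script. This is an added example, not part of the original post. It assumes the post’s port 1234, the stock Fail2Ban 0.8 [ssh] jail with port = ssh, a stock ssh 22/tcp line in /etc/services, 203.0.113.5 as a placeholder office address for ignoreip, and helper names of my own; every file it reads is a constructed stand-in written to a temporary directory, and the iptables -S excerpt is likewise constructed.

```shell
#!/bin/sh
# Added example, not from the original post: check that sshd_config, the iptables
# rules file and Fail2Ban agree on the SSH port, resolving Fail2Ban's default
# "port = ssh" through /etc/services the way Fail2Ban does, read the same ports
# out of 'iptables -S' output, and write the jail.local override that fixes a
# mismatch. Every input below is a constructed stand-in for the server's files;
# 1234 is the post's example port and 203.0.113.5 a placeholder office address.

# sshd_port FILE: effective Port (sshd honours the first uncommented occurrence).
sshd_port() { awk 'tolower($1) == "port" { print $2; exit }' "$1"; }

# dport_of_rule TEXT PATTERN: --dport/--dports value of the first line of TEXT
# (rules file or 'iptables -S' output) matching the awk regex PATTERN.
dport_of_rule() {
    printf '%s\n' "$1" | awk -v pat="$2" '$0 ~ pat {
        for (i = 1; i < NF; i++) if ($i == "--dport" || $i == "--dports") { print $(i + 1); exit } }'
}

# jail_option FILE SECTION KEY: value of KEY in [SECTION] of a Fail2Ban ini file,
# empty if the file or the key is absent (a later definition wins).
jail_option() {
    [ -f "$1" ] || return 0
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*\[/ { s = $0; gsub(/\[|\]|[ \t]/, "", s); in_sec = (s == sec); next }
        in_sec && match($0, "^[ \t]*" key "[ \t]*=") {
            val = substr($0, RLENGTH + 1); gsub(/^[ \t]+|[ \t]+$/, "", val) }
        END { print val }' "$1"
}

# effective_jail_option LOCAL CONF SECTION KEY: jail.local overrides jail.conf.
effective_jail_option() {
    v=$(jail_option "$1" "$3" "$4"); [ -n "$v" ] || v=$(jail_option "$2" "$3" "$4")
    printf '%s\n' "$v"
}

# resolve_port NAME_OR_NUMBER [SERVICES_FILE]: a service name such as "ssh" is
# looked up in /etc/services (tcp entries), which is how "port = ssh" becomes 22.
resolve_port() {
    case $1 in
        ''|*[!0-9]*) awk -v n="$1" '$1 == n && $2 ~ /\/tcp$/ { sub(/\/tcp$/, "", $2); print $2; exit }' \
                         "${2:-/etc/services}" ;;
        *) printf '%s\n' "$1" ;;
    esac
}

# check_ssh_ports SSHD_CONFIG RULES JAIL_LOCAL JAIL_CONF SERVICES: print the three
# ports; succeed only if they all agree.
check_ssh_ports() {
    s=$(sshd_port "$1")
    r=$(dport_of_rule "$(cat "$2")" '--state NEW.*-j ACCEPT')
    j=$(resolve_port "$(effective_jail_option "$3" "$4" ssh port)" "$5")
    echo "sshd=${s:-?} firewall=${r:-?} fail2ban=${j:-?}"
    [ -n "$s" ] && [ "$s" = "$r" ] && [ "$s" = "$j" ]
}

# write_jail_local FILE PORT EXTRA_IGNOREIP: minimal override. Fail2Ban reads
# jail.conf and then jail.local on top of it, so only the changed keys are needed.
write_jail_local() {
    cat > "$1" <<EOF
[DEFAULT]
ignoreip = 127.0.0.1/8 $3

[ssh]
enabled = true
port = $2
filter = sshd
logpath = /var/log/auth.log
EOF
}

WORK=$(mktemp -d)   # constructed stand-ins for the server's files follow
printf 'Port 1234\nPermitRootLogin without-password\n' > "$WORK/sshd_config"
printf -- '-A INPUT -p tcp -m state --state NEW --dport 1234 -j ACCEPT\n' > "$WORK/iptables.firewall.rules"
printf '[ssh]\nenabled = true\nport = ssh\nfilter = sshd\n' > "$WORK/jail.conf"   # stock default
printf 'ssh\t\t22/tcp\n' > "$WORK/services"                                       # stock /etc/services entry
run_check() { check_ssh_ports "$WORK/sshd_config" "$WORK/iptables.firewall.rules" "$WORK/jail.local" "$WORK/jail.conf" "$WORK/services"; }

if run_check; then
    echo "consistent"
else
    echo "mismatch: Fail2Ban is banning on the wrong port; writing jail.local"
    write_jail_local "$WORK/jail.local" 1234 203.0.113.5
    run_check && echo "consistent now; on the server follow up with: sudo fail2ban-client reload"
fi

# Constructed excerpt of 'sudo iptables -S' taken before the fix: Fail2Ban's chain
# is hooked on port 22 while sshd is accepted on 1234.
IPTABLES_S='-N fail2ban-ssh
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1234 -j ACCEPT
-A INPUT -j DROP
-A fail2ban-ssh -j RETURN'
echo "iptables -S: fail2ban on $(dport_of_rule "$IPTABLES_S" '-j fail2ban-ssh'), sshd accepted on $(dport_of_rule "$IPTABLES_S" '--state NEW.*-j ACCEPT')"
```

Unlike the full copy of jail.conf made earlier, the jail.local written here holds only the overridden keys; Fail2Ban merges the two files, so either approach works, and the short file is easier to keep track of across package upgrades. On a real server, feed the output of sudo iptables -S to dport_of_rule instead of the constructed excerpt.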
See this Server Fault question.
Handy Fail2Ban commands
sudo fail2ban-client start - starts the server and the jails
sudo fail2ban-client reload - reloads the configuration
sudo fail2ban-client reload <JAIL> - reloads the jail <JAIL>
sudo fail2ban-client stop - stops all jails and terminates the server
sudo fail2ban-client status - gets the current status of the server
sudo fail2ban-client ping - tests if the server is alive
sudo fail2ban-client help - returns this output
More Fail2Ban commands.