Dev Notes

Software Development Resources by David Egan.

Securing a Ubuntu 14.04 Server


Linux, Security, Sysadmin, Ubuntu
David Egan

These guidelines assume a fresh install of Ubuntu 14.04.

Secure SSH Access

The most important step is probably to change the default port for SSH.

Change the default SSH port.

Many brute force hacking attempts target the username “root” on port 22.

Simply changing the port can reduce the number of malicious login attempts drastically.

Change the SSH port number to something between 1025 and 65536. The Server’s SSH connections will then look to the new port number.

In Ubuntu the SSH port is set in:

/etc/ssh/sshd_config.

Before going any further, backup the config file!

cp /etc/ssh/sshd_config /etc/ssh/sshd_config_backup

Open the config file and amend the port number (first uncommented line in the file):

sudo nano /etc/ssh/sshd_config

Restart SSH to enable the changes:

service ssh restart or

/etc/init.d/sshd restart

TEST THE NEW CONFIGURATION

Keep your terminal open, and try to log in with a new terminal. In this way, if you can’t login you still have server access.

Remember to specify the correct port number (see below).

SSH Login - Non Standard Port

Assuming the SSH port is 1234.

SSH login: ssh -p 1234 user@12.34.567.89

Using scp: scp -P 1234 username@12.34.567.89:/path/file.txt Note: uppercase P is necessary - lowercase p is an scp switch.

Using rsync: rsync --progress -a -v -rz --checksum --delete -e "ssh -p 1234" _site/ user@12.34.567.89:/var/www/path/directory

Root Login

Once the SSH port has been reset, prevent root login with password. Root will still be able to gain access by means of public SSH keys - which can be set up on your local machine.

Amend the following block in /etc/ssh/sshd_config

# Authentication:
LoginGraceTime 120
# root can't log in via SSH & password - allows root login only with public key
PermitRootLogin without-password
StrictModes yes

Alternatively, prevent root access altogether: PermitRootLogin no

Make sure you’ve created a new user with sudo privileges before doing this.

After making changes to SSH configuration, restart SSH: /etc/init.d/sshd restart

Set up a Firewall

Enter sudo iptables -L, will return an empty ruleset:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Make a file for firewall rules:

sudo nano /etc/iptables.firewall.rules

…and add some rules:

*filter

#  Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT

#  Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#  Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

#  Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

#  Allow SSH connections
#
#  The -dport number should be the same port number you set in sshd_config
#
-A INPUT -p tcp -m state --state NEW --dport 1234 -j ACCEPT

#  Allow ping
-A INPUT -p icmp -j ACCEPT

#  Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

#  Drop all other inbound - default deny unless explicitly allowed policy
-A INPUT -j DROP
-A FORWARD -j DROP

COMMIT

Activate rules:

sudo iptables-restore < /etc/iptables.firewall.rules

Amend /etc/iptables.firewall.rules as necessary.


Check you Still Have SSH Access

The firewall rules set the port number for SSH access - this should correspond to the value set in /etc/ssh/sshd_config.

Make sure!

While still logged in on one terminal, open a new terminal and check SSH connection is still functional.

Apply Firewall Rules When System Reboots

sudo nano /etc/network/if-pre-up.d/firewall

Add:

#!/bin/sh
/sbin/iptables-restore < /etc/iptables.firewall.rules

Save, make executable:

sudo chmod +x /etc/network/if-pre-up.d/firewall

Fail2Ban

Fail2Ban Manual

sudo apt-get install fail2ban

View Fail2Ban configuration settings - read only:

nano /etc/fail2ban/jail.conf

This file can be modified by package upgrades - thereby losing customisations - so to make changes, create a jail.local file.

First copy the jail.conf:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Make all amendments to jail.local.

Default setting ignores traffic from the local machine: ignoreip = 127.0.0.1/8. Additional IP addresses could be added here, by appending to the existing parameter, separating IP addresses with a space.

You could add the local office IP address for example, to prevent accidental lockout.

Check it’s running: sudo fail2ban-client status

Check Rules

Enter sudo iptables -S

Typical Output:

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N fail2ban-ssh
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 12345 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j DROP
-A FORWARD -j DROP
-A OUTPUT -j ACCEPT
-A fail2ban-ssh -j RETURN

The –dport number on line 11 corresponds to the number set in firewall rules - SSH connections are accepted on that port.

This means fail2ban port should change. Amend /etc/fail2ban/jail.local:

[ssh]

enabled  = true
# change the port from ssh to the proper value
#port     = ssh
port   = 12345
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6

Once this change is made, reload fail2ban configuration:

sudo fail2ban-client reload

Because Fail2Ban sets the port as “ssh” bu default, it searches in the /etc/services file and maps ssh to the named port.

The port is set to 22 in this file by default. Adjusting this value would be another way of pointing Fail2Ban to the right port.

See this Server Fault question.

Handy Fail2Ban commands

  • sudo fail2ban-client start - starts the server and the jails
  • sudo fail2ban-client reload - reloads the configuration
  • sudo fail2ban-client reload <JAIL> - reloads the jail <JAIL>
  • sudo fail2ban-client stop - stops all jails and terminate the server
  • sudo fail2ban-client status - gets the current status of the server
  • sudo fail2ban-client ping - tests if the server is alive
  • sudo fail2ban-client help - return this output

More Fail2Ban commands.


References


comments powered by Disqus