Securing my Ubuntu VPS [part2]

Now that we’re updated to Gutsy, it’s time to secure our system a little.

First a firewall. Linux comes with a command called iptables for setting up firewall rules. It can be fairly complicated to use but we only want to do something nice and simple so we can just write the rules by hand.


We’re going to need some information about our vps to set this up so run the command

#ifconfig

eth0 Link encap:Ethernet HWaddr AA:00:49:94:0F:01
inet addr:10.5.4.3 Bcast:10.5.4.255 Mask:255.255.255.0
inet6 addr: fe80::a800:49ff:fe94:f01/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:232772 errors:0 dropped:0 overruns:0 frame:0
TX packets:326 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:24198687 (23.0 MB) TX bytes:48813 (47.6 KB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

So my ip address is 10.5.4.3 and my external interface is called eth0 (you can ignore the ‘lo’ settings)

Now create the firewall script. If your external interface is not called eth0, change every reference to eth0 in the script below.

cat > /usr/local/bin/firewall.sh << 'EOF'
#!/bin/bash
# Load kernel modules
modprobe ip_conntrack
modprobe ip_conntrack_ftp

# Clear any existing firewall stuff before we start
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush

# As the default policies, drop all incoming traffic but allow all
# outgoing traffic.  This will allow us to make outgoing connections
# from any port, but will only allow incoming connections on the ports
# specified below.
iptables --policy INPUT DROP
iptables --policy OUTPUT ACCEPT

# Allow all incoming traffic if it is coming from the local loopback device
iptables -A INPUT -i lo -j ACCEPT

# Accept all incoming traffic associated with an established
# connection, or a "related" connection
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow connections to port 80 (http) and port 22 (ssh). You can add other ports you need in here
iptables -A INPUT -p tcp -i eth0 --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 22 -m state --state NEW -j ACCEPT

# Allow connections from my machines
iptables -A INPUT -p tcp -i eth0 -s 74.237.5.182 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -i eth0 -s 128.192.6.56 -m state --state NEW -j ACCEPT

# Allow icmp input so that people can ping us
iptables -A INPUT -p icmp -j ACCEPT

# Log then reject any packets that are not allowed. You will probably want to turn off the logging
iptables -A INPUT -j LOG
iptables -A INPUT -j REJECT
EOF

Chmod the script so that we can run it

chmod 700 /usr/local/bin/firewall.sh

and give it a go

/usr/local/bin/firewall.sh

[If you lose connection to your vps you will need to reboot it via the control panel and try to figure out what is wrong before proceeding]

You can check that things look ok by running

iptables --list

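If everything works ok you can add that to your startup script. Ubuntu’s default /etc/rc.local ends with an exit 0 line, and anything appended after it never runs, so insert the command before that line by running

sed -i '/^exit 0/i /usr/local/bin/firewall.sh' /etc/rc.local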

We’ll want to block hackers and bots that try to brute force guess our passwords using ssh. There is a package called denyhosts for this so run

apt-get install denyhosts -y

Most of the default settings are ok but have a look at /etc/denyhosts.conf and make sure the settings are ok for you. Be warned - it’s possible for you to get locked out too!

Next, we’ll install sudo so we don’t have to run anything as root

apt-get install sudo -y

and create a new user

useradd -s /bin/bash -m -d /home/john john

change the password for the user we’ve just created

passwd john

Now we’re going to set up sudo to allow the user we just created to get ‘root’ access. Obviously change the username to match the user you just created above.

cp /etc/sudoers /etc/sudoers.orig
echo "# Defaults" > /etc/sudoers
echo "Defaults !lecture,tty_tickets,!fqdn" >> /etc/sudoers
echo "# User privilege specification" >> /etc/sudoers
echo "root ALL=(ALL) ALL" >> /etc/sudoers
echo "john ALL=(ALL) ALL" >> /etc/sudoers

Now prevent root from ssh’ing into the vps, just allowing the user we created above. Again change the username to the correct one.

echo "AllowUsers john" >> /etc/ssh/sshd_config
sed -i 's/PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config
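
The two edits above can miss without any error: the sed only rewrites a line that reads exactly PermitRootLogin yes, and sshd uses the first value it finds for a keyword. The script below is an added example (not from the original post; the function names are made up for it) that reads a config file and reports whether root login is really off and the user is really listed.

```shell
#!/bin/bash
# For single-valued keywords such as PermitRootLogin, sshd uses the FIRST
# value it reads; AllowUsers lines accumulate. Keywords are case-insensitive.
# Only the global section is read: parsing stops at the first Match block.

# first_value FILE KEYWORD: print the first uncommented value of KEYWORD.
first_value() {
    awk -v key="$2" '
        /^[ \t]*(#|$)/              { next }
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# all_values FILE KEYWORD: print every value of KEYWORD, space separated.
all_values() {
    awk -v key="$2" '
        /^[ \t]*(#|$)/              { next }
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { for (i = 2; i <= NF; i++) printf "%s ", $i }' "$1"
}

# check_ssh_lockdown FILE USER: return 0 only if root login is off and USER
# is listed by name in AllowUsers (user@host and wildcard patterns are not
# evaluated). Findings are printed one per line.
check_ssh_lockdown() {
    local root allow rc=0
    root=$(first_value "$1" PermitRootLogin)
    allow=$(all_values "$1" AllowUsers)
    if [ "$root" != "no" ]; then
        echo "FAIL: PermitRootLogin is '${root:-unset}', not 'no'"; rc=1
    fi
    case " $allow" in
        *" $2 "*) ;;
        *) echo "FAIL: '$2' is not listed in AllowUsers"; rc=1 ;;
    esac
    return "$rc"
}

# apply_post_edits FILE USER: the post's two edits, run against FILE so they
# can be tried on a copy instead of /etc/ssh/sshd_config.
apply_post_edits() {
    echo "AllowUsers $2" >> "$1"
    sed -i 's/PermitRootLogin yes/PermitRootLogin no/g' "$1"
}

# Usage: ./check_ssh.sh /etc/ssh/sshd_config john
if [ "$#" -eq 2 ]; then check_ssh_lockdown "$1" "$2"; fi
```

Running sshd -t as well catches syntax errors in the file before sshd is restarted.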

Some people change the port that sshd listens on from port 22 to something else. There are a couple of potential problems with this. Firstly it’s only security by obscurity - it doesn’t prevent people from ssh’ing to your machine if they can find out the port number. A bigger problem could be that a lot of ISPs now ‘traffic shape’ customers’ internet connections. This means that if you change sshd so that it listens on port 2222, and your ISP slows down traffic using port 2222 because it’s sometimes used by trojans, you’ll get very poor performance when ssh’ing or copying files to your server using scp.

Now we’ll set up ntpdate and the timezone so we can keep the correct time on the server

apt-get install ntpdate -y

Now set the timezone. Obviously replace US/Eastern with your timezone

ln -sf /usr/share/zoneinfo/US/Eastern /etc/localtime

And set ntpdate to automatically update the time on the server

printf '#!/bin/sh\n/usr/sbin/ntpdate pool.ntp.org\n' > /etc/cron.daily/ntpdate
chmod 755 /etc/cron.daily/ntpdate

If you’d like a warning to people trying to ssh into your machine you can use the following

echo "* * * * * * * * * * * * * * * * * * * * * * * * * * * * * *" > /etc/ssh_banner
echo "* This system is for the use of authorized users only *" >> /etc/ssh_banner
echo "* If you have not been given express permission to access *" >> /etc/ssh_banner
echo "* this machine then you must disconnect now *" >> /etc/ssh_banner
echo "* * * * * * * * * * * * * * * * * * * * * * * * * * * * * *" >> /etc/ssh_banner
echo "Banner /etc/ssh_banner" >> /etc/ssh/sshd_config

For some reason my vps (running Xen) had not got the swap space enabled

To enable this I needed to do

sed -i '/^exit 0/i swapon /dev/sda2' /etc/rc.local

And that will do us for now. We’ve set up a firewall and locked down root access which is a good start.

Now reboot and log back in as the user you created above. You should no longer be able to log in as root, but don’t try too many times or you may end up locking yourself out!


This post is part of a 4 part series that goes from getting a vps, securing it, installing LAMP and installing WordPress. The 4 parts are -

Setting up a vps with cheapvps.co.uk [part1]

Installing Mysql and Apache [part3]

Installing WordPress on a VPS [part4]

My VPS was from cheapvps.co.uk and was running under XEN.

The configuration is 256Mb memory & 10Gb disk space for $18 a month.

The vps was provisioned with Ubuntu Feisty Fawn but I upgraded that to the latest version - Gutsy Gibbon.



