Securing my Ubuntu VPS [part2]

Now that we’re updated to Gutsy, it’s time to secure our system a little.

First, a firewall. Linux comes with a command called iptables for setting up firewall rules. It can be fairly complicated to use, but we only want something nice and simple, so we can just write the rules by hand.


We’re going to need some information about our vps to set this up, so run the command

# ifconfig

eth0 Link encap:Ethernet HWaddr AA:00:49:94:0F:01
inet addr:10.5.4.3 Bcast:10.5.4.255 Mask:255.255.255.0
inet6 addr: fe80::a800:49ff:fe94:f01/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:232772 errors:0 dropped:0 overruns:0 frame:0
TX packets:326 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:24198687 (23.0 MB) TX bytes:48813 (47.6 KB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

So my ip address is 10.5.4.3 and my external interface is called eth0 (you can ignore the ‘lo’ settings).

Now create the firewall script. If your external interface is not called eth0, change every line in the script below that references eth0 before running it.

cat > /usr/local/bin/firewall.sh << 'EOF'
#!/bin/bash
# Load kernel modules
modprobe ip_conntrack
modprobe ip_conntrack_ftp

# Clear any existing firewall rules before we start
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush

# As the default policies, drop all incoming traffic but allow all
# outgoing traffic.  This will allow us to make outgoing connections
# from any port, but will only allow incoming connections on the ports
# specified below.
iptables --policy INPUT DROP
iptables --policy OUTPUT ACCEPT

# Allow all incoming traffic if it is coming from the local loopback device
iptables -A INPUT -i lo -j ACCEPT

# Accept all incoming traffic associated with an established
# connection, or a "related" connection
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow new connections to port 80 (http) and port 22 (ssh).
# You can add other ports you need in here
iptables -A INPUT -p tcp -i eth0 --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 22 -m state --state NEW -j ACCEPT

# Allow any new tcp connection from my own machines
iptables -A INPUT -p tcp -i eth0 -s 74.237.5.182 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -i eth0 -s 128.192.6.56 -m state --state NEW -j ACCEPT

# Allow icmp input so that people can ping us
iptables -A INPUT -p icmp -j ACCEPT

# Log then reject any packets not allowed by the rules above.
# You will probably want to turn off the logging
iptables -A INPUT -j LOG
iptables -A INPUT -j REJECT
EOF

Chmod the script so that we can run it

chmod 700 /usr/local/bin/firewall.sh

and give it a go

/usr/local/bin/firewall.sh

[If you lose connection to your vps you will need to reboot it via the control panel and try to figure out what is wrong before proceeding]

You can check that things look ok by running

iptables --list
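Before trusting the rules at boot it is worth checking more than that iptables --list prints something. The script below is an added example, not part of the original post: a small POSIX sh function that reads the INPUT chain in the form `iptables -S INPUT` prints it and verifies the three things that most often go wrong in a hand-written script: the default policy is DROP, there is an ACCEPT rule for the ssh port, and that rule comes before the catch-all REJECT (iptables stops at the first matching rule, so a catch-all placed too early silently locks you out). The sample chains are constructed to mirror the rules in firewall.sh; the function name and its port argument are my own.

```shell
#!/bin/sh
# check_input_chain [SSH_PORT]
# Reads the INPUT chain as printed by `iptables -S INPUT` on stdin and
# exits 0 only if: the default policy is DROP, there is an ACCEPT rule for
# tcp SSH_PORT (default 22), and that rule comes before the first catch-all
# DROP/REJECT rule (rule order matters: iptables stops at the first match).
check_input_chain() {
    awk -v ssh_port="${1:-22}" '
        $1 == "-P" && $2 == "INPUT" { policy = $3 }
        $1 == "-A" && $2 == "INPUT" {
            n++
            # a rule whose first option is -j has no match criteria at all
            if ($3 == "-j" && ($4 == "DROP" || $4 == "REJECT") && catchall == 0)
                catchall = n
            for (i = 3; i <= NF; i++)
                if ($i == "--dport" && $(i + 1) == ssh_port && $NF == "ACCEPT" && ssh == 0)
                    ssh = n
        }
        END {
            ok = 1
            if (policy != "DROP") {
                print "INPUT policy is " (policy == "" ? "unset" : policy) ", expected DROP"; ok = 0
            }
            if (ssh == 0) {
                print "no ACCEPT rule for tcp port " ssh_port; ok = 0
            } else if (catchall != 0 && catchall < ssh) {
                print "catch-all rule " catchall " comes before the ssh rule " ssh; ok = 0
            }
            if (!ok) exit 1
        }'
}

# Constructed sample: what `iptables -S INPUT` prints after running firewall.sh
GOOD_CHAIN='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -j LOG
-A INPUT -j REJECT --reject-with icmp-port-unreachable'

# Constructed sample of a broken chain: the catch-all REJECT was added before
# the ssh rule, so every new ssh connection is refused
BAD_CHAIN='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT'

# Constructed sample where the policy was left at its ACCEPT default
OPEN_CHAIN='-P INPUT ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT'

# On the server itself:  iptables -S INPUT | check_input_chain 22
printf '%s\n' "$GOOD_CHAIN" | check_input_chain && echo "GOOD_CHAIN: ok"
printf '%s\n' "$BAD_CHAIN" | check_input_chain || echo "BAD_CHAIN: rejected"
printf '%s\n' "$OPEN_CHAIN" | check_input_chain || echo "OPEN_CHAIN: rejected"
```

Run it on the server as `iptables -S INPUT | check_input_chain` from the same ssh session you used to start firewall.sh, before adding the script to rc.local; a non-zero exit names the problem it found.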

If everything works ok you can run it at boot by adding it to /etc/rc.local. The line has to go before the final exit 0 in that file or it will never run, so insert it rather than appending it:

sed -i '/^exit 0$/i /usr/local/bin/firewall.sh' /etc/rc.local

We’ll want to block hackers and bots that try to brute-force our passwords over ssh. There is a package called denyhosts for this, so run

apt-get install denyhosts -y

Most of the default settings are ok, but have a look at /etc/denyhosts.conf and make sure the settings suit you. Be warned – it’s possible for you to get locked out too!

Next, we’ll install sudo so we don’t have to run anything as root

apt-get install sudo -y

and create a new user

useradd -s /bin/bash -m -d /home/john john

change the password for the user we’ve just created

passwd john

Now we’re going to set up sudo to allow the user we just created to get ‘root’ access. Obviously change the username to match the user you just created above.

cp /etc/sudoers /etc/sudoers.orig
echo "# Defaults" > /etc/sudoers
echo "Defaults !lecture,tty_tickets,!fqdn" >> /etc/sudoers
echo "# User privilege specification" >> /etc/sudoers
echo "root ALL=(ALL) ALL" >> /etc/sudoers
echo "john ALL=(ALL) ALL" >> /etc/sudoers

Now prevent root from ssh’ing into the vps, just allowing the user we created above. Again change the username to the correct one.

echo "AllowUsers john" >> /etc/ssh/sshd_config
sed -i 's/PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config
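The two commands above are not safe to repeat: the echo appends another AllowUsers line every time it is run, and the sed is a silent no-op if sshd_config carries the setting commented out (for example #PermitRootLogin yes) or not at all. As an added example, not from the original post, here is a small sh/awk function that sets a directive exactly once: it replaces an existing line even when it is commented out, drops later duplicates, and appends only when the key is absent. It is demonstrated on a constructed sshd_config fragment in a temporary file rather than on /etc/ssh/sshd_config; the function and demo names are mine.

```shell
#!/bin/sh
# set_config_option FILE KEY VALUE
# Make FILE contain exactly one live "KEY VALUE" line: the first existing
# KEY line (active, or commented out as "#KEY ...") is replaced, any later
# duplicates are dropped, and the line is appended only if KEY was absent.
# Re-running it is therefore safe, unlike a blind "echo >>".
set_config_option() {
    file=$1
    key=$2
    value=$3
    awk -v k="$key" -v v="$value" '
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)          # strip indent and a leading "#"
            if (line ~ ("^" k "([ \t]|$)")) {         # KEY on its own, not a longer word
                if (!done) { print k " " v; done = 1 } # first hit becomes the live line
                next                                  # later duplicates are dropped
            }
            print
        }
        END { if (!done) print k " " v }              # KEY was absent: append it
    ' "$file" > "$file.tmp" && cat "$file.tmp" > "$file" && rm -f "$file.tmp"
}

# Demo on a constructed sshd_config fragment in a temporary file; on the
# server the target would be /etc/ssh/sshd_config
demo_sshd_hardening() {
    tmp=$(mktemp)
    printf '%s\n' 'Port 22' '#PermitRootLogin yes' 'X11Forwarding yes' > "$tmp"
    set_config_option "$tmp" PermitRootLogin no   # a plain sed s/yes/no/ would miss the "#"
    set_config_option "$tmp" AllowUsers john
    set_config_option "$tmp" AllowUsers john      # second run: still exactly one line
    cat "$tmp"
    rm -f "$tmp"
}

demo_sshd_hardening
```

The rewritten content is copied back over the original file rather than moved into place, so the file keeps its owner and mode. Two caveats: if your sshd_config ends with a Match block, an appended directive lands inside that block and applies only to its matches, so check the tail of the file first; and /etc/sudoers should not be written this way at all, since a syntax error there breaks sudo for everyone. Prepare the sudoers content elsewhere and run visudo -c -f on it before installing it.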

Some people change the port that sshd listens on from port 22 to something else. There are a couple of potential problems with this. Firstly, it’s only security by obscurity: it doesn’t prevent people from ssh’ing to your machine if they can find out the port number. A bigger problem could be that a lot of ISPs now ‘traffic shape’ their customers’ internet connections. This means that if you change sshd so that it listens on port 2222, and your ISP slows down traffic on port 2222 because it’s sometimes used by trojans, you’ll get very poor performance when ssh’ing or copying files to your server using scp.

Now we’ll set up ntpdate and the timezone so the server keeps the correct time

apt-get install ntpdate -y

Now set the timezone. Obviously replace US/Eastern with your timezone

ln -sf /usr/share/zoneinfo/US/Eastern /etc/localtime

And set ntpdate to automatically update the time on the server

echo "/usr/sbin/ntpdate pool.ntp.org" > /etc/cron.daily/ntpdate
chmod 755 /etc/cron.daily/ntpdate

If you’d like a warning to people trying to ssh into your machine you can use the following

echo "* * * * * * * * * * * * * * * * * * * * * * * * * * * * * *" > /etc/ssh_banner
echo "* This system is for the use of authorized users only *" >> /etc/ssh_banner
echo "* If you have not been given express permission to access *" >> /etc/ssh_banner
echo "* this machine then you must disconnect now *" >> /etc/ssh_banner
echo "* * * * * * * * * * * * * * * * * * * * * * * * * * * * * *" >> /etc/ssh_banner
echo "Banner /etc/ssh_banner" >> /etc/ssh/sshd_config

For some reason my vps (running Xen) did not have its swap space enabled.

To enable this I needed to do

sed -i '/^exit 0$/i swapon /dev/sda2' /etc/rc.local

And that will do us for now. We’ve set up a firewall and locked down root access, which is a good start.

Now reboot and log back in as the user you created above. You should no longer be able to log in as root, but don’t try too many times or you may end up locking yourself out!


This post is part of a 4 part series that goes from getting a vps, securing it, installing LAMP and installing WordPress. The 4 parts are –

Setting up a vps with cheapvps.co.uk [part1]

Installing Mysql and Apache [part3]

Installing WordPress on a VPS [part4]

My VPS was from cheapvps.co.uk and was running under XEN.

The configuration is 256Mb memory & 10Gb disk space for $18 a month.

The vps was provisioned with Ubuntu Feisty Fawn but I upgraded that to the latest version – Gutsy Gibbon

1 thought on “Securing my Ubuntu VPS [part2]”

  1. john1345

    I consider spamming my blog with this rubbish while using a fake name and e-mail address extremely poor. I know nothing about this company other than their poor marketing techniques. My advice would be – DO NOT USE ECVPS DOT COM

    this is our price plan detail

    Ecvps-1
    20GB Diskspace
    500GB Bandwidth
    Only For $ 10/month ——— now with $5 first month or 10% off every month

    Ecvps-2
    40 GB Diskspace
    1000 GB Bandwidth
    Only For $ 19/month ——— now with 9.5 first month or 10% off every month

    Ecvps-3
    80 GB Diskspace
    1500 GB Bandwidth
    Only For $35/month ——— now with 17.5 first month or 10% off every month

    50%off half price for first month
    10%OFF 10% off every month (Recurring)

    And these include basic management

    and if you are looking for more plan, please go to ecvps DOT com/client/cart.php

    How about our network?

    We are using dallas ( softlayer )

    FAQ

    Q: Do you oversell our Resources?

    A: We never oversell our server resources, so that means if you buy our vps hosting, you will be able to use all of your web space, Bandwidth etc.

    Q: Do you allow IRC?

    A: Yes

    Q: Do you allow any adult content?

    A: Yes, but it must be legal.

    Q: If I have a problem with control panel, e.g. setup a mysql, ftp etc, what can I do?

    A: We are always here, please don’t be shy to contact us.

    Q: How long does it take for my vps setup?

    A: It usually takes a few minutes to set up; if you have waited up to an hour and the vps is still not set up, please contact us.

    Q: I would like to apply the free trial account , what can I do?

    A: Simple to email us or find us on the front page ( web chat )

    Q: May I have more detail of free trial account ?

    A: Free trial account goes with one Dedicated IP, and 3 days for free, after 3 days, if you would like to join us, we won’t delete your vps account.

    Q: How many servers have ECVPS got at this moment?

    A: We have three servers at this moment, two using softlayer ( Dallas ), one using FDCserver ( Chicago ), but the two Dallas servers are using Xeon + 8GB ram, only the Chicago one is not. So we strongly recommend our customers to use the Dallas server. By default, all customers will use Dallas.

    If this detail not solve your problem, please go to our website to contact us.

    And again, please don’t be shy, we are here to help all of you!

    Thanks
    ecvps DOT com
