Now we’re updated to Gutsy it’s time to secure our system a little
First a firewall. Linux comes with a command called iptables for setting up firewall rules. It can be fairly complicated to use but we only want to do something nice and simple so we can just write the rules by hand.
We’re going to need some information about our vps to set this up so run the command
#ifconfig eth0 Link encap:Ethernet HWaddr AA:00:49:94:0F:01 inet addr:10.5.4.3 Bcast:10.5.4.255 Mask:255.255.255.0 inet6 addr: fe80::a800:49ff:fe94:f01/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:232772 errors:0 dropped:0 overruns:0 frame:0 TX packets:326 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:24198687 (23.0 MB) TX bytes:48813 (47.6 KB) lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 inet6 addr: ::1/128 Scope:Host UP LOOPBACK RUNNING MTU:16436 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
So my ip address is 10.5.4.3 and my external interface is called eth0 (you can ignore the ‘lo’ settings)
Now create the firewall script. Make sure that if your external interface is not called eth0 then change the script below where it references eth0
cat >> /usr/local/bin/firewall.sh << EOF #!/bin/bash # Load kernel modules modprobe ip_conntrack modprobe ip_conntrack_ftp # Clear any existing firewall stuff before we start iptables --flush iptables -t nat --flush iptables -t mangle --flush # As the default policies, drop all incoming traffic but allow all # outgoing traffic. This will allow us to make outgoing connections # from any port, but will only allow incoming connections on the ports # specified below. iptables --policy INPUT DROP iptables --policy OUTPUT ACCEPT # Allow all incoming traffic if it is coming from the local loopback device iptables -A INPUT -i lo -j ACCEPT # Accept all incoming traffic associated with an established # connection, or a "related" connection iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT # Allow connections to port 22 - ssh. You can add other ports you need in here iptables -A INPUT -p tcp -i eth0 --dport 80 -m state --state NEW -j ACCEPT iptables -A INPUT -p tcp -i eth0 --dport 22 -m state --state NEW -j ACCEPT # Allow connections from my machines iptables -A INPUT -p tcp -i eth0 -s 126.96.36.199 -m state --state NEW -j ACCEPT iptables -A INPUT -p tcp -i eth0 -s 188.8.131.52 -m state --state NEW -j ACCEPT # Allow icmp input so that people can ping us iptables -A INPUT -p icmp -j ACCEPT # Log then drop any packets that are not allowed. You will probably want to turn off the logging iptables -A INPUT -j LOG iptables -A INPUT -j REJECT EOF
Chmod the script so that we can run it
chmod 700 /usr/local/bin/firewall.sh
and give it a go
/usr/local/bin/firewall.sh[If you lose connection to your vps you will need to reboot it via the control panel and try to figure out what is wrong before proceeding]
You can check that things look ok by running
If everything works ok you can add that to your startup script by running
echo /usr/local/bin/firewall.sh >> /etc/rc.local
We’ll want to block hackers and bots that try to brute force guess our passwords using ssh. There is a package called denyhosts for this so run
apt-get install denyhosts -y
Most of the default settings are ok but have a look at /etc/denyhosts.conf and make sure the settings are ok for you. Be warned – it’s possible for you to get locked out too!
Next, we’ll install sudo so we don’t have to run anything as root
apt-get install sudo -y
and create a new user
useradd -s /bin/bash -m -d /home/john john
change the password for the user we’ve just created
Now we’re going to setup sudo to allow the user we just created to get ‘root’ access. Obviously change the username to match the user you just created above
cp /etc/sudoers /etc/sudoers.orig echo "# Defaults" > /etc/sudoers echo "Defaults !lecture,tty_tickets,!fqdn" >> /etc/sudoers echo "# User privilege specification" >> /etc/sudoers echo "root ALL=(ALL) ALL" >> /etc/sudoers echo "john ALL=(ALL) ALL" >> /etc/sudoers
Now prevent root from ssh’ing into the vps, just allowing the user we created above. Again change the username to the correct one.
echo "AllowUsers john" >> /etc/ssh/sshd_config sed -i 's/PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config
Some people change the port that sshd listens on from port 22 to something else. There are a couple of potential problems with this. Firstly it’s only security by obscurity – it doesn’t prevent people from ssh’ing to your machine if they can find out the port number. A bigger problem could be that a lot of ISPs now ‘traffic shape’ customers internet connections. This means that if you change sshd so that it listens on port 2222, and your ISP slow’s down traffic using port 2222 because it’s sometimes used by trojans, you’ll get very poor performance when ssh’ing or copying files to your server using scp.
Now well setup ntpdate and the time locale so we can keep the correct time one the server
apt-get install ntpdate -y
Now set the timezone. Obviously replace US/Eastern with your timezone
ln -sf /usr/share/zoneinfo/US/Eastern /etc/localtime
And set ntpdate to automatically update the time on the server
echo "/usr/sbin/ntpdate pool.ntp.org" > /etc/cron.daily/ntpdate chmod 755 /etc/cron.daily/ntpdate
If you’d like a warning to people trying to ssh into your machine you can use the following
echo "* * * * * * * * * * * * * * * * * * * * * * * * * * * * * *" > /etc/ssh_banner echo "* This system is for the use of authorized users only *" >> /etc/ssh_banner echo "* If you have not been givin express permission to access *" >> /etc/ssh_banner echo "* this machine then you must disconnect now *" >> /etc/ssh_banner echo "* * * * * * * * * * * * * * * * * * * * * * * * * * * * * *" >> /etc/ssh_banner echo "Banner /etc/ssh_banner" >> /etc/ssh/sshd_config
For some reason my vps (running Xen) had not got he swap space enabled
To enable this I needed to do
echo swapon /dev/sda2 >> rc.local
And that will do us for now. We’ve setup a firewall and locked down root access which is a good start.
Now reboot and log back in as the user you created above. You should be able to log in as root now but don’t try too many times or you may end up locking yourself out!
This post is part of a 4 part series that goes from getting a vps, securing it, installing LAMP and installing WordPress.The 4 parts are –
Setting up a vps with cheapvps.co.uk [part1]
The configuration is 256Mb memory & 10Gb disk space for $18 a month.
The vps was provisioned with Ubuntu Fiesty Fawn but I upgraded that to the latest version – Gutsy Gibbon