VPS Setup Guide: Securing Your Ubuntu Server


Now it’s time to secure your Ubuntu server and protect it from unauthorized access. You’ll learn how to disable root login, set up a firewall, use SSH key pair authentication, and install Fail2Ban, a tool that automatically blocks malicious users.

Adding a New User

The problem with logging in as root is that you can execute any command - even a command that could accidentally break your server. For this reason and many others, security researchers recommend creating another user account and using that at all times. After you log in with the new account, you’ll still be able to execute superuser commands with the sudo command.

Here’s how to add a new user:

  1. Open a terminal window and log in to your server via SSH.
  2. Create the user by entering the following command. Replace exampleuser with your desired username:

    adduser exampleuser
    
  3. Add the user to the sudo group, which grants administrative privileges, by entering the following command. Replace exampleuser with your username:

    usermod -a -G sudo exampleuser
    
  4. Log out of your server as the root user by entering the following command:

    logout
    
  5. Log in to your server as the new user by entering the following command. Replace exampleuser with your username, and the example IP address with your server’s IP address:

    ssh exampleuser@123.456.78.90
    

Now you can administer your Linode with the new user account instead of root. When you need to execute superuser commands in the future, preface them with sudo.

Using SSH Key Pair Authentication

You can use password authentication to connect to your server via SSH, but there’s a more secure method available: key pair authentication. In this section, you’ll generate a public and private key pair using your desktop computer and then upload the public key to your server. SSH connections will be authenticated by matching the public key with the private key stored on your desktop computer - you won’t need to type your account password. When combined with the steps outlined later in this guide that disable password authentication entirely, key pair authentication can protect against brute-force password cracking attacks.

You may skip this section if you need to access your server from several different machines and devices, or if you want other developers or sysadmins to access this server with the password.

With SSH key pair authentication enabled and password authentication disabled (as described later in this guide), you can only log in from the specific devices of your choice. No other device can log in, even if you or an attacker knows the password of your server.

Here’s how to use SSH key pair authentication to connect to your Linode:

  1. Generate the SSH keys on a desktop computer running Linux or Mac OS X by entering the following command in a terminal window on your desktop/laptop computer. PuTTY users can generate the SSH keys by following the Windows-specific instructions in the Use Public Key Authentication with SSH Guide.

    ssh-keygen
    
  2. Once you have entered the ssh-keygen command, you will be asked a few more questions like the following:

    Enter file in which to save the key (~/.ssh/id_rsa):
    

You can press Enter here to save the file in the default location in your home directory.

    Enter passphrase (empty for no passphrase):

It's up to you whether you want to use a passphrase. Entering a passphrase does have its benefits: the security of a key, however strong, still depends on it not being visible to anyone else. Should a passphrase-protected private key fall into an unauthorized user's possession, they will be unable to log in to its associated accounts until they figure out the passphrase. The only downside to having a passphrase is having to type it in each time you use the key pair.

The public key is now located in ~/.ssh/id_rsa.pub. The private key (identification) is now located in ~/.ssh/id_rsa. Please note that you should never share your private key with others or upload it to the server. You only need to upload the public key to the server to authenticate your device to the server.

Copy the Public Key

Once the key pair is generated, it's time to place the public key on the virtual server that we want to use.

You can copy the public key into the new machine's authorized_keys file with the ssh-copy-id command. Make sure to replace the example username and IP address below.

    ssh-copy-id user@12.34.56.78

You should see something like:

    The authenticity of host '12.34.56.78 (12.34.56.78)' can't be established.
    RSA key fingerprint is b1:2d:33:67:ce:35:4d:5f:f3:a8:cd:c0:c4:48:86:12.
    Are you sure you want to continue connecting (yes/no)?

Type yes at the prompt and then press Enter.

Now you can go ahead and SSH into your server (ssh user@12.34.56.78). You won't be asked for a password because the server will recognize your machine's SSH key and log you in automatically.

Disabling SSH Password Authentication and Root Login

You just strengthened the security of your server by adding a new user and generating SSH keys. Now it’s time to make some changes to the default SSH configuration. First, you’ll disable password authentication to require all users connecting via SSH to use key authentication. Next, you’ll disable root login to prevent the root user from logging in via SSH. These steps are optional, but are strongly recommended.

Note: You may want to leave password authentication enabled if you connect to your server from many different desktop computers. That will allow you to authenticate with a password instead of copying the private key to every computer.

Here’s how to disable SSH password authentication and root login:

  1. Open the SSH configuration file for editing by entering the following command:

    sudo vi /etc/ssh/sshd_config
    
  2. Type i to enter edit mode. Change the PasswordAuthentication setting to no as shown below. Make sure the line is uncommented by removing the # in front of it, if there is one:

    PasswordAuthentication no
    
  3. Change the PermitRootLogin setting to no as shown below:

    PermitRootLogin no
    
  4. Save the changes to the SSH configuration file by pressing ESC and then typing :x (colon followed by x) and then pressing Enter.

  5. Restart the SSH service to load the new configuration. Enter the following command:

    sudo service ssh restart
    

After the SSH service restarts, the SSH configuration changes will be applied.
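A check for the edit described above, written for this guide as an added example (it is not part of the original instructions). It relies on the documented sshd_config rule that the first value obtained for a keyword is the one used, so a `PasswordAuthentication no` line added below an earlier `yes` has no effect. The function names and both sample files are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: report the value sshd would use for a global keyword.
# sshd_config(5): for each keyword, the first obtained value is used.

sshd_effective() {  # usage: sshd_effective KEYWORD FILE
  awk -v want="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
    /^[ \t]*(#|$)/ { next }                     # skip comments and blank lines
    tolower($1) == "match" { exit }             # global section ends at the first Match
    tolower($1) == want { print tolower($2); exit }   # first value wins
  ' "$2"
}

ssh_hardened() {  # returns 0 only if both settings resolve to "no"
  [ "$(sshd_effective PasswordAuthentication "$1")" = "no" ] &&
  [ "$(sshd_effective PermitRootLogin "$1")" = "no" ]
}

# Constructed sample files (not taken from a real server).
good_cfg=$(mktemp); bad_cfg=$(mktemp)
trap 'rm -f "$good_cfg" "$bad_cfg"' EXIT
cat > "$good_cfg" <<'EOF'
#PasswordAuthentication yes
PasswordAuthentication no
PermitRootLogin no
EOF
cat > "$bad_cfg" <<'EOF'
PasswordAuthentication yes
PermitRootLogin no
# added later by hand, but ignored because an earlier value exists
PasswordAuthentication no
EOF

for f in "$good_cfg" "$bad_cfg"; do
  if ssh_hardened "$f"; then
    echo "$f: password and root login disabled"
  else
    echo "$f: NOT hardened (PasswordAuthentication=$(sshd_effective PasswordAuthentication "$f"))"
  fi
done
```

On the server itself, `sudo sshd -t` validates the file before you restart the service, and `sudo sshd -T` prints the settings sshd will actually apply, including any included files this simplified parser does not follow.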

Creating a Firewall

Now it’s time to set up a firewall to limit and block unwanted inbound traffic to your server. This step is optional, but it is strongly recommended that you use the example below to block traffic to ports that are not commonly used. It’s a good way to deter would-be intruders! You can always modify the rules or disable the firewall later.

  1. Create a file to hold your firewall rules by entering the following command:

    sudo vi /etc/iptables.firewall.rules
    
  2. Type i to activate editing mode. Copy and paste the rules shown below:

    *filter
    
    
    #  Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
    -A INPUT -i lo -j ACCEPT
    -A INPUT -d 127.0.0.0/8 -j REJECT
    
    
    #  Accept all established inbound connections
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    
    
    #  Allow all outbound traffic - you can modify this to only allow certain traffic
    -A OUTPUT -j ACCEPT
    
    
    #  Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
    -A INPUT -p tcp --dport 80 -j ACCEPT
    -A INPUT -p tcp --dport 443 -j ACCEPT
    
    
    #  Allow SSH connections
    #
    #  The --dport number should be the same port number you set in sshd_config
    #
    -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
    
    
    #  Allow ping
    -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    
    
    #  Log iptables denied calls
    -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
    
    
    #  Drop all other inbound - default deny unless explicitly allowed policy
    -A INPUT -j DROP
    -A FORWARD -j DROP
    
    
    COMMIT
    
  3. Edit the rules as necessary. By default, the rules will allow traffic to the following services and ports: HTTP (80), HTTPS (443), SSH (22), and ping. All other ports will be blocked. Now save the changes to the file by pressing ESC, then typing :x and then pressing Enter.

  4. Now activate the firewall rules by entering the following command:

    sudo iptables-restore < /etc/iptables.firewall.rules
    
  5. Now you need to ensure that the firewall rules are activated every time you restart your server.

    Start by creating a new script with the following command:

    sudo vi /etc/network/if-pre-up.d/firewall
    

    Type i to activate edit mode, then copy and paste the following lines:

    #!/bin/sh
    /sbin/iptables-restore < /etc/iptables.firewall.rules
    

    Now save the script by pressing ESC, then typing :x, then pressing Enter.

    Set the script’s permissions by entering the following command:

    sudo chmod +x /etc/network/if-pre-up.d/firewall
    

That’s it! Your firewall rules are in place and protecting your server. Remember, you may need to edit the firewall rules later if you install other software or services that communicate on ports other than the ones allowed by your firewall.
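Before loading a rules file like the one above, it is worth confirming that the port sshd listens on is accepted ahead of the final DROP, since a mismatch locks you out of the server. The following added example (not part of the original guide) does that for a rules file in iptables-restore format. The function names are hypothetical, and the sample file is a shortened copy of the rules above with one constructed line placed after the DROP to show that order matters.

```bash
#!/usr/bin/env bash
# Added example: list the TCP ports a rules file accepts on INPUT before its
# catch-all DROP, and confirm that the SSH port is among them.

accepted_tcp_ports() {  # usage: accepted_tcp_ports RULES_FILE
  awk '
    /^[ \t]*-A INPUT -j (DROP|REJECT)[ \t]*$/ { exit }   # later INPUT rules never match
    $1 == "-A" && $2 == "INPUT" && /-p tcp/ && /-j ACCEPT/ {
      for (i = 1; i < NF; i++) if ($i == "--dport") print $(i + 1)
    }
  ' "$1"
}

ssh_port_allowed() {  # usage: ssh_port_allowed PORT RULES_FILE
  accepted_tcp_ports "$2" | grep -qx -- "$1"
}

# Constructed sample: the guide's rules, shortened, plus one misplaced rule.
rules=$(mktemp); trap 'rm -f "$rules"' EXIT
cat > "$rules" <<'EOF'
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A INPUT -j DROP
-A INPUT -p tcp --dport 2222 -j ACCEPT
COMMIT
EOF

for port in 22 2222; do
  if ssh_port_allowed "$port" "$rules"; then
    echo "port $port: accepted before the DROP rule"
  else
    echo "port $port: blocked, an sshd listening here would be unreachable"
  fi
done
```

To check the syntax of the real file without applying it, run `sudo iptables-restore --test < /etc/iptables.firewall.rules`.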

Installing and Configuring Fail2Ban

Fail2Ban is an application that prevents dictionary attacks on your server. When Fail2Ban detects multiple failed login attempts from the same IP address, it creates temporary firewall rules that block traffic from the attacker’s IP address. Attempted logins can be monitored on a variety of protocols, including SSH, HTTP, and SMTP. By default, Fail2Ban monitors SSH only.

Here’s how to install and configure Fail2Ban:

  1. Install Fail2Ban by entering the following command:

    sudo apt-get install fail2ban
    
  2. Optionally, you can override the default Fail2Ban configuration by creating a new jail.conf file. Enter the following command to create the file:

    sudo vi /etc/fail2ban/jail.conf
    
  3. Type i to start editing the file. Set the bantime variable to specify how long (in seconds) an IP address should be kept banned for failed login attempts.

  4. Set the maxretry variable to specify the default number of tries a connection may be attempted before an attacker’s IP address is banned.

  5. Press ESC, then type :x and press Enter to save the configuration file.

  6. Restart Fail2Ban for your configuration changes to take effect.

    sudo service fail2ban restart
    

Fail2Ban is now installed and running on your server. It will monitor your log files for failed login attempts. After an IP address has exceeded the maximum number of authentication attempts, it will be blocked at the network level and the event will be logged in /var/log/fail2ban.log.
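To see how maxretry shapes the ban decision, here is a simplified model of it run over sample log lines. This is an added example, not Fail2Ban's own code or part of the original guide. It also uses findtime, a real Fail2Ban setting the guide does not mention, which defines the time window in which failures are counted. The function name, the log lines and the addresses (documentation ranges) are constructed, and all entries are assumed to fall on the same day.

```bash
#!/usr/bin/env bash
# Added example: simplified model of Fail2Ban's ban decision for SSH.
# An address is banned once it has `maxretry` failures within `findtime` seconds.

ban_candidates() {  # usage: ban_candidates MAXRETRY FINDTIME LOGFILE
  awk -v maxretry="$1" -v findtime="$2" '
    / sshd\[[0-9]+\]: Failed password / {
      split($3, hms, ":")                       # syslog time HH:MM:SS
      t = hms[1] * 3600 + hms[2] * 60 + hms[3]
      ip = ""
      for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
      if (ip == "") next
      n[ip]++; ts[ip, n[ip]] = t
      c = 0                                     # failures inside the window ending now
      for (k = n[ip]; k >= 1 && t - ts[ip, k] <= findtime; k--) c++
      if (c >= maxretry && !(ip in banned)) { banned[ip] = 1; print ip }
    }
  ' "$3"
}

# Constructed auth.log excerpt (not from a real server).
log=$(mktemp); trap 'rm -f "$log"' EXIT
cat > "$log" <<'EOF'
Mar 10 06:25:01 vps sshd[1001]: Failed password for root from 203.0.113.5 port 40001 ssh2
Mar 10 06:25:03 vps sshd[1001]: Failed password for root from 203.0.113.5 port 40001 ssh2
Mar 10 06:25:04 vps sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Mar 10 06:30:00 vps sshd[1003]: Failed password for exampleuser from 198.51.100.7 port 50001 ssh2
Mar 10 06:50:00 vps sshd[1004]: Failed password for exampleuser from 198.51.100.7 port 50002 ssh2
Mar 10 07:10:00 vps sshd[1005]: Failed password for exampleuser from 198.51.100.7 port 50003 ssh2
Mar 10 07:10:05 vps sshd[1006]: Accepted publickey for exampleuser from 198.51.100.7 port 50004 ssh2
EOF

echo "maxretry=3 findtime=600:";  ban_candidates 3 600  "$log"
echo "maxretry=3 findtime=3600:"; ban_candidates 3 3600 "$log"
```

With a 600-second window only the rapid burst from 203.0.113.5 reaches three failures; the failures from 198.51.100.7, spaced 20 minutes apart, are counted together only when the window is widened to 3600 seconds.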

There are many other server hardening techniques to protect a server from unauthorized access, but those are out of the scope of this article. For most apps, these settings are sufficient to secure your server.
