If you just logged in to a fresh installation of Ubuntu 14.04 (Trusty Tahr), there are a few steps you’ll want to take immediately to help secure your new server. The IP blocks used by the various VPS providers are constantly being scanned, and brute force attacks will begin even if you’re deploying the machine for the first time. In fact, a VPS I created with DigitalOcean today started receiving failed root login attempts just five minutes after creation.
Oct 5 17:51:12 ottsrv sshd: Server listening on 0.0.0.0 port 22. Oct 5 17:51:12 ottsrv sshd: Server listening on :: port 22. Oct 5 17:55:46 ottsrv sshd: Failed password for root from 220.127.116.11 port 46859 ssh2 Oct 5 17:55:46 ottsrv sshd: Received disconnect from 18.104.22.168: 11: Bye Bye [preauth]
Right away you’ll want to change the root password, create a new user account for yourself, and give that account the appropriate privileges. After this initial session, you should never log in as the root user again. Instead, you’ll be able to perform administrative tasks by preceding those commands with
Here the user being added is james. Just change that to your desired username.
You’ll be prompted to set and confirm the user’s password. After that, you’ll be asked for additional information such as name and number. These are optional and can be skipped by hitting enter.
usermod -a -G sudo james
This adds the user to the sudo group so that they can run administrative commands without being root. If this user were already logged in, they would have to log out and back in before they could see the changes.
Now, the SSH configuration file can be updated to make our server less of a target. These changes are optional, but are strongly recommended to help secure your server.
By default, the SSH service (sshd) is listening on the default port which is part of why the attacks mentioned earlier began so quickly. Changing the port sshd listens on won’t stop these attacks, but it should make them a lot less likely.
Port 22 to any number between 1025 and 65535. Make a note of the new port as you’ll need it later in this tutorial as well as for updating your own ssh client.
Since your user was added to the sudo group, you should no longer log in directly as root. Change
PermitRootLogin yes to no to prevent root from being used to log in via ssh.
You can use
AllowUsers to specify which users are permitted to use SSH. This parameter is probably not in your file, so add it to the end of your file as a new row.
You can add multiple users to the list by separating them with a space.
AllowUsers james snacks
If you experience delays of ten seconds or more when logging in, consider turning off
UseDNS. Setting this to no disables most of the server-side lookups. If you later want to look up the host for a particular IP, the command
nslookup can be used.
All of these changes can be applied at once by using
sed. You’ll just want to swap out the appropriate values in the this example.
sed -i.bak -e "s/^Port 22/Port 40210/" \ -e "s/^PermitRootLogin yes/PermitRootLogin no/" \ -e "$ a\UseDNS no" \ -e "$ a\AllowUsers james" /etc/ssh/sshd_config
Because there’s an extension specified after -i , we’re left with a backup of the original named ssh_config.bak.
iptables to implement rules that can limit or block IPv4 traffic from reaching your server. If your server also uses IPv6, you’ll have to configure those rules separately using
List the existing rules to make sure they are empty.
If they’re empty, you’ll see three empty chains.
Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination
If the chains are not empty, and you’ve determined they’re unnecessary, you can clear them all out.
Rather than add the rules individually, we can save them all to a file.
The rules below restrict incoming traffic to HTTP, HTTPS, and the new SSH port. If the SSH port here and the one in your sshd_config are not the same you will lock yourself out. If you don’t plan on using HTTPS the line should be omitted.
*filter -A INPUT -i lo -j ACCEPT -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A OUTPUT -j ACCEPT -A INPUT -p tcp --dport 80 -j ACCEPT -A INPUT -p tcp --dport 443 -j ACCEPT -A INPUT -p tcp -m state --state NEW --dport 40210 -j ACCEPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7 -A INPUT -j DROP -A FORWARD -j DROP COMMIT
Now, load the rules.
iptables-restore < /root/iptables.base
Check that the rules were loaded using -L like before.
root@localhost:~# iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- anywhere anywhere REJECT all -- anywhere loopback/8 reject-with icmp-port-unreachable ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT tcp -- anywhere anywhere tcp dpt:http ACCEPT tcp -- anywhere anywhere tcp dpt:https ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:40210 LOG all -- anywhere anywhere limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: " DROP all -- anywhere anywhere Chain FORWARD (policy ACCEPT) target prot opt source destination DROP all -- anywhere anywhere Chain OUTPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- anywhere anywhere
The rules are in place, but right now they will be lost if the machine reboots. There’s a package that will take care loading the rules after a reboot automatically.
apt-get install iptables-persistent
During the installation, you’ll want to choose yes when asked whether the existing rules should be saved. Your rules will now be saved to /etc/iptables/rules.v4 and /etc/iptables/rules.v6.
Do not close the existing root session until have confirmed your access to avoid locking yourself out.
Restart the SSH service to apply the changes made earlier.
service ssh restart
Open a new terminal and attempt to connect to your server with the new port and user. Once connected, test if you have administrative permissions by attempting to update our package index.
sudo apt-get update
You will be prompted to enter your password. If you encounter an error message you either entered the wrong password or your permissions aren’t right and you’ll want to go back to your root session to correct them. Otherwise, lines should begun scrolling by as your packages are updated.
Upgrade any installed packages that have newer versions available.
apt-get -y upgrade
You now have an Ubuntu 14.04 server that’s much more secure and is running current packages. If you want to do more to secure your server, you can install fail2ban and replace password authentication with SSH keys. If you want to host a website, look into a LEMP or LAMP stack.