Ubuntu 14.04

If you just logged in to a fresh installation of Ubuntu 14.04 (Trusty Tahr), there are a few steps you’ll want to take immediately to help secure your new server. The IP blocks used by the various VPS providers are constantly being scanned, and brute force attacks will begin even if you’re deploying the machine for the first time. In fact, a VPS I created with DigitalOcean today started receiving failed root login attempts just five minutes after creation.

Oct  5 17:51:12 ottsrv sshd[849]: Server listening on 0.0.0.0 port 22.
Oct  5 17:51:12 ottsrv sshd[849]: Server listening on :: port 22.
Oct  5 17:55:46 ottsrv sshd[1048]: Failed password for root from 103.23.244.22 port 46859 ssh2
Oct  5 17:55:46 ottsrv sshd[1048]: Received disconnect from 103.23.244.22: 11: Bye Bye [preauth]

User Accounts

Right away you’ll want to change the root password, create a new user account for yourself, and give that account the appropriate privileges. After this initial session, you should never log in as the root user again. Instead, you’ll be able to perform administrative tasks by preceding those commands with sudo.

Here the user being added is james. Just change that to your desired username.

adduser james

You’ll be prompted to set and confirm the user’s password. After that, you’ll be asked for additional information such as name and number. These are optional and can be skipped by hitting enter.

usermod -a -G sudo james

This adds the user to the sudo group so that they can run administrative commands without being root. If this user were already logged in, they would have to log out and back in before they could see the changes.

SSH Configuration

Now, the SSH configuration file can be updated to make our server less of a target. These changes are optional, but are strongly recommended to help secure your server.

nano /etc/ssh/sshd_config

By default, the SSH service (sshd) is listening on the default port, which is part of why the attacks mentioned earlier began so quickly. Changing the port sshd listens on won’t stop these attacks, but it should make them a lot less likely.

Update Port 22 to any number between 1025 and 65535. Make a note of the new port as you’ll need it later in this tutorial as well as for updating your own ssh client.

Port 40210

Since your user was added to the sudo group, you should no longer log in directly as root. Change PermitRootLogin yes to no to prevent root from being used to log in via ssh.

You can use AllowUsers to specify which users are permitted to use SSH. This parameter is probably not in your file, so add it to the end of your file as a new row.

AllowUsers james

You can add multiple users to the list by separating them with a space.

AllowUsers james snacks

If you experience delays of ten seconds or more when logging in, consider turning off UseDNS. Setting this to no disables most of the server-side lookups. If you later want to look up the host for a particular IP, the command nslookup can be used.

UseDNS no

All of these changes can be applied at once by using sed. You’ll just want to swap out the appropriate values in this example.

sed -i.bak -e "s/^Port 22/Port 40210/" \
  -e "s/^PermitRootLogin yes/PermitRootLogin no/" \
  -e "$ a\UseDNS no" \
  -e "$ a\AllowUsers james" /etc/ssh/sshd_config

Because there’s an extension specified after -i, we’re left with a backup of the original named sshd_config.bak.

Firewall

Use iptables to implement rules that can limit or block IPv4 traffic from reaching your server. If your server also uses IPv6, you’ll have to configure those rules separately using ip6tables.

List the existing rules to make sure they are empty.

iptables -L

If they’re empty, you’ll see three empty chains.

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

If the chains are not empty, and you’ve determined they’re unnecessary, you can clear them all out.

iptables -F

Rather than add the rules individually, we can save them all to a file.

nano /root/iptables.base

The rules below restrict incoming traffic to HTTP, HTTPS, and the new SSH port. If the SSH port here and the one in your sshd_config are not the same, you will lock yourself out. If you don’t plan on using HTTPS, that line should be omitted.

*filter
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 40210 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j DROP
-A FORWARD -j DROP
COMMIT
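A preflight check for the lockout warning above, added here as an example and not part of the original post: it reads the effective Port from an sshd_config, then confirms the rules file has an INPUT ACCEPT rule for that TCP port before you hand the file to iptables-restore. The file names and sample contents below are constructed for a stand-alone run.

```shell
#!/bin/sh
# Added example: verify that the port sshd will listen on is also the port the
# iptables rules file accepts, so loading the rules cannot lock you out.
# Assumes sshd_config uses the "Port N" form and the rules file is in
# iptables-save format like /root/iptables.base from the post.

# Print the effective sshd port: the last uncommented "Port N" line, or 22 if none.
sshd_port() {
  port=$(grep -Ei '^[[:space:]]*Port[[:space:]]+[0-9]+' "$1" | tail -n 1 | awk '{print $2}')
  echo "${port:-22}"
}

# Return 0 if rules file $1 has an INPUT rule accepting TCP destination port $2, else 1.
rules_accept_tcp_port() {
  grep -Eq -- "^-A INPUT .*-p tcp .*--dport $2( |$).*-j ACCEPT" "$1"
}

# Combined preflight: 0 when consistent, 1 when loading the rules would lock you out.
check_ssh_port_consistency() {
  p=$(sshd_port "$1")
  if rules_accept_tcp_port "$2" "$p"; then
    echo "ok: sshd port $p is accepted by $2"
    return 0
  fi
  echo "LOCKOUT RISK: sshd listens on $p but $2 has no INPUT ACCEPT rule for tcp/$p" >&2
  return 1
}

# Constructed sample inputs (not real files from the post's server).
tmp=$(mktemp -d)
printf 'Port 40210\nPermitRootLogin no\n' > "$tmp/sshd_config"
printf '*filter\n-A INPUT -p tcp -m state --state NEW --dport 40210 -j ACCEPT\n-A INPUT -j DROP\nCOMMIT\n' > "$tmp/good.rules"
printf '*filter\n-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT\n-A INPUT -j DROP\nCOMMIT\n' > "$tmp/stale.rules"

# Matching port: passes. Stale rules still opening tcp/22: flagged as a lockout risk.
check_ssh_port_consistency "$tmp/sshd_config" "$tmp/good.rules"
check_ssh_port_consistency "$tmp/sshd_config" "$tmp/stale.rules" || echo "(stale rules correctly rejected)"
```

On a real server, point the two arguments at /etc/ssh/sshd_config and /root/iptables.base and only run iptables-restore when the check returns 0.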

Now, load the rules.

iptables-restore < /root/iptables.base

Check that the rules were loaded using -L like before.

root@localhost:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             loopback/8           reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:40210
LOG        all  --  anywhere             anywhere             limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

The rules are in place, but right now they will be lost if the machine reboots. There’s a package that will take care of loading the rules after a reboot automatically.

apt-get install iptables-persistent

During the installation, you’ll want to choose yes when asked whether the existing rules should be saved. Your rules will now be saved to /etc/iptables/rules.v4 and /etc/iptables/rules.v6.

Final Steps

Do not close the existing root session until you have confirmed your access, to avoid locking yourself out.

Restart the SSH service to apply the changes made earlier.

service ssh restart

Open a new terminal and attempt to connect to your server with the new port and user. Once connected, test whether you have administrative permissions by attempting to update your package index.

sudo apt-get update

You will be prompted to enter your password. If you encounter an error message, you either entered the wrong password or your permissions aren’t right, and you’ll want to go back to your root session to correct them. Otherwise, lines should begin scrolling by as your package index is updated.

Upgrade any installed packages that have newer versions available.

apt-get -y upgrade

You now have an Ubuntu 14.04 server that’s much more secure and is running current packages. If you want to do more to secure your server, you can install fail2ban and replace password authentication with SSH keys. If you want to host a website, look into a LEMP or LAMP stack.
