Practical Web Programming

Monday, January 04, 2016

Basic Security Installs for Ubuntu

The original idea of this post was taken from My First 5 Minutes On A Server; Or, Essential Security for Linux Servers. As I build my server, I follow it, but some of its recommendations do not fit my requirements (for example, allowing SSH connections only from certain IPs, which locked me out on several occasions). This post is my own "concoction". It assumes that you already have a fresh server running with root as the only user.
  1. Login as root and set root password
    passwd
    
    It's always good to use a strong root password. I recommend Random Password Generator for this.
  2. Update Ubuntu
    apt-get update
    apt-get upgrade
    
  3. Install Fail2ban
    apt-get install fail2ban
    
    Fail2ban is a daemon that monitors login attempts to a server and blocks suspicious activity as it occurs. It’s well configured out of the box.
  4. Create the user and set up the user's folders
    useradd deploy
    mkdir /home/deploy
    mkdir /home/deploy/.ssh
    chmod 700 /home/deploy/.ssh
    
  5. Change the deploy user's login shell with the 'chsh' command. This makes sure the deploy user gets a more interactive shell (bash) instead of the default.
    sudo chsh -s /bin/bash deploy
    
  6. Require public key authentication for logging in
    vim /home/deploy/.ssh/authorized_keys
    
    Copy and paste the contents of id_rsa.pub from your local machine, plus any other public keys that should have access to this server, into /home/deploy/.ssh/authorized_keys. Save and close the file.
  7. Lock down authorized_keys file and change owner of user folder
    chmod 400 /home/deploy/.ssh/authorized_keys
    chown deploy:deploy /home/deploy -R
    
  8. Test the new user (deploy) in a new terminal window
    ssh deploy@<IP_OF_DROPLET>
    
  9. While connected as deploy, generate an SSH key pair. Its public key will be used when connecting to GitHub or Bitbucket
    ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
    
  10. Log out the user (deploy), close the terminal and go back to the terminal where you are logged in as root.
    exit
    
  11. Set the deploy user's password. This is the password sudo will prompt for
    passwd deploy
    
  12. Change default text editor to your preference (I like Vim)
    update-alternatives --config editor
    
  13. Comment all existing user/group grant lines
    visudo
    
    Add the following lines:
    root    ALL=(ALL:ALL) ALL
    deploy  ALL=(ALL:ALL) ALL
    
    This will grant sudo access to the deploy user when they enter the proper password.
  14. Set up a firewall to further secure the server using ufw.
    ufw allow 22
    ufw allow 80
    ufw allow 443
    ufw enable
    
  15. Enable automatic security updates
    apt-get install unattended-upgrades
    
    vim /etc/apt/apt.conf.d/10periodic
    
    Update the file to look like this:
    APT::Periodic::Update-Package-Lists "1";
    APT::Periodic::Download-Upgradeable-Packages "1";
    APT::Periodic::AutocleanInterval "7";
    APT::Periodic::Unattended-Upgrade "1";
    
    One more config file to edit:
    vim /etc/apt/apt.conf.d/50unattended-upgrades
    
    Update the file to look like the following. This enables security updates only:
    Unattended-Upgrade::Allowed-Origins {
            "Ubuntu lucid-security";
    //      "Ubuntu lucid-updates";
    };
    
    or
    Unattended-Upgrade::Allowed-Origins {
            "${distro_id}:${distro_codename}";
            "${distro_id}:${distro_codename}-security";
    //      "${distro_id}:${distro_codename}-updates";
    //      "${distro_id}:${distro_codename}-proposed";
    //      "${distro_id}:${distro_codename}-backports";
    };
    
  16. Restart server and you're done!
    reboot
    
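Once the steps above are done, a quick audit of the resulting state catches the mistakes that most often lock people out (wrong permissions or ownership on .ssh, a mangled authorized_keys, a missing sudoers line, periodic updates left off). The following is an added example and not part of the original post: POSIX shell functions that check the file modes, ownership, authorized_keys format, sudoers grant and APT periodic settings that the steps produce. It assumes GNU stat (standard on Ubuntu); paths and the user name are passed in as arguments.

```shell
#!/bin/sh
# Added audit helpers for the hardening steps above (not from the original post).
# Each function returns 0 when the check passes and 1 otherwise. Assumes GNU
# stat (Ubuntu); paths and the user name are passed in rather than hard-coded.

# mode_is PATH OCTAL  -- permission bits, e.g. 700 for .ssh, 400 for authorized_keys
mode_is() {
    [ "$(stat -c '%a' "$1" 2>/dev/null)" = "$2" ]
}

# owner_is PATH USER  -- ownership as left by 'chown deploy:deploy /home/deploy -R'
owner_is() {
    [ "$(stat -c '%U' "$1" 2>/dev/null)" = "$2" ]
}

# keys_ok FILE  -- every non-blank, non-comment line is an OpenSSH public key
# (type, base64 blob, optional comment); a pasted private key or stray text
# fails, which is the usual reason key login "mysteriously" stops working.
keys_ok() {
    ! grep -vE '^[[:space:]]*(#|$)' "$1" \
      | grep -vqE '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'
}

# sudoers_ok FILE USER  -- the grant line from step 13 is present for USER
sudoers_ok() {
    grep -qE "^$2[[:space:]]+ALL=\(ALL:ALL\)[[:space:]]+ALL[[:space:]]*\$" "$1"
}

# periodic_ok FILE  -- the APT::Periodic settings from step 15 are all enabled
periodic_ok() {
    for key in Update-Package-Lists Download-Upgradeable-Packages Unattended-Upgrade; do
        grep -qE "^APT::Periodic::$key[[:space:]]+\"1\";" "$1" || return 1
    done
    grep -qE '^APT::Periodic::AutocleanInterval[[:space:]]+"[0-9]+";' "$1"
}

# audit_home HOME USER  -- the .ssh layout produced by steps 4, 6 and 7
audit_home() {
    mode_is "$1/.ssh" 700 && mode_is "$1/.ssh/authorized_keys" 400 \
      && owner_is "$1" "$2" && owner_is "$1/.ssh/authorized_keys" "$2" \
      && keys_ok "$1/.ssh/authorized_keys"
}

# On the real server, as root, the full check reads:
#   audit_home /home/deploy deploy && sudoers_ok /etc/sudoers deploy \
#     && periodic_ok /etc/apt/apt.conf.d/10periodic && echo "hardening checks passed"
```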