Before I get going with too many tutorials, it might be a good idea to just step back and talk about the very first thing you should be doing from the start: securing your server!
Luckily this doesn't need to take a long time - we can secure things pretty quickly. Let's get started!
STEP 1 - Update your server
Depending on your Linux distribution, your install ISO/DVD could be months or even years old! Running updates on your server immediately will help get any vulnerable packages updated. We can do this in two lines:
sudo apt-get update
sudo apt-get upgrade
STEP 2 - Disable root access via SSH
If you've ever watched your SSH logs after starting up a server, you'll notice one thing very quickly: a lot of people are trying to access your server. The other thing you'll notice is 95% of them are trying to access it via the root user.
Let's disable the root login by editing the sshd_config file.
sudo nano /etc/ssh/sshd_config
Find the PermitRootLogin line and change it to "no":
STEP 3 - Change your SSH port
After Step 2, you'll notice your logs still are full of login attempts. Even though they can't get in as the root user, they'll still keep trying. Let's change the OpenSSH server to use a different port. Open the sshd_config file once more and edit the "Port" line to use an atypical number. For example:
Restart your SSH server in order to pickup the changes from Steps 2 and 3
sudo service ssh restart
STEP 3.5 - Use SSH Key-based Logins
While this is a great to do on public-facing production servers, it's really not necessary to need to be done on internal or development servers. If attackers can't log in as root or even figure out what port SSH is on, you're already avoiding 99.99% of attacks. If you're interested in setting up key-based logins, check out this article from Ubuntu.
STEP 4 - Enable your firewall
Most Linux distributions come with iptables by default. Iptables is a very powerful firewall but has quite a steep learning curve for those of us coming from a Windows Server background (don't hate!). While I plan on creating an iptables tutorial in the future, a much easier frontend for iptables is UFW.
sudo apt-get install ufw
UFW's context is very simple. The command is simply "ufw allow" followed by a port number. For example, this would open up traffic for an http server:
ufw allow 80
For popular protocols, you can use the protocol name to do the same thing:
ufw allow http
Make sure to allow the custom port number you gave your SSH server, otherwise you'll lock yourself out! After you have all the rules added, just enable the firewall:
If you ever need to see what rules are currently set, just run:
STEP 5 - Check for open ports
For some reason, I always seem to end up with services running that I have no idea how they ended up on my system. Maybe another package listed them as a dependency. Maybe it just came with the default install. Regardless, if a service is listening on a port, it leaves the door open for possible exploit.
We can see what ports currently have services listening on them by running a quick command:
sudo netstat -tulpn
Anything listening on 0.0.0.0:xxxx may be a problem. To fix, make sure your firewall is not allowing traffic to those ports through. Even better, uninstall the offending package by doing an
apt-get remove <package>
STEP 6 - Install Fail2Ban
Fail2Ban is a program that monitors the authentication logs of various programs. When too many attempts are detected, it blocks the source IP address. First, we'll need to install it:
sudo apt-get install fail2ban
To configure, open up the configuration file in a text editor, find the services you want to have it watch (for example, SSH), and then restart the service.
sudo nano /etc/fail2ban/jail.conf
[ssh] #service name enabled = true #set this to true to enable port = 5901 #change this to the port you set in step 3 filter = sshd logpath = /var/log/auth.log maxretry = 3 #set this to how many attempts are allowed
sudo service fail2ban restart
STEP 7 - Disable responding to pings
As lots of bots find your server by pinging, turning off pings is one way to help hide it (though this really only helps servers that you aren't driving the public to). To prevent ping responses:
sudo nano /etc/sysctl.conf
Insert the following into the file:
net.ipv4.icmp_echo_ignore_all = 1
Save the file and reload the service:
sudo sysctl -p
STEP 8 - Read your logs
This shouldn't come as any surprise but actually reading the logs can help give you a better idea of what threats you are facing. If you're getting a lot of invalid attempts coming in from IPs in a particular country, maybe download a geoip firewall tool to block a country. Things like that will help you adapt to threats as they come up.
If you've done the above steps, then you are off to a good start. Some of you will say "Chris, this is hardly enough and dangerous to run a server if this is all you do." Well you're right - these guidelines are really meant as a starting point. There are bunches of other things we can do, however a lot of the securing process is dependent on the server role and location (internal vs external facing). While this article may go a bit overboard, I would definitely recommend looking over some of the other things you can do to secure your server.
Got any other tips you think are mandatory? Let me know in the comments!