After installing Ubuntu Server on our machine we need to secure it, to prevent attackers from accessing sensitive data on the server. Let's presume the server IP is 192.168.1.1.
First we log in to the machine over SSH, from a terminal on Linux or via PuTTY on Windows (PuTTY can be used from Linux as well). The default user for accessing the server is the administrator account (root), with the default password (on a local machine this is the password we set during installation; on a VPS or physical server from a provider, the provider has set a default password for us).
Once logged in we need to create a new user, because afterwards we will disable root access via SSH. This is for security reasons: every attacker knows the root username, and the first attack they will try is against this account, so we need to disable it.
Creating the user prompts for a few details, including the password we want to use.
Now that the new user exists, it needs root privileges:
[code]gpasswd -a john sudo[/code]
This adds the user john to the sudo group, granting root privileges through sudo.
Now we need to make some changes to the SSH daemon configuration (/etc/ssh/sshd_config), as follows:
[code]PermitRootLogin no
Port 456789[/code]
(The port number is optional; we can choose any number we want, as long as the port is free.)
Then restart the SSH service:
[code]service ssh restart[/code]
So far we have changed the SSH port and disallowed the root user from logging in via SSH.
So if an attack arrives over SSH, the default port (22) is closed and the attack does not reach the service; even if the attacker finds the correct port, he also needs to find a valid username, because root login over SSH is disabled.
After restarting the SSH service, open a new terminal and try to log in with the new credentials:
[code]ssh -p 456789 john@192.168.1.1[/code]
We should be able to log in to the server.
We can also set up public key authentication, which further increases the server's security.
First we generate a key pair on our local machine; just hit Enter at each prompt to accept the defaults.
Now we need to install the key on the server. First we display our public key on the local machine,
copy the output, log in to the Ubuntu server and paste it into the user's authorized keys file.
Afterwards we change the file permissions so nobody else can modify it; only the owner (john) can read it.
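The key installation above, as an added shell helper that is not part of the original post: it writes a public key into `~/.ssh/authorized_keys`, applies the permissions sshd's StrictModes requires (700 on the directory, 600 on the file), refuses malformed lines and skips keys that are already present. The home directory is a parameter and the sample key is constructed, not a real key; `stat -c` is the GNU coreutils form.

```shell
#!/bin/sh
# Added example (not from the original post). Installs one public key for a user.

# constructed sample key line (not real key material)
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialNotARealKey john@laptop'

install_pubkey() {
    # $1 = user's home directory, $2 = one public key line: "type base64 [comment]"
    home=$1; key=$2
    # accept only a plausible key line (type followed by key material)
    case $key in
        "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-nistp256 "*) ;;
        *) echo "refusing malformed key line" >&2; return 1 ;;
    esac
    mkdir -p "$home/.ssh" || return 1
    chmod 700 "$home/.ssh"             # sshd ignores the dir if group/world-writable
    auth="$home/.ssh/authorized_keys"
    touch "$auth" && chmod 600 "$auth" || return 1
    # compare type + key material only, so a different comment is not a new entry
    material=$(printf '%s\n' "$key" | awk '{print $1, $2}')
    if awk '{print $1, $2}' "$auth" | grep -qxF "$material"; then
        return 0                       # already installed: idempotent
    fi
    printf '%s\n' "$key" >> "$auth"
}

count_keys() {
    # number of key lines installed under the given home directory
    if [ -f "$1/.ssh/authorized_keys" ]; then
        grep -c -e '^ssh-' -e '^ecdsa-' "$1/.ssh/authorized_keys" || true
    else
        echo 0
    fi
}

perms_ok() {
    # succeeds when .ssh is 700 and authorized_keys is 600 (GNU stat)
    [ "$(stat -c %a "$1/.ssh")" = 700 ] &&
    [ "$(stat -c %a "$1/.ssh/authorized_keys")" = 600 ]
}
```

The directory, not only the file, must be owner-only, and the home directory itself must not be group- or world-writable, otherwise sshd silently ignores the key and falls back to password prompts.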
The next step in securing the server is the firewall.
First we need to create some rules.
Open the SSH port 456789 so we can log in:
[code]sudo ufw allow 456789/tcp[/code]
Open the default HTTP web server port:
[code]sudo ufw allow 80/tcp[/code]
HTTPS, if we need to enable SSL/TLS:
[code]sudo ufw allow 443/tcp[/code]
SMTP for sending email:
[code]sudo ufw allow 25/tcp[/code]
Next we enable the firewall with the following command:
[code]sudo ufw enable[/code]
This way only the required ports are open; the rest remain closed until we need them.
What if our machine is attacked by brute force or by bad bots?
We need another service such as fail2ban or DenyHosts.
Fail2ban interacts with the server firewall, creating firewall rules automatically.
First we install it:
[code]sudo apt-get update && sudo apt-get install fail2ban[/code]
Copy the configuration file to a local override file, so our changes survive package upgrades:
[code]sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local[/code]
Now we edit the .local file to secure our server:
[code]sudo nano /etc/fail2ban/jail.local[/code]
Please change the following lines:
[code]ignoreip = 127.0.0.1/8
bantime = 600[/code]
In ignoreip we can add our own public IP so fail2ban whitelists us; bantime is the time in seconds an IP stays banned after breaking the rules.
The next step is to enable fail2ban monitoring for each specific service.
[code][nginx-http-auth]
enabled = true
filter = nginx-http-auth
port = http,https
logpath = /var/log/nginx/error.log[/code]
[nginx-http-auth] is the jail for the nginx HTTP authentication service; enabled = true means this service is monitored by fail2ban; filter selects the fail2ban filter to apply; port lists the ports fail2ban should act on (here 80 and 443); logpath is the log fail2ban reads, and if one IP makes a lot of unusual requests fail2ban creates a firewall rule banning that IP for the time we configured.
This way we can configure fail2ban for every service we use, so it adds firewall rules automatically.
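The detection a fail2ban sshd jail performs, as an added shell example that is not fail2ban's own code: it counts failed password attempts per source address over constructed auth.log lines, skips addresses in an ignore list (exact addresses here; fail2ban's ignoreip also accepts CIDR ranges like the 127.0.0.1/8 above) and lists the addresses a jail with the given maxretry would ban. The log lines and IP addresses are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): what a fail2ban sshd jail counts.

# constructed auth.log lines: one brute-force source, one legitimate user with a typo,
# one single probe from a third address
SAMPLE_AUTH_LOG='Jan 10 10:00:01 srv sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 10 10:00:03 srv sshd[1202]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jan 10 10:00:05 srv sshd[1203]: Failed password for invalid user test from 203.0.113.5 port 51250 ssh2
Jan 10 10:00:09 srv sshd[1204]: Accepted publickey for john from 192.168.1.50 port 40000 ssh2
Jan 10 10:00:11 srv sshd[1205]: Failed password for john from 192.168.1.50 port 40002 ssh2
Jan 10 10:00:20 srv sshd[1206]: Invalid user oracle from 198.51.100.7 port 2222
Jan 10 10:00:21 srv sshd[1207]: Failed password for invalid user oracle from 198.51.100.7 port 2222 ssh2
Jan 10 10:00:25 srv sshd[1208]: Failed password for invalid user admin from 203.0.113.5 port 51260 ssh2'

brute_force_sources() {
    # $1 = maxretry (report when failures >= this), $2 = space-separated IPs to ignore
    # reads log lines on stdin; prints "count ip" for each offending IP, worst first
    awk -v maxretry="$1" -v ignore="$2" '
        BEGIN { n = split(ignore, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        # count only real authentication failures; an "Invalid user" line alone
        # is followed by its own "Failed password" line, so it is not counted twice
        /sshd\[[0-9]+\]: Failed password for/ {
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (ip != "" && !(ip in skip)) fails[ip]++
        }
        END { for (ip in fails) if (fails[ip] >= maxretry) print fails[ip], ip }
    ' | sort -rn
}
```

Because the SSH port was changed above, the [sshd] jail's port setting must name the new port rather than the default ssh, otherwise the ban rule fail2ban inserts covers port 22 only.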
So far we have built a reasonably secure Ubuntu server, but we can do more in this area.
Another way to secure our server is at the web server: serving the site over port 443 (HTTPS) is more secure.
To do so we first need to install OpenSSL:
[code]sudo apt-get install openssl[/code]
Generate the private key for the CSR:
[code]openssl genrsa -des3 -out server.key 2048[/code]
Read the displayed questions and answer them correctly. Now we have the CRT file and the key. Depending on the web server we use, Apache or nginx, we configure the certificate accordingly.
This way the web connection to the server is secured.
To secure every aspect of the server we should not use the plain FTP protocol, which transmits data over the internet unencrypted; instead we can use vsftpd with FTP over TLS, securing our data transmission.
No matter how secure the server is, we should always keep a backup of the server and its data somewhere else, so if something happens we can restore it.
Prevent IP spoofing
[code]sudo vi /etc/host.conf[/code]
Add the following lines
Next, harden the PHP configuration:
[code]sudo vi /etc/php5/apache2/php.ini[/code]
Add or edit the following lines:
[code]
disable_functions = exec,system,shell_exec,passthru
register_globals = Off
expose_php = Off
display_errors = Off
track_errors = Off
html_errors = Off
magic_quotes_gpc = Off[/code]
Install a daemon to keep an eye on the server logs. For this purpose we install the logwatch package:
[code]apt-get install logwatch[/code]
We add this line (for example to a daily cron job) to receive the reports by mail:
[code]/usr/sbin/logwatch --output mail --mailto email@example.com --detail high[/code]
Another tool for monitoring the server is ClamAV, which scans the server for viruses:
[code]sudo apt-get install clamav clamav-daemon[/code]
Update the ClamAV virus database.
When it finishes, we can take a look at our server by running this command:
[code]clamscan -r --bell -i /[/code]
This displays only infected files. We can also create a cron job to run the check periodically:
[code]00 00 * * * clamscan -r /location_of_files_or_folder[/code]
This way we get a better view of our server's security.
Some other tricks to secure the Ubuntu server are the following:
– Allow MySQL connections only from localhost (our server)
– Permit only one user to log in via SSH; disable multi-user access on the server
We can also add some more configuration to prevent bad routing and malformed IP packets.
[code]sudo nano /etc/sysctl.conf[/code]
IP Spoofing protection
[code]net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1[/code]
Ignore ICMP broadcast requests
[code]net.ipv4.icmp_echo_ignore_broadcasts = 1[/code]
Disable source packet routing
[code]net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0 [/code]
Disable sending redirects
[code]net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0[/code]
Block SYN attacks
[code]net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5[/code]
Log martian packets and ignore bogus ICMP error responses
[code]net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1[/code]
Ignore ICMP redirects
[code]net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0[/code]
Ignore directed pings
[code]net.ipv4.icmp_echo_ignore_all = 1[/code]
Afterwards we need to reload the sysctl settings:
[code]sudo sysctl -p[/code]
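To confirm the settings above actually took effect, an added shell check that is not part of the original post: it reads each key's live value from the /proc/sys tree (the kernel's view, which `sysctl -p` writes to) and reports any drift from the expected list, covering a subset of the keys above. The tree root is a parameter so the function can be exercised against a constructed directory; on a real server call it with no argument as root.

```shell
#!/bin/sh
# Added example (not from the original post): detect drift from the hardening values.

# expected values, one "key value" per line, taken from the sysctl.conf settings above
EXPECTED_SYSCTL='net.ipv4.conf.all.rp_filter 1
net.ipv4.conf.default.rp_filter 1
net.ipv4.icmp_echo_ignore_broadcasts 1
net.ipv4.conf.all.accept_source_route 0
net.ipv4.conf.default.accept_source_route 0
net.ipv4.conf.all.send_redirects 0
net.ipv4.conf.default.send_redirects 0
net.ipv4.tcp_syncookies 1
net.ipv4.conf.all.log_martians 1
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.default.accept_redirects 0'

sysctl_drift() {
    # $1 = root of the sysctl tree (default /proc/sys); reads "key value" lines on stdin
    # prints "key expected actual" for every mismatch; actual is "missing" if unreadable
    root=${1:-/proc/sys}
    while read -r key want; do
        [ -n "$key" ] || continue
        # net.ipv4.tcp_syncookies -> $root/net/ipv4/tcp_syncookies
        path="$root/$(printf '%s' "$key" | tr . /)"
        if [ -r "$path" ]; then have=$(cat "$path"); else have=missing; fi
        [ "$have" = "$want" ] || echo "$key $want $have"
    done
}

check_hardening() {
    # $1 = optional tree root; returns 0 when every key matches, else prints drift, returns 1
    drift=$(printf '%s\n' "$EXPECTED_SYSCTL" | sysctl_drift "$1")
    [ -z "$drift" ] && return 0
    printf '%s\n' "$drift"
    return 1
}
```

A key reported as missing usually means the module or protocol (for example IPv6) is not loaded, so the corresponding line in sysctl.conf is silently ignored by `sysctl -p`.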
We can also install chkrootkit and rkhunter to check for rootkits:
[code]sudo apt-get install rkhunter chkrootkit[/code]
To update rkhunter's database, record the current file properties and run a check:
[code]sudo rkhunter --update
sudo rkhunter --propupd
sudo rkhunter --check[/code]
Tiger is another choice for monitoring and auditing the security of the system:
[code]sudo apt-get install tiger[/code]
Afterwards we can read the Tiger reports with this command:
[code]sudo less /var/log/tiger/security.report.*[/code]