After we installed ubuntu server on our machine we need to secure it in order to prevent hacker to access sensitive data on our server. Let’s presume the ip server is 192.168.1.1
First we need to login via ssh protocol in the machine from terminal (in Linux machines ) or via putty in Windows ( putty can be used from Linux as well ) , the default user we need to use to access the server is the admin user ( root )ssh email@example.com
default password ( if is a local machine than is the password we setup , if is a vps or physic server from a provider they has setup a default password for you )
Once we are logged in need to create a new user, in this way we will disable the root access via ssh, this for security reason, every hacker know the root user and the first attack they will try to launch is is from this user, so we need to disable it.
After this we need to answer some question including here also the password we need to use.
Now we created a new user and need to have root privileges
gpasswd -a john sudo
What we did was to include the john user to sudo group allowing root privileges
Now we need to make some changes on ssh configuration.
Need to make some changes like the following
Port 456789 (this port number is optional, we can choose any number we want if free port )
service ssh restart
What we did so far was to change the ssh port and to disallow the root user to login via ssh.
So if a attack will happened via ssh the default port ( 22 ) will be closed and so the attack will not take place, even if the attacker find the correct port he need to find the username as well because the root user is disabled via ssh.
After restarted the ssh service please open a new terminal and try to login with the new credentials
ssh -p 456789 firstname.lastname@example.org
We should be able to login into the server.
Also we can setup public key authentication increasing the server security.
First need to generate a key pair
Just hit enter during the process.
Now we need to install the key into our server, first we need to check our public key in our loca machine
Copy the result and login into the ubuntu server machine and pasting into the following file
After need to change the user permission so no one can modify the file, only the owner ( john ) can read.
The next step to secure the server is the firewall.
First we need to create some rules
Open 456789 ssh port in order to login
sudo ufw allow 456789/tcp
Open the default http webserver port
sudo ufw allow 80/tcp
Https if we need to enable ssl/tls
sudo ufw allow 443/tcp
Smtp for sending email
sudo ufw allow 25/tcp
Next we can enable the firewall with the following command
sudo ufw enable
In this way we will allow only certain ports open, the rest will remain closed until we will need them.
What if our machine is attacked with brute force or via bad bots?
We need to implement another service called fail2ban or deny2host.
Fail2ban interact with the server firewall creating automatically firewall rules.
First we need to install it
sudo apt-get update && sudo apt-get install fail2ban
Copy the conf file to another file
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Now we need to work on the .local file in order to secure our server.
sudo nano /etc/fail2ban/jail.local
Please change the following lines
ignoreip = 127.0.0.1/8 (here we can add our public ip so fail2ban will whitelist us )
bantime = 600 (the time per seconds an ip is banned if security rules broken )
The next step is to enable for every specific service the fail2ban monitoring tool.
[nginx-http-auth] → ( nginx httpd authentication service)
enabled = true → ( enabled, this service is currently monitored from fail2ban)
filter = nginx-http-auth → ( fail2ban filters )
port = http,https → ( what port fail2ban should check , in this case are 80, 443 )
logpath = /var/log/nginx/error.log ( here fail2ban check the logs and if 1ip make a lot of unusual request fail2ban will create an ip rule in order to ban the ip for the amount of time we setup )
In this way we can setup for every service we use fail2ban so can add firewall rules automatically.
So far we have build a secure ubuntu server, but we can do more in this area.
Another way to secure our server is from our web server, opening the web via 443 port ( https ) is more secure.
In order to do so we need to install first openssl.
sudo apt-get install openssl
Generate key for the csr certificate
openssl genrsa -des3 -out server.key 2048
Please check the displayed questions and answer in the correct way. Now we have the crt file and the key as well. According to the webserver we will use, apache or nginx we need to make the proper configuration for the certificate.
In this way the web connection with the server will be secured.
In order to secure every aspect of the server we should not use ftp protocol, this protocol will transmit data via internet in a non secure way, instead we can use vsftpd of ftp with tls connection securing our data transmition.
No metter how secure is the server we always should take a backup of the server + data somewhere else, so if something happens we will always have a backup.
Prevent IP Spoofing
sudo vi /etc/host.conf
Add the following lines
sudo vi /etc/php5/apache2/php.ini
add or edit the following lines
disable_functions = exec,system,shell_exec,passthru
register_globals = Off
expose_php = Off
display_errors = Off
track_errors = Off
html_errors = Off
magic_quotes_gpc = Off
Install a daemon in order to keep an eye on the server logs. For this purpose we will install logwatch package.
apt-get install logwatch
We will add this line in order to receive reports daily mail
/usr/sbin/logwatch --output mail --mailto email@example.com --detail high
Another tool for monitoring the server is Clamav for scanning the server from viruses.
sudo apt-get install clamav clamav-daemon
Update the clamav virus databases
After finished we can take a look on our server by running this command
clamscan -r --bell -i /
This will display only infected files. Also we can make a cron job for this purpose in order to check periodically the logs
00 00 * * * clamscan -r /location_of_files_or_folder
In this way we will have a better view of our server security.
Some other tricks to secure the ubuntu server can be the following:
– Allow mysql connection only from our localhost ( our server )
– Permit only one user to login via ssh, disable the multi user access on the server
Also we can add some more configuration preventing bad routing and malformed ip.
sudo nano /etc/sysctl.conf
IP Spoofing protection
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1
Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
Ignore send redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
Block SYN attacks
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
Ignore Directed pings
net.ipv4.icmp_echo_ignore_all = 1
After we need to reload the syscti service
sudo sysctl -p
We can install chkrootkit as well in order to check for rootkit
sudo apt-get install rkhunter chkrootkit
In order to update the chkrootkit
sudo rkhunter –update
sudo rkhunter --propupd
sudo rkhunter –check
Tiger can be another choice for monitoring and audit securing the system
sudo apt-get install tiger
After we can check the tiger reports from this command
sudo less /var/log/tiger/security.report.*