[GUIDE] Basic steps to secure your Ubuntu / Debian server - Page 2

Comments

  • MonsteR Member
    edited January 2014

    My script basically does this, and a lot more, to secure servers, but only CentOS-based at the moment. Considering making it for Ubuntu/Debian.
    http://lowendtalk.com/discussion/20033/script-autosecure-for-cpanel-auto-harden-cpanel

  • @sleddog said:
    I always firewall the ssh port. Even if you have a dynamic IP, your ISP works within a limited range, so you can allow that range (or ranges, like me). You can setup a basic, static iptables firewall with a few config files without a full-fledged solution like CSF.

    I do the same on my home server (white list a few IP addresses or a range), but my VPS runs CSF with SSH open to everyone.

    One thing I would recommend is using the AllowUsers directive when configuring sshd. Stops logging in as root dead in its tracks even if you have PermitRootLogin set to yes and root isn't set in AllowUsers.

  • Why no CSF? CSF is one of the best firewalls I have ever used...

  • painfreepc Member
    edited January 2014

    @ATHK said:
    Why no CSF? CSF is one of the best firewalls I have ever used...

    I use it, love the country blocking, directory watch and the connection tracking.

  • drserver Member, Host Rep

    I have selected DenyHosts, as this app can share random attack data. You will automatically block all known botnets, etc.

    I have no preference between DenyHosts and fail2ban.

    Both are doing a great job.

    As for the higher port, it is enough to move ssh to anything different from port 22.
    It will harden things up.

    Remember that this is only a basic tutorial, and I am inviting everyone to extend it.

  • nfn Veteran
    edited January 2014

    I use some additional measures:

    1st: Allow access only to your country (can be changed to GeoIP city)
    http://ts1-en.blogspot.com/2009/06/ssh-access-control-with-geoip.html

    2nd: Email when someone logs in through ssh: http://askubuntu.com/questions/179889/how-do-i-set-up-an-email-alert-when-a-ssh-login-is-successful

    3rd: Email when the VPS starts/reboots
    http://thepoch.com/tumblr/be-emailed-when-your-linux-server-starts-up-or-shuts.html

    Note: for Debian you must change the headers to:

    #!/bin/bash
    
    ### BEGIN INIT INFO
    # Provides:          emailstartstop
    # Required-Start:    $syslog
    # Required-Stop:     $syslog
    # Default-Start:     2 3 4 5
    # Default-Stop:      0 1 6
    # Short-Description: emailstartstop init
    # Description:       Send an email on server startup and shutdown.
    #
    ### END INIT INFO
    
  • TIL there's a $SSH_CONNECTION variable in bash.

  • https://library.linode.com/securing-your-server

    I just disable password login & enforce fail2ban most of the time

  • CharlesA Member
    edited January 2014

    @nfn said:
    I use some additional measures:

    1st: Allow access only to your country (can be changed to geoip city)
    http://ts1-en.blogspot.com/2009/06/ssh-access-control-with-geoip.html

    2nd: Email when someone logs in through ssh: http://askubuntu.com/questions/179889/how-do-i-set-up-an-email-alert-when-a-ssh-login-is-successful

    CSF can do #1 and #2. You'd need to do #3 manually, or set up uptime monitoring if you want real metrics on the server.

  • nfn Veteran
    edited January 2014

    @CharlesA said:
    CSF can do #1 and #2. You'd need to do #3 manually, or set up uptime monitoring if you want real metrics on the server.

    Not everyone uses CSF ...

    1. I think CSF blocks all ports. With hosts.deny/allow you can block by service.

    2. I think LFD is the one that sends email. I don't use LFD.

  • nocom Member
    edited January 2014

    100% ssh security

    /etc/init.d/dropbear stop

    howto start ssh

    reboot server

    also

    chmod 000 /usr/bin/cc
    chmod 000 /usr/bin/gcc

    Drop incoming connections if an IP makes more than 10 connection attempts to port 80 within 100 seconds (add these rules to your iptables shell script):

    IPT=/sbin/iptables

    # Max connection window in seconds (named WINDOW rather than SECONDS,
    # because SECONDS is a bash builtin counter that keeps ticking after you assign it)
    WINDOW=100

    # Max connections per IP within the window
    BLOCKCOUNT=10

    ....

    ..

    # default action can be DROP or REJECT
    DACTION="DROP"

    # Both rules use -I, so the second one ends up first in the chain: each new
    # connection is checked against the hit count before the address is recorded.
    $IPT -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set
    $IPT -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --seconds ${WINDOW} --hitcount ${BLOCKCOUNT} -j ${DACTION}

    ---------- Lighttpd: limit all connections

    server.kbytes-per-second=1024

    ---------- Set limit to 64 kbyte/s for each single connection per IP:

    connection.kbytes-per-second=64

  • @nocom said:
    100% ssh security

    chmod 000 /usr/bin/cc
    chmod 000 /usr/bin/gcc

    I can understand dropping traffic after a certain number of hits, but what purpose does it serve to remove all permissions from cc and gcc?

  • to disable compiler

  • @nocom said:
    to disable compiler

    For what? Why not generate keys & allow only your country?

  • 0xdragon Member
    edited January 2014

    @nocom said:
    to disable compiler

    AFAIK - If someone has access to a user, they can generally bring along their own packaged compiler and use the existing libraries on the system :)

    It's kinda pointless.

  • fly Member
    edited January 2014

    you need port knocking http://www.portknocking.org/

    and fail2ban

  • nocom Member
    edited January 2014

    Agree, it's kinda pointless.

  • darkshire said:

    Fail2ban is far more powerful and can be used for other listening services other than just ssh.

    Both suck in the sense they use python and therefore use more resources.

    Check out sshguard.

    Fail2ban uses like 3MB on my VPS. It's worth it.

    I imagine sshguard uses <1MB of RAM since it is coded in C. But it does not allow you to specify custom "attack signatures" i.e. custom regex patterns. You can do that with fail2ban.

    said:

    1) Update and upgrade apt and your packages

    apt-get update && apt-get upgrade

    By doing this regularly you will always have up to date packages and current fixes.

    Install apticron and unattended-upgrades. The former tells you when new updates are available and the latter does the upgrades automatically:

    apt-get install apticron unattended-upgrades

  • drserver Member, Host Rep

    Well, I will put all those together and make a tutorial on how to build a bulletproof, unbreakable fortress of your LEB.

  • howardsl2 Member
    edited January 2014

    Just want to add my $.02. I posted this in an older thread.

    I wrote a script to check that IPTables is running with the correct rules every 5 minutes. It has the following components:

    1. Somewhere in your IPTables rules, add this:
    -A INPUT -m comment --comment "CHECKME"
    OR
    -A INPUT -m recent --set --name CHECKME

    2. Create a script /root/check_iptables.sh

    #!/bin/bash
    # Refresh the timestamp only while the sentinel rule is still loaded;
    # Monit (step 5) reloads the rules once the timestamp goes stale.
    if /sbin/iptables -n -L | grep -q "CHECKME"; then
      touch /var/run/ipt_timestamp
    fi
    

    3. Create a cron job /etc/cron.d/check_iptables

    */5 * * * * root /root/check_iptables.sh &>/dev/null
    

    4. Create a script /root/iptablesload.sh

    #!/bin/sh
    /sbin/iptables-restore < /etc/iptables.rules
    exit 0
    

    5. Install Monit (e.g. apt-get install monit, yum install monit), and modify its config file.
    Here's part of my /etc/monit/monitrc for your reference. This is for Ubuntu. More Monit examples are here:
    http://mmonit.com/wiki/Monit/ConfigurationExamples

      set daemon 120             # check services at 2-minute intervals
        with start delay 360     # optional: delay the first check by 6-minutes
    
      set logfile /var/log/monit.log
    
      set idfile /var/lib/monit/id
    
      set statefile /var/lib/monit/state
    
      # Be sure to configure your VPS to be able to send emails (127.0.0.1:25)
      # Or you can specify another mailserver. Please refer to: 
      # http://mmonit.com/monit/documentation/monit.html#setting_a_mail_server_for_alert_messages
    
      set mailserver localhost  
    
      set eventqueue
          basedir /var/lib/monit/events # set the base directory where events will be stored
          slots 1000                    # optionally limit the queue size
    
      set alert YOUR_EMAIL_ADDRESS_HERE but not on { action, instance, uid, pid, ppid }
    
      set httpd port 2812 and
          use address localhost     # only accept connection from localhost
          allow localhost           # allow localhost to connect to the server and
          allow admin:password      # require user 'admin' with password 'password'
    
      ... More rules here ...
    
      # This is the relevant rule!
      check file iptables-ts with path /var/run/ipt_timestamp
        if timestamp > 6 minutes then exec "/root/iptablesload.sh"
        if timestamp > 6 minutes for 2 cycles then alert
    

    And you are done.

    For more IPTables security tips, check out my tech blog article. You can ignore the Asterisk section.
    https://blog.ls20.com/securing-your-asterisk-voip-server-with-iptables/
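
An added example, not howardsl2's script: it folds steps 2 and 4 into one cron-driven watchdog, so the saved rules are reloaded even on a box without Monit. It assumes the sentinel comment CHECKME from step 1 and the saved ruleset at /etc/iptables.rules from step 4; the script name iptables_watchdog.sh and the "run" argument are my choices.

```shell
#!/bin/sh
# Added example (not howardsl2's script): cron-driven watchdog that combines
# the sentinel check (step 2) with the rule reload (step 4).
# Assumptions: the sentinel rule carries the comment "CHECKME" and the saved
# ruleset lives at /etc/iptables.rules. Override via environment if needed.
IPTABLES="${IPTABLES:-/sbin/iptables}"
IPTABLES_RESTORE="${IPTABLES_RESTORE:-/sbin/iptables-restore}"
RULES_FILE="${RULES_FILE:-/etc/iptables.rules}"
STAMP="${STAMP:-/var/run/ipt_timestamp}"
SENTINEL="${SENTINEL:-CHECKME}"

# has_sentinel LISTING: succeeds if the iptables listing contains the sentinel
# (iptables -n -L renders "-m comment --comment CHECKME" as "/* CHECKME */").
has_sentinel() {
    printf '%s\n' "$1" | grep -q -- "$SENTINEL"
}

# check_rules: prints "ok" and refreshes the timestamp when the sentinel is
# present; otherwise reloads the saved ruleset and prints "restored", or
# prints "failed" and returns 1 so cron mails the failure to root.
check_rules() {
    listing=$("$IPTABLES" -n -L 2>/dev/null) || listing=""
    if has_sentinel "$listing"; then
        touch "$STAMP"
        echo ok
        return 0
    fi
    if "$IPTABLES_RESTORE" < "$RULES_FILE"; then
        touch "$STAMP"
        echo restored
        return 0
    fi
    echo failed
    return 1
}

# Run the check only when invoked with "run" (as from cron), so the file can
# also be sourced for testing without touching the live firewall.
if [ "$1" = run ]; then
    check_rules
fi
```

Install it with `*/5 * * * * root /root/iptables_watchdog.sh run` in /etc/cron.d to replace steps 2 and 3.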

  • Neoon Community Contributor, Veteran
    edited January 2014

    The best thing is that the ssh login message also works when a provider enters your container. That would look like this:

    So you can tell them to get the fuck out of my container <3

    Some hosts do this (I would go away if I were you).


    BTW I used: http://www.crucialp.com/resources/tutorials/secure-server-securing/email-alert-root-ssh-login-e-mail.php with postfix and mailutils.

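An added example, not from any poster in this thread, of the ssh login alert described in nfn's 2nd item and in the link Neoon used, built on the $SSH_CONNECTION variable mentioned earlier. It assumes a local MTA with the mail(1) command installed (postfix and mailutils, as Neoon used); the recipient ALERT_TO is a placeholder, and installing the file as /etc/ssh/sshrc is my choice.

```shell
#!/bin/sh
# Added example, not from the thread: an /etc/ssh/sshrc hook that mails an
# alert on every successful SSH login. sshd runs this file with /bin/sh after
# authentication and exports SSH_CONNECTION as
# "client_ip client_port server_ip server_port".
# Assumptions: a local MTA plus mail(1); ALERT_TO is a placeholder address.
ALERT_TO="${ALERT_TO:-root@localhost}"

# client_ip CONNECTION: prints the client address from an SSH_CONNECTION
# string, or "unknown" when the value is empty or malformed.
client_ip() {
    # word splitting on spaces is intended here
    set -- $1
    if [ "$#" -eq 4 ]; then
        printf '%s\n' "$1"
    else
        printf 'unknown\n'
    fi
}

# build_alert USER CONNECTION: prints the one-line alert body.
build_alert() {
    printf 'SSH login: user=%s from=%s host=%s at=%s\n' \
        "$1" "$(client_ip "$2")" "$(uname -n)" "$(date -u '+%Y-%m-%dT%H:%M:%SZ')"
}

# Send the alert only inside a real sshd session (SSH_CONNECTION set) and when
# a mail command exists; never break the login if sending fails.
if [ -n "$SSH_CONNECTION" ] && command -v mail >/dev/null 2>&1; then
    build_alert "${USER:-$(id -un)}" "$SSH_CONNECTION" \
        | mail -s "SSH login on $(uname -n)" "$ALERT_TO" || :
fi
```

sshd skips /etc/ssh/sshrc for any user who has their own ~/.ssh/rc, so a logged-in user can suppress this alert; running the same script from pam_exec in /etc/pam.d/sshd avoids that.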