Hints for Securing Ubuntu on a VPS

DigitalOcean and GoDaddy Pro are nice VPS providers. However, it’s important to update the security of any box you create ASAP. It took under 24 hours for one of my boxes to be hacked and turned into a DoS! Therefore, when you create your box, make sure to add a firewall immediately.

  1. Add an SSH key to the box so you can log into it without passwords. This can sometimes be a real pain in the ars, but it’s worth it. Remember, the server needs an “authorized_keys” file, and the client needs an agent, either Pageant or ‘eval $(ssh-agent)’.
  2. Turn off passwords for SSH. After adding a key–and making sure that it works–turn off password prompting. Note: if you mess this up and can’t log in without password prompting, you are totally screwed!
    1. vi /etc/ssh/sshd_config, uncomment “PasswordAuthentication”, and change “PasswordAuthentication” from “yes” to “no”.
  3. Install UFW (the “Uncomplicated Firewall”). Set up which ports are exposed. For now, allow SSH (port 22).
    1. sudo apt-get install ufw
    2. sudo ufw default deny incoming
    3. sudo ufw allow ssh
    4. sudo ufw --force enable (set up ssh before enabling ufw!)
    5. sudo ufw status
  4. Install Fail2ban. Fail2ban keeps track of hackers trying to get into the machine, and sets up blocks accordingly.
    1. sudo apt-get update
    2. sudo apt-get install fail2ban
    3. Install any additional rules you want.
      1. sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
      2. vi /etc/fail2ban/jail.local
        1. Add in rules, e.g., ‘^%(__prefix_line)sReceived disconnect from <HOST>: 11: (Bye Bye)? \[preauth\]$’.
      3. To test it with fail2ban-regex or egrep, you can just strip off the ^%(__prefix_line)s from the beginning. Add this line to the failregex variable in your /etc/fail2ban/filter.d/sshd.conf.
  5. Check logs periodically. Look for strange happenings.
    1. grep 'sshd.*Failed' /var/log/auth.log | less
    2. grep 'sshd.*Did' /var/log/auth.log | less
  6. Do not expose Redis, MongoDB, or other unsafe programs directly past the firewall:
    1. http://redis.io/topics/security
  7. Install nethogs to see what’s going on with the network.
    1. sudo apt-get install nethogs
    2. sudo nethogs eth0
    3. If you see the error “creating socket failed while establishing local IP – are you root”, build nethogs from source:
    4. wget -c https://github.com/raboof/nethogs/archive/v0.8.1.tar.gz
    5. tar xf v0.8.1.tar.gz
    6. cd ./nethogs-0.8.1/
    7. sudo apt-get install libncurses5-dev libpcap-dev
    8. sudo apt-get install make
    9. sudo apt-get install build-essential g++
    10. make && sudo make install
    11. nethogs
  8. Run netstat occasionally to see what ports are open.
    1. netstat -tnp
    2. netstat -tulpn
  9. Amazon’s AWS has firewalls built in around the machine when you create a VPS. You don’t need to set up these programs, but it’s a good thing to do.
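
For the “check logs periodically” step, a per-IP summary is easier to read than paging through raw grep output. The script below is an added example, not part of the original post: the function names `sample_log` and `failures_by_ip` are made up here, the log lines are constructed, and it goes slightly beyond the two greps by also counting the “Received disconnect … [preauth]” lines matched by the Fail2ban rule shown earlier.

```shell
#!/usr/bin/env bash
# Added example: count sshd pre-auth failures per source IP.

# Constructed sample lines in Ubuntu auth.log format. Addresses are from the
# RFC 5737 documentation ranges; the host name "vps" is made up.
sample_log() {
cat <<'EOF'
Mar  3 06:25:01 vps sshd[1201]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar  3 06:25:04 vps sshd[1201]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar  3 06:25:09 vps sshd[1207]: Failed password for invalid user admin from 198.51.100.23 port 40022 ssh2
Mar  3 06:25:11 vps sshd[1207]: Received disconnect from 198.51.100.23: 11: Bye Bye [preauth]
Mar  3 06:26:40 vps sshd[1215]: Did not receive identification string from 203.0.113.7
Mar  3 06:30:02 vps sshd[1302]: Accepted publickey for deploy from 192.0.2.10 port 50514 ssh2
Mar  3 06:31:15 vps CRON[1310]: pam_unix(cron:session): session opened for user root by (uid=0)
EOF
}

# failures_by_ip [FILE...]: read auth.log text from FILE(s) or stdin and print
# "<count> <ip>" per source address, busiest first.
failures_by_ip() {
    awk '
        / sshd\[[0-9]+\]: / {
            # Same three message types as the greps and the fail2ban rule.
            if (!(/Failed password for / ||
                  /Did not receive identification string from / ||
                  /Received disconnect from [^ ]+: 11: (Bye Bye)? \[preauth\]$/)) next
            # The user name is remote-controlled and may itself contain
            # " from <ip>", so keep the address after the LAST "from".
            ip = ""
            for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
            sub(/:$/, "", ip)          # "from 198.51.100.23:" -> bare address
            if (ip != "") count[ip]++
        }
        END { for (ip in count) print count[ip], ip }
    ' "$@" | sort -k1,1nr -k2,2
}

# Stand-alone run on the constructed sample. On a real box:
#   sudo cat /var/log/auth.log | failures_by_ip
sample_log | failures_by_ip
```

Addresses at the top of the output that you don’t recognise are the ones to compare against what Fail2ban has already banned.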
