SECURING YOUR LINUX SERVER DEPLOYED IN THE CLOUD OR ENTERPRISE
ADD A USER
Execute the command below
adduser dmuthami
Add the user to the sudo (administrators) group
usermod -a -G sudo dmuthami
Log out
Log in using the created user account from your desktop using the command below
Using SSH Key Pair Authentication
Execute the command below to create a public and private key pair as root or any other user on your desktop computer.
ssh-keygen
Upload the public key to your server by executing the command below
scp ~/.ssh/id_rsa.pub dmuthami@176.58.114.103:
Make a .ssh directory in the home directory of the user created, e.g. dmuthami in this case
mkdir .ssh
Move the public key into place as the authorized_keys file
mv id_rsa.pub .ssh/authorized_keys
Grant the user appropriate permissions on the .ssh directory
chown -R dmuthami:dmuthami .ssh
chmod 700 .ssh
chmod 600 .ssh/authorized_keys
Disabling SSH Password Authentication and
Root Login
Log in as root and open the file below in a terminal
vim /etc/ssh/sshd_config
Scroll down and change the settings as shown below:
PasswordAuthentication no
PermitRootLogin no
Save the file by pressing :wq
Restart the SSH service to load the new configuration by entering the command below
service ssh restart
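As an added example (not part of the original post), a small POSIX shell audit of the two SSH steps above: it reports the value sshd will actually apply for PasswordAuthentication and PermitRootLogin, since sshd uses the first uncommented occurrence of a keyword and silently ignores later ones, and checks the .ssh modes set earlier. The function names are mine; it assumes awk and a stat that supports -c (GNU or busybox).

```shell
#!/bin/sh
# Audit the SSH hardening steps above. Added example, not from the original post.
# Assumes a Debian/Ubuntu-style host: POSIX sh, awk, and GNU/busybox stat -c.

# Print the value sshd will actually use for a keyword in an sshd_config file.
# sshd takes the FIRST uncommented occurrence of each keyword, so an edit added
# below an earlier "PasswordAuthentication yes" is silently ignored. Keywords are
# case-insensitive. Parsing stops at the first Match block, whose settings only
# apply to matching connections. Prints "unset" when the keyword is not found.
sshd_effective() {
    awk -v key="$2" '
        $1 ~ /^#/ || NF == 0   { next }      # skip comments and blank lines
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Return 0 when both settings this guide requires are in effect, else 1.
check_sshd() {
    rc=0
    for kv in PasswordAuthentication=no PermitRootLogin=no; do
        key=${kv%=*}; want=${kv#*=}
        got=$(sshd_effective "$1" "$key")
        if [ "$got" = "$want" ]; then
            echo "OK   $key=$got"
        else
            echo "FAIL $key=$got (want $want)"; rc=1
        fi
    done
    return $rc
}

# Return 0 when the .ssh directory and authorized_keys carry the modes the
# guide sets (700 on the directory, 600 on the key file), else 1.
check_ssh_dir() {
    rc=0
    [ "$(stat -c %a "$1")" = 700 ] || { echo "FAIL $1 is not mode 700"; rc=1; }
    [ "$(stat -c %a "$1/authorized_keys")" = 600 ] \
        || { echo "FAIL $1/authorized_keys is not mode 600"; rc=1; }
    return $rc
}

# Typical run on the server, as the new user:
#   check_sshd /etc/ssh/sshd_config && check_ssh_dir "$HOME/.ssh"
```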
Creating a Firewall
Check your Linode's default firewall rules.
iptables -L
Create a file to hold your firewall rules.
vim /etc/iptables.firewall.rules
Place the text below in it and save the changes
*filter
# Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT
# Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
# Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# Allow SSH connections
#
# The --dport number should be the same port number you set in sshd_config
#
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# Allow ping
-A INPUT -p icmp -j ACCEPT
# Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Drop all other inbound - default deny unless explicitly allowed policy
-A INPUT -j DROP
-A FORWARD -j DROP
COMMIT
Activate the firewall
iptables-restore < /etc/iptables.firewall.rules
Recheck the firewall table.
iptables -L
Ensure that the firewall rules are activated every time you restart your server by creating the script below.
vim /etc/network/if-pre-up.d/firewall
Copy and paste the following lines into the file you just created:
#!/bin/sh
/sbin/iptables-restore < /etc/iptables.firewall.rules
Save the script (:wq) and set the script's permissions by entering the following command:
chmod +x /etc/network/if-pre-up.d/firewall
Installing and Configuring Fail2Ban
Install Fail2Ban by entering the command below
apt-get install fail2ban
Override the default Fail2Ban configuration by creating a new jail.local file
vim /etc/fail2ban/jail.local