With new server companies like DigitalOcean and Linode, spawning your own VPS has never been this easy (and dirt cheap). We're going to explore setting up your own server. Let's start by setting up a fresh server and getting the IP, root user and password.
Let's start with Ubuntu 12.04 LTS. LTS stands for "Long Term Support" and guarantees us 5 years of updates (read more about the Ubuntu core team's release cycles here).
We're going to explore 3 topics: SSH key logins, the UFW firewall and Fail2Ban.
SSH allows you to connect to your server using an IP, username and password. We're going to disable logging in with a password and instead rely on an SSH key to log in. This is more secure and decreases the chance of a successful rainbow attack. Let's start by making a private/public SSH key pair.
Open your favorite terminal app (we use iTerm2)
We're going to create a local key pair with this command:
ssh-keygen -t rsa -C "youremail@weworkweplay.com"
It will prompt you with "Enter file in which to save the key"; you can enter:
~/.ssh/weworkweplay_rsa
Then it will prompt for "Enter passphrase", so we enter a passphrase like:
weworkwepassword
Enter your passphrase again and we're all set. Now get the IP of your new server and log in using this command (where 111.222.333 is the IP of your server):
ssh root@111.222.333
Let's first update and upgrade our new Ubuntu with these commands:
apt-get update
apt-get upgrade
Now open the authorized_keys file and add the key we generated earlier:
sudo nano ~/.ssh/authorized_keys
Open the public half of the key pair you generated locally (~/.ssh/weworkweplay_rsa.pub, never the private key) on your computer and copy its contents. Paste it into your console, then Control+X and "Y" your way out.
Now we just need to disable password-based logins for SSH. Open your SSH config file:
sudo nano /etc/ssh/sshd_config
Set the following values to "no":
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no
Control+X and "Y" to save the settings. Next we reload SSH with this command:
sudo /etc/init.d/ssh reload
When you exit and try to reconnect you won't need to type your password again; the server authenticates you with your local SSH key and knows it's you!
As an extra layer of security you can change your SSH port to a different one, so random flood attacks on IP ranges have less chance of hitting you. Open the SSH config file:
sudo nano /etc/ssh/sshd_config
and adjust the port setting:
Port 9182
Reload the settings:
sudo /etc/init.d/ssh reload
When you exit the SSH session you have to specify the port when you log in again, using the -p flag at the end of your command:
ssh root@123.456.78.90 -p 9182
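The password-login and port changes above both edit sshd_config by hand, and sshd takes the first value it sees for a keyword, so a leftover "PasswordAuthentication yes" higher up in the file silently wins over a "no" pasted at the bottom. Here is an added example (my own helper script, not part of the original post) that edits a working copy of the config, replaces every existing line for a directive, and lets you validate the copy with sshd -t before you install it and reload. The sample config it builds is constructed for the demonstration and is not a real server's file.

```shell
#!/bin/sh
# Added example, not code from the original post. Edits sshd_config on a
# working copy so the live daemon keeps running on the old file until the
# new one passes `sshd -t`; a typo in the live file could otherwise cost you
# your only session.

# set_sshd_option FILE KEY VALUE
# Drops every line whose first token is KEY (case-insensitive, with or without
# a leading '#', in "Key Value" or "Key=Value" form) and appends "KEY VALUE",
# so the file never carries two conflicting settings for one directive.
set_sshd_option() {
    tmp=$(mktemp) || return 1
    awk -v k="$2" '{
        line = $0
        sub(/^[ \t]*#?[ \t]*/, "", line)        # strip indent and comment marker
        split(line, f, /[ \t=]+/)
        if (tolower(f[1]) != tolower(k)) print $0
    }' "$1" > "$tmp" || return 1
    printf '%s %s\n' "$2" "$3" >> "$tmp"
    cat "$tmp" > "$1"        # overwrite in place, keeping the file's owner/mode
    rm -f "$tmp"
}

# get_sshd_option FILE KEY: print the value sshd would use, i.e. the first
# active "Key Value" line (the form set_sshd_option writes).
get_sshd_option() {
    awk -v k="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }
    ' "$1"
}

# validate_sshd_config FILE: have sshd parse FILE (and check its host keys)
# without starting; a non-zero exit means "do not install this file".
validate_sshd_config() {
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$1"
    else
        echo "sshd not in PATH (try /usr/sbin/sshd); syntax check skipped" >&2
    fi
}

# harden_sshd_copy SRC DEST: write a copy of SRC to DEST with password logins
# disabled, as in the post. Install DEST over SRC only after
# validate_sshd_config DEST succeeds, then reload (sudo /etc/init.d/ssh reload).
harden_sshd_copy() {
    cp "$1" "$2" || return 1
    set_sshd_option "$2" ChallengeResponseAuthentication no
    set_sshd_option "$2" PasswordAuthentication no
    set_sshd_option "$2" UsePAM no
}

# make_sample_sshd_config: constructed stand-in for /etc/ssh/sshd_config with
# the duplicate and commented lines that make naive appending unsafe.
make_sample_sshd_config() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# constructed sample, not a real server's config
Port 22
#PasswordAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
EOF
    echo "$f"
}
```

Typical use on the server: harden_sshd_copy /etc/ssh/sshd_config /root/sshd_config.new, set_sshd_option /root/sshd_config.new Port 9182 if you are also moving the port, validate_sshd_config /root/sshd_config.new, and only then copy it over the live file and reload, keeping your current session open until a second login succeeds.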
UFW stands for "The Uncomplicated Firewall" and basically acts as a simplicity layer on top of your iptables firewall. Using a set of simple commands you can construct a firewall that keeps you safe from most attacks.
Warning! Watch out with firewall rules that deny all access, because you'll shut yourself out (SSH blocked => bricked server).
Let's start by installing UFW and allowing our SSH connection so we don't get locked out.
sudo apt-get install ufw
sudo ufw allow ssh/tcp
sudo ufw logging on
sudo ufw enable
sudo ufw status
The last command will give you something like this:
Firewall loaded
To         Action   From
--         ------   ----
22:tcp     ALLOW    Anywhere
We're now firewalled with the exception of port 22. You can easily add more ports or apps using this syntax:
sudo ufw allow [APP]
sudo ufw allow [PORT]
To enter more specific rules, for example to allow Samba access to all local IPs in the 192.168.0.x range, you simply enter:
ufw allow from 192.168.0.0/24 to any app Samba
To enable HTTP, HTTPS and FTP support:
ufw allow 80/tcp
ufw allow 443/tcp
ufw allow 21/tcp
For email (SMTP and IMAP):
ufw allow 993/tcp
ufw allow 587/tcp
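One thing worth checking before you enable the firewall or reload sshd: "ufw allow ssh/tcp" opens whatever /etc/services maps "ssh" to, which is port 22, so if you moved sshd to port 9182 earlier the rule set above still only admits 22. The following added example (mine, not from the post or the ufw project) reads a saved "ufw status" output and your sshd_config and tells you whether the port sshd actually listens on is allowed. The status output and config it builds are constructed samples.

```shell
#!/bin/sh
# Added example, not code from the original post or from ufw. A pre-flight
# check that the port sshd listens on has an ALLOW rule before you enable
# the firewall or reload sshd; otherwise the next reconnect is blocked.

# ufw_allows_port STATUS_FILE PORT
# Returns 0 if STATUS_FILE (captured output of `ufw status`) holds an ALLOW
# rule for PORT on tcp or with no protocol given. Accepts both "22/tcp" and
# the older "22:tcp" spelling and ignores "ALLOW IN" / "(v6)" decorations.
ufw_allows_port() {
    awk -v p="$2" '
        $2 == "ALLOW" {
            n = split($1, t, "[/:]")          # "9182/tcp" -> 9182, tcp
            if (t[1] == p && (n == 1 || t[2] == "tcp")) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# ssh_port_from_config FILE: the first active Port line (sshd uses the first
# value it sees); 22 when the directive is absent or commented out.
ssh_port_from_config() {
    awk 'tolower($1) == "port" { print $2; f = 1; exit }
         END { if (!f) print 22 }' "$1"
}

# ufw_ssh_preflight STATUS_FILE SSHD_CONFIG: print a verdict, return 0 if safe.
ufw_ssh_preflight() {
    port=$(ssh_port_from_config "$2")
    if ufw_allows_port "$1" "$port"; then
        echo "OK: ufw allows the sshd port $port/tcp"
    else
        echo "WARN: sshd listens on $port but ufw has no ALLOW rule for it;"
        echo "      run 'ufw allow $port/tcp' before reloading sshd or enabling ufw"
        return 1
    fi
}

# make_sample_ufw_status: constructed `ufw status` output in the shape shown
# in the post, after `ufw allow ssh/tcp` and `ufw allow 80/tcp`.
make_sample_ufw_status() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
Firewall loaded
To                         Action  From
--                         ------  ----
22:tcp                     ALLOW   Anywhere
80/tcp                     ALLOW   Anywhere
EOF
    echo "$f"
}

# make_moved_port_config: constructed sshd_config where sshd was moved to 9182.
make_moved_port_config() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# constructed sample: sshd already moved to a non-default port
#Port 22
Port 9182
PasswordAuthentication no
EOF
    echo "$f"
}
```

On a real box you would run "sudo ufw status > /tmp/ufw.txt" and then ufw_ssh_preflight /tmp/ufw.txt /etc/ssh/sshd_config; a WARN verdict means adding the port rule first, exactly the lockout the warning above is about.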
Fail2Ban automatically scans through your log files and filters offending and suspicious activity. It then applies a slowing algorithm that enforces increasing timeouts and eventually adds an attacker's IP to your firewall blocklist. Install fail2ban using apt:
sudo apt-get install fail2ban
Copy the default settings to a .local file and edit that instead:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local
The top section covers the basics; each further section provides more options. We want to change ignoreip and destemail: ignoreip to our own IP address or another safe IP so we don't get locked out of our server, and destemail to an email address so we can monitor what's going on.
The [ACTION] section defines how bad actions should be handled; the defaults (iptables) are fine here.
Note that fail2ban doesn't write its rules to the UFW rule set (it uses iptables directly). You can check what fail2ban is doing with this command:
service fail2ban status
Finally, restart fail2ban:
sudo service fail2ban restart
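To see what the sshd jail actually selects from your auth.log, here is an added example (my own, not code from the post or from the fail2ban project) that re-implements its core rule in awk: an IP is a ban candidate once it produces maxretry "Failed password" lines within any findtime-second window, unless it is on the ignoreip list. The log lines it builds are constructed samples using documentation addresses, and the timestamp conversion is a rough seconds value that is only monotone within one year, which is enough for window comparisons.

```shell
#!/bin/sh
# Added example, not code from the original post or from fail2ban. Shows the
# maxretry/findtime/ignoreip logic of the sshd jail over sample auth.log lines.

# fail2ban_candidates LOG MAXRETRY FINDTIME [IGNOREIP]
# Prints, once each, the source IPs with MAXRETRY or more "Failed password"
# lines inside a FINDTIME-second window, skipping the space-separated
# IGNOREIP list (the post's ignoreip setting).
fail2ban_candidates() {
    log=$1; shift
    awk -v maxretry="$1" -v findtime="$2" -v ignore="$3" '
    # rough seconds from a syslog "Mon DD HH:MM:SS" stamp; monotone within a year
    function ts(mon, day, hms,   m, t) {
        m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", mon) + 2) / 3
        split(hms, t, ":")
        return ((m * 31 + day) * 24 + t[1]) * 3600 + t[2] * 60 + t[3]
    }
    /sshd\[[0-9]+\]: Failed password for/ {
        ip = ""
        for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
        if (ip == "" || (ip in banned)) next
        if (index(" " ignore " ", " " ip " ")) next        # ignoreip match
        now = ts($1, $2, $3)
        n = split(hits[ip], h, " ")
        kept = ""; cnt = 1                                  # count this hit
        for (i = 1; i <= n; i++)                            # keep hits still in window
            if (h[i] != "" && now - h[i] <= findtime) { kept = kept " " h[i]; cnt++ }
        hits[ip] = kept " " now
        if (cnt >= maxretry) { banned[ip] = 1; print ip }   # fail2ban would ban here
    }' "$log"
}

# make_sample_authlog: constructed auth.log excerpt. 203.0.113.5 fails three
# times in eight seconds; 198.51.100.7 fails three times 15 minutes apart.
make_sample_authlog() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
Apr 21 10:15:01 vps sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Apr 21 10:15:03 vps sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Apr 21 10:15:05 vps sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Apr 21 10:15:07 vps sshd[1205]: Accepted publickey for root from 198.51.100.7 port 40000 ssh2
Apr 21 10:15:09 vps sshd[1207]: Failed password for root from 198.51.100.7 port 40002 ssh2
Apr 21 10:30:09 vps sshd[1209]: Failed password for root from 198.51.100.7 port 40004 ssh2
Apr 21 10:45:09 vps sshd[1211]: Failed password for root from 198.51.100.7 port 40006 ssh2
EOF
    echo "$f"
}
```

With the jail.conf defaults of maxretry 3 and findtime 600, fail2ban_candidates "$log" 3 600 reports only 203.0.113.5; the slow attempts from 198.51.100.7 only show up if you widen findtime, and passing your own address as the fourth argument keeps it off the list the way ignoreip does.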