Ubuntu/Setup Server
From r00tedvw.com wiki
Revision as of 01:32, 15 August 2015
Overview
Quick checklist of things to install while setting up a new LAMP server
Security
Local
- Create new account
~$ adduser newuser
Adding user `newuser' ...
Adding new group `newuser' (1000) ...
Adding new user `newuser' (1000) with group `newuser' ...
Creating home directory `/home/newuser' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for newuser
Enter the new value, or press ENTER for the default
        Full Name []: newuser
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [Y/n] y
- Add new user to sudoer group
~$ visudo
# User privilege specification
root    ALL=(ALL:ALL) ALL
newuser ALL=(ALL:ALL) ALL
SSH
- start SSH listening on non-standard port
~$ sudo vi /etc/ssh/sshd_config
...
# What ports, IPs and protocols we listen for
Port 22
Port 2222
...
- remove root from remote login
~$ sudo vi /etc/ssh/sshd_config
...
PermitRootLogin no
...
- install fail2ban
~$ sudo apt-get update && sudo apt-get install fail2ban -y
- set ban time to 24 hours & make sure ssh blocking is enabled
~$ sudo vi /etc/fail2ban/jail.conf
...
bantime = 86400
...
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
...
iptables
- add loopback and related/established
~$ sudo iptables -A INPUT -i lo -j ACCEPT
~$ sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
- add permitted IP address(es)
~$ sudo iptables -A INPUT -s 8.8.8.8 -p tcp --dport 22 -j ACCEPT -m comment --comment "SSH Access"
- add port 2222 open to the world since we'll be blocking 22 by omission.
~$ sudo iptables -A INPUT -s 0.0.0.0/0 -p tcp --dport 2222 -j ACCEPT
- prevent packets from being forwarded (like a router) and set the INPUT default policy to DROP; do this last, after the ACCEPT rules above are in place
~$ sudo iptables -P FORWARD DROP
~$ sudo iptables -P INPUT DROP
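The iptables steps above as one script, added here as an example (it is not part of the wiki page): it emits the same rules in the order that keeps an existing SSH session alive (ACCEPT rules before the DROP policies), refuses to run if that order is broken, and can print the commands instead of executing them. ADMIN_IP and SSH_PORT default to the values used on the page and are assumed placeholders.

```shell
# Added example (not from the wiki): emits the INPUT/FORWARD rules from the
# checklist above in lock-out-safe order, checks that order, then applies them.
# ADMIN_IP and SSH_PORT default to the values used on the page; both are
# assumed placeholders, replace them with your own.
ADMIN_IP="${ADMIN_IP:-8.8.8.8}"
SSH_PORT="${SSH_PORT:-2222}"

# One iptables invocation per line; nothing is executed here.
# ACCEPT rules must precede the DROP policies: once "-P INPUT DROP" is set,
# any packet not matched by an earlier ACCEPT (including your own SSH
# session if ESTABLISHED,RELATED is missing) is silently dropped.
firewall_rules() {
    printf '%s\n' \
        "iptables -A INPUT -i lo -j ACCEPT" \
        "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT" \
        "iptables -A INPUT -s $ADMIN_IP -p tcp --dport 22 -j ACCEPT -m comment --comment \"SSH Access\"" \
        "iptables -A INPUT -s 0.0.0.0/0 -p tcp --dport $SSH_PORT -j ACCEPT" \
        "iptables -P FORWARD DROP" \
        "iptables -P INPUT DROP"
}

# Reads rules on stdin; fails if any ACCEPT rule comes after a DROP policy.
rules_are_safe() {
    awk '
        /-P [A-Z]* DROP/ { seen_drop = 1 }
        /-j ACCEPT/ && seen_drop { exit 1 }
    '
}

# apply_rules [--dry-run]: refuses an unsafe ordering, otherwise runs each
# line with sudo (or just prints it with --dry-run). Note that iptables
# rules do not survive a reboot unless saved separately.
apply_rules() {
    firewall_rules | rules_are_safe || {
        echo "refusing: a DROP policy precedes an ACCEPT rule" >&2
        return 1
    }
    firewall_rules | while IFS= read -r cmd; do
        if [ "$1" = "--dry-run" ]; then
            echo "sudo $cmd"
        else
            eval "sudo $cmd"
        fi
    done
}
```

Source the file and run `apply_rules --dry-run` to review the commands before applying them for real.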