Ubuntu/Setup Server

Revision as of 01:29, 15 August 2015

Overview

Quick checklist of things to install while setting up a new LAMP server

Security

Local

• Create new account

~$ adduser newuser
Adding user `newuser' ...
Adding new group `newuser' (1000) ...
Adding new user `newuser' (1000) with group `newuser' ...
Creating home directory `/home/newuser' ...
Copying files from `/etc/skel' ...
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully
Changing the user information for newuser
Enter the new value, or press ENTER for the default
	Full Name []: newuser
	Room Number []: 
	Work Phone []: 
	Home Phone []: 
	Other []: 
Is the information correct? [Y/n] y

• Add new user to sudoer group

~$ visudo
# User privilege specification
root    ALL=(ALL:ALL) ALL
newuser   ALL=(ALL:ALL) ALL

SSH

• start SSH listening on non-standard port

~$ sudo vi /etc/ssh/sshd_config 
...
# What ports, IPs and protocols we listen for
Port 22
Port 2222
...

• remove root from remote login

~$ sudo vi /etc/ssh/sshd_config 
...
PermitRootLogin no
...

• install fail2ban

~$ sudo apt-get update && sudo apt-get install fail2ban -y 

• set ban time to 24 hours & make sure ssh blocking is enabled

~$ sudo vi /etc/fail2ban/jail.conf
...
bantime  = 86400
...
[ssh]

enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
...

iptables

• add loopback and related/established

~$ sudo iptables -A INPUT -i lo -j ACCEPT
~$ sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

• add permitted IP address(es)

~$ sudo iptables -A INPUT -s 8.8.8.8 -p tcp --dport 22 -j ACCEPT -m comment --comment "SSH Access"

• add port 2222 open to the world

~$ sudo iptables -A INPUT -s 0.0.0.0/0 -p tcp --dport 2222 -j ACCEPT

• prevent packets from fowarding (like a router) and specify INPUT policy default

 ~$ sudo iptables -P FORWARD DROP
~$ sudo iptables -P INPUT DROP