Ubuntu/Setup Server
From r00tedvw.com wiki
Overview
Quick checklist of things to install while setting up a new LAMP server
Security
Local
- Create new account
~$ adduser newuser
Adding user `newuser' ...
Adding new group `newuser' (1000) ...
Adding new user `newuser' (1000) with group `newuser' ...
Creating home directory `/home/newuser' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for newuser
Enter the new value, or press ENTER for the default
        Full Name []: newuser
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [Y/n] y
- Add new user to sudoer group
~$ visudo
...
# User privilege specification
root    ALL=(ALL:ALL) ALL
newuser ALL=(ALL:ALL) ALL
...
SSH
- start SSH listening on a non-standard port
~$ sudo vi /etc/ssh/sshd_config
...
# What ports, IPs and protocols we listen for
Port 22
Port 2222
...
- remove root from remote login
~$ sudo vi /etc/ssh/sshd_config
...
PermitRootLogin no
...
- install fail2ban
~$ sudo apt-get update && sudo apt-get install fail2ban -y
- set ban time to 24 hours & make sure ssh blocking is enabled
~$ sudo vi /etc/fail2ban/jail.conf
...
bantime  = 86400
...
[ssh]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
...
iptables
- add loopback and related/established
~$ sudo iptables -A INPUT -i lo -j ACCEPT
~$ sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
- add permitted IP address(es)
~$ sudo iptables -A INPUT -s 8.8.8.8 -p tcp --dport 22 -j ACCEPT -m comment --comment "SSH Access"
- open port 2222 to the world, since 22 will be blocked by omission once the default INPUT policy is DROP. Also add 80 and 443 so people can get to the site.
~$ sudo iptables -A INPUT -s 0.0.0.0/0 -p tcp --dport 2222 -j ACCEPT
~$ sudo iptables -A INPUT -s 0.0.0.0/0 -p tcp --dport 80 -j ACCEPT
~$ sudo iptables -A INPUT -s 0.0.0.0/0 -p tcp --dport 443 -j ACCEPT
- prevent packets from being forwarded (like a router) and set the INPUT default policy to DROP
~$ sudo iptables -P FORWARD DROP
~$ sudo iptables -P INPUT DROP
- make sure iptables looks like you want
~$ sudo iptables -L -n -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target        prot opt in     out     source               destination
 1775  140K fail2ban-ssh  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22
    0     0 ACCEPT        all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 1308 99200 ACCEPT        all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT        tcp  --  *      *       8.8.8.8              0.0.0.0/0            tcp dpt:22 /* SSH Access */
    0     0 ACCEPT        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2222
    0     0 ACCEPT        tcp  --  *      *       9.9.9.9              0.0.0.0/0            tcp dpt:22 /* SSH home */
    0     0 ACCEPT        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target        prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 31 packets, 2792 bytes)
 pkts bytes target        prot opt in     out     source               destination

Chain fail2ban-ssh (1 references)
 pkts bytes target        prot opt in     out     source               destination
 1752  138K RETURN        all  --  *      *       0.0.0.0/0            0.0.0.0/0
- save iptables config and add to rc.local for restoration on reboot
~$ sudo sh -c "iptables-save > /etc/iptables.rules"
~$ sudo vi /etc/rc.local
...
iptables-restore < /etc/iptables.rules
exit 0
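As an added example that is not part of the original wiki page, the following POSIX shell function audits an iptables-save style ruleset for what the iptables steps above are meant to establish: DROP policies on INPUT and FORWARD, loopback and RELATED/ESTABLISHED traffic accepted, 2222/80/443 open, and no rule that accepts port 22 from an unrestricted source. The RULES ruleset is constructed here to mirror the checklist; on a real host you would pipe in `sudo iptables-save` instead.

```shell
# Constructed iptables-save style ruleset mirroring the checklist (not captured from a real host).
RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [31:2792]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 8.8.8.8/32 -p tcp -m tcp --dport 22 -m comment --comment "SSH Access" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT'

# has PATTERN: true if any line of the ruleset held in $rules matches the extended regex.
has() { printf '%s\n' "$rules" | grep -Eq -- "$1"; }

# audit_rules: read an iptables-save ruleset on stdin, print one FAIL line per
# problem, and return 1 if anything failed (0 if the ruleset matches the checklist).
audit_rules() {
    rules=$(cat)
    rc=0
    # 1. Default policies: INPUT and FORWARD must be DROP (this is what "blocks 22 by omission")
    for chain in INPUT FORWARD; do
        has "^:$chain DROP" || { echo "FAIL: $chain policy is not DROP"; rc=1; }
    done
    # 2. Loopback and stateful return traffic must be accepted, or the host locks itself out
    has '^-A INPUT -i lo -j ACCEPT$' || { echo "FAIL: loopback not accepted"; rc=1; }
    has '^-A INPUT .*--state (RELATED,ESTABLISHED|ESTABLISHED,RELATED) -j ACCEPT$' \
        || { echo "FAIL: RELATED,ESTABLISHED not accepted"; rc=1; }
    # 3. Ports the checklist opens to the world
    for port in 2222 80 443; do
        has "^-A INPUT .*--dport $port .*-j ACCEPT$" || { echo "FAIL: port $port not open"; rc=1; }
    done
    # 4. Port 22 may only be accepted from explicit sources (-s); an ACCEPT for 22
    #    without -s means SSH on the default port is reachable from anywhere
    if printf '%s\n' "$rules" | grep -- '--dport 22 ' | grep -- '-j ACCEPT' | grep -v -q -- ' -s '; then
        echo "FAIL: port 22 accepted from any source"; rc=1
    fi
    return $rc
}
```

Run `sudo iptables-save | audit_rules` after loading the rules, and again after a reboot to confirm the rc.local restore actually took effect.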
Update OS, libraries, and installed packages
~$ sudo apt-get update && sudo apt-get upgrade -y
Install Apache2
~$ sudo apt-get install apache2