How to Secure a Ubuntu Server

Please download to get full document.

View again

of 3
8 views
PDF
All materials on our website are shared by users. If you have any questions about copyright issues, please report us to resolve them. We are always happy to assist you.
Document Description
Recently I purchased a virtual ubuntu server on rackspace. However I have to manage it myself, and this includes first of all taking care for its security. Securing it is very important and is the first thing to be done, since all the rackspace
Document Share
Document Tags
Document Transcript
  How to Secure a Ubuntu Server Recently I purchased a virtual ubuntu server on rackspace. However I have to manage it myself,and this includes first of all taking care for its security. Securing it is very important and is thefirst thing to be done, since all the rackspace servers have public IP-s and so are open to all the possible attacks from the Internet. Here I will describe some of the steps that can be done tosecure the server.Initially you can login as user root , through ssh : ssh root@123.45.67.890 Then you can change the password of the root   (from the default one, assigned by rackspace ),with the command passwd .It is a common practice in Linux (and specially in ubuntu) to lock down the root  account and touse another account for administrative tasks. Let's see how we can create it.First create another user account: adduser administrator Then assign the administrative  user sudo  priviledges (by adding it to the thegroup  sudo ): adduser administrator sudo One effective way of securing SSH access to your Cloud Server is to use a public/private key.This means that a public key is placed on the server and the private key is on your localworkstation. This makes it impossible for someone to log in using just a password - they musthave the private key. This consists of 3 basic steps: create the key on your local workstation,copy the public key to the Cloud Server, and set the correct permissions for the key.1. Create the public and private keys on you personal (local) computer: mkdir ~/.sshssh-keygen -t rsacd ~/.ssh/mv id_rsa rackspace_rsa If you do not want a passphrase then just press enter when prompted.The id_rsa  and id_rsa.pub  are created in the .ssh  directory. The id_rsa.pub  file holdsthe public key. You'll place this file on you server. The id_rsa  file is your private key. Never show, give away, or keep this file on a public computer. We rename itto rackspace_rsa  to make it obvious that this is the private key that is used to access therackspace server. 1. Login to the Server 2. Add an Admin User 3. Set Up Public and Private Keys  2. Copy the public key to the remote server: scp ~/.ssh/id_rsa.pub administrator@123.45.67.890:/home/administrat 3. Modify ssh permissions (on the remote server): ssh administrator@123.45.67.890mkdir /home/administrator/.sshmv /home/administrator/id_rsa.pub /home/administrator/.ssh/authorizchown -R administrator: /home/administrator/.sshchmod 700 /home/administrator/.sshchmod 600 /home/administrator/.ssh/authorized_keys Keeping the SSH service on the default port of 22 makes it an easy target. It is recommended tochange the default SSH configuration to make it more secure. There are also some other configuration options that are used to lock down the ssh access to the server.Modify the file /etc/ssh/sshd_config  by adding or editing these lines: Port 1234 # change ssh port to 1234Protocol 2PermitRootLogin no # user root is not allowed to log inPasswordAuthentication no # disable password login, only the private ke UseDNS noAllowUsers administrator # only user administrator is allowed to log i  Not all of these options are required, they overlap each-other, and you can choose which ones touse depending on your case and your security/flexibility requirements.We need to restart the sshd  service in order to enable these changes: service ssh restart After applying the changes, login from a second terminal (without logging out from the firstone), in order to make sure that you can still login and you didn't lock yourself out of the server. Now you can login like this: ssh -i ~/.ssh/rackspace_rsa -p 1234 administrator@123.45.67.890 So, we use the key ~/.ssh/rackspace_rsa  for authentication, access the ssh server on the port 1234 , and login as user administrator .By the way, in case that we need to copy something through scp , we can use a command likethis: scp -i ~/.ssh/rackspace_rsa -P 1234 source_file administrator@123.45.67. 4. Modify the SSH Configuration5. Setup a Firewall  For simple firewalls, ufw  is a great tool for building them easily. Let's say that we would like toallow only the ports 80 , 443 , and 1234  (don't forget to allow the ssh  port, otherwise you canlock yourself out!). We can build the firewall like this: ssh -i ~/.ssh/rackspace_rsa -p 1234 administrator@123.45.67.890ufw allow 1234ufw allow 80ufw allow 443ufw enable If you are familiar with iptables , then you may want to check out the iptables' rulesthat ufw  has built, by using iptables-save .http://www.rackspace.com/knowledge\_center/article/configuring-basic-security-0http://www.linode.com/wiki/index.php/Configuring\_IPtables\_on\_ubuntu\_server  6. Referencies:
Similar documents
View more...
Search Related
We Need Your Support
Thank you for visiting our website and your interest in our free products and services. We are nonprofit website to share and download documents. To the running of this website, we need your help to support us.

Thanks to everyone for your continued support.

No, Thanks