Nov 29, 2009

10 steps to setup a new VPS (Ubuntu 9.10)

If you use a Virtual Private Server running Ubuntu, there are a number of security related things you want to do before you start deploying production code to it. Here is the list of things I do to every fresh slice. I've tried this on both Linode and Slicehost, but the details may differ on your VPS depending on what software is installed by default and which repositories are active when your slice first boots.


1. Assuming you only have root access to start, the first thing to do is add yourself as a user:
adduser myusername


2. Next give yourself sudo privileges by running visudo and adding an entry below the one for root:
myusername   ALL=(ALL) ALL


3. Assuming you already have a public/private key pair, upload your public key to the server. From your local machine, type this (replace 203.0.113.10 with your server's IP address):
scp ~/.ssh/id_rsa.pub myusername@203.0.113.10:/home/myusername/


4. Log in to the remote server (still as root) and move the .pub file into the new user's .ssh directory, where sshd expects it under the name authorized_keys:
mkdir /home/myusername/.ssh
mv /home/myusername/id_rsa.pub /home/myusername/.ssh/authorized_keys


5. Set the ownership and permissions correctly; with its default StrictModes setting, sshd ignores a key file if the file or the .ssh directory is writable by anyone but the owner:
chown -R myusername:myusername /home/myusername/.ssh
chmod 700 /home/myusername/.ssh
chmod 600 /home/myusername/.ssh/authorized_keys


6. Next, edit /etc/ssh/sshd_config and tighten the defaults. These are the directives to set:
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
UsePAM no
UseDNS no
AllowUsers myusername


A few notes here. First, if you are a little more advanced, change the port from the default 22 to something else, say 28000, by setting Port 28000 in the same file; this cuts down log noise from automated scanners but is not a substitute for the key-only login above. Second, PasswordAuthentication no only closes the plain password method; make sure ChallengeResponseAuthentication is also set to no (Ubuntu ships it that way), otherwise sshd can still offer a password prompt through keyboard-interactive authentication. Third, UsePAM no switches off PAM's account and session checks as well as its authentication; leaving it at Ubuntu's default of yes is safe once password logins are disabled, so treat this line as optional. Finally, if you have more than one user, separate the names in AllowUsers with a space rather than a comma.

7. Now restart sshd so the new configuration takes effect. You are still root in this shell, so no sudo is needed; note that Ubuntu's init script is named ssh, not sshd:
/etc/init.d/ssh restart


Open a new terminal window and log in to your slice using your regular user account. Don't exit your old shell just yet; keep it open until you're sure you can ssh in and use sudo without a problem. Done? Good, from here on out I'll assume you are a regular user. Let's proceed.

8. Get some required software. Update the package lists, apply any pending upgrades, and install a couple of packages we'll want:
sudo apt-get update
sudo apt-get dist-upgrade
sudo apt-get install build-essential
sudo apt-get install git-core


9. Let's get a firewall going. We'll use iptables here. First, create a test file on your server with the rules you'll need, saved as /etc/iptables.test.rules. If you've chosen a port other than 22 for ssh, be sure to adjust it below, otherwise you'll lock yourself out:
*filter


# Allow all loopback (lo) traffic and reject any traffic to 127/8 that doesn't arrive on lo
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT


# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT


# Allows all outbound traffic
# You can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT


# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT


# Allows SSH connections
#
# THE --dport NUMBER IS THE SAME ONE YOU SET UP IN THE SSHD_CONFIG FILE
#
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT


# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT


# Log rejected inbound packets (rate limited so a scan can't fill the log)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7


# Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT


Once we've got the rules set, apply them to the server. Do this from the shell you're already in and, before saving them as the permanent rule set, open a fresh SSH session to confirm the ssh rule works:
sudo iptables-restore < /etc/iptables.test.rules 
sudo iptables-save > /etc/iptables.up.rules


Edit /etc/network/interfaces so the firewall comes back on every reboot. pre-up is an option of an iface stanza, so put this line, indented, directly under the iface lo inet loopback line (above the main Ethernet stanza):

    pre-up iptables-restore < /etc/iptables.up.rules


10. Let's get your locale setup next:
sudo locale-gen en_US.UTF-8
sudo /usr/sbin/update-locale LANG=en_US.UTF-8
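Pulling steps 6 and 9 together, here is an added pre-flight check to run in the still-open root shell before you restart sshd and before you load the firewall. It is example code written for this page, not something from the original post or from Slicehost's tutorials. It reads an sshd_config and an iptables rules file, confirms the hardening directives from step 6 are set, and confirms that the port sshd will listen on is one the rules accept, which is the mismatch step 9 warns about. The sample files it builds under SAMPLE_DIR are constructed for the demonstration, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: check sshd_config and the
# iptables rules file against each other before you restart sshd or load
# the firewall. Function names and the sample files are mine.

# Print the effective value of an sshd_config keyword. sshd uses the FIRST
# uncommented occurrence of a keyword, and keywords are case-insensitive.
# (Match blocks are not handled; none are used in this setup.)
sshd_value() {  # sshd_value CONFIG KEYWORD DEFAULT
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == key    { print $2; found = 1; exit }
        END { if (!found) print def }' "$1"
}

# Verify the step 6 directives. Prints one line per directive and returns 1
# if any is missing or set to something other than "no".
check_sshd_hardening() {  # check_sshd_hardening CONFIG
    local rc=0 key got
    for key in PermitRootLogin PasswordAuthentication \
               ChallengeResponseAuthentication X11Forwarding; do
        got=$(sshd_value "$1" "$key" '')
        if [ "$got" = no ]; then
            printf 'ok   %s no\n' "$key"
        else
            printf 'FAIL %s is "%s", want no\n' "$key" "$got"; rc=1
        fi
    done
    if [ -z "$(sshd_value "$1" AllowUsers '')" ]; then
        echo 'FAIL AllowUsers is not set'; rc=1
    fi
    return $rc
}

# List the TCP destination ports that the rules file ACCEPTs on INPUT.
iptables_accepted_tcp_ports() {  # iptables_accepted_tcp_ports RULES
    awk '/^-A INPUT/ && /-p tcp/ && /-j ACCEPT/ {
             for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1) }' "$1"
}

# Return 0 if the port sshd will listen on is accepted by the rules file.
firewall_allows_sshd() {  # firewall_allows_sshd CONFIG RULES
    local port p
    port=$(sshd_value "$1" Port 22)   # sshd listens on 22 when Port is absent
    for p in $(iptables_accepted_tcp_ports "$2"); do
        if [ "$p" = "$port" ]; then
            echo "ok   sshd port $port is accepted by the firewall rules"; return 0
        fi
    done
    echo "FAIL sshd port $port is not accepted; loading these rules would lock you out"
    return 1
}

# Constructed sample inputs: sshd moved to port 28000 but the rules file still
# only opens 22, which is exactly the mismatch step 9 warns about.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/sshd_config" <<'EOF'
# constructed sample, not a real server's file
Port 28000
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
X11Forwarding no
UsePAM no
AllowUsers myusername
EOF
cat > "$SAMPLE_DIR/iptables.rules" <<'EOF'
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A INPUT -j REJECT
COMMIT
EOF
# Corrected rules with the ssh line pointed at the real port.
sed 's/--dport 22 /--dport 28000 /' "$SAMPLE_DIR/iptables.rules" > "$SAMPLE_DIR/iptables.fixed"

check_sshd_hardening "$SAMPLE_DIR/sshd_config" || true
firewall_allows_sshd "$SAMPLE_DIR/sshd_config" "$SAMPLE_DIR/iptables.rules" || true
firewall_allows_sshd "$SAMPLE_DIR/sshd_config" "$SAMPLE_DIR/iptables.fixed" || true
```

To use it on a real slice, point the two paths at /etc/ssh/sshd_config and /etc/iptables.test.rules instead of the sample files; a FAIL line from firewall_allows_sshd means the rules file needs the same port that sshd_config specifies before you run iptables-restore.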


With that done you're ready to go installing new software, whether it's a webserver, mail server, git repo, or something completely different. It's all yours for the taking from here on out. Special thanks to the folks at Slicehost for their great tutorials.

2 comments:

  1. I follow the instructions step by step.

    There seems to be something I'm doing wrong... after all this I restart the server and then I am unable to log in to the shell... It doesn't prompt me for my username... it just tells me the connection times out.
