A freshly provisioned Linode is not hardened in three respects:
- root can log in over SSH
- SSH accepts password authentication
- there is no firewall
This article collects the steps I found for fixing these three issues.
I assume you're using Ubuntu 14.04 LTS.
Edit /etc/ssh/sshd_config
and set the following settings:
PasswordAuthentication no
PermitRootLogin no
Mind the order of operations here: once these settings take effect, the only way in is a non-root user with an SSH key, and at this point you have neither. Your current root session survives the restart, so keep it open until the key login set up in the next steps works (or postpone the restart until then). If you do lose the session, the Linode Manager's console (Lish) still gets you in. Restart the SSH service:
sudo service ssh restart
Now you can't log in as root, so you need to create another user:
sudo adduser myuser
To make myuser
a sudoer, enter sudo visudo
and add this line at the bottom:
myuser ALL=(ALL:ALL) ALL
This asks for myuser's password on each sudo, which is the safer choice: with NOPASSWD, whoever holds the SSH key holds root outright. If you accept that trade-off, use this line instead to sudo without a password:
myuser ALL=(ALL) NOPASSWD:ALL
(Ubuntu's sudoers already grants the password-protected rule to the sudo group, so adding myuser to that group is equivalent to the first line.)
The key pair belongs on your local computer, not on the Linode. If you don't already have one there, generate it on the client:
ssh-keygen
Then, from your root session on the Linode, switch to myuser (su - myuser) and add the contents of the client's public key file (the .pub file ssh-keygen wrote) to ~/.ssh/authorized_keys
.
sshd checks permissions (StrictModes) and silently ignores the file if they are too loose: ~/.ssh must be mode 700 and authorized_keys mode 600, both owned by myuser. Make sure authorized_keys
has the right permissions:
chmod 600 ~/.ssh/authorized_keys
Now, while the root session is still open, try logging in to the Linode from your local computer:
ssh myuser@your-linode-ip-or-domain-name
If this prompts for a password or is refused, fix it before closing the root session.
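The whole procedure as one script, in the order that avoids locking yourself out. This is an added example, not code from the original article: the user and key are installed first, sshd_config is edited in place and validated with sshd -t, and only then is sshd restarted. The helper names, the SSHD_CONFIG override, and the assumption that the client's public key is pasted in as an argument are mine, not the article's.

```shell
#!/bin/sh
# Added example (not from the original article): the SSH hardening steps in a
# lock-out-safe order. Assumptions not in the original: the client's public key
# is passed as the second argument, and SSHD_CONFIG may point at a copy of
# sshd_config so the edit can be tried without touching the live file.
set -eu

# Set a directive in sshd_config: rewrite an existing line for it (commented
# out or not), otherwise append it. Directives inside "Match" blocks would be
# rewritten too; the stock 14.04 file has none.
set_sshd_option() {
    config="$1"; key="$2"; value="$3"
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}[[:space:]]" "$config"; then
        sed -i -E "s/^[[:space:]]*#?[[:space:]]*${key}[[:space:]].*/${key} ${value}/" "$config"
    else
        printf '%s %s\n' "$key" "$value" >> "$config"
    fi
}

# Print the value of the first active (uncommented) occurrence of a directive.
get_sshd_option() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Put a public key in $home/.ssh/authorized_keys with the modes sshd's
# StrictModes requires (directory 700, file 600).
install_authorized_key() {
    home="$1"; pubkey="$2"
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    printf '%s\n' "$pubkey" >> "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
}

# The privileged procedure; run as root on the Linode with a user name and
# the client's public key, e.g.:
#   sh harden.sh myuser 'ssh-ed25519 AAAA... you@laptop'
harden() {
    user="$1"; pubkey="$2"; config="${SSHD_CONFIG:-/etc/ssh/sshd_config}"
    # adduser prompts for a password; sudo will ask for it (no NOPASSWD)
    id "$user" >/dev/null 2>&1 || adduser --gecos '' "$user"
    install_authorized_key "/home/$user" "$pubkey"
    chown -R "$user:$user" "/home/$user/.ssh"
    # Ubuntu's sudoers already contains "%sudo ALL=(ALL:ALL) ALL"
    usermod -aG sudo "$user"
    set_sshd_option "$config" PubkeyAuthentication yes
    set_sshd_option "$config" PasswordAuthentication no
    set_sshd_option "$config" PermitRootLogin no
    # Refuse to restart on a broken config; a typo here would lock you out
    sshd -t -f "$config"
    service ssh restart
    echo "Now run 'ssh $user@<linode-ip>' from the client before closing this session"
}

# Only run the privileged part when invoked as root with a user and a key.
if [ "$(id -u)" -eq 0 ] && [ "$#" -eq 2 ]; then
    harden "$1" "$2"
fi
```

The two helpers that edit the config and install the key take paths as arguments, so they can be exercised on a copy of sshd_config and a scratch home directory before the script is run for real against /etc/ssh/sshd_config.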
By default, Linode accepts all incoming connections. It is better to set up some iptables rules to block unwanted connections.
Create /etc/network/if-pre-up.d/iptables
with the following content:
#!/bin/sh
# Flush existing rules so the script can be re-run (ifup runs it once per interface)
iptables -F
# Allow all traffic on the loopback interface (not just TCP from 127.0.0.1)
iptables -A INPUT -i lo -j ACCEPT
# Allow replies to connections this host initiated
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow ping
iptables -A INPUT -p icmp -j ACCEPT
# Web
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Drop all others
iptables -A INPUT -j DROP
This is a typical setup for a web server; adjust the ports to what the host actually serves. Note that iptables only filters IPv4. Linode also assigns every Linode an IPv6 address, and nothing above filters it, so add matching ip6tables rules in the same script or the host stays fully exposed over IPv6.
Make this file executable:
sudo chmod +x /etc/network/if-pre-up.d/iptables
Reboot the Linode (or run the script once as root) for the rules to take effect, and confirm a fresh SSH login still works afterwards.
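An added example (not part of the original article) of the same policy written in the format iptables-restore reads. It gives two things the if-pre-up.d script doesn't: the rule set is loaded atomically (the script above briefly has an empty INPUT chain with an ACCEPT policy between the flush and the last rule), and the IPv6 table gets the same treatment. The function names, the choice of /etc/iptables/rules.v4 and rules.v6 as output paths (the files the iptables-persistent package on 14.04 loads at boot), and the refusal to apply a rule set that lacks port 22 are mine.

```shell
#!/bin/sh
# Added example (not from the original article): the web-server policy rendered
# in iptables-restore format for IPv4 and IPv6 and loaded atomically.
# Assumptions not in the original: the open TCP ports are passed as arguments,
# and the rendered tables are saved to /etc/iptables/rules.v4 and rules.v6 for
# iptables-persistent to reload at boot.
set -eu

# Print a complete filter table for one address family (4 or 6): loopback,
# replies, ICMP and the listed TCP ports are accepted; everything else is
# dropped by the chain policy rather than by a trailing DROP rule.
render_rules() {
    family="$1"; shift
    if [ "$family" = 6 ]; then icmp=ipv6-icmp; else icmp=icmp; fi
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # ICMP is required for ping; on IPv6 it also carries neighbour discovery,
    # without which the host cannot talk to its gateway at all
    printf '%s\n' "-A INPUT -p $icmp -j ACCEPT"
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Succeed if a rendered table (first argument) opens the given TCP port.
opens_port() {
    printf '%s\n' "$1" | grep -q -- "^-A INPUT -p tcp --dport $2 -j ACCEPT\$"
}

# Dry-run the table with --test, save it for boot, then load it atomically.
apply_rules() {
    family="$1"; shift
    if [ "$family" = 6 ]; then restore=ip6tables-restore; else restore=iptables-restore; fi
    rules="$(render_rules "$family" "$@")"
    printf '%s\n' "$rules" | "$restore" --test
    mkdir -p /etc/iptables
    printf '%s\n' "$rules" > "/etc/iptables/rules.v$family"
    printf '%s\n' "$rules" | "$restore"
}

# Only apply when run as root with a port list, and never one without SSH,
# e.g.:  sh firewall.sh 22 80 443
if [ "$(id -u)" -eq 0 ] && [ "$#" -gt 0 ]; then
    opens_port "$(render_rules 4 "$@")" 22 || { echo "port 22 not in list; refusing" >&2; exit 1; }
    apply_rules 4 "$@"
    apply_rules 6 "$@"
fi
```

Because render_rules only prints, the tables can be inspected before anything is loaded; apply_rules is the only function that needs root and a working iptables-restore.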