@Madh93
Last active February 19, 2017 17:33
Server Setup with Ubuntu 14.04

Table of Contents

  1. Initial steps
  2. Set up a Firewall using Iptables
  3. Extra: Iptables scripts
  4. Protecting SSH with Fail2Ban

Initial steps

Create a new user

adduser foo

Add root privileges

gpasswd -a foo sudo

Install OpenSSH Server

apt install openssh-server

Enable daemon:

update-rc.d ssh defaults
service ssh start

For other versions via systemctl:

systemctl enable ssh
systemctl start ssh

Add Public Key Authentication

If you have already generated your own keys, you only need to upload the public key to the server. From your host:

ssh-copy-id -i KEY_NAME foo@SERVER_IP_ADDRESS

To check the copied keys (on the server, as the new user):

cat ~/.ssh/authorized_keys

Configure SSH

Edit /etc/ssh/sshd_config.

Change the listening port:

Port PORT_NUMBER

Disable root login:

PermitRootLogin no

Disable password authentication:

PasswordAuthentication no

Reduce the time allowed to complete a login:

LoginGraceTime 30

Disconnect idle or unresponsive sessions:

ClientAliveInterval 120
ClientAliveCountMax 2

Limit concurrent unauthenticated connections:

MaxStartups 3

Disable forwarding:

AllowTcpForwarding no
X11Forwarding no

Log more information (/var/log/auth.log):

LogLevel VERBOSE

Finally restart daemon:

service ssh restart

For other versions via systemctl:

systemctl restart ssh
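Before restarting, it is worth confirming that the edited file really carries the values set above. The following POSIX sh script is an added example (not part of the gist): it audits an sshd_config against the directives listed in this section, using a constructed sample embedded in the script; run it with sh, or point audit_sshd at /etc/ssh/sshd_config.

```shell
# Added example: audit an sshd_config against the directives in this guide.
# sshd matches keywords case-insensitively and uses the FIRST occurrence, so
# a hardening line appended below an existing one is silently ignored. Assumes
# "Keyword value" lines only (no "Keyword=value" form, no Match blocks).

# Print the effective (first) value of a keyword, or nothing if it is unset.
sshd_get() {
    key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments, blanks
        tolower($1) == key { print $2; exit }
    ' "$2"
}

# Check each directive this guide sets (Port is site-specific, so not checked).
# Prints one PASS/FAIL line per directive and returns the number of failures.
audit_sshd() {
    file=$1; failures=0
    for pair in PermitRootLogin=no PasswordAuthentication=no LoginGraceTime=30 \
                ClientAliveInterval=120 ClientAliveCountMax=2 MaxStartups=3 \
                AllowTcpForwarding=no X11Forwarding=no LogLevel=VERBOSE
    do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_get "$key" "$file")
        if [ "$got" = "$want" ]; then
            echo "PASS $key = $got"
        else
            echo "FAIL $key = ${got:-<unset>} (want $want)"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}
# Constructed sample (not a real server file). PasswordAuthentication appears
# twice: the first "yes" wins, so the later "no" never takes effect.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
# Package generated configuration file
Port 2222
PermitRootLogin no
PasswordAuthentication yes
passwordauthentication no
LoginGraceTime 30
ClientAliveInterval 120
ClientAliveCountMax 2
MaxStartups 3
AllowTcpForwarding no
LogLevel VERBOSE
EOF
audit_sshd "$SAMPLE_CFG" || echo "$? directive(s) differ from the guide"
```

On the sample this reports two failures: PasswordAuthentication is still effectively yes, and X11Forwarding is not set at all.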

Set up a Firewall using Iptables

First rule: keep the current SSH connection

Rule that explicitly accepts your current SSH connection:

iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

Accept SSH connections

iptables -A INPUT -p tcp --dport YOUR_SSH_PORT -j ACCEPT

Allow loopback traffic

iptables -I INPUT 1 -i lo -j ACCEPT

Deny everything else

iptables -P INPUT DROP

Extra: Iptables scripts

clean_fw.sh

#!/bin/bash

# Reset the default policies to ACCEPT before flushing, so clearing the
# rules does not lock you out of the server
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F   # flush all rules
iptables -X   # delete user-defined chains
iptables -Z   # zero packet and byte counters

set_up_fw.sh

#!/bin/bash

# Custom configuration
ssh_port=22

# Keep traffic of connections already established (including this SSH session)
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Accept new SSH connections
iptables -A INPUT -p tcp --dport "$ssh_port" -j ACCEPT
# Allow loopback traffic, inserted as the first rule
iptables -I INPUT 1 -i lo -j ACCEPT
# Drop everything else
iptables -P INPUT DROP

Protecting SSH with Fail2Ban

Install Fail2Ban

apt install fail2ban

Optional, for email notifications:

apt install sendmail

To fix the slow boot caused by sendmail, edit /etc/hosts:

127.0.0.1 localhost.localdomain localhost YOUR_HOSTNAME

(To find your hostname, run: hostname)

Stop daemon

service fail2ban stop

For other versions via systemctl:

systemctl stop fail2ban

Create a custom jail

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Configure custom jail

Edit /etc/fail2ban/jail.local.

Ban time in seconds:

[DEFAULT]
...
bantime = 3600
...

Email address to collect alerts:

[DEFAULT]
...
destemail = YOUR_EMAIL_ADDRESS
...

Ban and send an email report:

[DEFAULT]
...
action = %(action_mwl)s
...

Change SSH port:

[ssh]
...
port = YOUR_SSH_PORT
...

Limit retries:

[ssh]
...
maxretry = 3
...

Enable the ssh-ddos jail too:

[ssh-ddos]
...
enabled = true
port = YOUR_SSH_PORT
maxretry = 3
...

Finally restart daemon:

service fail2ban restart

For other versions via systemctl:

systemctl restart fail2ban

To see the resulting iptables rules:

iptables -S