Skip to content

Instantly share code, notes, and snippets.

@lardawge

lardawge/server_security_setup.md

Last active December 16, 2015 08:39
Show Gist options
  • Save lardawge/5407360 to your computer and use it in GitHub Desktop.
Save lardawge/5407360 to your computer and use it in GitHub Desktop.
Download ZIP
Initial setup for Linux
Raw
server_security_setup.md

Server setup

Add

Adding initial software and deploy user

ssh root@<ip_address>
apt-get -y update
apt-get -y install curl git-core python-software-properties
apt-get -y install software-properties-common # ubuntu >= 12.10

# nginx
add-apt-repository ppa:nginx/stable
apt-get -y update
apt-get -y install nginx
service nginx start

# Node.js
add-apt-repository ppa:chris-lea/node.js
apt-get -y update
apt-get -y install nodejs

adduser deployer
# Add the user to the administer the system (admin) group
# if ubuntu > 12.04
usermod -a -G sudo deployer
# else
usermod -a -G admin deployer

logout
ssh deployer@<ip_address>

##Using SSH Key Pair Authentication

# if homebrew or ssh-copy-id is installed
ssh-copy-id deployer@<ip_address>

# else
scp ~/.ssh/id_rsa.pub deployer@<ip_address>:
ssh deployer@<ip_address>
mkdir .ssh
mv id_rsa.pub .ssh/authorized_keys
chown -R deployer:deployer .ssh
chmod 700 .ssh
chmod 600 .ssh/authorized_keys

##Disabling Root Login

sudo vi /etc/ssh/sshd_config
/PermitRootLogin no/
sudo service ssh restart

##Creating a Firewall

sudo vi /etc/iptables.firewall.rules #See File below
sudo iptables-restore < /etc/iptables.firewall.rules

File: /etc/iptables.firewall.rules

*filter

#  Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT

#  Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#  Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

#  Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

#  Allow SSH connections
#
#  The -dport number should be the same port number you set in sshd_config
#
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

#  Allow ping
-A INPUT -p icmp -j ACCEPT

#  Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

#  Drop all other inbound - default deny unless explicitly allowed policy
-A INPUT -j DROP
-A FORWARD -j DROP

COMMIT

Load firewall at startup

sudo vi /etc/network/if-pre-up.d/firewall #See File below
sudo chmod +x /etc/network/if-pre-up.d/firewall

File: /etc/network/if-pre-up.d/firewall

#!/bin/sh
/sbin/iptables-restore < /etc/iptables.firewall.rules

Install fail2ban

sudo apt-get install fail2ban

Install rvm

curl https://raw.github.com/wayneeseguin/rvm/master/binscripts/rvm-installer | bash -s stable
source ~/.profile
rvm autolibs enable
rvm install X.X.X #ruby version
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment