Skip to content

Instantly share code, notes, and snippets.

@mahmoudimus

mahmoudimus/secure-it.md

Created July 26, 2014 04:49
Show Gist options
  • Save mahmoudimus/cfa78a1ae4a1604bafe9 to your computer and use it in GitHub Desktop.
Save mahmoudimus/cfa78a1ae4a1604bafe9 to your computer and use it in GitHub Desktop.
Download ZIP
secure a server
Raw
secure-it.md

New Server Setup (Reasonably Secure Ubuntu Box)

Basic setup for a new box:

blocks password logins - need to use public key blocks bruteforcing w/ fail2ban ufw/iptables to allow only SSH/HTTP/HTTPS from public weekly auto security updates vi unattended-upgrades basic setup

root password - Generate and store in 1Password

passwd

Update

apt-get update

apt-get upgrade

apt-get dist-upgrade

Just in case

apt-get install fail2ban

Add User

adduser lhl

Install Authorized Keys

mkdir /home/lhl/.ssh

chmod 700 /home/lhl/.ssh

vi /home/lhl/.ssh/authorized_keys

chmod 600 /home/lhl/.ssh/authorized_keys

chown lhl:lhl /home/lhl -R

SSH Lock Down - no passwords

vi /etc/ssh/sshd_config

PermitRootLogin no

PasswordAuthentication no

Restart SSH - make sure you can connect before disconnecting current shell!

restart sshd

sudo

visudo

lhl ALL=(ALL:ALL) NOPASSWD: ALL

Skip for OpenVZ VPS or use custom iptables script

http://blog.bodhizazen.net/linux/how-to-use-ufw-in-openvz-templates/

apt-get install ufw

SSH

ufw allow 22

ufw allow 53

If you need any special ports from other servers

ufw allow from 255.255.255.255 to any port 11211

ufw allow out http

ufw allow out 53

ufw logging off

ufw enable

Auto-updates

apt-get install unattended-upgrades

echo ’APT::Periodic::Update-Package-Lists "1";

APT::Periodic::Download-Upgradeable-Packages "1";

APT::Periodic::AutocleanInterval "7";

APT::Periodic::Unattended-Upgrade "1";’ > /etc/apt/apt.conf.d/10periodic

should already be enabled

echo ’Unattended-Upgrade::Allowed-Origins {

"Ubuntu precise-security";

};’ > /etc/apt/apt.conf.d/50unattended-upgrades

Update Locale if necessary

locale

locale-gen en_US.UTF-8

update-locale LANG="en_US.UTF-8"

locale

http://askubuntu.com/questions/33025/locale-settings-are-not-right-how-can-i-reset-them/174264#174264

System tools

apt-get install git

apt-get install etckeeper

etckeeper init

apt-get install logwatch

echo ’/usr/sbin/logwatch --output mail --mailto [email protected] --detail high’ > /etc/cron.daily/00logwatch

apt-get install htop

apt-get install nload

apt-get install vnstat

Useful Software

apt-get install software-properties-common

apt-add-repository ppa:mizuno-as/silversearcher-ag

apt-get update

apt-get install silversearcher-ag

add-apt-repository ppa:zanchey/fishfish-snapshot

apt-get update

apt-get install fishfish

iptables

custom iptables script...

#!/bin/bash

Clean out current iptables rules

iptables -P INPUT ACCEPT

iptables -P OUTPUT ACCEPT

iptables -F

INCOMING

SSH

iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

Memcache

iptables -A INPUT -s 255.255.255.255 -p tcp --dport 11211 -m state --state NEW -j ACCEPT

MySQL

iptables -A INPUT -i lo -p tcp --dport 3306 -j ACCEPT

iptables -A INPUT -s 255.255.255.255 -p tcp --dport 3306 -m state --state NEW -j ACCEPT

Localhost Outgoing

iptables -A OUTPUT -o lo -j ACCEPT

DNS Outgoing (needed to access websites)

iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT

HTTP Outgoing (needed to access websites)

iptables -A OUTPUT -p tcp --dport 80 --syn -m state --state NEW -j ACCEPT

iptables -A OUTPUT -p tcp --dport 443 --syn -m state --state NEW -j ACCEPT

SSH Outgoing

iptables -A OUTPUT -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT

Let all related connections in

iptables -A INPUT -m state --state INVALID -j DROP

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Let all related connections out

iptables -A OUTPUT -m state --state INVALID -j DROP

iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Set Default Policy

iptables -P INPUT DROP

iptables -P OUTPUT DROP

see also

first 5 minutes on a server: http://plusbryan.com/my-first-5-minutes-on-a-server-or-essential-security-for-linux-servers https://news.ycombinator.com/item?id=5316093

python+fabric+boto VPN w/ EC2 script: https://gist.github.com/jefftriplett/2591019

setup shell script: http://pastie.org/pastes/6376503/text

Securing Ubuntu http://joshrendek.com/2013/01/securing-ubuntu/

hackpad: https://randomfoo.hackpad.com/New-Server-Setup-Reasonably-Secure-Ubuntu-Box-0sYhnscKj8x

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment