This article describes the steps one can take to set up an Ubuntu 12.04 server with some basic security. I wrote the article as I was setting up such a server on Digital Ocean. However, I believe that these steps are applicable even if you are not using Digital Ocean.
The article assumes that you have root access to a remote Ubuntu 12.04 server and know its IP address. For the sake of this post, let us assume that the IP address of the server is 111.222.333.444.
Step 1: SSH into the server as root user.
Type the following and hit enter
ssh root@111.222.333.444
You will be shown an RSA key fingerprint and asked whether you want to continue connecting. Choose yes and hit enter. You will be prompted for your password. Enter the password and you will be logged into the server.
Step 2: Create a new user
Create a new user on this server. For security reasons it is best to access your server as a different user than the root user. Let us call the new user trialuser. You create this user using the command
adduser trialuser
and answering the questions that follow that command.
Step 3: Add the new user to the sudo group
Add the newly created user to the sudo group so that the user will have sudo privilege. This is done using the command:
usermod -a -G sudo trialuser
Note that since we are still logged in as the root user, we don't need to add sudo in front of the above commands.
Step 3: Logout from the root account and login as the trialuser
Logout of the root account and log back in as the trialuser using
ssh trialuser@111.222.333.444
Step 4: Install vim
We will need to make changes to various configuration files. For this I prefer to use the vim editor. If you don't want to use vim you can skip this step. Before installing vim run:
sudo apt-get update
sudo apt-get upgrade
After those two commands, run:
sudo apt-get install vim
Step 4: Disable root login and allow only trialuser to login
The next step is to secure your server by disabling the root login.
Open /etc/ssh/sshd_config using vim (sudo vim /etc/ssh/sshd_config). Find the line PermitRootLogin and change it from
PermitRootLogin yes
to
PermitRootLogin no
Also add the line
AllowUsers trialuser
at the bottom of the sshd_config file. This will ensure that only you, trialuser (remember to replace trialuser with your username), can log into the server.
The changes you made above will not take effect until you reload ssh. To do so, enter the command:
sudo reload ssh
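The two sshd_config edits above are easy to get subtly wrong by hand (a leftover "PermitRootLogin yes" further down the file, a second AllowUsers line, or a typo that stops sshd from starting). The following is an added example, not code from the original post or from OpenSSH: it applies both changes to a given file idempotently, checks the result, and only reloads sshd after sshd's own syntax check passes. The function names, their argument order and the temp-file approach are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the original post: apply the two sshd_config
# edits from the step above to a file and check the result before reloading.
# The function names, the argument order and the temp-file approach are this
# example's own choices, not anything from the post or from OpenSSH.
set -eu

# harden_sshd_config FILE USER
# Replaces every PermitRootLogin directive in FILE (including a commented-out
# default) with "PermitRootLogin no", appending one if none exists, and adds
# "AllowUsers USER" unless an AllowUsers line already names that user.
# Safe to run twice: the second run changes nothing.
harden_sshd_config() {
    hs_file="$1"
    hs_user="$2"
    hs_tmp="$(mktemp)"

    if grep -Eq '^[[:space:]]*#?[[:space:]]*PermitRootLogin[[:space:]]' "$hs_file"; then
        sed -E 's/^[[:space:]]*#?[[:space:]]*PermitRootLogin[[:space:]].*/PermitRootLogin no/' \
            "$hs_file" > "$hs_tmp"
    else
        cat "$hs_file" > "$hs_tmp"
        echo "PermitRootLogin no" >> "$hs_tmp"
    fi

    # Match USER as a whole word on an AllowUsers line, so trialuser2 does not count
    if ! grep -Eq "^[[:space:]]*AllowUsers([[:space:]]+[^[:space:]]+)*[[:space:]]+$hs_user([[:space:]]|\$)" "$hs_tmp"; then
        echo "AllowUsers $hs_user" >> "$hs_tmp"
    fi

    cat "$hs_tmp" > "$hs_file"
    rm -f "$hs_tmp"
}

# sshd_config_ok FILE USER
# Returns 0 when FILE disables root login and grants USER access via AllowUsers.
sshd_config_ok() {
    grep -Eq '^PermitRootLogin no$' "$1" &&
        ! grep -Eq '^[[:space:]]*PermitRootLogin[[:space:]]+yes' "$1" &&
        grep -Eq "^AllowUsers([[:space:]]+[^[:space:]]+)*[[:space:]]+$2([[:space:]]|\$)" "$1"
}

# reload_sshd_if_valid
# Runs sshd's own syntax check on the live config and only then reloads it, so
# a typo cannot leave the daemon unable to accept new sessions.
reload_sshd_if_valid() {
    sudo sshd -t -f /etc/ssh/sshd_config && sudo reload ssh
}
```

To use it on the server, source the file in a shell and run harden_sshd_config on a copy of /etc/ssh/sshd_config first (sshd_config_ok confirms the outcome), move the copy into place with sudo, then call reload_sshd_if_valid. Keep the SSH session you are already in open until a fresh login as trialuser from a second terminal succeeds; if it does not, the open session is what lets you undo the change.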
Step 5: Install fail2ban
fail2ban is an awesome utility which (amongst other things) bans IP addresses with repeated failed login attempts. This helps against brute force attacks on your server. To install fail2ban run:
sudo apt-get install fail2ban
According to the fail2ban installation guide on Digital Ocean, to configure fail2ban we must copy /etc/fail2ban/jail.conf to /etc/fail2ban/jail.local and make any configuration changes to the jail.local file.
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
You can make configuration changes to the /etc/fail2ban/jail.local file, such as changing bantime (the time for which an IP address is banned). You can find more information in the fail2ban article on Digital Ocean.
Once you have made the changes in the /etc/fail2ban/jail.local file, restart fail2ban for those changes to take effect by running:
sudo /etc/init.d/fail2ban restart
If you have a static IP address, you can add it to the ignoreip line in the file /etc/fail2ban/jail.local, so that fail2ban does not accidentally lock you out. If you have more than one IP address, separate them by spaces.
A couple of hours after your server is online, take a look at /var/log/fail2ban.log to see the pesky IP addresses that fail2ban has banned for attempting to break into your server.
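Reading /var/log/fail2ban.log by eye gets tedious once the log has a few hundred lines, and it is worth confirming that your own address really is on the ignoreip line before you rely on it. The following is an added example, not code from the original post or from the fail2ban project: it lists the addresses currently banned by the [ssh] jail, counts repeat offenders, and checks whether a given IP is covered by ignoreip in jail.local. The sample log lines are constructed here to approximate fail2ban 0.8's "[ssh] Ban <ip>" and "[ssh] Unban <ip>" messages, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: small helpers for reviewing
# /var/log/fail2ban.log and for confirming your own IP is on the ignoreip line.
# The sample log lines are constructed to approximate fail2ban 0.8's
# "[ssh] Ban <ip>" / "[ssh] Unban <ip>" messages; the function names are
# this example's own.
set -eu

# write_sample_log FILE: constructed log lines, a stand-in for /var/log/fail2ban.log
write_sample_log() {
    cat > "$1" <<'EOF'
2012-09-01 10:00:01,123 fail2ban.actions: WARNING [ssh] Ban 198.51.100.7
2012-09-01 10:05:12,456 fail2ban.actions: WARNING [ssh] Ban 203.0.113.42
2012-09-01 10:10:01,123 fail2ban.actions: WARNING [ssh] Unban 198.51.100.7
2012-09-01 10:12:44,789 fail2ban.actions: WARNING [ssh] Ban 198.51.100.7
2012-09-01 10:15:00,000 fail2ban.actions: WARNING [ssh] Ban 192.0.2.200
2012-09-01 10:25:00,000 fail2ban.actions: WARNING [ssh] Unban 203.0.113.42
EOF
}

# banned_ips LOG: IPs the [ssh] jail has banned and not yet unbanned, sorted.
banned_ips() {
    awk '/\[ssh\] Ban /   { banned[$NF] = 1 }
         /\[ssh\] Unban / { delete banned[$NF] }
         END { for (ip in banned) print ip }' "$1" | sort
}

# ban_counts LOG: "<count> <ip>" per IP, most-banned first. Repeat offenders
# are the ones a longer bantime (or a firewall rule) is meant for.
ban_counts() {
    awk '/\[ssh\] Ban / { n[$NF]++ }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# ignoreip_includes JAIL_LOCAL IP: returns 0 if IP is listed on the ignoreip
# line, which means fail2ban will never ban it. Dots in IP are escaped so that
# 203.0.113.5 does not match 203.0.113.50.
ignoreip_includes() {
    ii_re="$(printf '%s' "$2" | sed 's/\./\\./g')"
    grep -E '^[[:space:]]*ignoreip[[:space:]]*=' "$1" |
        grep -Eq "(=|[[:space:]])$ii_re([[:space:]]|\$)"
}
```

On the server, `banned_ips /var/log/fail2ban.log` and `ban_counts /var/log/fail2ban.log` give the picture the log is meant to show, and `ignoreip_includes /etc/fail2ban/jail.local <your-ip>` is a quick way to verify the edit from the paragraph above before you lean on it.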
Step 6: Setup SSH keys
On your local computer, navigate to the ~/.ssh folder. In this folder, see if there exist two files, id_rsa and id_rsa.pub. If so, you already have an SSH key and don't need to generate a new one.
If you don't see those two files, then you need to generate an SSH key. You can do so using the command:
ssh-keygen -t rsa
Enter the command and follow the instructions. If you accepted the default location for saving the key, you will find the files id_rsa and id_rsa.pub in your ~/.ssh folder.
Once you have your SSH key, to use it with the server add the public key (id_rsa.pub) to the ~/.ssh/authorized_keys file on your server. As noted in the Digital Ocean article, you can use either of the following two commands to do this:
ssh-copy-id trialuser@111.222.333.444
or
cat ~/.ssh/id_rsa.pub | ssh trialuser@111.222.333.444 "cat >> ~/.ssh/authorized_keys"
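The second command above appends blindly: run it twice and the key is in authorized_keys twice, and it does nothing about permissions, which sshd checks (a group- or world-writable ~/.ssh or authorized_keys is silently ignored, so the key login fails). The following is an added example, not code from the original post or from the Digital Ocean article, that does the server-side part of what ssh-copy-id does: it creates ~/.ssh and authorized_keys with the right permissions and appends a key only if its key material is not already present. The function names and the HOME_DIR argument are this example's own choices, and the keys used in the test are constructed placeholders, not real key material.

```shell
#!/bin/sh
# Added example, not part of the original post or of the Digital Ocean article:
# a stand-in for what ssh-copy-id does on the server side. Unlike the plain
# "cat >> authorized_keys" command it never appends the same key twice and it
# sets the permissions sshd expects (700 on ~/.ssh, 600 on the file).
# The function names and the HOME_DIR argument are this example's own choices.
set -eu

# key_id PUBKEY_LINE: the "type base64" part of a public key line, no comment
key_id() {
    printf '%s\n' "$1" | awk '{ print $1 " " $2 }'
}

# authorized_key_present AUTH_FILE PUBKEY_FILE: 0 if the key is already there,
# comparing type and key material only, so a changed comment does not matter.
authorized_key_present() {
    akp_want="$(key_id "$(cat "$2")")"
    awk -v want="$akp_want" '
        /^[[:space:]]*#/ { next }              # skip comment lines
        NF < 2           { next }              # skip blank or malformed lines
        { if (($1 " " $2) == want) found = 1 }
        END { exit !found }' "$1"
}

# install_authorized_key PUBKEY_FILE HOME_DIR
# Creates HOME_DIR/.ssh/authorized_keys with safe permissions and appends the
# key from PUBKEY_FILE once. On the server, HOME_DIR is your own $HOME and
# PUBKEY_FILE is the id_rsa.pub you copied across.
install_authorized_key() {
    iak_ssh_dir="$2/.ssh"
    iak_auth="$iak_ssh_dir/authorized_keys"
    mkdir -p "$iak_ssh_dir"
    chmod 700 "$iak_ssh_dir"
    touch "$iak_auth"
    chmod 600 "$iak_auth"
    if ! authorized_key_present "$iak_auth" "$1"; then
        # printf normalises a missing trailing newline in the source file
        printf '%s\n' "$(cat "$1")" >> "$iak_auth"
    fi
}

# authorized_key_count AUTH_FILE: number of key lines, for a quick sanity check
authorized_key_count() {
    grep -Ec '^(ssh-|ecdsa-)' "$1" || true
}
```

After installing the key, open a second terminal and confirm that ssh trialuser@111.222.333.444 logs you in without a password prompt before you close the session you are already in; the existing session is your way back if something about the key or the permissions is wrong.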
Your server is now set up with some basic security. You can certainly make it more secure. I will leave it to you to explore those options.