wiki:Security

Here are the security measures that were followed while setting up the dev server -

Add user a/c and authorize their public keys

The root account should not be accessible to anyone, so the first thing to do is create one or more user accounts and authorize their public keys.

$ adduser user
$ mkdir /home/user/.ssh
$ nano /home/user/.ssh/authorized_keys

Then paste the user's public key there and save.

Allow the users to use sudo

From the terminal, run the command visudo (install the sudo package first if it says it can't find sudo). Then add the following lines and save -

# User privilege specification
root    ALL=(ALL:ALL) ALL
user    ALL=(ALL) NOPASSWD: ALL

The NOPASSWD tag lets the user run sudo without entering a password.

Allow selected users to login via SSH

Add the following line at the end of the /etc/ssh/sshd_config file -

AllowUsers user user1 user2

Disable login with password via SSH

You'll find these two lines in that same sshd_config file you edited earlier -

# Change to no to disable tunnelled clear text passwords
# PasswordAuthentication yes

Change them to this -

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no

Run SSH on a different port

Port 22 is the default SSH port and therefore gets the most automated scanning and brute-force attempts, so move SSH to a different port. Find this option in the same sshd_config file mentioned above -

# What ports, IPs and protocols we listen for
Port 1234
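The three sshd_config edits above (AllowUsers, PasswordAuthentication, Port) are easy to get subtly wrong: sshd takes the first occurrence of a keyword and ignores later duplicates, and a commented-out line is not a setting at all, so the compiled-in default applies. The following audit script is an added example, not part of this wiki page or of OpenSSH; it resolves the effective value of each keyword with those rules and compares it with what this page's steps should leave in place. The expected port and user list are assumptions taken from the examples on this page, and the sample config files are constructed.

```python
"""Audit an sshd_config for the settings this page changes.

Added example, not part of the original wiki page. It resolves the
*effective* value of each keyword the way sshd does: the first
occurrence of a keyword wins, a commented-out line ("# Foo yes") is
not a setting at all, and an absent keyword falls back to sshd's
compiled-in default. EXPECTED is an assumption: the port and users
used in the examples on this page.
"""

# sshd defaults for the keywords we care about (see sshd_config(5)).
SSHD_DEFAULTS = {
    "port": "22",
    "passwordauthentication": "yes",
    "allowusers": None,       # unset: every account may log in
}

# What this page's hardening steps should leave in place (assumption).
EXPECTED = {
    "port": "1234",
    "passwordauthentication": "no",
    "allowusers": "user user1 user2",
}


def effective_settings(config_text):
    """Return {keyword: value} with sshd's first-match-wins semantics.

    Keywords are case-insensitive. Everything after the first "Match"
    line is conditional and ignored here, because this page does not
    use Match blocks and the global settings are what the audit needs.
    """
    settings = dict(SSHD_DEFAULTS)
    seen = set()
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank or comment: no effect on sshd
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        keyword, value = parts[0].lower(), parts[1].strip()
        if keyword == "match":
            break                         # conditional section: stop the global audit
        if keyword in seen:
            continue                      # later duplicates are ignored by sshd
        seen.add(keyword)
        if keyword in settings:
            settings[keyword] = value
    return settings


def audit(config_text):
    """Return a list of human-readable findings; an empty list means all good."""
    actual = effective_settings(config_text)
    findings = []
    for key, wanted in EXPECTED.items():
        got = actual[key]
        if key == "allowusers" and got is not None:
            # the order of user names does not matter to sshd
            got = " ".join(sorted(got.split()))
            wanted = " ".join(sorted(wanted.split()))
        if got != wanted:
            findings.append("%s is %r, expected %r" % (key, got, wanted))
    return findings


# Constructed sample: the stock file after the page's edits, but with
# the common mistake of appending a second PasswordAuthentication line
# at the end instead of editing the original one. sshd keeps the first.
SAMPLE_BAD = """\
# What ports, IPs and protocols we listen for
Port 1234
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication yes
AllowUsers user user1 user2
PasswordAuthentication no
"""

# Same file with the original line edited in place, as the page says to do.
SAMPLE_GOOD = SAMPLE_BAD.replace("PasswordAuthentication yes",
                                 "PasswordAuthentication no", 1)

if __name__ == "__main__":
    for name, text in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(name, audit(text) or "OK")
```

On the server itself, sshd -T prints the configuration sshd actually uses and is the authoritative check; the script reproduces the same resolution for a copy of the file you can read offline, for example before pushing it to the box.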

Install and setup fail2ban

Install fail2ban first -

$ sudo aptitude install fail2ban

Then create the file /etc/fail2ban/jail.local and add the following configuration -

[ssh]
enabled  = true
# same port you configured SSH with earlier
port     = 1234
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6
# a negative bantime means the ban never expires
bantime  = -1
# email address that should be notified about bans
destemail = mail-us-here@klp.org.in
# ban, then mail a report with whois output and the matching log lines
action   = %(action_mwl)s

Settings in /etc/fail2ban/jail.local override the ones in /etc/fail2ban/jail.conf, and jail.conf is overwritten whenever the fail2ban package is upgraded, which is why the customisations go in jail.local. Note that fail2ban only recognises comments on their own line (or inline after " ;"), so keep the explanatory comments above out of the value itself.

If you need to unban an IP, execute this (ssh is the jail name from jail.local) -

sudo fail2ban-client set ssh unbanip xx.xx.xx.xx
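To see what the jail above actually does with the log, here is an added example (not part of this wiki page and not fail2ban's own code) that applies the same thresholds to auth.log lines: it counts failed SSH logins per source IP and reports the IPs that reach maxretry = 6 inside a findtime window (fail2ban's default of 10 minutes is assumed). The log lines are constructed, and the two regexes are an assumption about the common OpenSSH failure messages rather than a copy of fail2ban's sshd filter.

```python
"""Count failed SSH logins per source IP the way the fail2ban sshd jail
on this page does, and report which IPs would be banned.

Added example, not part of the original wiki page or of fail2ban. The
regexes are assumptions covering the two most common OpenSSH failure
messages; the sample log is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

MAXRETRY = 6          # same as jail.local above
FINDTIME_SECONDS = 600  # fail2ban's default findtime (assumption: unchanged)

# syslog prefix as written to /var/log/auth.log:
# "Nov 25 11:20:21 host sshd[1234]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")
FAIL_RES = [
    re.compile(r"^Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"),
    re.compile(r"^Invalid user \S+ from (?P<ip>\S+)"),
]


def parse_failures(lines, year=2013):
    """Yield (timestamp, ip) for every line that records a failed login."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        for pat in FAIL_RES:
            f = pat.match(m.group("msg"))
            if f:
                # syslog timestamps carry no year; the caller supplies one
                ts = datetime.strptime("%d %s" % (year, m.group("ts")),
                                       "%Y %b %d %H:%M:%S")
                yield ts, f.group("ip")
                break


def ips_to_ban(lines, maxretry=MAXRETRY, findtime_seconds=FINDTIME_SECONDS):
    """Return the set of IPs with >= maxretry failures inside any findtime window."""
    findtime = timedelta(seconds=findtime_seconds)
    per_ip = defaultdict(list)
    for ts, ip in parse_failures(lines):
        per_ip[ip].append(ts)
    banned = set()
    for ip, times in per_ip.items():
        times.sort()
        # sliding window: the i-th failure and the one (maxretry-1) before it
        # must fall inside findtime for the jail to trigger
        for i in range(maxretry - 1, len(times)):
            if times[i] - times[i - maxretry + 1] <= findtime:
                banned.add(ip)
                break
    return banned


# Constructed sample log (documentation-range addresses):
#  203.0.113.5  -> 7 failures in 12 seconds: banned
#  198.51.100.7 -> 2 failures then a successful key login: not banned
#  198.51.100.9 -> 6 failures spread over 30 minutes: outside findtime, not banned
SAMPLE_LOG = """\
Nov 25 11:20:01 dev sshd[2101]: Invalid user admin from 203.0.113.5
Nov 25 11:20:03 dev sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Nov 25 11:20:05 dev sshd[2103]: Failed password for root from 203.0.113.5 port 51023 ssh2
Nov 25 11:20:07 dev sshd[2105]: Failed password for root from 203.0.113.5 port 51024 ssh2
Nov 25 11:20:09 dev sshd[2107]: Failed password for root from 203.0.113.5 port 51025 ssh2
Nov 25 11:20:11 dev sshd[2109]: Failed password for root from 203.0.113.5 port 51026 ssh2
Nov 25 11:20:13 dev sshd[2111]: Failed password for root from 203.0.113.5 port 51027 ssh2
Nov 25 11:21:00 dev sshd[2113]: Failed password for user from 198.51.100.7 port 40001 ssh2
Nov 25 11:21:10 dev sshd[2115]: Failed password for user from 198.51.100.7 port 40002 ssh2
Nov 25 11:21:30 dev sshd[2117]: Accepted publickey for user from 198.51.100.7 port 40003 ssh2
Nov 25 11:00:00 dev sshd[2001]: Failed password for root from 198.51.100.9 port 30001 ssh2
Nov 25 11:06:00 dev sshd[2003]: Failed password for root from 198.51.100.9 port 30002 ssh2
Nov 25 11:12:00 dev sshd[2005]: Failed password for root from 198.51.100.9 port 30003 ssh2
Nov 25 11:18:00 dev sshd[2007]: Failed password for root from 198.51.100.9 port 30004 ssh2
Nov 25 11:24:00 dev sshd[2009]: Failed password for root from 198.51.100.9 port 30005 ssh2
Nov 25 11:30:00 dev sshd[2011]: Failed password for root from 198.51.100.9 port 30006 ssh2
"""

if __name__ == "__main__":
    print("would ban:", sorted(ips_to_ban(SAMPLE_LOG.splitlines())))
    # pass a file object to run it over a real log: ips_to_ban(open("/var/log/auth.log"))
```

The slow attacker (198.51.100.9) shows why findtime matters as much as maxretry: six attempts spaced six minutes apart never trip the default window, so if that pattern shows up in the report you would raise findtime in jail.local rather than lower maxretry.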

Block incoming connection to all ports except the ones we need

Install the iptables-persistent package; it saves the iptables rules and restores them on reboot.

Then edit /etc/iptables/rules.v4 to change the IPv4 rules. The file looks something like this -

# Generated by iptables-save v1.4.14 on Mon Nov 25 11:20:21 2013
*mangle
:PREROUTING ACCEPT [651:62571]
:INPUT ACCEPT [505:50172]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [290:45302]
:POSTROUTING ACCEPT [290:45302]
COMMIT
# Completed on Mon Nov 25 11:20:21 2013
# Generated by iptables-save v1.4.14 on Mon Nov 25 11:20:21 2013
*nat
:PREROUTING ACCEPT [149:12583]
:INPUT ACCEPT [1:64]
:OUTPUT ACCEPT [2:110]
:POSTROUTING ACCEPT [2:110]
COMMIT
# Completed on Mon Nov 25 11:20:21 2013
# Generated by iptables-save v1.4.14 on Mon Nov 25 11:20:21 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [118:19671]
:fail2ban-ssh - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# PostgreSQL; add -s <trusted address> if the database need not be reachable from everywhere
-A INPUT -p tcp -m tcp --dport 5432 -j ACCEPT
# SSH on the non-default port set in sshd_config; without this rule the
# final DROP below locks you out of the box as soon as the rules load
-A INPUT -p tcp -m tcp --dport 1234 -j ACCEPT
-A INPUT -j DROP
# fail2ban creates and manages this chain and inserts its own jump to it from INPUT when it starts
-A fail2ban-ssh -j RETURN
COMMIT
# Completed on Mon Nov 25 11:20:21 2013

After editing the file, restart the iptables-persistent service (sudo service iptables-persistent restart) so the new rules are loaded.
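Because iptables evaluates the INPUT chain top to bottom and stops at the first terminal target, the order of the rules above matters: any ACCEPT placed after the catch-all "-j DROP" is dead, and a port that is simply missing (the SSH port is the one people forget) is blocked without any warning until the next login attempt fails. The following is an added example, not part of this wiki page or of iptables-persistent: it parses a rules.v4 dump, walks the filter table's INPUT chain in first-match order, and reports which TCP ports a fresh external connection can reach, plus whether the SSH port is among them. It only understands the rule shapes used on this page and reports anything else as unknown rather than guessing; the sample rulesets are constructed from the dump above.

```python
"""Work out which TCP ports an iptables-save dump really accepts for new
incoming connections, and whether the SSH port is one of them.

Added example, not part of the original wiki page. Walks the INPUT chain
of the *filter table in first-match order; only the rule shapes used on
this page are understood, everything else is returned as "unknown".
"""
import re

DPORT_RE = re.compile(r"--dports? (\S+)")   # --dport 80 or --dports 80,443
JUMP_RE = re.compile(r"-j (\S+)")


def input_rules(rules_v4):
    """Return the INPUT chain rules of the *filter table, in file order."""
    rules, table = [], None
    for raw in rules_v4.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            table = line[1:]                    # *filter, *nat, *mangle
        elif line == "COMMIT":
            table = None
        elif table == "filter" and line.startswith("-A INPUT "):
            rules.append(line)
    return rules


def open_tcp_ports(rules_v4):
    """Return (accepted_ports, unknown_rules).

    accepted_ports: TCP ports a new connection from outside reaches an
    ACCEPT for before a catch-all DROP/REJECT ends evaluation.
    unknown_rules: INPUT rules this parser cannot classify, e.g. jumps to
    a user-defined chain, which you must check by hand.
    """
    accepted, dropped, unknown = set(), set(), []
    for rule in input_rules(rules_v4):
        jump = JUMP_RE.search(rule)
        target = jump.group(1) if jump else None
        if "--state" in rule or "-i lo" in rule:
            continue          # existing connections / loopback: not a new external connection
        ports = DPORT_RE.search(rule)
        port_set = {int(p) for p in ports.group(1).split(",")} if ports else set()
        if target == "ACCEPT" and ports and "-p tcp" in rule:
            accepted.update(port_set - dropped)   # a port dropped earlier never gets here
        elif target in ("DROP", "REJECT"):
            if not ports:
                break         # catch-all: nothing after this rule is reachable
            dropped.update(port_set)
        else:
            unknown.append(rule)
    return accepted, unknown


def ssh_reachable(rules_v4, ssh_port):
    """True if a new TCP connection to ssh_port is accepted by the INPUT chain."""
    return ssh_port in open_tcp_ports(rules_v4)[0]


# Constructed sample: the filter table from the dump on this page, before
# the SSH rule was added. The *nat table is included to show that only
# the filter table's INPUT chain is considered.
SAMPLE_RULES = """\
*nat
:PREROUTING ACCEPT [149:12583]
:POSTROUTING ACCEPT [2:110]
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [118:19671]
:fail2ban-ssh - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5432 -j ACCEPT
-A INPUT -j DROP
-A fail2ban-ssh -j RETURN
COMMIT
"""

# Same ruleset with the SSH port accepted before the DROP, plus the jump
# fail2ban inserts into INPUT at start-up (reported as unknown: it is a
# user chain whose effect depends on fail2ban's runtime state).
FIXED_RULES = SAMPLE_RULES.replace(
    "-A INPUT -j DROP",
    "-A INPUT -p tcp -m multiport --dports 1234 -j fail2ban-ssh\n"
    "-A INPUT -p tcp -m tcp --dport 1234 -j ACCEPT\n"
    "-A INPUT -j DROP")

if __name__ == "__main__":
    for name, rules in (("page dump", SAMPLE_RULES), ("with ssh rule", FIXED_RULES)):
        ports, unknown = open_tcp_ports(rules)
        print(name, "accepts", sorted(ports), "ssh reachable:", ssh_reachable(rules, 1234),
              "unknown rules:", unknown)
```

Run it against a copy of /etc/iptables/rules.v4 before restarting iptables-persistent (open("/etc/iptables/rules.v4").read()); if ssh_reachable() is False for the port in sshd_config, fix the file before loading it, or keep a second session open while you test.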

Last modified on 11/28/13 21:45:08