Secure Configuration for Ubuntu 14.04 LTS

Need a nice Linux server to experiment and hack away? The nice fellows at Digital Ocean have made this straightforward and very cheap. The smallest droplet is only 5 USD/month, and if you use this link to sign up, you get 10 USD credit!

Here is my short guide to setting up a bare-bones droplet in a secure way. It can be done in less than 10 minutes, even when drinking one or more beers at the same time!

Create the droplet

Sign on to Digital Ocean and do the following to create your droplet.

  1. Choose 5 USD or more if you have cash to burn.
  2. Choose your location. This should be close to you, or close to the users of the site.
  3. Choose whether to enable back-ups, or save some money if this is just a test system.
  4. Choose Ubuntu 14.04 LTS x64 distribution. Many more distributions are available if you need them.
  5. No need for SSH keys. This will give you headaches when you need to sign on from different machines.
  6. Click Create Droplet.

As a result the root password is sent in the clear by email. This must be changed at first sign-on.

The resulting IP address will be shown in the DigitalOcean interface, as well as in the email received. Make note of it. (example: 128.199.117.115)

Sign on using SSH

On Windows, use PuTTY with the given root password and IP address. You will be forced to change the password; choose a very long one.

Update the droplet

As root, execute the following steps to update the system to the latest secure version:

apt-get update
apt-get upgrade
apt-get autoremove

Make the droplet auto-update

dpkg-reconfigure --priority=low unattended-upgrades

Note: the above will not automatically reboot the server, which is fine for my purposes.

Keep the correct time

Set the time-zone (e.g. Asia/Singapore):

dpkg-reconfigure tzdata

Automatically synchronize the time with standard time-servers as follows:

apt-get install ntp

Provide swap space

Although not recommended by DigitalOcean, add a swapfile of 1 GB (you will have 20 GB disk space available). This will give you the necessary space to compile some stuff:

fallocate -l 1G /swapfile
chmod 600 /swapfile
mkswap /swapfile
swapon /swapfile

Make the swapfile permanent by editing the /etc/fstab file:

nano /etc/fstab

Enter as last line:

 /swapfile   none    swap    sw    0   0

Press CTRL-O to write the file and CTRL-X to exit.

For performance reasons, it is better not to swap early, but only as a last resort. Enter the following command to make that possible:

sysctl vm.swappiness=10

Make that setting permanent by editing the /etc/sysctl.conf file.

nano /etc/sysctl.conf

At the bottom add:

vm.swappiness=10

Again press CTRL-O to write the file and CTRL-X to exit.

Harden the droplet

In order to make it more difficult to attack your server, the following will be done:

  • move the SSH port (22) to another port (e.g. 6666). This will not block a targeted attack, but will keep out a lot of malicious systems that try to brute-force the password on the standard SSH port (22).
  • block attempts to brute-force the password after 5 failures with fail2ban
  • add a regular non-root user
  • disable SSH login as root

Move the SSH port to port 6666

Execute the following as root:

nano /etc/ssh/sshd_config

Modify the config to read:

Port 6666

Save and exit. Restart the SSHD daemon with:

service ssh restart

Sign on again as root, but now use port 6666 in your SSH client software.

Block brute-force attempts

We use fail2ban to make brute-forcing harder:

apt-get -y install fail2ban

That is all; the default config takes care of everything.

Configure iptables

We only need the ports 80 (HTTP), 443 (HTTPS) and 6666 (SSH) open to the internet. You can remove the lines with "80" and "443" if you do not plan to have a web server running.

This is done by modifying the iptables configuration.

First we will make certain that all local traffic is accepted.

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -d 127.0.0.0/8 -j REJECT

Then allow all existing connections:

iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

Allow the needed ports:

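iptables -A INPUT -p tcp --dport 6666 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Drop everything not accepted above; the INPUT policy is ACCEPT, so without this rule nothing is filtered
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP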

Make those rules persistent using the package iptables-persistent.

apt-get install iptables-persistent
service iptables-persistent start
/etc/init.d/iptables-persistent save
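
A chain made only of ACCEPT rules filters nothing unless its policy is DROP or it ends in a catch-all DROP/REJECT rule. The following added example (not part of the original guide) checks that on `iptables -S INPUT` output; the function names and both sample rulesets are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): audit `iptables -S INPUT`
# output read from stdin.

# input_verdict -> "default-deny" if packets matching no rule are dropped
# (policy DROP, or an unconditional DROP/REJECT rule), else "default-accept".
input_verdict() {
    awk '
        $1 == "-P" && $2 == "INPUT" { policy = $3 }
        # Unconditional rule: "-A INPUT -j TARGET"; the first one decides.
        $1 == "-A" && $2 == "INPUT" && $3 == "-j" && !seen {
            seen = 1
            if ($4 == "DROP" || $4 == "REJECT") catchall = 1
        }
        END {
            if (policy == "DROP" || catchall) print "default-deny"
            else print "default-accept"
        }'
}

# open_tcp_ports -> space-separated --dport values of the ACCEPT rules.
open_tcp_ports() {
    awk '$1 == "-A" && $2 == "INPUT" && $NF == "ACCEPT" {
             for (i = 3; i < NF; i++)
                 if ($i == "--dport") printf "%s ", $(i + 1)
         }' | sed 's/ $//'
}

# Constructed sample: ACCEPT rules only, chain policy left at ACCEPT.
accept_only() { cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6666 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
EOF
}
# Constructed sample: the same rules followed by a catch-all DROP.
with_catchall() { accept_only; echo "-A INPUT -j DROP"; }

echo "accept-only ruleset:   $(accept_only | input_verdict)"
echo "with catch-all DROP:   $(with_catchall | input_verdict)"
echo "ports accepted:        $(with_catchall | open_tcp_ports)"
# On the droplet itself: iptables -S INPUT | input_verdict
```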

Create the non-root user

Use the following commands to create a user with the name fakeuser:

adduser --shell /bin/bash fakeuser   

Give the user SUDO (root) powers as follows:

adduser fakeuser sudo

Make certain to log out and verify that it is possible to sign on with the freshly created user. Sign off again, and sign on as root.

Disable (SSH) login for root

As root, execute the following:

nano /etc/ssh/sshd_config

Modify the config to read:

PermitRootLogin no 

Save and exit. Restart the SSHD daemon with:

service ssh restart

Sign off, and try to sign on as root. This should fail. Sign on with your newly created user (e.g. "fakeuser").
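
A check for the two sshd_config edits made in this guide (Port and PermitRootLogin), as an added example that is not part of the original guide. It relies on sshd's documented behaviour that the first value found for a keyword is used, while every Port line adds a listening port; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): report the values sshd will
# actually use for the two directives changed in this guide.

# effective_sshd KEYWORD FILE -> effective global value(s), one per line.
# Keywords are case-insensitive. The first occurrence wins, except Port:
# every Port line is honoured. Parsing stops at the first Match block.
effective_sshd() {
    awk -v key="$1" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ || NF == 0 { next }     # comments and blank lines
        tolower($1) == "match" { exit }    # conditional section starts
        tolower($1) == key { print $2; if (key != "port") exit }
    ' "$2"
}

# check_hardening FILE PORT -> returns 0 only if sshd listens solely on
# PORT and refuses root logins; prints one line per problem otherwise.
check_hardening() {
    rc=0
    ports=$(effective_sshd Port "$1" | tr '\n' ' ' | sed 's/ $//')
    if [ -z "$ports" ]; then ports=22; fi  # sshd default when unset
    if [ "$ports" != "$2" ]; then
        echo "FAIL: sshd listens on port(s) $ports, expected only $2"
        rc=1
    fi
    root=$(effective_sshd PermitRootLogin "$1")
    if [ "$root" != "no" ]; then
        echo "FAIL: PermitRootLogin is '${root:-unset}', expected 'no'"
        rc=1
    fi
    return $rc
}

# Constructed sample: the new lines were appended at the bottom while the
# original lines were left in place, so the edit only half works.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sshd_config excerpt
Port 22
PermitRootLogin without-password
Port 6666
PermitRootLogin no
EOF
check_hardening "$sample" 6666 || echo "sample config is not hardened"
# On the droplet itself: check_hardening /etc/ssh/sshd_config 6666
```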

Relax

After this, reboot the server and grab another cold beer:

sudo reboot

After the beer

Congrats! You can hack away at your server and install whatever you want.

Some notes

If security updates need a reboot, you will see a warning at sign-on. Immediately reboot when you see that message.

 sudo reboot

Make it a habit to perform the following at every sign-on, just in case there were problems with the automatic updates:

  sudo apt-get update
  sudo apt-get upgrade
  sudo apt-get autoremove

Herman Stevens

Just some guy on the internet. Loves technology, diving, travelling, photography and Belgian Trappist beers.