Servers 101: Basic Server Security Part 2

in #tutorial, 8 years ago (edited)


Image courtesy of wizblog.it

In the previous post of this series, we learned how to add a standard user, loosely explained the differences between a standard user and an administrator, learned about su and sudo, disabled root user logins on SSH and finally we changed the SSH port.

In this post we will add a simple firewall, install fail2ban and configure both. It will take some time, so let's carry on:


Firewalls!

There are many software firewall solutions available. The easiest to deal with is ufw (which literally stands for Uncomplicated Firewall), and that's what we will use. Alternatives are: IPTables (most software firewalls use IPTables as their backend, in fact ufw does so as well, but it is complicated for newbies) and NFTables (which promises to be a little less complicated than IPTables, and is probably already installed on your machine).

Why ufw? It's the simplest, and does the job great for a beginner. Let's install it first:

sudo apt-get install ufw

As always, you will be asked for your password to install it. A couple of seconds later, you will be ready. The first thing to do is to check whether ufw is running. Run this command:

sudo ufw status

As we have just installed ufw, the reply is probably this:

Status: inactive


Configuring UFW for IPv6 (optional)

If your server is IPv6 enabled, then we will have to enable it on ufw. If you don't have IPv6, skip to the next section.

We will edit the config file of ufw:

sudo nano /etc/default/ufw

Locate the line starting with IPv6. In the latest versions of Debian it is set to "yes" by default, but it's better to double-check than to assume that it's enabled.

If the line reads "IPv6=no", change to "IPv6=yes". Control+X to close, Y to confirm, and enter to save and exit.


Starting UFW

Starting and stopping UFW is very simple. Just type

sudo ufw enable

to start the firewall, or

sudo ufw disable

to stop the firewall. Stopping the firewall is effectively removing the rules from IPTables, and starting it is adding the rules to IPTables.

Right now, though, we have no rules: all incoming and outgoing connections are allowed.


Our first, second and third UFW rules

The first rule would be to deny all incoming connections. We don't want anyone fiddling around with our system. For those of you who ask about SSH, we will add a rule later to allow connections to the SSH port.

sudo ufw default deny incoming

Now we are at a crossroads. Do you want to allow outgoing connections? You probably do, so run this:

sudo ufw default allow outgoing

Otherwise, you can deny all outgoing connections as well:

sudo ufw default deny outgoing

This will make the server a lot more restricted, and you won't be able to do anything that requires internet access.

Last, but not least, we will allow connections to the SSH port. Most tutorials simply use the "SSH" service name instead of the port number, but if you have changed the port, that rule will lock you out of your server.

The correct rule is: ufw allow portnumber/tcp

So if for example, you changed the SSH port to 19822, the rule is:

sudo ufw allow 19822/tcp

And now that we have created our base firewall rules, we enable the firewall as I told you above: sudo ufw enable
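The three base rules above only work in that order: the SSH allow rule has to exist before the firewall is enabled, and the port in that rule has to match what sshd actually listens on. The following script is an added example (not code from the post or from ufw) that reads the Port keyword(s) from sshd_config, builds the same command sequence the post uses, and prints it (or runs it with --apply). The function names, the --apply flag and the fallback config text are this example's own assumptions.

```python
#!/usr/bin/env python3
"""Plan the base ufw rule set from this post in a lock-out-safe order.

Added example, not code from the original post or from ufw. It reads the
`Port` keyword(s) from an sshd_config so the SSH allow rule is always created
before `ufw enable` runs. Function names and the --apply flag are this
example's own assumptions.
"""
import re
import subprocess
import sys
from pathlib import Path
from typing import List

# sshd_config lets a keyword and value be separated by whitespace or by "=".
_KEYWORD_RE = re.compile(r"^\s*([A-Za-z]+)\s*=?\s*(\S+)")


def ssh_ports(sshd_config_text: str) -> List[int]:
    """Return every port sshd will listen on.

    `Port` may appear several times (sshd listens on all of them); when it is
    absent or only commented out, sshd uses 22. Comments are stripped first.
    """
    ports: List[int] = []
    for raw in sshd_config_text.splitlines():
        line = raw.split("#", 1)[0]
        m = _KEYWORD_RE.match(line)
        if m and m.group(1).lower() == "port" and m.group(2).isdigit():
            port = int(m.group(2))
            if 0 < port < 65536 and port not in ports:
                ports.append(port)
    return ports or [22]


def ufw_plan(ports: List[int], allow_outgoing: bool = True) -> List[List[str]]:
    """Build the command sequence: default policies, SSH allow rule(s), enable.

    The SSH rule is deliberately placed before `enable`; enabling with only
    `default deny incoming` would cut off the session you are typing in.
    """
    plan = [
        ["ufw", "default", "deny", "incoming"],
        ["ufw", "default", "allow" if allow_outgoing else "deny", "outgoing"],
    ]
    plan += [["ufw", "allow", f"{port}/tcp"] for port in ports]
    plan.append(["ufw", "--force", "enable"])  # --force skips the yes/no prompt
    return plan


def run_plan(plan: List[List[str]], apply: bool = False) -> None:
    """Print the plan; with apply=True run each command through sudo."""
    for cmd in plan:
        print(("+ " if apply else "  ") + "sudo " + " ".join(cmd))
        if apply:
            subprocess.run(["sudo", *cmd], check=True)


if __name__ == "__main__":
    cfg = Path("/etc/ssh/sshd_config")
    # Constructed fallback so the script also prints a plan without sshd present.
    text = cfg.read_text() if cfg.exists() else "Port 19822\n"
    run_plan(ufw_plan(ssh_ports(text)), apply="--apply" in sys.argv)
```

Run it once without arguments to review the plan, then with --apply from the same SSH session; afterwards sudo ufw status should list the allow rule for your port. One caveat: newer OpenSSH releases can pull settings from drop-in files via an Include directive, and this script only reads the main sshd_config, so check the printed port against the one you actually connect on.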


MOAR rules. Not really, just some more UFW info

No, I won't write more rules for you, as only you know what services you want running on your server.

If, for example, you change the SSH port from 19822 to 39582, you will have to delete the old SSH port rule, and create a new one. It's just 2 commands:

sudo ufw delete allow 19822/tcp
sudo ufw allow 39582/tcp

Also, if the service you want to whitelist is using UDP protocol instead of TCP, change /tcp to /udp.

If you want to review the status of ufw and what rules you have configured, you simply run sudo ufw status

Made a mistake? sudo ufw reset will remove ALL the rules. If you block yourself out, though, the only way to regain access is the console of your provider, and that is usually only provided for VPSes. If it is a dedicated server, you'll have to ask your provider for a serial console (if available) or KVM access, which most providers charge for, so be careful.


fail2ban: detecting and blocking SSH logins

If someone wants to get into your server, the first point of entry they will try is your SSH service. You won't believe how many people use very simple passwords to (in)secure their servers.

You might notice a lot of failed attempts to log in to your server, as there is a finite number of IP addresses. One way to combat that is to use fail2ban, a little piece of software that monitors your log files and, if it identifies someone trying to log in repeatedly with a wrong password, bans the IP for the time window you define (by default 10 minutes).

Now, we are going to install fail2ban:

sudo apt-get install fail2ban

fail2ban's default config file is "jail.conf", but it gets overwritten on every update. The best way to configure fail2ban is to create a copy named "jail.local". We will copy everything and comment everything out, then uncomment only what we will use.

awk '{ printf "# "; print; }' /etc/fail2ban/jail.conf | sudo tee /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local

I will only show you how to configure SSH on a non-standard port. There are predefined rules for apache, nginx and some other very popular software; you can just uncomment their configuration.

Note: Control+W in nano brings up the search function. Type in JAILS, for example, and press Enter. Pressing Control+W and Enter again repeats the search for the last term.

First, we will locate the bantime variable at around line 59. Uncomment it (remove the # from the front) and change the "600" (or whatever there is after the equals sign) to the time of your liking. It is in seconds, so 600 seconds equal 10 minutes. I'll leave it at this.

Then, a few lines below, you will see maxretry. If you think 5 retries is very relaxed, remove the # from the front and change it to whatever you like. I recommend a minimum of 3 and a maximum of 6.

Using the search method I told you above, locate the [sshd] area (or "jail" as fail2ban names them). It should read:

# #
# # JAILS
# #
#
# #
# # SSH servers
# #
#
# [sshd]
#
# port    = ssh
# logpath = %(sshd_log)s
# backend = %(sshd_backend)s

Uncomment EVERYTHING from [sshd] to "backend", and add a line "enabled = true".
Also, you'll need to change "port = ssh" to "port = yoursshport".
If your SSH port is 29322, your end result should be this:

# #
# # JAILS
# #
#
# #
# # SSH servers
# #
#
[sshd]

port    = 29322
logpath = %(sshd_log)s
backend = %(sshd_backend)s
enabled = true

Then run sudo service fail2ban restart and you should be good to go!
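To see what the bantime and maxretry values you just set actually do, here is an added example (not fail2ban's code and not part of the original post) that replays a few constructed sshd log lines through a small model of the [sshd] jail. It also uses fail2ban's findtime option, the window inside which maxretry failures have to land; the post leaves it at its default. The IPs are documentation-range addresses, the regex only recognises the "Failed password" line, and all class and function names are this example's own.

```python
#!/usr/bin/env python3
"""Replay what a fail2ban [sshd] jail does with a few auth-log lines.

Added example; this is not fail2ban's own code and not from the original
post. It models bantime and maxretry (the two options the post sets) plus
fail2ban's findtime option. The log lines are constructed and the regex only
covers the "Failed password" form, not the full sshd filter fail2ban ships.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Tuple

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)


def parse_ts(ts: str, year: int = 2024) -> int:
    """Syslog stamps carry no year; assume one and return seconds since Jan 1."""
    dt = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
    return int((dt - datetime(year, 1, 1)).total_seconds())


@dataclass
class SshdJail:
    bantime: int = 600     # seconds an IP stays banned (the post's default)
    findtime: int = 600    # window in which maxretry failures must occur
    maxretry: int = 5      # failures inside findtime that trigger a ban
    failures: Dict[str, List[int]] = field(default_factory=dict)
    banned_until: Dict[str, int] = field(default_factory=dict)
    events: List[Tuple[str, str, int]] = field(default_factory=list)  # (kind, ip, t)

    def feed(self, line: str) -> None:
        m = FAILED_RE.match(line)
        if not m:
            return  # successful logins and unrelated lines are ignored
        ip, now = m.group("ip"), parse_ts(m.group("ts"))
        if ip in self.banned_until and self.banned_until[ip] <= now:
            self.events.append(("unban", ip, self.banned_until.pop(ip)))
        if ip in self.banned_until:
            return  # while banned, the firewall drops the packets anyway
        # keep only the failures that are still inside the findtime window
        recent = [t for t in self.failures.get(ip, []) if now - t < self.findtime]
        recent.append(now)
        self.failures[ip] = recent
        if len(recent) >= self.maxretry:
            self.banned_until[ip] = now + self.bantime
            self.failures[ip] = []
            self.events.append(("ban", ip, now))

    def banned_ips(self) -> List[str]:
        """IPs that received a ban, in the order the bans happened."""
        return [ip for kind, ip, _ in self.events if kind == "ban"]


def replay(log: str, **options) -> SshdJail:
    """Feed every line of `log` to a jail built with the given options."""
    jail = SshdJail(**options)
    for line in log.splitlines():
        jail.feed(line)
    return jail


# Constructed sample: one fast burst, one slow attacker, one real login.
SAMPLE_LOG = """\
Jan 10 12:00:01 vps sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Jan 10 12:00:04 vps sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Jan 10 12:00:09 vps sshd[1203]: Failed password for root from 198.51.100.7 port 51240 ssh2
Jan 10 12:00:15 vps sshd[1205]: Failed password for root from 198.51.100.7 port 51241 ssh2
Jan 10 12:00:20 vps sshd[1207]: Failed password for invalid user test from 198.51.100.7 port 51242 ssh2
Jan 10 12:05:00 vps sshd[1210]: Failed password for alice from 203.0.113.9 port 40001 ssh2
Jan 10 12:20:00 vps sshd[1215]: Failed password for alice from 203.0.113.9 port 40002 ssh2
Jan 10 12:35:00 vps sshd[1220]: Failed password for alice from 203.0.113.9 port 40003 ssh2
Jan 10 12:36:00 vps sshd[1222]: Accepted publickey for alice from 203.0.113.9 port 40004 ssh2
Jan 10 12:40:00 vps sshd[1230]: Failed password for invalid user admin from 198.51.100.7 port 51300 ssh2
"""

if __name__ == "__main__":
    for kind, ip, t in replay(SAMPLE_LOG).events:
        print(f"{kind:5} {ip:15} at t={t}s")
```

With the post's defaults the burst from 198.51.100.7 is banned on its fifth failure and released 600 seconds later, while the slow attempts from 203.0.113.9 never trigger a ban because each one is 15 minutes apart, outside the 600-second findtime. Lowering maxretry to 3 on its own does not change that; the slow attacker is only caught if findtime is raised as well, which is why the two options are worth tuning together.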


Next time we will go ahead and setup key authentication, to login without passwords. I was planning to add it on this part of the series, but it got way too long!

Thank you for reading. If you liked my small tutorial, or have any questions, feel free to leave a comment.

If you need a place to host your servers consider Vultr, Digital Ocean and BuyVM.

These are affiliate links. If you sign up through them, you support me and I will have more free time to write more content like this.

Also If you signup for Digital Ocean through my affiliate link, you will get $10 to try them out. Note: to battle abusers of this offer, you'll have to make a $5 deposit via Paypal or add your credit/debit card, so they can confirm that you are a new user. I did a deposit via Paypal to test them out, and then I added my credit card so I won't have to deposit money manually every now and then.


Click here for the next part of the series, Basic Server Security Part 3, Key based login


Also, I am running a witness server. Please consider voting me for a witness.

You can read my witness declaration here
