In a previous article, we went through the steps of setting up a LAMP server, and a PrestaShop e-commerce solution. The next step here is to lock down our server and secure it.
Security isn’t just about keeping your services and web pages running; it is also crucial for protecting sensitive data. A server can hold anything from personal names, passwords, email addresses and login credentials to credit card numbers, banking details, postal addresses and social security numbers. Security matters no matter how little data is on the system, and even uptime on its own is worth protecting, because downtime costs any business money.
In the previous articles we left off at server installation and setup. The next thing to do is to secure the SSH login. Open the sshd configuration file as follows…
sudo nano /etc/ssh/sshd_config
Make the following changes. Keep your current SSH session open until a fresh login with the new settings succeeds, so that a typo cannot lock you out….
- Change the default port number. Port 22 on a public server is immediately recognizable as remote login to brute-force scanners; moving it removes most of the automated noise, though it does not hide the service from anyone who port-scans the host.
- Disable root login: PermitRootLogin no
- Disable X11 forwarding: X11Forwarding no
- Restrict who may log in. Use “AllowUsers username1 username2” if the list is small, or, for systems with many remote users, “AllowGroups remoteConnection”, so that access is managed with the group tools instead of further edits to sshd_config.
- Create the remoteConnection group first (with groupadd), then add each remote user to it with the following command…
sudo usermod -a -G remoteConnection user1
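As an added example (not part of the original article), the following bash script checks an sshd_config for the settings described above and prints a drop-in fragment that applies them. It assumes the standard OpenSSH keyword names; the drop-in directory /etc/ssh/sshd_config.d exists only on OpenSSH 8.2 and newer, so on older servers append the fragment to /etc/ssh/sshd_config itself. The port 2222, the group name remoteConnection and the sample configuration at the bottom are placeholders, not values from a real server.

```bash
#!/usr/bin/env bash
# Added example, not from the original article: audit an sshd_config for the hardening
# settings described above, and print a drop-in that applies them.
# Assumptions: standard OpenSSH keywords; port 2222 and group remoteConnection are placeholders.

# effective_value FILE KEYWORD
# Prints the value of the first uncommented KEYWORD line, or nothing if the keyword is
# never set. sshd applies the first occurrence it finds, and keywords are case-insensitive,
# so the lookup behaves the same way.
effective_value() {
  awk -v key="$2" '
    { sub(/#.*/, "") }                                     # strip comments; awk re-splits the fields
    NF >= 2 && tolower($1) == tolower(key) { print $2; exit }
  ' "$1"
}

# lower STRING: case-fold a directive value (sshd accepts "No", "NO", ...)
lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# audit_sshd_config FILE
# Prints one FAIL line per weak or missing directive and returns the number of failures,
# so a return value of 0 means the file passes every check.
audit_sshd_config() {
  local cfg="$1" fails=0 v

  v=$(effective_value "$cfg" Port)
  # an absent Port means the built-in default, 22, which is exactly what we want to move off
  if [ -z "$v" ] || [ "$v" = 22 ]; then
    echo "FAIL: Port is ${v:-unset}"; fails=$((fails + 1))
  fi

  v=$(lower "$(effective_value "$cfg" PermitRootLogin)")
  [ "$v" = no ] || { echo "FAIL: PermitRootLogin is ${v:-unset}"; fails=$((fails + 1)); }

  v=$(lower "$(effective_value "$cfg" X11Forwarding)")
  # sshd's built-in default is no, so only an explicit yes is a finding
  [ "$v" != yes ] || { echo "FAIL: X11Forwarding is yes"; fails=$((fails + 1)); }

  if [ -z "$(effective_value "$cfg" AllowUsers)" ] && [ -z "$(effective_value "$cfg" AllowGroups)" ]; then
    echo "FAIL: neither AllowUsers nor AllowGroups limits who may log in"; fails=$((fails + 1))
  fi

  [ "$fails" -eq 0 ] && echo "OK: $cfg passes all checks"
  return "$fails"
}

# hardening_dropin PORT GROUP
# Prints the directives to save as /etc/ssh/sshd_config.d/10-hardening.conf (OpenSSH 8.2+)
# or to append to sshd_config. Run `sudo sshd -t` before restarting sshd, and keep your
# current session open until a fresh login on the new port succeeds.
hardening_dropin() {
  printf '%s\n' "Port $1" "PermitRootLogin no" "X11Forwarding no" "AllowGroups $2"
}

# Demo on a constructed configuration (not a real server's file).
demo_cfg=$(mktemp)
printf '%s\n' '#Port 22' 'PermitRootLogin yes' 'X11Forwarding yes' > "$demo_cfg"
audit_sshd_config "$demo_cfg" || true          # reports the failures in the weak file
hardening_dropin 2222 remoteConnection > "$demo_cfg"
audit_sshd_config "$demo_cfg"                  # the generated fragment passes
rm -f "$demo_cfg"
```

Create the group before adding users to it (sudo groupadd remoteConnection, assuming it does not already exist), and run the audit against /etc/ssh/sshd_config after every edit; the checks deliberately treat an unset Port as 22, because that is what sshd uses.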
The next step is the firewall. By default, TTOS Linux ships iptables plus ufw. If you are using another Debian- or Ubuntu-based distribution, you can install them with the following command…
sudo apt-get install iptables ufw
After installation we need to set up some rules. Because we moved SSH off port 22, first edit the OpenSSH application profile that ufw ships so that it names the new port; otherwise any rule built on the profile will still open 22. The command to open the file in our editor is the following…
sudo nano /etc/ufw/applications.d/openssh-server
From here, change the port number on the line that lists the profile’s ports and save the file.
The next step is to add some rules.
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow OpenSSH
sudo ufw allow 80/tcp
Note that the SSH rule uses the application profile name, OpenSSH. “sudo ufw allow ssh” would look the name up in /etc/services and open port 22, not the port we moved SSH to. If SSH still does not connect after these rules, the profile in the applications.d folder was not set up properly; in that case simply add the port rule manually. This method works for any application whose port you know. Use the following command and change 22 to the port number needed…
sudo ufw allow 22/tcp
If you want to block a specific IP address from connecting, insert the deny rule ahead of the allow rules: ufw evaluates rules in order and the first match wins, so a deny appended after “allow OpenSSH” would never be reached. The address below is a documentation placeholder standing in for the real one…
sudo ufw insert 1 deny from 203.0.113.4
To find out which ports your services use, there is no need to disable the firewall: listening sockets show up in netstat whether or not ufw is active, and switching it off would leave the server exposed while you look. Start every program and service that needs network access, then record the listeners with…
sudo netstat -tulpn > ~/netstat.txt
Then enable the firewall with…
sudo ufw enable
Now open netstat.txt with nano and write down the ports of any programs that are not working. Allow each one with tcp or udp as shown previously. Sockets bound to 127.0.0.1 (typically MySQL in a LAMP install) are only reachable from the machine itself and need no rule, so do not open them.
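As an added example (not part of the original article), here is a bash function that turns the saved netstat.txt into the ufw rules it implies, separating ports that listen on a public address from ones bound only to loopback. It assumes the column layout of net-tools netstat -tulpn (ss -tulpn prints different columns and is not handled); the listing embedded below is constructed, not captured from a real host, and the port 2222 is the placeholder SSH port from the earlier step.

```bash
#!/usr/bin/env bash
# Added example, not from the original article: turn a saved `netstat -tulpn` listing into
# the ufw rules it implies. Assumes the classic net-tools netstat column layout; the sample
# listing at the bottom is constructed, not captured from a real host.

# suggest_ufw_rules < netstat.txt
# Prints one `ufw allow PORT/PROTO` line per port that listens on a non-loopback address,
# and a comment for ports bound only to 127.0.0.1 or ::1. Loopback-only listeners (MySQL in
# a default LAMP install) cannot be reached from the network, so a firewall rule for them
# would only widen the attack surface if their bind address ever changes.
suggest_ufw_rules() {
  awk '
    $1 ~ /^(tcp|udp)6?$/ {
      proto = substr($1, 1, 3)                         # tcp6 -> tcp, udp6 -> udp
      n = split($4, a, ":"); port = a[n]               # the port is the text after the last colon
      addr = substr($4, 1, length($4) - length(port) - 1)
      prog = $NF; sub(/^[0-9]+\//, "", prog)           # "1234/apache2" -> "apache2"
      rule = port "/" proto
      if (!(rule in prog_of)) { prog_of[rule] = prog; order[++k] = rule }
      # a v4 and a v6 socket on the same port collapse into one rule; it is public if either is
      if (addr !~ /^127\./ && addr != "::1") public[rule] = 1
    }
    END {
      for (i = 1; i <= k; i++) {
        rule = order[i]
        if (rule in public) print "ufw allow " rule "    # " prog_of[rule]
        else print "# " rule " (" prog_of[rule] ") listens on loopback only; no rule needed"
      }
    }'
}

# Constructed sample of `sudo netstat -tulpn` output for a LAMP host after moving SSH to 2222.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1234/apache2
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1000/mysqld
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN      900/sshd
tcp6       0      0 :::80                   :::*                    LISTEN      1234/apache2
tcp6       0      0 :::2222                 :::*                    LISTEN      900/sshd
udp        0      0 127.0.0.1:323           0.0.0.0:*                           800/chronyd'

printf '%s\n' "$SAMPLE_NETSTAT" | suggest_ufw_rules
```

Run it as suggest_ufw_rules < ~/netstat.txt and prepend sudo to the lines you decide to apply; treat the output as a review list rather than something to pipe straight into the shell, since a listener being public is not by itself a reason to expose it. If the shop serves HTTPS, which an e-commerce site should, 443/tcp belongs in the rules as well.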
The next step is to set up a simple but very effective host intrusion detection and prevention system. There are many to choose from, and you can run several at once. My favorite for server use would have to be fail2ban. fail2ban works by monitoring log files in real time for filtered events; the setup here watches auth.log for failed login attempts. When several failed attempts arrive from the same IP address within a specified time window, that address is jailed for a set period. You can make the jail permanent, but that causes problems when someone who legitimately forgot their credentials locks themselves out. Another reason not to is that many public IP addresses are dynamic and constantly reassigned, so if you ban one, the next person to receive it cannot reach your website or web services until they get a new address that is not blacklisted. I personally prefer to check the logs periodically and permanently ban repeat offenders by hand. Tripwire is another favorite, and you can set up other IDSs alongside fail2ban as you wish.
First off, let’s install it with the following command…
sudo apt-get install fail2ban
By default, fail2ban bans with iptables directly. We already set up ufw, so we will point fail2ban at ufw instead. Rather than editing jail.conf, which the package manager overwrites on upgrade, put the overrides in jail.local, which fail2ban reads after jail.conf. We open the file as follows…
sudo nano /etc/fail2ban/jail.local
Now add (or edit) the ssh jail so that it reads as follows. On fail2ban 0.9 and later the jail defined in jail.conf is named [sshd] rather than [ssh]; use whichever name your version defines….
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
action = ufw-ssh
bantime = 600
The next thing to do is to create the ban action that the jail refers to as ufw-ssh. (The “port = ssh” value resolves to 22 through /etc/services; the ufw action below ignores it because it names the OpenSSH profile, but if you ever switch to an iptables action, set port to the new number.)
sudo nano /etc/fail2ban/action.d/ufw-ssh.conf
Next, fill it with a valid rule set that uses ufw instead of iptables. Action files are INI-style and fail2ban only reads the [Definition] section, so the header is required. fail2ban substitutes the banned address for <ip>, and “insert 1” puts the deny rule ahead of the allow rules, which matters because ufw stops at the first matching rule. Paste the following into the file and save it…
[Definition]
actionban = ufw insert 1 deny from <ip> to any app OpenSSH
actionunban = ufw delete deny from <ip> to any app OpenSSH
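To see what the jail above actually decides, here is an added example (not fail2ban’s own code, and not from the original article) that replays sshd failures from an auth.log through the same maxretry-within-findtime logic. It assumes syslog-style timestamps and only matches the “Failed password … from IP” message; real fail2ban uses the regexes in filter.d/sshd.conf, which cover more failure messages, and parses full dates. The log lines and addresses are constructed (RFC 5737 documentation ranges). The 600-second window is fail2ban’s default findtime, which the jail above inherits because it does not set one.

```bash
#!/usr/bin/env bash
# Added example, not from the original article or from fail2ban: replay sshd failures from
# an auth.log through the maxretry/findtime logic the jail above uses, to see which
# addresses would be banned. Log lines and addresses below are constructed.

# simulate_sshd_jail MAXRETRY FINDTIME < auth.log
# For every "Failed password ... from IP" line, keeps that IP's failure times inside a
# sliding FINDTIME-second window; once MAXRETRY failures fall in the window it prints a BAN
# line (where fail2ban would run actionban) and clears the counter for that address.
simulate_sshd_jail() {
  awk -v maxretry="$1" -v findtime="$2" '
    # "Mar  1 10:00:05" -> seconds; the month is ignored, which is fine for a sample that
    # stays within one month (fail2ban itself parses full dates)
    function ts(    h) { split($3, h, ":"); return $2 * 86400 + h[1] * 3600 + h[2] * 60 + h[3] }

    /sshd\[[0-9]+\]: Failed password for/ {
      ip = ""
      for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
      if (ip == "") next
      now = ts()
      n = split(hits[ip], t, " "); kept = ""; cnt = 0
      for (j = 1; j <= n; j++)                           # drop failures older than findtime
        if (now - t[j] <= findtime) { kept = kept " " t[j]; cnt++ }
      hits[ip] = kept " " now; cnt++
      if (cnt >= maxretry) {
        print "BAN " ip " at " $1 " " $2 " " $3 " (" cnt " failures within " findtime "s)"
        bans++; hits[ip] = ""
      }
    }
    END { printf "%d ban(s)\n", bans + 0 }
  '
}

# Constructed auth.log excerpt: one address hammering within seconds, one legitimate user
# mistyping a password every twenty minutes and then logging in with a key.
SAMPLE_AUTH_LOG='Mar  1 10:00:01 web sshd[1001]: Failed password for root from 203.0.113.5 port 41234 ssh2
Mar  1 10:00:03 web sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 41240 ssh2
Mar  1 10:00:05 web sshd[1003]: Failed password for invalid user test from 203.0.113.5 port 41250 ssh2
Mar  1 10:00:10 web sshd[1004]: Failed password for alice from 198.51.100.7 port 50000 ssh2
Mar  1 10:20:00 web sshd[1005]: Failed password for alice from 198.51.100.7 port 50001 ssh2
Mar  1 10:40:00 web sshd[1006]: Failed password for alice from 198.51.100.7 port 50002 ssh2
Mar  1 10:40:05 web sshd[1007]: Accepted publickey for alice from 198.51.100.7 port 50003 ssh2'

# maxretry 3 within the default findtime of 600 s: only the scanner is banned
printf '%s\n' "$SAMPLE_AUTH_LOG" | simulate_sshd_jail 3 600
# widen findtime to an hour and alice's slow mistakes get her banned as well
printf '%s\n' "$SAMPLE_AUTH_LOG" | simulate_sshd_jail 3 3600
```

Run it against the real log with simulate_sshd_jail 3 600 < /var/log/auth.log to preview which addresses a given maxretry/findtime pair would have caught; the second run in the block shows why findtime deserves as much thought as maxretry, since a wide window turns a forgetful colleague into a ban.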
Normally we would restart an individual service with sudo service servicename reload or sudo service servicename restart. Since we changed several services and want to be sure everything still comes up configured after a boot, we reboot the system instead and confirm that all changes are in effect. We do this with the following command…
sudo init 6
Now we can wait and check the status. It was only minutes after the server came up that I received my first three bans. You can check the ban status and firewall rules with the following commands…
sudo ufw status
sudo fail2ban-client status
sudo fail2ban-client status ssh
If “sudo fail2ban-client status” does not list ssh among the running jails, you can enable it with the following command…
sudo nano /etc/fail2ban/jail.local
Under the SSH jail section, set
enabled = true
Now we need to restart fail2ban. Personally, on TTOS Linux, I have issues with just restarting or reloading fail2ban, so I use the following two commands to reload the configuration…
sudo service fail2ban stop
sudo service fail2ban start
Now we can check the status again and confirm that the ssh jail is enabled. When a jailed IP appears in the fail2ban status for ssh, you should see a ufw rule for the same address. That means repeated failed logins from one address are being blocked, which makes online password guessing from a single source impractical. An attacker who spreads attempts across many addresses is slowed far less, so the jail complements, rather than replaces, strong credentials and the login restrictions from the SSH section.