08-14-2007, 02:32 PM
Hello! I thought it might be nice to post some tutorials written for VPS's by staff at Spry. Normally we just keep all this content in our Wiki/Blog/Forums, but thought we'd see how you all like it. Let me know if you want to see more articles like this posted here! This is my first one, so let me know any feedback you have about the content. :)
Original Article at VPSLink (http://wiki.vpslink.com/index.php?title=HOWTO:_Base_installation_and_configuration)
By: Paul Tomes
Scenario
You've chosen Debian 4.0 Etch as your VPS operating system and you want complete control over what is installed and you want control of the security of your server from the very start.
Aim
To take you from a brand new (or reinstalled) Debian 4.0 Etch VPS to a secure working environment in as short a time as possible. SSH will be locked down and a basic firewall constructed closing all ports not in use.
Steps
Firstly, log into your Control panel at https://cp.vpslink.com.
Select the relevant server and follow the links as shown below to install Debian 4.0 Etch:
Manage Server -> Manage OS -> Install OS -> Select Debian 4.0 "Etch" -> confirm change
Wait for the process to complete.
Of course if you do not have a VPSLink account, the method is the same for whatever host you are using.
If this is a VPS reinstall you will need to delete the entry for the IP address in your known_hosts file. This is located on your LOCAL workstation.
In this example, I used nano as my text editor:
nano ~/.ssh/known_hosts
Do note that the location of the known_hosts file may vary depending on the OS you have on your LOCAL workstation.
Log in
Once you have deleted the old entry for your IP address, log in to your VPS:
ssh root@123.45.67.890
Note that the initial password is the same as your Control Panel password.
You can change this (HIGHLY recommended):
Manage Server -> Change Root Password -> enter new password
Add user
Add your main user. In this example, the username is 'onion':
adduser onion
This procedure will also place 'onion' in a new group, also called 'onion'.
Sudo
At the moment we are logged in as the root user. This is only for a very short time and will never happen again. As such, we need to give the main user 'sudo' privileges which will enable them to administer the VPS without the security risk of allowing the root user to log in.
aptitude install sudo
Don't worry about the locale warnings at the moment - we will fix that shortly.
Now give the main user sudo privileges:
visudo
Add your main user at the bottom of the file like so:
onion ALL=(ALL) ALL
authorized_keys
Create a 'hidden' directory in the new user's home directory:
mkdir /home/onion/.ssh
Now, using the secure 'scp' command, copy the public SSH key from your LOCAL workstation to the VPS. This is so we don't have to enter our password every time we log in via SSH:
scp -2 /home/localuser/.ssh/id_rsa.pub root@123.45.67.890:/home/onion/.ssh/authorized_keys
Again, note that the location of the id_rsa.pub file may differ depending on your LOCAL workstation's OS.
Change permissions on the ssh directory so that it is not readable by anyone else (although this is only the public key and would be of no use to anyone else unless they also have your private key, which is located on your LOCAL workstation):
chown -R onion:onion /home/onion/.ssh/
chmod go-w /home/onion/
chmod 700 /home/onion/.ssh
chmod 600 /home/onion/.ssh/authorized_keys
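sshd's default StrictModes setting refuses to read an authorized_keys file if it, the .ssh directory or the home directory is writable by group or others, or owned by someone other than the user or root; it then silently falls back to password authentication, which the next section disables. The following check is an added example, not part of the original article: it verifies those three paths the way sshd does. The function names, the throwaway home directory it builds for its demo and the use of the current user as the owner are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the original howto: check that the home
# directory, .ssh and authorized_keys satisfy what sshd's default StrictModes
# setting requires (owned by the user or root, not writable by group or
# others). If they do not, sshd ignores the key, and once password logins
# are disabled that means no way in.
# Usage: check_ssh_dir_perms /home/onion onion

# Print one problem line per violation for path $1, expected owner $2.
# "find -prune" tests the path itself without descending into it.
bad_path() {
    p="$1"; u="$2"
    if [ ! -e "$p" ]; then
        echo "missing: $p"
        return 0
    fi
    if [ -n "$(find "$p" -prune \( -perm -g+w -o -perm -o+w \) -print)" ]; then
        echo "writable by group or others: $p"
    fi
    if [ -n "$(find "$p" -prune ! -user "$u" ! -user root -print)" ]; then
        echo "not owned by $u or root: $p"
    fi
    return 0
}

# 0 when all three paths pass, 1 otherwise (problems listed on stderr).
check_ssh_dir_perms() {
    home="$1"; user="$2"
    problems="$(for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
                    bad_path "$p" "$user"
                done)"
    if [ -n "$problems" ]; then
        echo "$problems" >&2
        return 1
    fi
    echo "OK: $home/.ssh/authorized_keys is usable under StrictModes"
    return 0
}

# Demo on a constructed throwaway home directory owned by the current user
# (hypothetical layout, not a real account).
demo_perms_check() {
    h="$(mktemp -d)"
    mkdir "$h/.ssh"; : > "$h/.ssh/authorized_keys"
    chmod go-w "$h"; chmod 700 "$h/.ssh"; chmod 600 "$h/.ssh/authorized_keys"
    check_ssh_dir_perms "$h" "$(id -un)"
    rm -rf "$h"
}
demo_perms_check
```

The howto's chmod 700 and 600 are stricter than what sshd demands; the check tests sshd's actual rule (no group/other write bit, correct owner) so that it also passes on a home directory left at 755.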
sshd_config
Configuring SSH is the next step. Open /etc/ssh/sshd_config in your favorite text editor:
nano /etc/ssh/sshd_config
The following code shows the lines you will want to change/add:
# sshd only reads comments that sit on their own line, so the notes are
# placed above the directive they refer to rather than after it
# Port: change 30000 to a port of your choosing
Port 30000
PermitRootLogin no
# PasswordAuthentication: ONLY change this if using authorized_keys as above
PasswordAuthentication no
X11Forwarding no
UsePAM no
UseDNS no
AllowUsers onion
Each line is fairly self-explanatory, but in summary the changes will set the SSH port to one of our choosing, stop root logins and stop any password logins (this is a great security precaution as it only allows logins from machines with the SSH private key as outlined above). The other changes speed up SSH on some systems and, finally, it allows login from the named user only.
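Because a typo in any of these directives is only discovered when the next login fails, it is worth auditing the file before reloading. The script below is an added example and not part of the original article: it reads an sshd_config, reports every hardening directive from the list above that is missing or set to a different value, and flags a trailing comment on a directive line (sshd treats the extra words as garbage or as further arguments rather than as a comment). The function names, the expected port and user name passed as arguments, and the constructed config fragment used in the demo are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the original howto: audit an sshd_config file
# for the directives set above before reloading sshd. Pure text checks, so it
# runs anywhere; the directive names are OpenSSH's.
# Usage: check_sshd_config /etc/ssh/sshd_config 30000 onion

# Print the value of a directive. sshd honours the FIRST uncommented
# occurrence of a directive, so later duplicates are ignored here as well.
sshd_directive() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }                         # comment line
        tolower($1) == tolower(key) { print $2; exit }    # first match wins
    ' "$1"
}

# Returns 0 when every expected directive matches, 1 otherwise, listing
# each mismatch on stderr. $2 = expected port, $3 = expected AllowUsers name.
check_sshd_config() {
    cfg="$1"; port="${2:-30000}"; user="${3:-onion}"; rc=0
    for pair in "Port=$port" "PermitRootLogin=no" "PasswordAuthentication=no" \
                "X11Forwarding=no" "AllowUsers=$user"; do
        key="${pair%%=*}"; want="${pair#*=}"
        got="$(sshd_directive "$cfg" "$key")"
        if [ "$got" != "$want" ]; then
            echo "MISMATCH: $key is '${got:-unset}', expected '$want'" >&2
            rc=1
        fi
    done
    # sshd does not treat a trailing "# comment" on a directive line as a
    # comment (it rejects or misparses the line), so flag that as an error too.
    if grep -Eq '^[[:space:]]*[A-Za-z]+[[:space:]]+[^#[:space:]]+[[:space:]]+#' "$cfg"; then
        echo "MISMATCH: trailing comment on a directive line" >&2
        rc=1
    fi
    return $rc
}

# Demo on a constructed config fragment (not a real server's file).
demo_sshd_check() {
    tmp="$(mktemp)"
    printf '%s\n' 'Port 30000' 'PermitRootLogin no' 'PasswordAuthentication no' \
        'X11Forwarding no' 'UsePAM no' 'UseDNS no' 'AllowUsers onion' > "$tmp"
    check_sshd_config "$tmp" 30000 onion && echo "sshd_config: all hardening directives present"
    rm -f "$tmp"
}
demo_sshd_check
```

Run it against /etc/ssh/sshd_config before the reload step; an exit status of 1 with the mismatches on stderr means the file needs another look while the root session is still open.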
Next, reload SSH so the changes take effect:
/etc/init.d/ssh reload
test SSH
Don't log out yet - we need to test the new configuration!
Open a new connection from your LOCAL workstation and log in as the new user using the new port number:
ssh -p 30000 onion@123.45.67.890
Once logged in (showing that all is well with the new SSH configuration), exit from the root terminal:
exit
Now you should have one terminal open - your user's SSH connection on port 30000.
iptables
Now we are some way to have a secure base to work from.
Now we can create a very simple firewall using iptables. This will block all unused ports and log any unauthorized attempts to connect to the VPS:
sudo -i
VPSLink already has iptables installed so we just save any existing rules to a 'master' file:
iptables-save > /etc/iptables.up.rules
Now see what rules are already configured:
iptables -L
The output will be similar to this:
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
This allows anyone access to anything from anywhere.
New iptables rules
Let's tighten that up a bit by creating a test iptables file:
nano /etc/iptables.test.rules
In this file enter some basic rules:
<pre>
*filter
# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -i ! lo -d 127.0.0.0/8 -j REJECT
# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allows all outbound traffic
# You could modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# Allows SSH connections
# THE --dport NUMBER IS THE SAME ONE YOU SET UP IN THE SSHD_CONFIG FILE
-A INPUT -p tcp -m state --state NEW --dport 30000 -j ACCEPT
# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# log iptables denied calls (access via 'dmesg' command)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
</pre>
That may look complicated, but look at each section at a time. You will see that it simply shuts all ports except the ones we have allowed - which in this case are ports 80 and 443 (the standard web browser ports) and the SSH port defined earlier.
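The comment in the rules file is the one thing that turns a typo into a lockout: if the --dport in the SSH rule and the Port in sshd_config disagree, the REJECT rule at the end of INPUT silently drops every new SSH session. The script below is an added example, not part of the original article: it reads both text files and reports whether an INPUT rule accepts the TCP port sshd is configured to listen on, without needing root or the iptables binary. The function names and the constructed sample rule set used in its demo are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the original howto: before running
# iptables-restore, confirm that the port sshd listens on is accepted by an
# INPUT rule in the iptables-save-format file. It only reads the two text
# files, so it needs neither root nor the iptables binary.
# Usage: check_ssh_reachable /etc/iptables.test.rules /etc/ssh/sshd_config

# TCP destination ports accepted by "-A INPUT ... -p tcp ... -j ACCEPT" rules.
iptables_accepted_tcp_ports() {
    awk '
        /^#/ { next }                                         # comment line
        $1 == "-A" && $2 == "INPUT" && /-p tcp/ && /-j ACCEPT/ {
            for (i = 1; i <= NF; i++)
                if ($i == "--dport") print $(i + 1)
        }
    ' "$1" | sort -un
}

# First uncommented Port directive in sshd_config (OpenSSH defaults to 22).
sshd_port() {
    p="$(awk '/^[[:space:]]*#/ { next } tolower($1) == "port" { print $2; exit }' "$1")"
    echo "${p:-22}"
}

# 0 if a new SSH session could still be opened with these rules, 1 if not.
check_ssh_reachable() {
    rules="$1"; cfg="$2"
    port="$(sshd_port "$cfg")"
    if iptables_accepted_tcp_ports "$rules" | grep -qx "$port"; then
        echo "OK: INPUT accepts tcp/$port, which is sshd's Port"
        return 0
    fi
    echo "LOCKOUT RISK: sshd Port is $port but no INPUT rule accepts tcp/$port" >&2
    return 1
}

# Constructed sample in the format of the test rules above (not taken from
# a live system) so the check can be exercised without touching /etc.
sample_rules() {
    cat <<'EOF'
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 30000 -j ACCEPT
-A INPUT -j REJECT
COMMIT
EOF
}

demo_iptables_check() {
    r="$(mktemp)"; c="$(mktemp)"
    sample_rules > "$r"
    printf 'Port 30000\n' > "$c"      # constructed sshd_config fragment
    check_ssh_reachable "$r" "$c"
    rm -f "$r" "$c"
}
demo_iptables_check
```

iptables_accepted_tcp_ports on its own is a quick way to list what the file opens; it should print exactly 80, 443 and the SSH port for the rules above.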
Activate these new rules:
iptables-restore < /etc/iptables.test.rules
And see the difference:
iptables -L
Now the output tells us that only the ports defined above are open. All the others are closed.
Once you are happy, save the new rules to the master iptables file:
iptables-save > /etc/iptables.up.rules
iptables test
Don't log out!!!
You will need a working connection in case we messed up the firewall somehow - once locked out there is no way back in.
Open new terminal and try and log in now the basic firewall rules are there:
ssh -p 30000 onion@123.45.67.890
Once you can log in, close the second window, as we now know we can log in with the iptables rules in place and running.
reboot configuration
To make sure the iptables rules are started on a reboot we'll create a new file:
nano /etc/network/if-pre-up.d/iptables
Add these lines to it:
#!/bin/bash
/sbin/iptables-restore < /etc/iptables.up.rules
The file needs to be executable so change the permissions:
chmod +x /etc/network/if-pre-up.d/iptables
Finally
Finally, type in:
exit
Now we are back in the terminal as the normal user.
If you want to test the firewall rules on a reboot then go ahead (this may be a good idea, as you don't want to find out later that it didn't work due to a simple typing error).
Log into your Control panel at https://cp.vpslink.com.
Manage Server -> Reboot Server
Once done, log in again in the usual manner:
ssh -p 30000 onion@123.45.67.890
Summary
Seems like a lot of work and it may seem that not a lot has happened.
However, once you are happy with what you are doing this only takes 2 or 3 minutes at the most and a great deal has happened.
SSH has been locked down very tightly allowing for a much more secure log in system and we have the start of a good firewall system with the iptables configuration. Sure it's basic right now but it does the job of blocking ports that are not being used.