Secure the SSH Server and the Firewall
Log in as root with PuTTY or any other SSH client, using your assigned password:
ssh root@173.203.206.78
You can change your root password if you need to with the following command:
passwd
Add your own user:
adduser jdoe
If you don't want the sudo su command to ask for a password:
visudo
Add the following line at the end of the file:
jdoe ALL=NOPASSWD: ALL
I am logging in from Windows, so I used PuTTY and PuTTYgen to create a new PPK key to log in. Issue the following commands:
mkdir /home/jdoe/.ssh
Add the public key into your authorized_keys file:
vi /home/jdoe/.ssh/authorized_keys
Secure the files:
chown -R jdoe:jdoe /home/jdoe/.ssh
chmod 700 /home/jdoe/.ssh
chmod 600 /home/jdoe/.ssh/authorized_keys
Now you have to configure the SSH Daemon:
vi /etc/ssh/sshd_config
And change the following lines:
Port 34567
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
UsePAM no
UseDNS no
AllowUsers jdoe
Also make sure that AuthorizedKeysFile %h/.ssh/authorized_keys is uncommented
Restart your sshd service or your server.
sudo /etc/init.d/sshd restart
That concludes the SSH configuration for password-less login to your VPS. With password authentication disabled, brute-force password guessing against SSH no longer works. I recommend that you change the key regularly and take really good care of it. The next step is to set the static IP and the firewall:
vi /etc/resolv.conf
Add the following lines corresponding to your provider, or modify the existing ones:
domain members.linode.com
search members.linode.com
nameserver 72.14.179.5
nameserver 72.14.188.5
options rotate
vi /etc/network/interfaces
Add the following lines to set-up your static IP:
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
address 72.14.181.251
netmask 255.255.255.0
gateway 72.14.181.1
pre-up iptables-restore < /etc/iptables.up.rules
auto eth0:0
iface eth0:0 inet static
address 192.168.146.28
netmask 255.255.128.0
Create your firewall rules file. This is a basic configuration:
vi /etc/iptables.up.rules
*filter
# Dropping incoming connections that don't have explicit rules below
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback
-A INPUT -i lo -p all -j ACCEPT
-A OUTPUT -o lo -p all -j ACCEPT
# Allow established connections for both public and private connections
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Block Bad Stuff
-A INPUT -i eth0 -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
-A INPUT -i eth0 -p tcp --tcp-flags ALL ALL -j DROP
-A INPUT -i eth0 -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "NULL Packets: "
-A INPUT -i eth0 -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -i eth0 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "XMAS Packets: "
-A INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A INPUT -i eth0 -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fin Packets Scan: "
-A INPUT -i eth0 -p tcp --tcp-flags FIN,ACK FIN -j DROP
-A INPUT -i eth0 -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
# Allow ping
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Opening ports wide open
-A INPUT -p tcp -m tcp --dport 34567 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# Log everything else
-A INPUT -j LOG
-A FORWARD -j LOG
# Committing the rules to the firewall
COMMIT
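Because the INPUT policy is DROP and the rules are loaded at interface bring-up, a rules file that does not open the sshd port locks you out. The following added example (not part of the original guide; function names and the shortened sample are constructed) reads a rules file and checks that a given port stays reachable.

```shell
# Added example (not from the original page): inspect an iptables-restore
# file before it is loaded by the pre-up line in /etc/network/interfaces.

# input_policy FILE: print the default policy of the INPUT chain.
input_policy() {
    awk '$1 == ":INPUT" { print $2; exit }' "$1"
}

# open_tcp_ports FILE: TCP destination ports accepted on INPUT, sorted.
open_tcp_ports() {
    awk '$1 == "-A" && $2 == "INPUT" && $(NF - 1) == "-j" && $NF == "ACCEPT" {
        tcp = 0; port = ""
        for (i = 3; i < NF; i++) {
            if ($i == "-p" && $(i + 1) == "tcp") tcp = 1
            if ($i == "--dport") port = $(i + 1)
        }
        if (tcp && port != "") print port
    }' "$1" | sort -n | paste -s -d ' ' -
}

# ssh_reachable FILE PORT: needs COMMIT, and PORT accepted or policy ACCEPT.
ssh_reachable() {
    grep -q '^COMMIT' "$1" || return 1
    case " $(open_tcp_ports "$1") " in
        *" $2 "*) return 0 ;;
    esac
    [ "$(input_policy "$1")" = "ACCEPT" ]
}

# Constructed sample: a shortened copy of the rules file above.
write_sample_rules() {
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -p all -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 34567 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
EOF
}

rules=$(mktemp); write_sample_rules "$rules"
echo "policy=$(input_policy "$rules") open=$(open_tcp_ports "$rules")"
ssh_reachable "$rules" 22 || echo "port 22 would be dropped"
rm -f "$rules"
```

On the server, iptables-restore --test < /etc/iptables.up.rules parses the file without loading it.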
Set up your host name:
vi /etc/hosts
127.0.0.1 localhost
173.203.206.145 subdomain.yourdomain.com
echo subdomain.yourdomain.com > /etc/hostname
And now let's prepare the system for future installations:
dpkg-reconfigure dash
When asked to "Install dash as /bin/sh?", answer No. Add the following line to your .bashrc. I added it to both the root and the jdoe user.
vi ~/.bashrc
export PS1='\[\033[0;35m\]\h\[\033[0;33m\] \w\[\033[00m\]: '
Also you can add the following aliases in order to speed things up:
alias free="free -m"
alias update="sudo aptitude update"
alias install="sudo aptitude install"
alias upgrade="sudo aptitude safe-upgrade"
alias remove="sudo aptitude remove"
Load the changes into your current shell with:
source ~/.bashrc
I repeat, the configuration above is for the root user. You can copy the file to whatever user you have:
cp ~/.bashrc /home/jdoe/
The next step is to install updates. Make sure that all the lines for the universe repositories are uncommented in your /etc/apt/sources.list file. After that:
aptitude update
locale-gen en_US.UTF-8
/usr/sbin/update-locale LANG=en_US.UTF-8
aptitude upgrade
Install a few programs:
aptitude install vim-nox binutils cpp fetchmail flex gcc libarchive-zip-perl libc6-dev libcompress-zlib-perl libdb4.7-dev libpcre3 libpopt-dev lynx m4 make ncftp nmap openssl perl perl-modules unzip zip zlib1g-dev autoconf automake1.9 libtool bison autotools-dev g++ build-essential
You can now safely reboot your server. You are prepared for the next step.


