Setup VPS for Linux Noobs!




  • Post Last Updated: 24-Sep-13
  • Reason:
    1. changed package manager 'aptitude' to 'apt-get'
    2. added warning re. /etc/network/interfaces.template
    3. more explanatory notes


Harden the Secure Shell (SSH) & Create a Firewall

Let’s solidify the virtual private server by tweaking the OpenSSH security configuration and adding an iptables firewall.

If you’re following this series, you probably just want to get on and set up the web server, add the sites and host away. Sure, understandable.

But just like you don’t build a house on sand, you can’t set up a quality Linux host without first laying a secure foundation, ensuring a strong unmanaged VPS solution.


In the last part of this series Encrypt Data with OpenSSH & Auto-Login with PuTTY we secured dataflow between our local to remote machines, as well as simplifying the login process. If you’re using Linux locally you followed Setup openSSH for Linux-to-Linux instead and, lucky for you (or more likely thanks to Linux) it was easier.

So here, with a proper connection to support us, we turn our attention to grounding the server. We can do the lot in one go. (And praise be to that, huh ;) .)

Video: Solidify Server & Remote Shell

Watch the, er, guvideo for a better idea of how to do this.


Please sign up for automatic premium content access.

Just $15/year* will save you hours, maybe days!

Alternatively, the vpsBible forum is free and you are welcome.

Harden the Secure Shell (SSH)

Logged in at the CLI, type this to open the SSH configuration file:-


.. If you get a message like:-


.. Or maybe something less cryptic, such as:-


.. then guess what, that’s because we need to install Nano (which is a nice user-friendly text editor). Do this:-


.. and type y for yes when prompted, hitting return. The screen will spiel off and there may be some nagging about your locale not being set properly .. tssk, Linux is soooo impatient .. just pretend it’s the wife and ignore it. (Sorry, female VPS’ers .. you do know I’m only joshin’ huh :P . Well, ish.)

Er, that sudo thing, hmmn …

What the Bejeebers is Sudo?

sudo, prefixing an Ubuntu command, gives our non-root user Super User permissions.

Then, for example, we can make core configuration changes that otherwise we could only perform by logging out, then back in as root (…then back out from root and back in to our regular username.) Wharrapalava!

When you use sudo, you’ll be prompted to give the root user password. That’s a good thing: it means you will be more aware that you are, potentially, playing with fire and, if the answer isn’t here, ‘cue Google’.

Right, so that’s all pretty crystal. Forgot where I was now. Oh yes, we did this:-


In this config file, find and change the following values. Here’s a little detail, too, if you really want to know:-

  • Port 22
    - change from default 22 (and puzzle hackers), ie to “Port 54321”. (Don’t use 54321, that’s remotely obvious too.)
  • PermitRootLogin yes
    - change “yes” to “no”. Makes root login impossible. *
  • PasswordAuthentication yes
    - uncomment the line (lose the #) and change “yes” to “no”. Prevents login using a password, now unnecessary with OpenSSH keys. **
  • X11Forwarding yes
    - change “yes” to “no”. X11 is a protocol enabling a GUI option.
  • UsePAM yes
    - change “yes” to “no”. PAM is a password authentication agent.

And add 2 lines at the end of the file:-

  • UseDNS no
    - new line. This prevents possible reverse host lookup problems.
  • AllowUsers $USER
    - substitute “$USER” for your username, such as bob. More users? Add the usernames alongside, separated by single spaces, so looking like this ..

    AllowUsers bob alice graphicsguy root

    .. but very rarely – and usually never – will you want to add the superuser, root, to this list.


* With some unmanaged VPS providers like Linode or Slicehost, you can use the Ajax Console to login as root, in case of emergency.

** If you want to connect to your Linux distro from computers other than your main Windows box, using your user password rather than the PuTTY authentication keys, leave this set to “no”.
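The editing commands themselves are premium content here, so what follows is an added example, not the post’s own code: a POSIX shell script that makes the settings listed above on whatever sshd_config path you hand it (a scratch copy first, then the real file) and audits the result before you reload sshd. Port 54321 and the usernames bob and alice are the post’s placeholders, not values to reuse.

```sh
#!/bin/sh
# Added example, not from the original post: apply the sshd_config changes
# listed above to a file path you choose (try a scratch copy first, then
# /etc/ssh/sshd_config), and audit the result before reloading sshd.

# set_sshd_option FILE KEY VALUE
# Rewrites an existing "KEY ..." line (commented-out or not) to "KEY VALUE";
# appends the line if the key is absent. Caveat: a line appended after a
# "Match" block only applies inside that block, so check the tail of the
# file on distributions whose stock config ends with one.
set_sshd_option() {
    file=$1 key=$2 value=$3
    if grep -Eq "^[#[:space:]]*${key}[[:space:]]" "$file"; then
        tmp=$(mktemp)   # portable in-place edit: write a copy, move it over
        sed -E "s|^[#[:space:]]*${key}[[:space:]].*|${key} ${value}|" "$file" > "$tmp" &&
            mv "$tmp" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# harden_sshd FILE PORT USER... : the guide's settings, in one call
harden_sshd() {
    file=$1 port=$2
    shift 2
    set_sshd_option "$file" Port "$port"                  # non-default port
    set_sshd_option "$file" PermitRootLogin no             # no direct root login
    set_sshd_option "$file" PasswordAuthentication no      # keys only
    set_sshd_option "$file" X11Forwarding no
    set_sshd_option "$file" UsePAM no
    set_sshd_option "$file" UseDNS no                      # no reverse lookups
    set_sshd_option "$file" AllowUsers "$*"                # whitelist of users
}

# sshd_value FILE KEY : effective value (first uncommented occurrence wins)
sshd_value() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# allowusers_has_root FILE : 0 if root appears in any AllowUsers line
allowusers_has_root() {
    awk '$1 == "AllowUsers" { for (i = 2; i <= NF; i++) if ($i == "root") f = 1 }
         END { exit !f }' "$1"
}

# audit_sshd FILE PORT : 0 only if every hardening setting is in place
audit_sshd() {
    file=$1 port=$2
    [ "$(sshd_value "$file" Port)" = "$port" ] &&
    [ "$(sshd_value "$file" PermitRootLogin)" = no ] &&
    [ "$(sshd_value "$file" PasswordAuthentication)" = no ] &&
    [ "$(sshd_value "$file" X11Forwarding)" = no ] &&
    [ "$(sshd_value "$file" UsePAM)" = no ] &&
    [ "$(sshd_value "$file" UseDNS)" = no ] &&
    [ -n "$(sshd_value "$file" AllowUsers)" ] &&
    ! allowusers_has_root "$file"
}
```

Run `sshd -t` as root after the edit to syntax-check the file before reloading; a typo there is the other classic way to lock yourself out.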

We’ll reload SSH to realise these changes. But first…

Set Up A Firewall Using iptables

iptables is, pretty much, a firewall & routing service set out via a bunch of rules. We’ll configure it on a pretty basic but essential level. You’ll need root (Super User) permissions to toy with this, so type:-


After confirming the root password, save the pre-existing ruleset:-


…if that command throws an error, maybe your iptables aren’t installed yet. Try this:-


Complete the installation, then have another go:-


Create this blank file:-


…and paste this lot, below, into that blank file, to create our firewall:-


Before saving the file, you have to make one change. Look for the line…


…and change the Port 30000 to the port number you added above. Can’t remember? Hey, it’s in the sshd_config file. It had said Port 22. In my example, I changed it to 54321, so I would replace 30000 with, er, 54321! Damn, this is easy.

Of course, you may have more specific firewall requirements. Hmmn, that’s another tutorial, but iptables and Google go well together. Probably it’s not a bad idea to revisit your iptables later on, anyway.

Save that open file by hitting CTRL-X, then Enter.
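The ruleset pasted above is premium content, so here is an added example, not the post’s own file: a shell script that writes an iptables-restore ruleset doing what the text describes (loopback, established replies, the web ports, SSH only on the custom port, log and drop the rest), reading the port straight from sshd_config so the two cannot disagree. The rules file path is a parameter, and /etc/ssh/sshd_config is the assumed config path when you run it for real.

```sh
#!/bin/sh
# Added example, not the post's own ruleset (which sits behind its paywall):
# build an iptables-restore file doing what the text describes, with the SSH
# port read from sshd_config so the two can never disagree (the mismatch that
# locked Chris out, in the comments). Paths and port 54321 are assumptions.

# write_ruleset SSH_PORT OUTFILE : emit the filter table to OUTFILE
write_ruleset() {
    port=$1 out=$2
    # a bad port here means iptables-restore rejects the file or, worse,
    # opens the wrong one, so validate before writing anything
    case "$port" in ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] ||
        { echo "port out of range: $port" >&2; return 1; }
    cat > "$out" <<EOF
*filter
# default-deny inbound and forwarded; outbound stays open
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, needed by nginx <-> php/mysql talking on 127.0.0.1
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# replies to connections this host opened; needs connection tracking
# (on a container without the conntrack modules this and the NEW match
# below misbehave, as Robert reports on Virtuozzo in the comments)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# the web server
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# SSH only on the custom port; this is the line the text has you edit
-A INPUT -p tcp -m state --state NEW --dport ${port} -j ACCEPT
# log what gets dropped, rate-limited so nobody can flood the log
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
COMMIT
EOF
}

# ssh_port_from_sshd_config FILE : the Port value sshd is configured with
ssh_port_from_sshd_config() {
    awk '$1 == "Port" { print $2; exit }' "$1"
}

# write_ruleset_for_sshd SSHD_CONFIG OUTFILE : tie the ruleset to sshd_config
write_ruleset_for_sshd() {
    write_ruleset "$(ssh_port_from_sshd_config "$1")" "$2"
}

# ruleset_allows_port FILE PORT : 0 if new TCP connections to PORT are accepted
ruleset_allows_port() {
    grep -Eq "^-A INPUT -p tcp .*--dport $2 -j ACCEPT\$" "$1"
}
```

Keep the existing CLI session open while loading the result with iptables-restore, exactly as the text says below: if the port in the rules and the port in sshd_config differ, that open session is your only way back in.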

Let’s execute our new ruleset:-


We’ll tweak a file to ensure the new rules are remembered after reboots. Open:-


IMPORTANT – WARNING: Do not edit this file

If – but only if – you see this message at the top of your interfaces file ..


.. then DO AS IT SAYS or else you could be locked out of your server ..


OK, having worked out which file to edit, look for this line:-


…and add this line after it:-


Save and close.

Testing SSH

NOTE: Don’t logout from the CLI. JUST DON’T! Yet.

Reload SSH, enabling those new settings from above:-


What you do now depends on whether, locally, you’re a Linus Torvalds fan or whether you’re stuck with that Gates bloke.

I’m a Sensible Linux Person and Really Smug About It


.. where:-

  • -p says we’re about to specify a non-default port
  • 54321 is your new port as designated in the sshd config file

I Love Viruses Oh God It’s Blue Screened Again

Obviously, this takes longer ..

Open PuTTY. If you’ve followed Encrypt Data with OpenSSH & Auto-Login with PuTTY of this series – you did do that, didn’t you?! – then right-click the Pageant icon (the monitor wearing the hat, looks like a spaghetti western character, minus his cheroot) and click New session. If you didn’t follow Part 5, I guess you know what you’re doing ;)

Right, we need to make one simple change in our PuTTY configuration, to the Saved session profile we created in Encrypt Data with OpenSSH & Auto-Login with PuTTY. Do this:-

Click on your new Saved session profile (mine was called guv Session in the video, if that helps), then click Load.

In the Port field that currently says 22, you got it, add the new port number. My new number is 54321.

Now click Save.

Cross your fingers.

Double click the Saved session profile. All being well, you’ll get another one of those security alerts, that we saw in Set Up the Command Line Interface (CLI) using PuTTY. Click Yes. You’re in. Great, you can log in and out, at will.

If that didn’t work for you, retrace your steps, using that CLI we kept open. (You may need more caffeine.) In a worst case scenario, as I said above, many VPS providers have an emergency shell access. Linode, for example, has their Ajax console.

Fast Fwd

That’s it for the firewall and securing your Linux box with an advanced SSH configuration. In Edit bashrc for User-Friendly Linux, plus System Updates we’ll carry out some general housekeeping, making the CLI more user-friendly and updating the system and locale. Then in PHP5, MySQL and Xcache we’re really cooking on gas before, in Add a Domain Zone to Your VPS, we’ll be well on the way to adding our first test site and getting generally far too excited.





  • Chris Foster June 9th, 2009 at 2:06 pm

    Following on from my earlier comment regarding losing putty access, it dawned on me that I changed the SSH port and didn’t change it in the putty client…doh!

    Back to part 11…yahoo!

    Cheers,

    Chris

  • the_guv June 9th, 2009 at 2:12 pm

    LOL – I nearly asked about that but figured, hey, Chris already got to Part 13, he must’ve done that!! Crack on m8…enjoy.

  • Jason July 13th, 2009 at 5:59 pm

    when configuring the ip tables just ‘su’ didn’t work for me, I needed to do ‘sudo su’.

  • the_guv July 14th, 2009 at 12:43 am

    @Jason .. well, hmmn. sounds like a permissions error. i’d retrace those steps with a fine toothcomb. any more detail, like what deviations you’ve made from the series, and maybe i or others can help more.

  • Ben September 18th, 2009 at 3:43 pm

    Worked perfectly, thanks – liked the bit about creating a new session in case you make a mistake! Was surprised I didn’t, and it logged me in again fine – bonza.

  • Robert October 15th, 2009 at 9:09 pm

    I don’t know where that previous message went.
    Anyway the problem with the hanging reload of the iptables with the test file was traced back to the status NEW matching with the new SSH port.
    Remove that status matching and the rules set will load flawlessly.
    Jeff and Rob at Rackwire found this out.

    I want to add to this that adding the line to load the chains with the new rules set to /etc/network/interfaces didn’t survive a reboot/restart of the container. I’m not on Xen.
    The comment lines at the top of that file read:
    QUOTE
    # This configuration file is auto-generated.
    # WARNING: Do not edit this file, otherwise your changes will be lost.
    # Please edit template /etc/network/interfaces.template instead.
    UNQUOTE

    But this is a great learning experience.
    I’m enjoying the ride.

  • the_guv October 15th, 2009 at 9:27 pm

    @Robert .. thank you, pleased you’re enjoying. Much more to come too .. writing a bunch of admin guides right now.

    Clearly a bit of house-keeping for me there then. In the midst of a move to the Middle East, but will test and apply these fine tips, soon as. Appreciate that feedback.

    Dunno what happened to your msg .. probably caught in Akismet’s spam filter. Hmmn, must go and have a wade in there too .. hate doing that, trawling the spam page is a bit like wandering through a red light district :P

  • Robert October 17th, 2009 at 7:49 pm

    @theguv:
    Looking forward to the admin guides.

    Yeah Akismet, sometimes too much of the wrong censorship. You noticed where I’m from then?

    No, not housekeeping for you. More likely for me.
    Are you going to Rake in the money?
    Don’t forget about us.

    Hope that your move to Dubai is a smooth one.

  • Robert October 20th, 2009 at 8:09 pm

    Apologies coming your way.
    There is absolutely nothing wrong with your rules set.
    It bugged me to no end that the rules set didn’t work out of the box. So I traced and debugged the problem (in my own way).
    I traced the problem back to the connection tracking part of iptables not being enabled.
    ip_tables iptable_filter ip_conntrack ip_conntrack_ftp ipt_state ipt_LOG
    Like I said, I’m not on Xen. And that was the other part of the problem.
    On sh.tty Virtuozzo you do not run your own kernel.
    So these modules have to be loaded from the default vz. They “forgot” to add them to the file /etc/vz/conf/199.conf with IPTABLES=
    Making this rule useless (not being honored/executed):
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    And me having to remove the status NEW checking from this rule:
    -A INPUT -p tcp -m state --state NEW --dport 30000 -j ACCEPT
    Otherwise this last rule would hang up the whole VPS and all open SSH sessions when iptables_restore.
    Making a reboot necessary. (Luckily the rules set was not booted yet at start up.)
    Also apt-get update (to archive.ubuntu.com:80) would timeout because of this.

    There were some more screw ups with my manually setup private nameservers. This is supposed to be fully managed. I canceled and left screaming/angry.

    Four days lost for ever.

  • the_guv October 23rd, 2009 at 8:55 am

    tx Robert .. am here in the UAE now. Kind of weird .. got here to find my site is censored! Something to do with the fact I have some tutorials showing people how to proxy!!

    Ironically, I have another such guide scheduled to publish today. I will not stop it as it was published from Spain, so I have broken no law.

    This is rather strange though. In the west, we are so used to freedom of speech, relatively at least. Suddenly, I am having to reevaluate my position, legally. For sure I do not want to end up like something out of Midnight Express.

    Will be posting about this ..

  • the_guv October 23rd, 2009 at 8:58 am

    @Robert .. damn and blast :P Pleased you got sorted.

    And thank you for posting this feedback .. may well be handy to some.

  • Robert October 29th, 2009 at 4:33 am

    Hi guv!

    Had a bad cold to shake off.

    That’s a bummer with your site being censored.
    You are right, just keep at what you are doing.
    Same thing with the Chinese Government and censorship. Blogger, WordPress.com, Tumblr, all blocked. But their people are using VPN tunnels to circumvent the blocked internet.
    Don’t take this as a hint for a next article.
    Or you might end up in something like Midnight Express.

    Are you settling in nicely?

  • Robert October 29th, 2009 at 5:04 am

    How did you manage to post those comments?
    Is only a certain portion of your site censored, not the whole site?

  • the_guv October 29th, 2009 at 11:49 am

    Hi Robert, thank you .. your comments are encouraging.

    “people are using VPN tunnels to circumvent the blocked internet” .. but I do take that as a superb hint for a future post! It’s good to hear people as passionate as me about freedom of information.

    Pigeons aside, there are three ways I could be updating my site, as it is all, completely 100% blocked:-

    - logging into my VPS and working directly, remotely, in the database (cos hey, the website is merely a frontend for a server .. and these oppressive types don’t seem to block an entire IP for some reason, just domain names)
    - working remotely using a database client, which would simply give me a shiny GUI version of the above
    - using a proxy after all and, well, fibbing a bit .. but clearly I simply couldn’t do that. Just a bit too blatant, no?

    .. Take your pick! For sure, each method would work.

  • Thanh November 18th, 2009 at 10:29 pm

    I’m trying to use SMTP to email my users via gmail. How do I unblock SMTP port 465?
