If you are setting up a new server, here are some basic but crucial steps to prepare your Ubuntu 14.04 for running securely and smoothly.
0. Remove Ubuntu and install Debian :)
Step 0 was added by popular demand from a few senior admins who suggested never using Ubuntu as a server :)
I can't argue with that; when I have the choice I usually install Debian or CentOS, depending on the task or service that will be used.
1. Make sure the server is updated
apt-get update && apt-get upgrade
2. Change the SSH service to a different port, add your public key and disable password logins.
Change Port 22 to some port you will remember :) Best to use a random port in the range 10000-65535. We will call this number <ssh-port>.
Changing the SSH port won't give you added security against a targeted attack, but it will definitely lower the noise in your logs, because most scripts just try SSH on port 22 and move along if they don't find a service running there.
Copy your public SSH key from
~/.ssh/id_rsa.pub to your server's
Then edit /etc/ssh/sshd_config and change
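Here is the whole of step 2 as a script, so you can try it on a copy of sshd_config before touching the real one. This is an added example, not code from the original post; the port 48213, the user "admin" and the paths in the usage comment are hypothetical, and ChallengeResponseAuthentication is set as well because on Ubuntu, with PAM enabled, "PasswordAuthentication no" alone still lets sshd ask for the password through keyboard-interactive.

```bash
#!/bin/sh
# Added example, not code from the original post: applies the step 2 changes to
# an sshd_config and an authorized_keys file. Both paths are parameters so you can
# run the functions against copies in /tmp first and inspect the result.

# Return 0 if $1 is an integer in the range the post recommends (10000-65535).
valid_ssh_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 10000 ] && [ "$1" -le 65535 ]
}

# Set "$2 $3" in the sshd_config at $1: rewrite every existing occurrence of the
# directive (commented out or not) in place, or append it if there is none.
set_sshd_option() {
    cfg=$1; key=$2; value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key[[:space:]]" "$cfg"; then
        sed -E "s|^[[:space:]]*#?[[:space:]]*$key[[:space:]].*|$key $value|" "$cfg" > "$cfg.tmp" \
            && mv "$cfg.tmp" "$cfg"
    else
        printf '%s %s\n' "$key" "$value" >> "$cfg"
    fi
}

# Move sshd to port $2, require keys and turn off every way of logging in with a
# password. ChallengeResponseAuthentication must be off too: with UsePAM yes,
# sshd can still prompt for the password via keyboard-interactive otherwise.
harden_sshd_config() {
    cfg=$1; port=$2
    valid_ssh_port "$port" || { echo "refusing port $port: use 10000-65535" >&2; return 1; }
    set_sshd_option "$cfg" Port "$port"
    set_sshd_option "$cfg" PubkeyAuthentication yes
    set_sshd_option "$cfg" PasswordAuthentication no
    set_sshd_option "$cfg" ChallengeResponseAuthentication no
}

# Add public key $2 to the authorized_keys file at $1 (once), with the permissions
# sshd's default StrictModes check insists on: 700 on the directory, 600 on the file.
install_pubkey() {
    authk=$1; pubkey=$2
    dir=$(dirname "$authk")
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$authk" && chmod 600 "$authk"
    grep -qxF "$pubkey" "$authk" || printf '%s\n' "$pubkey" >> "$authk"
}

# On the real server, as root (hypothetical port, user and key path):
#   install_pubkey /home/admin/.ssh/authorized_keys "$(cat /tmp/id_rsa.pub)"
#   chown -R admin:admin /home/admin/.ssh
#   harden_sshd_config /etc/ssh/sshd_config 48213
#   sshd -t && service ssh restart    # sshd -t fails on a config sshd cannot parse
```

Keep the session you are working in open after the restart and log in again from a second terminal with the key on the new port; only close the first session once that works, otherwise a typo leaves you locked out.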
3. Install, configure and enable fail2ban
apt-get install fail2ban
vim /etc/fail2ban/jail.conf
86400, then scroll down to the [ssh] section and change
port = 22 to <ssh-port>
Now enable fail2ban so it starts on boot:
update-rc.d fail2ban enable
And then check the status to see how many IPs you have caught and blocked:
fail2ban-client status ssh
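The same settings, written as an added example that is not from the original post: the values go into /etc/fail2ban/jail.local, the override file fail2ban reads after jail.conf, so a package upgrade cannot overwrite them, and ignoreip gets your own admin address so a few typos in your password never ban you. The port 48213 and the address 198.51.100.7 are hypothetical, and the status output the parser is tried on is a constructed sample in the 0.8 format, not captured from a real host.

```bash
#!/bin/sh
# Added example, not from the original post. Puts the step 3 settings in
# /etc/fail2ban/jail.local (read after jail.conf, survives package upgrades) and
# parses `fail2ban-client status ssh` so you can confirm who is banned.

# Write the override file $1 for the [ssh] jail: SSH port $2, ban time $3 seconds,
# and $4 = space-separated addresses or CIDR ranges that must never be banned.
write_fail2ban_override() {
    out=$1; port=$2; bantime=$3; ignore=$4
    case "$bantime" in ''|*[!0-9]*) echo "bantime must be an integer (seconds)" >&2; return 1 ;; esac
    {
        printf '[DEFAULT]\n'
        printf 'bantime = %s\n' "$bantime"
        printf 'ignoreip = 127.0.0.1/8 %s\n' "$ignore"
        printf '\n[ssh]\n'
        printf 'enabled = true\n'
        printf 'port = %s\n' "$port"
        printf 'maxretry = 3\n'
    } > "$out"
}

# Print the banned addresses, one per line, from status output read on stdin
# (matches both the 0.8 "IP list:" and the 0.9 "Banned IP list:" wording).
banned_ips() {
    sed -n 's/.*IP list:[[:space:]]*//p' | tr '\t ' '\n\n' | sed '/^$/d'
}

# Return 0 if address $1 is in the banned list read on stdin.
is_banned() {
    banned_ips | grep -qxF "$1"
}

# Constructed sample of `fail2ban-client status ssh` output (0.8 format) using
# documentation-range addresses; not captured from a real host.
SAMPLE_STATUS='Status for the jail: ssh
|- filter
|  |- File list:        /var/log/auth.log
|  |- Currently failed: 1
|  `- Total failed:     57
`- action
   |- Currently banned: 2
   |  `- IP list:       203.0.113.5 198.51.100.23
   `- Total banned:     14'

# On the server (hypothetical port and admin address):
#   write_fail2ban_override /etc/fail2ban/jail.local 48213 86400 198.51.100.7
#   service fail2ban restart
#   fail2ban-client status ssh | banned_ips
```

The jail.conf on 14.04 already has filter, logpath and the sshd regexes for [ssh]; the override only carries the keys you actually change.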
4. Install and configure nullmailer
Nullmailer is awesome software: simple, elegant, secure, small, and it gets the job done. If you have a dedicated server for email, want to use your service provider's mail server, or even Gmail, to send out mail, then
nullmailer is what you want.
apt-get install nullmailer
Make sure you use a secure way of connecting to your
SMTP server; for example, if you use Gmail then your
/etc/nullmailer/remotes should look like this (the password is stored in clear text, so keep the file readable by root only):
smtp.gmail.com smtp --port=587 --auth-login --user=firstname.lastname@example.org --pass=Yourpassword --starttls
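Because --auth-login only base64-encodes the credentials, the --starttls option is the part that actually protects the password. The script below, an added example that is not from the original post, builds the remotes line, writes it with root-only permissions, and audits an existing remotes file for relays that would get the password in the clear; the SAMPLE_REMOTES content is constructed for the audit, with mail.example.net as the deliberately bad entry.

```bash
#!/bin/sh
# Added example, not from the original post. Builds the /etc/nullmailer/remotes
# entry from step 4 and audits an existing remotes file for relays that would be
# handed the password over an unencrypted connection.

# Print a remotes line for relay $1 on port $2, authenticating as $3 with password $4.
# STARTTLS is not optional: --auth-login sends the credentials base64-encoded, not
# encrypted. The file is whitespace-separated, so a password with spaces is refused.
nullmailer_remote_line() {
    host=$1; port=$2; user=$3; pass=$4
    case "$pass" in *[[:space:]]*) echo "password must not contain whitespace" >&2; return 1 ;; esac
    printf '%s smtp --port=%s --auth-login --user=%s --pass=%s --starttls\n' "$host" "$port" "$user" "$pass"
}

# Write remotes content $2 to file $1 readable by root only (the password is in it).
write_remotes() {
    ( umask 077; printf '%s\n' "$2" > "$1" ) && chmod 600 "$1"
}

# Read a remotes file on stdin and print the host of every entry that carries a
# password (--pass=) without --starttls or --ssl. Return 1 if any were found.
audit_remotes() {
    bad=0
    while read -r host proto opts; do
        case "$host" in ''|'#'*) continue ;; esac
        case " $opts " in
            *' --pass='*)
                case " $opts " in
                    *' --starttls '*|*' --ssl '*) ;;
                    *) printf 'cleartext credentials for %s\n' "$host"; bad=1 ;;
                esac ;;
        esac
    done
    return $bad
}

# Constructed remotes file for the audit; the mail.example.net line is the bad one.
SAMPLE_REMOTES='# relay for this host
smtp.gmail.com smtp --port=587 --auth-login --user=firstname.lastname@example.org --pass=Yourpassword --starttls
mail.example.net smtp --port=25 --auth-login --user=relay --pass=hunter2'

# On the server:
#   write_remotes /etc/nullmailer/remotes "$(nullmailer_remote_line smtp.gmail.com 587 you@gmail.com "$PASS")"
#   audit_remotes < /etc/nullmailer/remotes
```

For Gmail specifically, the account password no longer works for SMTP logins; generate an app password for the account and use that in --pass.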
5. Block all ports
Use these simple iptables rules to close all ports, except your
<ssh-port>, of course. Keep this order: the ESTABLISHED,RELATED rule and the <ssh-port> rule must be in place before the policy switches to DROP, otherwise you lock yourself out of the session you are typing in.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport <ssh-port> -j ACCEPT
iptables -P INPUT DROP
Now save your rules:
iptables-save > /etc/iptables
Then edit /etc/rc.local so your firewall rules are loaded on boot, adding this line before the script's final exit:
iptables-restore < /etc/iptables
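An added example (not from the original post) that produces the same firewall in the format iptables-restore reads, and puts the restore line into /etc/rc.local in the right place. It goes a little beyond the three rules above, as a practitioner would: loopback is accepted, because local daemons talk to 127.0.0.1 and a bare INPUT DROP cuts them off; INVALID packets are dropped; ping is allowed; and the FORWARD policy is DROP too. The port 48213 is hypothetical.

```bash
#!/bin/sh
# Added example, not from the original post. Emits the step 5 ruleset for
# iptables-restore and installs the restore line into /etc/rc.local.

# Print the ruleset for SSH on port $1 (any valid TCP port is accepted here).
firewall_rules() {
    port=$1
    case "$port" in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 1; }
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Insert line $2 into script $1 before its first "exit 0" line (Ubuntu's stock
# /etc/rc.local ends with one, and anything placed after it never runs). Does
# nothing if the line is already present; appends if there is no exit 0 at all.
ensure_line_before_exit() {
    file=$1; line=$2
    if grep -qxF "$line" "$file"; then
        return 0
    fi
    if grep -qx 'exit 0' "$file"; then
        awk -v l="$line" '!done && $0 == "exit 0" { print l; done = 1 } { print }' "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf '%s\n' "$line" >> "$file"
    fi
}

# On the server, as root, ideally from a console or a session you can afford to lose:
#   firewall_rules 48213 > /etc/iptables && iptables-restore < /etc/iptables
#   ensure_line_before_exit /etc/rc.local 'iptables-restore < /etc/iptables'
```

iptables-restore replaces the whole table in one step, so the ESTABLISHED rule and the DROP policy land together and your current SSH session survives. Note that none of this touches ip6tables: if the host has a public IPv6 address, load an equivalent ruleset with ip6tables-restore (and allow ICMPv6, which IPv6 needs for neighbour discovery), or everything is still open on v6.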
Bonus: 6. Change locale
If you use German VPS providers like me, you won't be surprised that the default locale is set to
LANG=de_DE.UTF-8. Interestingly enough, the Ubuntu documentation for changing the default locale is lacking crucial information. First install the locale you need:
apt-get install language-pack-en
To check the installed locales on your system, list them with:
On Debian, build and configure locales with this command:
On Ubuntu, change the default locale by editing these two files:
I changed it to
LANG="en_US"
and also changed
export LANG="de_DE.utf8"
export LANGUAGE="de_DE.utf8"
export LC_ALL="de_DE.utf8"
to
export LANG="en_US.utf8"
export LANGUAGE="en_US.utf8"
export LC_ALL="en_US.utf8"
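The crucial bit the documentation skips is that pointing LANG at a locale that was never generated gives you a "setlocale: LC_ALL: cannot change locale" warning on every login and in every cron mail. The script below, an added example that is not from the original post, checks the locale name against the output of locale -a first (which spells the codeset "utf8", not "UTF-8", so a naive string compare fails) and only then rewrites the LANG, LANGUAGE and LC_ALL lines in a file such as /etc/environment. The locale listing used in the usage comment is whatever locale -a prints on your host; the one in the test is constructed.

```bash
#!/bin/sh
# Added example, not from the original post. Guards the step 6 edit: verify the
# locale exists in `locale -a` output before writing it into the config file.

# Print $1 the way `locale -a` spells it: codeset lowercased with punctuation
# dropped, so en_US.UTF-8 and en_US.utf8 compare equal. A modifier (@euro) is kept.
normalize_locale() {
    case "$1" in
        *.*)
            base=${1%%.*}; rest=${1#*.}
            mod=''; case "$rest" in *@*) mod="@${rest#*@}"; rest=${rest%%@*} ;; esac
            cs=$(printf '%s' "$rest" | tr 'A-Z' 'a-z' | tr -d '-')
            printf '%s.%s%s\n' "$base" "$cs" "$mod" ;;
        *) printf '%s\n' "$1" ;;
    esac
}

# Return 0 if locale $1 is present in the `locale -a` listing read on stdin.
locale_available() {
    want=$(normalize_locale "$1")
    while IFS= read -r have; do
        [ "$(normalize_locale "$have")" = "$want" ] && return 0
    done
    return 1
}

# Rewrite LANG, LANGUAGE and LC_ALL in file $1 to $2, keeping an "export" prefix
# where a line had one and appending any variable that is not set yet.
set_locale_in_file() {
    file=$1; loc=$2
    for key in LANG LANGUAGE LC_ALL; do
        if grep -Eq "^(export[[:space:]]+)?$key=" "$file"; then
            sed -E "s|^(export[[:space:]]+)?$key=.*|\1$key=\"$loc\"|" "$file" > "$file.tmp" \
                && mv "$file.tmp" "$file"
        else
            printf '%s="%s"\n' "$key" "$loc" >> "$file"
        fi
    done
}

# Switch file $1 to locale $2 only if the listing on stdin (normally `locale -a`) has it.
switch_locale() {
    if locale_available "$2"; then
        set_locale_in_file "$1" "$2"
    else
        echo "locale $2 is not generated; run locale-gen or install its language pack first" >&2
        return 1
    fi
}

# On the server:  locale -a | switch_locale /etc/environment en_US.UTF-8
```

The same function works on /etc/default/locale, which uses the plain KEY="value" form without export; log out and back in afterwards, since the files are read at login.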