October 24, 2015

Five steps every new Debian or Ubuntu server needs

Five steps every new Debian or Ubuntu server needs

If you are setting up a new server here are some basic but crucial steps that are needed to be prepare your Ubuntu 14.04 for running securely and smoothly.

0. Remove Ubuntu and install Debian :)

Step 0 was added by popular demand by few senior admins who suggested not to ever use Ubuntu as server :)
I can't argue with that, when I have the choice I usually install Debian or Centos, depending of the task or service which will be used.

1. Make sure server is updated
apt-get update && apt-get upgrade
2. Change ssh service to different port, add your public key and disable password logins.
vim /etc/ssh/sshd_config

change from Port 22 to some port you will remember :) Best to use some random port in range 10000-65535. We will call this number <ssh-port>.

Changing ssh port won't give you added security if you are attached by a targeted attack, but it will definitely lover the noise in your logs because most scripts just try ssh on port 22 an move along if they don't find service running on port 22.

Copy your public ssh key from ~/.ssh/id_rsa.pub to your servers /root/.ssh/authorized_keys file.

Edit /etc/ssh/sshd_config and change

#PasswordAuthentication yes


PasswordAuthentication no
3. Install, configure and enable fail2ban
apt-get install fail2ban
vim /etc/fail2ban/jail.conf

Now change bantime and findtime to 86400, scroll down to [ssh] part and change port = 22 to <ssh-port>.

Now enable fail2ban so it start on boot:

 update-rc.d fail2ban enable

And then check to see the status of how many IPs you have caught and blocked:

 fail2ban-client status ssh
4. Install and configure nullmailer

Nullmailer is an awesome software, simple, elegant, secure, small and gets the job done. If you have a dedicated server for email, or want to use your service providers email server, or even Gmail to send out mails then nullmailer is what you want.

apt-get install nullmailer

Make sure you use secure ways of connecting to you smtp server, for example if you use Gmail then your /etc/nullmailer/remotes should look like this:

smtp.gmail.com smtp --port=587 --auth-login --user=you@gmail.com --pass=Yourpassword --starttls
5. Block all ports

Use these simple iptables settings to close all ports, except your <ssh-port>, of course.

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport <ssh-port> -j ACCEPT
iptables -P INPUT DROP

Now save your rules:

iptables-save > /etc/iptables

And edit /etc/rc.local so your iptables firewall rules are loaded on boot, add this line before exit 0:

iptables-restore < /etc/iptables
Bonus: 6. Change locale

If you use German VPS providers like me then you won't be surprised that defualt locale is set to LANG=de_DE.UTF-8. Interestingly enough Ubuntu documentation for changing default locale is lacking crucial information. First install locale you need:

apt-get install language-pack-en

To check installed locales on your system list them with:

locale -a

On Debian build and configure locales with this command:

dpkg-reconfigure locales

For Ubuntu change default locale by editing these two files:

vim /etc/default/locale

I changed from LANG=de_DE.UTF-8 to LANG="en_US" and also

vim /etc/profile


export LANG="de_DE.utf8"
export LANGUAGE="de_DE.utf8"
export LC_ALL="de_DE.utf8"


export LANG="en_US.utf8"
export LANGUAGE="en_US.utf8"
export LC_ALL="en_US.utf8"