Quickly Setting Up and Securing an Ubuntu Server

I’m setting up an old desktop as a server at school. I was going to post details about it later, but after seeing this article claiming that there are hundreds of thousands of unsecured databases out there, I thought I’d go ahead and post some of the basics on installing and securing a server running Ubuntu Linux. UPDATE: These notes were created when Ubuntu 7.10 “Gutsy” was out, but I’ve tweaked them for changes in 8.10 Intrepid. They should hopefully work with 9.04 Jaunty too.

I’m assuming Ubuntu is already installed. In my case, the desktop version (not the server version which already has most of this pre-installed). I want to quickly convert it to a server to use for some research.

Step 0: Do You Need It? – There are cheap and much more reliable ways to run your own server applications. Providers such as Linode or Bytemark offer you “virtual root” linux servers for as little as under $20 a month using Linux virtual machines such as User-Mode Linux (UML), Xen, and VMWare. I’ve used them before for years.

I’m running a server on my own machine instead for this project because it is a small project, it is free this way, and because I think the .edu domain name makes a difference (the URL is part of any website’s interface).

Most of the information below applies anyway if you are using a virtual root hosting service, since you’ll have to install and set up much of your server software in the same manner.

Step 1: Get Connected – Make sure you have a stable IP address and a domain name that can be used to connect to your machine. You’ll have to work with your network administrator to do this, or purchase your own domain name at places like NetworkSolutions.com [UPDATE: don't use networksolutions, anytime you search for a domain, they automatically register it themselves so they can charge more], Register.com, or GoDaddy.com, or else use a free service like DynDNS.com.

If you want to find out your IP address and hostname, you can use commands like “ifconfig” and “nslookup”, or visit sites like whatismyip.com and samspade.com.

Once you are assigned an IP address and domain name, set the domain name for your machine by editing the /etc/hostname file:

sudo nano /etc/hostname

And put your hostname there all alone on one line:

my.domain.name.edu

Type control-X to quit and save the file.

You can also add information about your IP address and hostname to the /etc/hosts file. Say for example your IP is 123.123.123.123, add a line like this to the file (using “sudo nano /etc/hosts”):

123.123.123.123 your.domain.name.edu

Step 2: Use a Strong Password – Something very long that uses lower case, upper case letters, numbers, and symbols. This is very important.

You can do it graphically by going to System->Administration->Users and Groups, or on the command line (using Terminal), by simply running:

passwd

Optional: You can also set passwords for your BIOS and for the GRUB bootloader. In the BIOS you can also set the boot order of devices so that the hard drive is first, so that people can’t pop in a CD and override your system.

Step 3: Install SSH Server – This is so you can login to your computer remotely through an encrypted connection. If you are using the Terminal command line shell application, you can install like so:

sudo apt-get install ssh openssh-server

Otherwise, you can use the graphical Synaptic package manager to search for “ssh” and install the same packages.

Optional: Edit the /etc/ssh/sshd_config file to change the default port ssh uses for connections from 22 to some other value. Change the line that reads “Port 22”. Our ssh servers on campus are attacked all the time. Changing the port to something non-default alleviates it somewhat (but you still need to run a firewall and keep the system up to date and backed up, too).

sudo nano /etc/ssh/sshd_config

Restart ssh:

sudo invoke-rc.d ssh restart

Test it out by connecting to your server from another computer, using an ssh client (like “ssh” on the command line, or PuTTY on Windows, etc.). Say you made the port 987 and your username is “bob”, then the command to connect is:

ssh bob@my.domain.name.edu -p 987

Step 4: Install LAMP software – the Apache 2 webserver, PHP 5, & MySQL 5. To do this quickly, we can use either tasksel (on the command line), or Synaptic. In Synaptic, select Edit->Mark Packages by Task… and check the LAMP server option and install.

Or else on the command line, run

sudo tasksel

and select the LAMP server option. If tasksel is not installed run “sudo apt-get install tasksel”.

Apache, MySQL, and PHP will now be installed. It should ask you for a root password to use with MySQL. Again, pick a strong password. MySQL should be already configured also to not accept any connections except from the local machine.

The main Apache configuration files are located at:

/etc/apache2/apache2.conf

/etc/apache2/sites-enabled/000-default

in case you want to make any changes.

The root folder for your webserver HTML documents is:

/var/www

Edit the index.html file, for example, to change the homepage.

Check out your webserver at http://your.domain.name.edu/

Step 5: Setup a Firewall – This is very important, too. You can block all outside access to your machine except via the ports you want to keep open. The webserver uses port 80, and ssh uses whatever port you set in /etc/ssh/sshd_config (22 by default).

There are 2 options to consider for your firewall in Ubuntu. If you are still using the machine as a desktop machine, too, you might consider installing FireStarter, a graphical firewall manager. I use that on my laptop. On the server though, I am using Shorewall, since it can be configured from the command line (perhaps Firestarter can as well, but I don’t know).

To install Shorewall, type this on the command line:

sudo apt-get install shorewall

Then type these commands:

##old: cd /usr/share/doc/shorewall/default-config
cd /usr/share/doc/shorewall-common/default-config

sudo cp interfaces /etc/shorewall/
sudo cp policy /etc/shorewall/
sudo cp rules /etc/shorewall/
sudo cp zones /etc/shorewall/

Using your text editor command (such as sudo nano or sudo gedit), you need to edit those 4 files. Add this line before the last line of /etc/shorewall/interfaces:

net eth0 detect

Add this line before the last line of /etc/shorewall/zones:

net ipv4

You should also have a line that says “fw firewall” in the zones file.

Put these lines before the last line of /etc/shorewall/policy:

fw net ACCEPT
net all DROP info
all all REJECT info

And add these lines to your /etc/shorewall/rules file after the SECTION NEW line:

#change "22" to the port you used for ssh if not the default one:
ACCEPT net fw tcp 22
ACCEPT net fw tcp www,https

Change 22 to the port you used for ssh. Remove “,https” if you have no intention of ever installing the ssl module for the apache webserver (for secure web transactions).

Finally, edit /etc/default/shorewall file by changing the line that reads startup=0 to:

startup=1

You can start up the firewall with the command:

sudo invoke-rc.d shorewall start

The actions you can pass to invoke-rc.d in general include start, stop, and restart.
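
An added example (not from the original post): a pre-flight check that the rules file still accepts the port sshd is configured to use, so that starting the firewall over an ssh session does not lock you out. It only understands plain ACCEPT rules in the form shown above, and the files written by demo are constructed samples.

```sh
#!/bin/sh
# Added example: check that the Shorewall rules still admit ssh before the
# firewall is started. File paths are arguments so copies can be checked.

# Ports sshd listens on; 22 when sshd_config has no active Port line.
sshd_ports() {
    awk 'tolower($1) == "port" { print $2; n++ } END { if (!n) print 22 }' "$1"
}

# tcp ports accepted from zone "net" to "fw" by plain ACCEPT rules.
# Only the service names used in this tutorial are translated to numbers.
open_tcp_ports() {
    awk '$1 == "ACCEPT" && $2 == "net" && $3 == "fw" && $4 == "tcp" {
        n = split($5, ports, ",")
        for (i = 1; i <= n; i++) {
            p = ports[i]
            if (p == "ssh") p = 22
            else if (p == "www" || p == "http") p = 80
            else if (p == "https") p = 443
            print p
        }
    }' "$1"
}

# Succeeds only when every sshd port appears in the rules file.
ssh_allowed() {
    allowed=$(open_tcp_ports "$2")
    for port in $(sshd_ports "$1"); do
        if ! printf '%s\n' "$allowed" | grep -qx "$port"; then
            echo "ssh port $port is not accepted by $2" >&2
            return 1
        fi
    done
}

# Constructed sample files: sshd moved to port 987, rules still open only 22.
demo() {
    dir=$(mktemp -d) || return 1
    printf '#Port 22\nPort 987\n' > "$dir/sshd_config"
    printf 'SECTION NEW\nACCEPT net fw tcp 22\nACCEPT net fw tcp www,https\n' > "$dir/rules"
    before=0; ssh_allowed "$dir/sshd_config" "$dir/rules" 2>/dev/null || before=$?
    sed 's/tcp 22$/tcp 987/' "$dir/rules" > "$dir/rules.fixed"
    after=0; ssh_allowed "$dir/sshd_config" "$dir/rules.fixed" || after=$?
    rm -rf "$dir"
    echo "before=$before after=$after"
}
```

On the server itself, run ssh_allowed /etc/ssh/sshd_config /etc/shorewall/rules and start Shorewall only if it succeeds.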

(Update) Step 5b: Install fail2ban – fail2ban will block attackers who try to brute force your ssh or apache or other services.

sudo apt-get install fail2ban
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

and edit the jail.local file.

See more instructions here and here.

I set “enabled=true” for the ssh, apache, postfix jails. I also added the apache-badbots jail:

[apache-badbots]
enabled = true
port    = http,https
filter  = apache-badbots
logpath = /var/log/apache*/*access.log
maxretry = 2

I would also add that if you want ban reports emailed to you, change “destemail” to your email and set “action = %(action_mwl)s”.
You will also probably have to “sudo apt-get install mailx” for email sending to work. Run “cat /var/log/fail2ban.log” to see errors or log messages.

Step 6: Keep Your System Up to Date – Run the commands

sudo apt-get update
sudo apt-get upgrade

to keep all your installed software up to date. This is important if, for example, a security flaw is revealed in apache or ssh (or webmin, which had a huge hole in it until recently). Updating your machine will install new versions that fix the security flaws. You can even run the above commands automatically every day using crontab if you wish, and/or install the unattended-upgrades package:

sudo apt-get install unattended-upgrades

There are various crontab tutorials around the web.

Step 7: Monitor Your Site – There are various tools you can install and use to monitor your site, such as webalizer (apache statistics), webmin (a web-based control panel for your server), and others. crontab plus shell scripts (in bash, python, perl, etc.) can be used to email you whenever a server application goes down, or restart the application automatically. There are other watchdog tools out there for this kind of thing as well.
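
One way to write the cron watchdog described in Step 7, as an added example rather than the author's script. The script path and e-mail address in the comments are placeholders, the process and init script names are assumed to be the stock Ubuntu ones, and mail comes from the mailx package mentioned in Step 5b.

```sh
#!/bin/sh
# Added example: watchdog meant to be run from cron.
# check_service NAME CHECK_CMD RESTART_CMD
#   returns 0 = running, 1 = was down and restarted, 2 = still down
check_service() {
    if sh -c "$2" >/dev/null 2>&1; then return 0; fi
    sh -c "$3" >/dev/null 2>&1 || true
    sleep "${WATCHDOG_WAIT:-5}"        # give the daemon time to come up
    if sh -c "$2" >/dev/null 2>&1; then
        echo "$1 was down and has been restarted"
        return 1
    fi
    echo "$1 is down and the restart did not help"
    return 2
}

# Services installed in this tutorial (assumed stock Ubuntu names).
watchdog() {
    report=$(
        check_service apache "pgrep -x apache2" "invoke-rc.d apache2 restart"
        check_service mysql  "pgrep -x mysqld"  "invoke-rc.d mysql restart"
        check_service ssh    "pgrep -x sshd"    "invoke-rc.d ssh restart"
    )
    # Stay silent when all is well, so a message always means trouble.
    [ -z "$report" ] || echo "$report" | mail -s "watchdog: $(hostname)" "$1"
}

# Run only when asked, e.g. from root's crontab (placeholder path and address):
#   */5 * * * * /usr/local/sbin/watchdog.sh --run admin@example.edu
if [ "${1:-}" = "--run" ]; then watchdog "$2"; fi
```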

Step 8: Backup Your Machine – You’ll want to keep regular backups of the files on your server. You can backup the files to a remote computer, for example, or a second hard drive. You can setup a RAID configuration so that multiple drives store your information redundantly.

For a simple copy and compress backup to another drive (something like I use on the laptop), you can run a command like this:

sudo tar cpzf /media/path/to/backup/folder/my-backup.tar.gz --exclude=/proc/* --exclude=/lost+found/* --exclude=/dev/* --exclude=/mnt/* --exclude=/media/* --exclude=/sys/* --exclude=/tmp/* --exclude=/var/cache/apt/* /

For a server though, it is better to use something like rsync, which can be configured to only backup what has changed since the last time you backed up (incremental backups). See for example:

Remember to learn how to recover the files from your backup as well.
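
An added example of the incremental rsync approach (not from the original post): each run creates a dated snapshot in which unchanged files are hard links into the previous one, plus a helper for restoring a path. The function names and the snapshot layout are choices made for this example.

```sh
#!/bin/sh
# Added example: dated snapshots with rsync. Unchanged files are hard links
# into the previous snapshot, so each run stores only what changed.
# snapshot_backup SOURCE_DIR BACKUP_ROOT [NAME]
snapshot_backup() {
    src=$1
    root=$2
    name=${3:-$(date +%Y-%m-%d_%H%M%S)}
    mkdir -p "$root" || return 1
    root=$(cd "$root" && pwd -P) || return 1   # --link-dest wants an absolute path
    set -- -a --delete
    if [ -d "$root/latest" ]; then
        set -- "$@" "--link-dest=$root/latest"
    fi
    # Copy into a scratch name first so an interrupted run never becomes "latest".
    rsync "$@" "$src/" "$root/$name.partial/" || return 1
    mv "$root/$name.partial" "$root/$name" || return 1
    ln -sfn "$name" "$root/latest"
}

# Restore one file or folder from a snapshot, keeping permissions and times.
# restore_from SNAPSHOT_DIR RELATIVE_PATH TARGET_DIR
restore_from() {
    rsync -a "$1/$2" "$3/"
}
```

For example, snapshot_backup /var/www /media/path/to/backup/folder/www run nightly from cron keeps one folder per run, and any of them can be browsed or restored directly.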

More Resources

For more resources, see sites such as these:

Posted in opensource, technology
5 comments on “Quickly Setting Up and Securing an Ubuntu Server”
  1. Anonymous says:

    I just want to say, THANK YOU SO MUCH for posting this tutorial! I am also setting up an ubuntu server at my school and didn’t want to rely on the X-GUI any longer. Thanks again, Rob

  2. Doug Holton says:

    Here also are instructions for fixing your server’s ssh keys, which were vulnerable to an attack apparently until a recent fix was released: http://ubuntu-tutorials.com/2008/05/13/openssh-openssh-vulnerabilities-confirm-fix-instructions/

  3. Doug Holton says:

    Also, in shorewall, the rules file, you might unblock port 25 too for email (the smtp server).
    ACCEPT net fw tcp 25
    ACCEPT net fw udp 25

  4. Joakim Berglund says:

    Ah, I thought setting up shorewall was complicated – you made it not! Thanks!

  5. Doug Holton says:

    I recommend using fail2ban also to block bots or whatever after they repeatedly try to login to ssh or other things.
    sudo apt-get install fail2ban
    Then
    sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
    and edit the jail.local file
    See:
    http://www.pragmaticutopia.com/blog-mainmenu-125/Fail2ban-on-Ubuntu-LAMP.html
    http://www.howtoforge.com/fail2ban_debian_etch
    http://edin.no-ip.com/content/filter-spam-or-bad-robot-visit-your-apache-with-fail2ban
    You can actually change the banaction line in jail.local from iptables-multiport to ‘shorewall’ but I can’t find much documentation on that. I left it as the default for now. iptables is already installed by default (shorewall is an iptables wrapper).


Doug Holton
