Defending against Internet attacks for your Ubuntu Server (14.04 LTS)

The Ubuntu Server Edition LTS is a highly reliable server system and comes with reasonable security defaults. Still there are additional steps to take if we want to enhance its security.

Note

These steps will only help make your server more secure but they will not make it bulletproof! Security is an ongoing process and you should always be alert for new security issues.

Prerequisites

  1. Install a fresh Ubuntu Server 14.04 (preferably 64-bit).

  2. Use the following command to install SSH, if not already installed:
    $ sudo apt-get -y install openssh-server
    
  3. Make sure you have a sudo enabled user:
    $ id | grep sudo
    uid=1000(theoadm) gid=1000(theoadm) groups=1000(theoadm),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lpadmin),117(sambashare),1006(gitusers)
    

    If the above is not true, you will have to log in as root with su - and execute all the commands as the root user.

Secure SSH

  1. Block remote logins as root. Set the value of the PermitRootLogin keyword, in /etc/ssh/sshd_config, to without-password or no. The value without-password disables password-based authentication for the user root and only allows Public Key Authentication; the value no refuses root logins over SSH altogether.

    • First check the current value of the PermitRootLogin keyword:
      $  grep PermitRootLogin /etc/ssh/sshd_config
      PermitRootLogin without-password
      
    • A value of yes is considered very bad practice, especially on a public server. Use your favorite editor or the following command to change it:
      $ sudo sed -i 's/^\(PermitRootLogin\s\)[yY][eE][sS]/\1without-password/' /etc/ssh/sshd_config
      
    • Don't forget to restart SSH:
      $ sudo service ssh restart
      
  2. Change the SSH listening port from 22 to something else. This is not the ultimate security measure but, since most ssh attack bots target the default port, it will greatly reduce the number of attacks.

    • First select a port not used by a well known service. Let's assume that we decided to use port 4547:
      $  grep 4547 /etc/services ; echo $?
      1
      

      A return value of 1 indicates that no well known service is using that port.

    • Then change the value of the Port keyword to 4547. Use your favorite editor or the following sed command to do so:
      $  sudo sed -i 's/^\(Port\s\)22/\14547/' /etc/ssh/sshd_config
      
    • Restart your SSH server:
      $ sudo service ssh restart
      
    • Verify that the port has been changed:
      $ sudo netstat -lnpt | grep ssh
      tcp     0    0 0.0.0.0:4547   0.0.0.0:*   LISTEN   11979/sshd      
      tcp6    0    0 :::4547        :::*        LISTEN   11979/sshd      
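
A check for the two SSH steps above, as an added example that is not part of the original guide. The function names are hypothetical and the sample configuration is constructed; it assumes whitespace-separated keyword/value lines and GNU sed.

```shell
#!/bin/sh
# Added example (not from the original guide): report the value sshd will
# actually use. Keywords are case-insensitive and the first uncommented
# occurrence wins; parsing stops at the first Match block (conditional part).
sshd_effective() {  # usage: sshd_effective <config-file> <keyword> <default>
    awk -v key="$2" -v def="$3" '
        /^[ \t]*#/ || NF == 0 { next }        # skip comments and blank lines
        tolower($1) == "match" { exit }       # global section ends here
        tolower($1) == tolower(key) { val = $2; found = 1; exit }
        END { print (found ? val : def) }
    ' "$1"
}

# Return non-zero if the two SSH steps above did not take effect.
check_ssh_hardening() {  # usage: check_ssh_hardening <config-file> <expected-port>
    cfg=$1; want_port=$2; rc=0
    root=$(sshd_effective "$cfg" PermitRootLogin yes)   # sshd of that era defaults to yes
    port=$(sshd_effective "$cfg" Port 22)
    case $(printf '%s' "$root" | tr 'A-Z' 'a-z') in
        no|without-password) ;;
        *) echo "FAIL: PermitRootLogin is '$root'"; rc=1 ;;
    esac
    [ "$port" = "$want_port" ] || { echo "FAIL: Port is '$port', expected $want_port"; rc=1; }
    return "$rc"
}

# Constructed sample: two spaces after the keyword, so the guide's sed pattern
# (which expects exactly one whitespace character) leaves the line unchanged.
sample=$(mktemp)
printf '%s\n' '# constructed sample' '#Port 4547' 'Port 22' \
    'PermitRootLogin  yes' > "$sample"
sed -i 's/^\(PermitRootLogin\s\)[yY][eE][sS]/\1without-password/' "$sample"
check_ssh_hardening "$sample" 4547 || echo "sample config still needs fixing"
rm -f "$sample"
```

Run check_ssh_hardening against /etc/ssh/sshd_config before restarting SSH, so that a sed command that matched nothing does not go unnoticed.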
      

Enable Filtering

  1. Enable the firewall functionality. We will be using the pre-installed Uncomplicated Firewall (ufw), which is just a front-end to the more complicated iptables.

    • First allow port 4547. Make sure you type the correct port or you will be locked out of your server! Use the following command to allow traffic to our chosen port:
      $ sudo ufw allow 4547/tcp
      
    • Then enable the firewall:
      $ sudo ufw enable
      
    • Verify that it is working:
      $ sudo ufw status
      Status: active

      To                         Action      From
      --                         ------      ----
      4547/tcp                   ALLOW       Anywhere
      4547/tcp (v6)              ALLOW       Anywhere (v6)

  2. Set up the Fail2ban intrusion prevention software. Fail2ban is an excellent tool to block attacks against SSH and many other services.

    • Install fail2ban:
      $ sudo apt-get -y install fail2ban
      
    • SSH protection is enabled by default but we need to reconfigure the ssh port to 4547. In the file /etc/fail2ban/jail.conf change the port = ssh value to 4547:
      [ssh]
      enabled  = true
      port     = 4547
      filter   = sshd
      logpath  = /var/log/auth.log
      maxretry = 6

    • Enable protections against distributed attacks. Edit the [ssh-ddos] section in /etc/fail2ban/jail.conf:
      [ssh-ddos]
      enabled  = yes
      port     = 4547
      filter   = sshd-ddos
      logpath  = /var/log/auth.log
      maxretry = 6
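
To see which addresses the [ssh] jail settings above would act on, the following added example (not part of the original guide, and not Fail2ban's own code) counts failed password attempts per source address in an auth.log-style file. The function names are hypothetical, the log lines are constructed, and Fail2ban's time window is left out.

```shell
#!/bin/sh
# Added example (not from the original guide): list source IPs that reach
# <maxretry> failed SSH password attempts. Simplified: no time window.
ssh_offenders() {  # usage: ssh_offenders <auth-log> <maxretry>
    awk -v max="$2" '
        # Line shape: ... sshd[PID]: Failed password for [invalid user] NAME from IP port N ssh2
        # NAME is chosen by the client and may itself contain " from 1.2.3.4",
        # so the address is read relative to the end of the line.
        $5 ~ /^sshd\[[0-9]+\]:$/ && $6 == "Failed" && $7 == "password" &&
        $(NF - 4) == "from" && $(NF - 2) == "port" { hits[$(NF - 3)]++ }
        END { for (ip in hits) if (hits[ip] >= max) print hits[ip], ip }
    ' "$1" | sort -rn
}

# Constructed log lines using documentation address ranges.
sample_auth_log() {
    i=0
    while [ "$i" -lt 6 ]; do
        echo "Sep 15 11:40:0$i webserver sshd[2101]: Failed password for root from 203.0.113.7 port 5100$i ssh2"
        i=$((i + 1))
    done
    cat <<'EOF'
Sep 15 11:41:10 webserver sshd[2140]: Failed password for invalid user x from 192.0.2.1 from 198.51.100.9 port 40022 ssh2
Sep 15 11:41:12 webserver sshd[2140]: Failed password for invalid user admin from 198.51.100.9 port 40023 ssh2
Sep 15 11:42:00 webserver sshd[2155]: Accepted password for user from 192.168.56.1 port 50111 ssh2
EOF
}

log=$(mktemp)
sample_auth_log > "$log"
ssh_offenders "$log" 6     # maxretry = 6, as in the jail settings above
rm -f "$log"
```

On the server itself, point ssh_offenders at /var/log/auth.log and compare the result with the output of sudo fail2ban-client status ssh.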

Unattended upgrades

Enabling unattended upgrades may not be a very good idea on mission critical servers. In such scenarios you may want to test the upgrades on a test server before you apply them in production. Nevertheless it may be good practice to enable this functionality on machines that are expected to run unattended for long periods of time. This will help to automatically patch vulnerabilities on your machine. Note, however, that patches to the Linux kernel or the glibc library do not take effect automatically, because a restart is needed in these cases. So even in mostly unattended scenarios, you still need to check occasionally whether your machine needs a restart.

  1. Make sure that the unattended-upgrades package is installed. It is usually pre-installed but if not, you can use the following command to install it:
    $ sudo apt-get -y install unattended-upgrades
    
  2. Then we must configure automatic upgrades. Answer Yes when asked by the following command:
    $ sudo dpkg-reconfigure unattended-upgrades
    
    • Alternatively you can edit the /etc/apt/apt.conf.d/20auto-upgrades configuration file as follows:
      APT::Periodic::Update-Package-Lists "1";
      APT::Periodic::Unattended-Upgrade "1";
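
The occasional check described above can be scripted. This added example (not part of the original guide) confirms that both APT::Periodic switches are on and reports a pending restart through the /var/run/reboot-required marker that Ubuntu writes; the function names are hypothetical and the optional path arguments exist only so the functions can be pointed at test copies.

```shell
#!/bin/sh
# Added example (not from the original guide). Defaults are the real Ubuntu
# locations; pass other paths to try the functions on copies.
periodic_value() {  # usage: periodic_value <conf-file> <Update-Package-Lists|Unattended-Upgrade>
    # Lines commented out with // do not match; the last assignment wins.
    sed -n "s|^[[:space:]]*APT::Periodic::$2[[:space:]]*\"\([0-9]*\)\";.*|\1|p" "$1" | tail -n 1
}

auto_upgrades_enabled() {  # usage: auto_upgrades_enabled [conf-file]
    conf=${1:-/etc/apt/apt.conf.d/20auto-upgrades}
    [ -r "$conf" ] || return 1
    for key in Update-Package-Lists Unattended-Upgrade; do
        v=$(periodic_value "$conf" "$key")
        # "0" or a missing key means the periodic job is off
        [ -n "$v" ] && [ "$v" -ge 1 ] || return 1
    done
}

reboot_pending() {  # usage: reboot_pending [run-dir]; prints the packages that asked for it
    dir=${1:-/var/run}
    [ -e "$dir/reboot-required" ] || return 1
    [ -r "$dir/reboot-required.pkgs" ] && sort -u "$dir/reboot-required.pkgs"
    return 0
}

auto_upgrades_enabled && echo "unattended upgrades: on" || echo "unattended upgrades: off"
reboot_pending && echo "restart needed" || echo "no restart pending"
```

Settings in other files under /etc/apt/apt.conf.d can override this one; apt-config dump | grep Periodic shows the merged values on a live system.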
      

Further Reading

As we said earlier, security is an ongoing process. Some further info to make your site more secure:

How to set up your own LAMP server on Ubuntu 14.04 (aka Trusty Tahr)

You sail with no lights in the midnight dark.
Afraid of betrayal by lights from the land,
alone and thoughtful, you walk the deck,
clutching Aladdin’s lamp in your hand.
~ Nikos Kavvadias ~

In this guide we are setting up an Ubuntu/Linux based webserver with a database backend and using the PHP scripting language. The term LAMP is not related to lighting, nor Middle Eastern tales but refers to the combination of Linux, Apache, MySQL (here MariaDB) and PHP.

Traditionally we have been using MySQL for this task but since Ubuntu 14.04, MariaDB is available from the stock Ubuntu repos. It is recommended to use MariaDB over the beloved MySQL, because the future of the latter is not so promising after its purchase by Oracle.

We will also be using VirtualBox to install Ubuntu Server on a virtual machine but you can follow this guide on an actual computer or on your cloud/hosting provider.

To complete this guide you will need to download a copy of the latest Ubuntu Server ISO image (current version 14.04.2).

Setting up the Virtual Machine

  1. Install VirtualBox: Make sure you have VirtualBox installed. If not, you can download it from your package manager or from command line (works for Ubuntu and Debian based systems):
    $ sudo apt-get -y install virtualbox
    If you are using a Windows PC you will need to go to the VirtualBox website and download it.
  2. Start VirtualBox: Click on the New icon to create a new virtual machine.
  3. Set up the VM name: Type Ubuntu-server in the Name field and click 'Next'.
  4. Set up the memory size: The default 512 MB is enough but you may use 1024 if you have memory to spare.
  5. Set up the Virtual Hard Drive:
    • Create the Virtual Hard Drive.
    • Select the format of the Hard Drive: VDI is the default for VirtualBox.
    • Select the type of the Hard Drive: Fixed size is supposedly better for performance but it will occupy space equal to its size on your disk. For testing purposes choose Dynamically allocated.
    • Select the size of your disk: If you have chosen Dynamically allocated before, then your Hard Drive can be as large as 2,00 TB without actually occupying that much space on the physical disk. 40,00 GB is more than enough.
  6. Set up Networking: The default network mode for newly created VirtualBox machines is NAT. This mode is not very convenient if you want to access your VM from the physical host so we are changing that to Bridged Adapter.

    Warning: in some enterprise environments this could trigger the security defences of your network and lock you out! Please consult with your network administrator before enabling this at work!

    You can find more information about the VirtualBox networking modes here: VirtualBox Networking Modes
    • To set up Bridged Networking press the Settings icon.
    • The default mode in the Attached to: field is NAT.
    • Change NAT to Bridged Adapter: If you have more than one ethernet interface you will need to choose the correct one in the Name field. Usually the correct value is eth0 but this is not always the case. Press OK and you are done with networking.
  7. Start your VM:
    • Press the Start icon.
    • Boot the Ubuntu ISO: Click on the little folder icon on the right side.
    • Select the Ubuntu ISO file you downloaded earlier.
    • Press Start to begin the installation.

The above procedure is for those that do not have a spare computer for testing. Building a VM is the safest way to experiment with all kinds of setups without breaking your working computer.

Now if you do have a spare computer you can skip the steps above and go straight to the steps below. On a physical computer you will need to burn the ISO file to a CD/DVD or write it to a USB stick, using the usb-creator on Ubuntu or UNetbootin for other systems. You will need to set up your BIOS/UEFI to boot from the CD or USB first. On Windows 8 systems you may need to disable the abomination called Secure Boot.

Setting up Ubuntu Server 14.04 (Trusty Tahr)

Now prepare your pain-killers as this will take some time.

  1. Select the Language for the setup process: This is the language used during the installation. Choose English or whatever language you feel comfortable with. If you haven't figured it out already, the mouse will not work here. Use the arrow keys to select the language and press 'Enter' to go to the next step. In case VirtualBox captures your mouse you can press the right Ctrl button to release it.
  2. Start the installation: Select Install Ubuntu Server and press 'Enter'.
  3. Select the system Language: Again select whatever language you need. This is the language for the system, after the installation is finished.
  4. Select your location: If your location is not listed here choose Other and press 'Enter'.
  5. Select your location now.
  6. Select your country.
  7. Select your Locale: If you selected English before you will get a list of English speaking countries to choose from.
  8. Detect keyboard layout: Select Yes if you are unsure of your keyboard layout. No is usually safe unless you have a weird keyboard.
  9. Choose the basic keyboard layout.
  10. Select specific keyboard layout: Select the first if you are unsure.
    • Wait for the setup to load all necessary components for the installation. If you are not connected to a DHCP enabled network, you will be prompted to give your network settings. Ask your network administrator for assistance.
  11. Select the hostname of your server: Press 'Tab', select Continue and then 'Enter'.
  12. Enter your name: Nobody forces you to enter your actual name :).
  13. Enter your username.
  14. Select your password: This is a privileged account (using the sudo command) so you had better choose a hard to guess password.
  15. Verify your password again.
  16. Encrypt your home directory: This will protect your personal files if you are paranoid. For testing it's OK to choose No.
  17. Confirm your timezone: If the time zone is correct select Yes otherwise No.
  18. Select the partitioning method: The first option is simpler and probably OK for testing. But on a production server you may need to resize the partitions, create new ones and add more disks, so the LVM method is the recommended one.
  19. Select the hard drive for the installation.
  20. Confirm if you want to write to this hard drive: Select Yes and press 'Enter'. Make sure you don't have any data you need on this drive!
  21. Select Disk Size for the system: It's OK to give all available disk size on a test machine.
  22. Write changes to disk: Select Yes and press 'Enter'.
    • Wait for the Base system installation to complete.
  23. Set up your proxy server: If you do not use a proxy server leave this field blank.
  24. Method to manage upgrades: This is a tricky dilemma. If you choose No automatic updates you may forget to apply updates and render your system vulnerable to attacks. If you choose Install security features automatically your system could break after an update. Choose wisely!
  25. Choose additional software to install: It is a good idea to enable the OpenSSH server so you can access your machine remotely. There is also a LAMP option here but this will install the MySQL server instead of MariaDB and you may wish to avoid that.
    • Wait for the additional software to be installed.
  26. Install the boot loader: Select Yes here.
  27. Restart your machine: Press Continue to restart the system.
  28. Welcome to your newly created Ubuntu server: Congratulations if you have reached so far! You have just installed a fresh Ubuntu server ready to rock!

Installing the LAMP stack

Installing a LAMP environment is easy. We will need to install the Apache webserver, the MariaDB relational database, PHP and the Apache PHP module.

  1. Before we proceed with the LAMP stack installation it is a good idea to update/upgrade our system. The command below will download the lists containing the latest versions of the available packages.
    $ sudo apt-get update
    
    The following command will download the packages to be upgraded, remove obsolete packages and download new ones:
    $ sudo apt-get -y dist-upgrade
    
  2. Installing necessary packages:
    $ sudo apt-get -y install apache2 libapache2-mod-php5 mariadb-server php5-mysql 
    
  3. Set the root password for MariaDB.
  4. Verify the root password.
  5. Accept the warning.

After the package installation is finished we should be ready to go!

Testing your web server

Before testing we need to determine the IP address of the server. Run this command on the terminal of your webserver:

$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default 
 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
 inet 127.0.0.1/8 scope host lo
 valid_lft forever preferred_lft forever
 inet6 ::1/128 scope host 
 valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
 link/ether 08:00:27:5a:6e:a9 brd ff:ff:ff:ff:ff:ff
 inet 192.168.56.101/24 brd 192.168.56.255 scope global eth0
 valid_lft forever preferred_lft forever
 inet6 fe80::a00:27ff:fe5a:6ea9/64 scope link 
 valid_lft forever preferred_lft forever

The IP of your server is 192.168.56.101

  1. Testing your ssh connection: First let's check if ssh works on your server. Type the following command from the terminal of your PC:
    me@PC:~$ ssh user@192.168.56.101
    The authenticity of host '192.168.56.101 (192.168.56.101)' can't be established.
    ECDSA key fingerprint is e4:e7:ac:6c:68:ea:71:90:29:03:bc:92:8e:23:f7:0e.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '192.168.56.101' (ECDSA) to the list of known hosts.
    user@192.168.56.101's password: 
    Welcome to Ubuntu 14.04.1 LTS (GNU/Linux 3.13.0-35-generic x86_64)
    
     * Documentation: https://help.ubuntu.com/
    
     System information as of Mon Sep 15 11:36:04 EEST 2014
    
     System load: 0.09 Processes: 84
     Usage of /: 4.5% of 38.02GB Users logged in: 0
     Memory usage: 13% IP address for eth0: 192.168.56.101
     Swap usage: 0%
    
     Graph this data and manage this system at:
    
    https://landscape.canonical.com/
    
    Last login: Mon Sep 15 11:36:04 2014
    user@webserver:~$
    The first time you connect to any ssh system you get the warning that The authenticity of host '<myhost(myip)>' can't be established. This happens only the first time and it is a safeguard against MITM attacks, provided the fingerprint shown matches your server's key. Type yes (not y!) here. Then it will ask for your password. You will see nothing as you type it! That's normal. If your password is correct you will be greeted by the system information, followed by the command prompt.
  2. Testing your Apache webserver: Fire up your browser and type this URL in the address bar: http://192.168.56.101 If the Apache default page loads in your browser, it means that your Apache webserver is up and running.
  3. Testing PHP: You need to create the following file under the Apache DocumentRoot (/var/www/html). Type the following commands on your server terminal:
    $ sudo -i
    [sudo] password for user:
    # cat > /var/www/html/phpinfo.php << EOF
    > <?php phpinfo(); ?>
    > EOF
    # exit
    $
    The command sudo -i will give you access as the super-privileged root user. Notice how the prompt changes from $ to #.

    The command cat ... will create a new file /var/www/html/phpinfo.php with the content <?php phpinfo(); ?>. This is a nice way to test your PHP setup and get some basic information about your LAMP setup.

    The command exit will take you back to your normal user account. It is not considered a good practice to be logged in as root for too long.

    Finally direct your browser to http://192.168.56.101/phpinfo.php and expect to see the PHP information page. If you scroll further down you will see that mysql is enabled too. For security reasons it may be a good idea to delete the phpinfo.php file afterwards, since it exposes version and configuration details to anyone who requests it:
    $ sudo rm /var/www/html/phpinfo.php
  4. Install phpMyAdmin (optional):
    $ sudo apt-get -y install phpmyadmin
  5. Let the package management system handle phpMyAdmin configuration.
  6. Type the MariaDB root password.
  7. Set the phpMyAdmin database password.
  8. Verify the password.
  9. Choose the correct webserver (apache2).
  10. Visit the phpMyAdmin URL (http://192.168.56.101/phpmyadmin): Use the username root and the MariaDB root password to log in.
  11. Now you can manage MariaDB through phpMyAdmin.

This was the final test that ensures everything works as expected. Now you can start developing your PHP website or install a PHP application like WordPress or ownCloud.

Welcome

Now that weblogs are not so popular, I decided to start my own personal blog. It's been some time I've been thinking about it but I've been postponing it with lame excuses.

This is a bilingual blog and you will find, in the next days, different guides regarding the administration of Linux and free software systems, plus whatever else comes to my mind. It is based on WordPress and the multilingual tool, Polylang. In fact there will soon be a guide about how to build a multilingual website based on WordPress and Polylang.