A minimal Ubuntu server installation does not include an SSH server. Before you install one, be aware that you are opening your server to remote logins, which becomes a real risk if someone manages to brute-force a password. There are a few things we can do to protect ourselves. First, use strong passwords; this I cannot help you with, think of something. The other measures covered in this manual are: sshd_config, to disable root logins (PermitRootLogin no); sshdfilter, an anti-brute-forcing wrapper around sshd; and iptables, the firewall.
Why have I chosen sshdfilter? It has a wrapper mode, whereas other filters only offer a standalone log-tailing mode. For SSH, wrapper mode is very important: a brute-force run takes seconds, and it can also take seconds before sshd's messages reach the log file and a tailing filter reacts, so many attempts are already through before the block is in place. Log tailing also (depending on the filter) relies on iptables logging, which puts extra load on disk IO. In wrapper mode sshdfilter sits in front of sshd on port 22 and hands each connection to sshd after filtering, so it can block brute-forcing attempts without depending on the logs being written (less IO) and without delay. I am sure there are other filters that can act as wrappers on port 22; I chose sshdfilter for its simplicity and flexibility, which are exactly what I need. Right, now that we have that clear, let's get back to business:
Log in to your new Ubuntu installation and install the packages we will need.
Go to root – we will be doing most stuff as root
sudo su -
Upgrade Ubuntu with the latest patches and install the required packages
aptitude update && aptitude upgrade
aptitude install openssh-server openssh-client wget vim lynx
Configure the firewall to allow inbound SSH (TCP port 22) from any source IP and drop everything else. Save the configuration to a script so that it is restored on reboot. This step must be in place for the sshdfilter rules to work (next step): sshdfilter puts its blocking rules into the SSHD chain created here, and port 22 traffic is passed through that chain first.
iptables -N SSHD
iptables -A INPUT -p tcp -m tcp --dport 22 -j SSHD
iptables -A INPUT -m state --state established,related -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -j DROP
# if you want to add an exception to the sshd blocking rules (e.g. for your local network),
# execute this command (assuming 192.168.0.0/16 is your local network). -I inserts the rule
# at the top of INPUT, ahead of the jump to SSHD, so hosts on that network are never blocked
iptables -I INPUT -p tcp -m tcp -s 192.168.0.0/16 --dport 22 -j ACCEPT
# to remove a rule you added, execute the same command with -D instead. Example:
iptables -D INPUT -p tcp -m tcp -s 192.168.0.0/16 --dport 22 -j ACCEPT
Now, let’s make the rules permanent
iptables-save > /etc/iptables-rules
vi /etc/init.d/networking
Find text similar to this one:
start)
process_options
log_action_begin_msg "Configuring network interfaces"
if ifup -a; then
log_action_end_msg $?
else
log_action_end_msg $?
fi
;;
And add the line below somewhere between fi and ;; (a later package upgrade may ask to replace /etc/init.d/networking; keep your version or re-add the line, or put the restore command in a script under /etc/network/if-pre-up.d/ instead, which survives upgrades)
/sbin/iptables-restore < /etc/iptables-rules
Download and install sshdfilter, the protection against SSH brute-forcing
mkdir /root/src
cd /root/src
wget http://www.glonek.co.uk/sshdfilter-1.5.5.tar.gz
tar -zxvf sshdfilter-1.5.5.tar.gz
cd sshdfilter-1.5.5
vi install_aswrapper.pl
Now let's patch the install script so it will work on Ubuntu. Find the below lines:
} else {
printf "System type does not appear to be Fedora, RedHat pre Fedora, Debian, \n";
printf "CentOS, SUSE, RH Enterprise, Gentoo or Slackware. So, you will have to install manually \n";
printf "(see INSTALL) and send me some hints on how to identify your system.\n";
exit 1;
And replace with this:
} else {
printf "System type: Debian system\n";
$pattype="deb31";
$inittype="$pattype";
$confpath="/etc/";
$exepath="/usr/local/sbin/";
$initname="ssh";
$logconf="/etc/log.d/conf/services/";
$logserv="/usr/share/logwatch/scripts/services/";
Now, let's install sshdfilter (keep a second SSH session open while you do this, so that a mistake in the init script cannot lock you out):
./install_aswrapper.pl
# you will get some errors about a Hunk failing: the installer's patch for the ssh init script does not apply on Ubuntu. Let's fix that by hand
cp /etc/init.d/ssh /etc/init.d/ssh-original
sed 's/--exec \/usr\/sbin\/sshd/--exec \/usr\/local\/sbin\/sshdfilter/g' /etc/init.d/ssh-original > /etc/init.d/ssh
# now edit the sshdfilter config file to your liking. It's well commented and doesn't really need much tweaking
vi /etc/sshdfilterrc
# you will want to tweak the main rules (5,3d = DEFAULT etc.) to remove the examples
# you will also want to look at SECTION IPPOLICY for IP-based filtering and remove the examples there
# restart ssh and we are ready
/etc/init.d/ssh restart
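As an added example (not part of the original article), here is a small shell script to sanity-check the result of the steps above. It forces PermitRootLogin no in an sshd_config file, which is the root-login step promised in the introduction, and it audits an iptables-save dump for the mistakes that silently defeat sshdfilter: a missing SSHD chain, an unrestricted port-22 ACCEPT placed ahead of the jump to SSHD, or a missing final DROP. The file paths, the sample sshd_config lines and the two iptables-save dumps are constructed for the demo; on a real host point harden_sshd_config at /etc/ssh/sshd_config (then restart ssh) and feed audit_ruleset the output of iptables-save.

```sh
#!/bin/sh
# Added example, not from the original article: post-install checks for the
# sshd_config / iptables / sshdfilter setup above. Paths and sample data are
# constructed; on a real host use /etc/ssh/sshd_config and `iptables-save` output.

# Force "PermitRootLogin no" in the sshd_config file given as $1.
# sshd uses the FIRST occurrence of a keyword, so every existing line, commented
# or not, is rewritten instead of appending a second directive at the end.
harden_sshd_config() {
    cfg="$1"
    tmp="$cfg.tmp.$$"
    awk '
        { line = $0; sub("^[ \t]*#?[ \t]*", "", line) }      # drop any comment marker
        tolower(line) ~ "^permitrootlogin([ \t]|$)" {        # any PermitRootLogin line
            print "PermitRootLogin no"; seen = 1; next
        }
        { print }
        END { if (!seen) print "PermitRootLogin no" }         # none present: add one
    ' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# Print the PermitRootLogin value sshd will actually use (first uncommented match).
permit_root_login() {
    awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1"
}

# Audit an iptables-save dump ($1). Prints "ok" and returns 0 when the SSHD chain
# exists (sshdfilter appends its DROP rules there), port 22 is jumped to SSHD before
# any unrestricted (no -s) ACCEPT of port 22, and INPUT ends with an unconditional
# DROP. Source-restricted ACCEPTs (the article's LAN exception) may precede the jump.
audit_ruleset() {
    dump="$1"
    grep -q '^:SSHD ' "$dump" || { echo "missing SSHD chain"; return 1; }
    jump=$(grep -n -- '-A INPUT .*--dport 22 -j SSHD' "$dump" | head -n 1 | cut -d: -f1)
    [ -n "$jump" ] || { echo "no jump from INPUT to SSHD for port 22"; return 1; }
    acc=$(grep -n -- '-A INPUT .*--dport 22 -j ACCEPT' "$dump" | grep -v -- ' -s ' \
          | head -n 1 | cut -d: -f1)
    if [ -n "$acc" ] && [ "$acc" -lt "$jump" ]; then
        echo "unrestricted port 22 ACCEPT (line $acc) precedes SSHD jump (line $jump)"
        return 1
    fi
    grep -q -- '^-A INPUT -j DROP$' "$dump" || { echo "INPUT has no final DROP"; return 1; }
    echo ok
}

# Constructed iptables-save dumps for the demo. "good" is the article's ruleset
# plus the LAN exception; "bad" accepts port 22 before the jump to SSHD.
sample_dump() {
    f=$(mktemp)
    case "$1" in
    good) cat > "$f" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:SSHD - [0:0]
-A INPUT -s 192.168.0.0/16 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j SSHD
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
COMMIT
EOF
    ;;
    bad) cat > "$f" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:SSHD - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j SSHD
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
COMMIT
EOF
    ;;
    esac
    echo "$f"
}

# Demo on constructed inputs; touches only temporary files.
cfg=$(mktemp)
printf '# Authentication:\n#PermitRootLogin yes\nStrictModes yes\n' > "$cfg"
harden_sshd_config "$cfg"
echo "PermitRootLogin now: $(permit_root_login "$cfg")"        # no
good=$(sample_dump good); bad=$(sample_dump bad)
echo "good ruleset: $(audit_ruleset "$good")"                  # ok
echo "bad ruleset:  $(audit_ruleset "$bad" || true)"
rm -f "$cfg" "$good" "$bad"
```

The audit deliberately tolerates source-restricted ACCEPT rules before the jump, because that is exactly what the LAN exception above creates; what it refuses is an ACCEPT for anyone on port 22 sitting ahead of the SSHD chain, since then sshdfilter's DROP rules are never consulted and the wrapper only logs.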
I did like the article very much; it was really informative, and the best part was that only the required part was elaborated. To-the-point, concise information always helps and keeps readers from running around digging for the information; it will never require a reread. I really wish spammers read these articles and checked how easy it is to be human and respect knowledge.