This article covers basic Linux security hardening on Ubuntu 12.04.2 LTS. You can do the same on any other Linux distribution.
If the server already has a public IP address, the first thing you want to do is lock down root access. In fact, you should lock down SSH access altogether and make sure only you can log in. Start by adding a new user to the admin group (pre-configured in /etc/sudoers with sudo rights).
The code is as follows:

    $ sudo addgroup admin
    Adding group `admin' (GID 1001) ...
    Done.
    $ sudo adduser serj
    Adding user `serj' ...
    Adding new group `serj' (1002) ...
    Adding new user `serj' (1001) with group `serj' ...
    Creating home directory `/home/serj' ...
    Copying files from `/etc/skel' ...
    Enter new UNIX password:
    Retype new UNIX password:
    passwd: password updated successfully
    Changing the user information for serj
    Enter the new value, or press ENTER for the default
            Full Name []: Spenser Jones
            Room Number []:
            Work Phone []:
            Home Phone []:
            Other []:
    Is the information correct? [Y/n] y
    $ sudo usermod -a -G admin serj
You will also want to generate an SSH key pair on your own computer, install the public key for the new user on the server, and disable password authentication there.
The code is as follows:

    $ mkdir ~/.ssh
    $ echo "ssh-rsa [your public key]" > ~/.ssh/authorized_keys

    /etc/ssh/sshd_config
    PermitRootLogin no
    PermitEmptyPasswords no
    PasswordAuthentication no
    AllowUsers serj
Restart SSH so the changes take effect, then open a new session to confirm that you can still log in. If you can't, you still have your original session open to fix the configuration.
The code is as follows:

    $ sudo service ssh restart
    ssh stop/waiting
    ssh start/running, process 1599
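To check that the lockdown above actually took hold, here is an added example (my own helper script, not code from the original article): it installs a public key with the file modes sshd's StrictModes requires, and audits an sshd_config for the four directives set above. The user name serj and the key text are constructed; the config paths are parameters so you can run it against a copy first.

```shell
#!/bin/sh
# Added example, not code from the original article. Two helpers for the
# SSH lockdown above: install_key writes a public key with the modes that
# sshd's StrictModes requires, and audit_sshd checks that an sshd_config
# (any path, so you can check a copy first) carries the four directives
# above. The user 'serj' and the key text are constructed values.

# Print the value sshd uses for DIRECTIVE: the first uncommented match
# wins (Match blocks are not considered).
sshd_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Return 0 if every lockdown directive is set as expected; otherwise
# report each mismatch and return 1. AllowUsers is compared on its first name.
audit_sshd() {
    f=$1; user=$2; rc=0
    for want in "PermitRootLogin no" "PermitEmptyPasswords no" \
                "PasswordAuthentication no" "AllowUsers $user"; do
        key=${want%% *}; expect=${want#* }
        got=$(sshd_value "$f" "$key")
        if [ "$got" != "$expect" ]; then
            echo "FAIL: $key is '${got:-unset}', expected '$expect'"
            rc=1
        fi
    done
    return $rc
}

# Create HOME/.ssh (700) and authorized_keys (600), appending KEY once.
install_key() {
    dir=$1/.ssh; key=$2
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$dir/authorized_keys" && chmod 600 "$dir/authorized_keys"
    grep -qxF "$key" "$dir/authorized_keys" || echo "$key" >> "$dir/authorized_keys"
}

# Self-check against two constructed configs in a scratch directory.
demo() {
    t=$(mktemp -d)
    printf '%s\n' '#PermitRootLogin yes' 'PasswordAuthentication yes' > "$t/stock"
    printf '%s\n' 'PermitRootLogin no' 'PermitEmptyPasswords no' \
        'PasswordAuthentication no' 'AllowUsers serj' > "$t/hardened"
    audit_sshd "$t/stock" serj || echo "stock config: not locked down"
    audit_sshd "$t/hardened" serj && echo "hardened config: OK"
    install_key "$t" "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCexample serj@laptop"
    ls -ld "$t/.ssh" "$t/.ssh/authorized_keys"; rm -rf "$t"
}
demo
```

Run `audit_sshd /etc/ssh/sshd_config serj` before the restart; a non-zero exit means one of the four directives is still missing or wrong.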
Update Server
Now that you are the only one who can reach the server, you can breathe a little easier. There are probably updates pending for your server, so now is the time to apply them.
The code is as follows:

    $ sudo apt-get update
    $ sudo apt-get upgrade
Install a firewall
Who wants to configure a firewall? Okay, let's just get it over with and configure one now. You can always add another exception later, and a few extra minutes of work won't hurt you. iptables comes pre-installed on Ubuntu, so let's set some rules.
The code is as follows:

    $ sudo mkdir /etc/iptables

    /etc/iptables/rules
    *filter
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT DROP [0:0]

    # Accept any related or established connections
    -I INPUT 1 -m state --state RELATED,ESTABLISHED -j ACCEPT
    -I OUTPUT 1 -m state --state RELATED,ESTABLISHED -j ACCEPT

    # Allow all traffic on the loopback interface
    -A INPUT -i lo -j ACCEPT
    -A OUTPUT -o lo -j ACCEPT

    # Allow outbound DHCP requests - some hosts (Linode) assign the primary IP automatically
    #-A OUTPUT -p udp --dport 67:68 --sport 67:68 -j ACCEPT

    # Outbound DNS lookups
    -A OUTPUT -o eth0 -p udp -m udp --dport 53 -j ACCEPT

    # Outbound PING requests
    -A OUTPUT -p icmp -j ACCEPT

    # Outbound Network Time Protocol (NTP) requests
    -A OUTPUT -p udp --dport 123 --sport 123 -j ACCEPT

    # SSH
    -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT

    # Outbound HTTP and HTTPS
    -A OUTPUT -o eth0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
    -A OUTPUT -o eth0 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT

    COMMIT
Load the ruleset with iptables-apply; if you lose your connection, it reverts to the previous rules rather than leaving you locked out. Fix your rules and try again before continuing.
The code is as follows:

    $ sudo iptables-apply /etc/iptables/rules
Create the file /etc/network/if-pre-up.d/iptables with the following content so that your iptables rules are loaded automatically when the server boots.
The code is as follows:

    /etc/network/if-pre-up.d/iptables
    #!/bin/sh
    iptables-restore < /etc/iptables/rules
Now make the file executable and run it once to make sure the rules load cleanly.
The code is as follows:

    $ sudo chmod +x /etc/network/if-pre-up.d/iptables
    $ sudo /etc/network/if-pre-up.d/iptables
Use Fail2ban to handle potential hackers
When it comes to security, Fail2ban is one of my favorite tools. It monitors your log files and temporarily bans anyone abusing your resources, such as brute-forcing your SSH login or launching DoS attacks against your web server.
The code is as follows:

    $ sudo apt-get install fail2ban
Fail2ban ships with a default configuration (/etc/fail2ban/jail.conf), but we want to keep our own settings in /etc/fail2ban/jail.local, so copy it there.
The code is as follows:

    $ sudo cp /etc/fail2ban/jail.{conf,local}
Configuration
Change the ignoreip line to include your own IP address, and set how long malicious users are banned for (10 minutes by default). You will also want to set destemail; here I usually enter my own email address:
The code is as follows:

    /etc/fail2ban/jail.local
    [DEFAULT]
    # "ignoreip" can be an IP address, a CIDR mask or a DNS host
    ignoreip = 127.0.0.1/8
    bantime  = 600
    maxretry = 3

    # "backend" specifies the backend used to get files modification. Available
    # options are "gamin", "polling" and "auto".
    # yoh: For some reason Debian shipped python-gamin didn't work as expected
    #      This issue left ToDo, so polling is default backend for now
    backend = auto

    #
    # Destination email address used solely for the interpolations in
    # jail.{conf,local} configuration files.
    destemail = root@localhost
There are a few other settings you may want to check, although the defaults are already quite good, so skim through them until you reach the Actions section.
Actions
Actions define how Fail2ban responds to malicious behaviour. By default it only bans the offender with iptables, but we want it to ban and send an email as well. Conveniently, there is a pre-configured action, action_mwl, which does exactly that.
The code is as follows:

    /etc/fail2ban/jail.local
    action = %(action_mwl)s
Jails
For Fail2ban to do its job it needs to know what to monitor, which is what the jails section of the configuration file is for. It ships with several pre-configured but disabled examples. Since the server so far only exposes SSH, we only enable the ssh and ssh-ddos jails; you will want to add jails for any publicly reachable service you install on the server later.
The code is as follows:

    /etc/fail2ban/jail.local
    [ssh]
    enabled  = true
    port     = ssh
    filter   = sshd
    logpath  = /var/log/auth.log
    maxretry = 6

    [ssh-ddos]
    enabled  = true
    port     = ssh
    filter   = sshd-ddos
    logpath  = /var/log/auth.log
    maxretry = 6
Applying the changes
Now that Fail2ban is configured, restart it and make sure the corresponding chains have been added to iptables.
The code is as follows:

    $ sudo service fail2ban restart
     * Restarting authentication failure monitor fail2ban    ... done.
    $ sudo iptables -L
    Chain INPUT (policy DROP)
    target             prot opt source               destination
    fail2ban-ssh-ddos  tcp  --  anywhere             anywhere             multiport dports ssh
    fail2ban-ssh       tcp  --  anywhere             anywhere             multiport dports ssh
    ...

    Chain fail2ban-ssh (1 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere

    Chain fail2ban-ssh-ddos (1 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere
At any time you can run sudo iptables -L to list your rules and see every IP address currently banned. Here Fail2ban is dealing with two malicious users.
The code is as follows:

    Banned IPs
    DROP       all  --  204.50.33.22         anywhere
    DROP       all  --  195.128.126.114      anywhere
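To see what the ssh jail above is actually counting, here is an added example (my own script, not code from the original article or from Fail2ban): the jail's counting rule reimplemented in awk and run over a constructed /var/log/auth.log excerpt, with maxretry and findtime as parameters. It assumes a single ignoreip address rather than a list or CIDR, and that all log lines fall on one day; the IP addresses are documentation ranges, not real hosts.

```shell
#!/bin/sh
# Added example, not code from the original article or from fail2ban: the
# sshd jail's counting rule, done in awk over a constructed auth.log
# excerpt, so you can see which sources the jail above would ban.
# Simplifications: ignoreip is one address (not a list or CIDR) and
# timestamps are compared within a single day. IPs are documentation ranges.
# Constructed /var/log/auth.log lines (not from a real server).
sample_auth_log() {
cat <<'EOF'
Mar  5 09:00:00 srv sshd[900]: Failed password for serj from 192.0.2.44 port 5100 ssh2
Mar  5 09:20:00 srv sshd[901]: Failed password for serj from 192.0.2.44 port 5101 ssh2
Mar  5 09:40:00 srv sshd[902]: Failed password for serj from 192.0.2.44 port 5102 ssh2
Mar  5 09:59:59 srv sshd[903]: Failed password for serj from 127.0.0.1 port 5200 ssh2
Mar  5 10:00:01 srv sshd[1001]: Failed password for root from 198.51.100.7 port 4001 ssh2
Mar  5 10:00:02 srv sshd[1002]: Invalid user admin from 198.51.100.7
Mar  5 10:00:02 srv sshd[1002]: Failed password for invalid user admin from 198.51.100.7 port 4002 ssh2
Mar  5 10:00:03 srv sshd[1003]: Failed password for root from 198.51.100.7 port 4003 ssh2
Mar  5 10:00:04 srv sshd[1004]: Failed password for root from 198.51.100.7 port 4004 ssh2
Mar  5 10:00:05 srv sshd[1005]: Failed password for root from 198.51.100.7 port 4005 ssh2
Mar  5 10:00:10 srv sshd[1010]: Failed password for serj from 203.0.113.9 port 6000 ssh2
Mar  5 10:00:11 srv sshd[1011]: Failed password for serj from 203.0.113.9 port 6001 ssh2
Mar  5 10:00:12 srv sshd[1011]: Accepted publickey for serj from 203.0.113.9 port 6001 ssh2
Mar  5 10:20:00 srv sshd[904]: Failed password for serj from 192.0.2.44 port 5103 ssh2
Mar  5 10:40:00 srv sshd[905]: Failed password for serj from 192.0.2.44 port 5104 ssh2
Mar  5 11:00:00 srv sshd[906]: Failed password for serj from 192.0.2.44 port 5105 ssh2
EOF
}
# Usage: sshd_offenders LOGFILE [MAXRETRY] [FINDTIME] [IGNOREIP]
# Prints each source IP once, the moment it reaches MAXRETRY failures
# inside a trailing FINDTIME-second window (jail.local above: 6 retries;
# fail2ban's default findtime is 600 s).
sshd_offenders() {
    awk -v maxretry="${2:-6}" -v findtime="${3:-600}" -v ignoreip="${4:-127.0.0.1}" '
    function secs(t,  p) { split(t, p, ":"); return p[1]*3600 + p[2]*60 + p[3] }
    /sshd\[[0-9]+\]: (Failed password for|Invalid user .* from)/ {
        ip = ""
        for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
        if (ip == "" || ip == ignoreip) next
        t = secs($3); n[ip]++; ts[ip, n[ip]] = t
        hits = 0   # failures from this IP inside the trailing window
        for (j = n[ip]; j >= 1 && t - ts[ip, j] <= findtime; j--) hits++
        if (hits >= maxretry && !(ip in banned)) { banned[ip] = 1; print ip }
    }' "$1"
}
lf=$(mktemp); sample_auth_log > "$lf"
echo "with maxretry=6 findtime=600:"; sshd_offenders "$lf"
echo "with maxretry=6 findtime=7200:"; sshd_offenders "$lf" 6 7200; rm -f "$lf"
```

With the defaults only 198.51.100.7 is reported; the slow attacker 192.0.2.44 spreads its six attempts over two hours and only shows up once findtime is widened to 7200 seconds, which is why findtime deserves as much attention as maxretry.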
Stay up to date
You now have a locked-down server ready for use, but this is not the end of your security journey. Keep it up to date (and always test in a non-production environment first), close any ports you don't need, check your logs regularly, and get to know your servers inside out.
Next, a LAMP setup.
The web environment installed here consists of the Apache2 web server, the MySQL 5 database for the site's back end, and PHP 5 as the scripting language. The configured system can also provide FTP services.
1. Install LAMP
    sudo apt-get install apache2 mysql-server mysql-client php5 php5-gd php5-mysql
Most LAMP work happens in the /var/www directory. For convenience, change its permissions so that ordinary users can access it.
    sudo chmod 777 /var/www/
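A least-privilege alternative to the world-writable permission above, as an added example (my own script, not from the original article): one group gets write access to the web root and the setgid bit makes new files inherit that group, so nothing under /var/www ends up world-writable. It assumes a Debian layout where Apache runs as www-data and only needs to read the files; the web root and group are parameters, and the demo runs in a scratch directory.

```shell
#!/bin/sh
# Added example, not from the original article: a least-privilege
# alternative to chmod 777 on /var/www. A named group gets write access
# and the setgid bit makes new files inherit that group, so the web root
# never becomes world-writable. Assumes a Debian layout where Apache runs
# as www-data and only needs read access; WEBROOT and GROUP are parameters.

# Give GROUP read/write on WEBROOT: directories 2775 (setgid), files 0664.
share_webroot() {
    webroot=$1; group=$2
    chgrp -R "$group" "$webroot" &&
    find "$webroot" -type d -exec chmod 2775 {} + &&
    find "$webroot" -type f -exec chmod 0664 {} +
}

# Return 0 (true) if anything under DIR is world-writable, which is the
# state chmod 777 leaves behind and the condition worth checking for.
has_world_writable() {
    find "$1" -perm -0002 | grep -q .
}

# Demonstration in a scratch directory, using the caller's own group.
demo() {
    t=$(mktemp -d); mkdir "$t/www"; echo '<?php phpinfo(); ?>' > "$t/www/test.php"
    chmod 777 "$t/www"                          # the original recipe
    has_world_writable "$t/www" && echo "after chmod 777: world-writable"
    share_webroot "$t/www" "$(id -gn)"
    has_world_writable "$t/www" || echo "after share_webroot: not world-writable"
    ls -ld "$t/www"; rm -rf "$t"
}
demo
```

On the real server you would run share_webroot against /var/www with a group of your choosing and add each developer to that group with usermod -a -G, the same way the admin group was handled above.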
2. phpmyadmin installation
    sudo apt-get install phpmyadmin
During installation you must choose the web server, apache2 or lighttpd: select apache2, press the Tab key and choose OK. You will then be asked for the password of MySQL's administrative user.
Next, link phpmyadmin into Apache's document root. In my case the www directory is /var/www and phpmyadmin is installed in /usr/share/phpmyadmin, so the command is: sudo ln -s /usr/share/phpmyadmin /var/www.
To test phpmyadmin, open http://localhost/phpmyadmin in the browser's address bar.
3. Apache configuration
(1) Enable the mod_rewrite module
Terminal command: sudo a2enmod rewrite
(2) Restart the Apache server: sudo /etc/init.d/apache2 restart
Once Apache has restarted you can test it: create a file named test.php under /var/www with the code below, save it, and open http://127.0.0.1/test.php or http://localhost/test.php in the browser's address bar. If MySQL is correctly configured, both Apache and MySQL are working. (Remember to restart Apache before testing.)
test.php
The code is as follows:

    <?php
    $link = mysql_connect("localhost", "root", "mysql password");
    if (!$link) {
        die('Could not connect: ' . mysql_error());
    } else {
        echo "Mysql has been correctly configured";
    }
    mysql_close($link);
    ?>
4. Garbled Chinese characters in the browser
If Chinese characters appear garbled when you open test.php in Firefox, the default character set is wrong. The fix is as follows:
Open the Apache configuration file with sudo gedit /etc/apache2/apache2.conf and add AddDefaultCharset UTF-8 at the end. If the output is still garbled, change UTF-8 to gb2312.
Restart Apache with sudo /etc/init.d/apache2 restart and refresh test.php.