Basic Cloud Server Security
This article provides a script to make web servers more secure. Run the following script for Ubuntu cloud servers to provide more security than the default configuration. While this script helps protect your server, it can’t prevent an attack. Ensure that you are writing secure application code.
Note: To run the following script, log in as root using a key pair. Otherwise, you might be locked out of your virtual machine (VM). For information on how to generate public and private key pairs, see Manage SSH Keypairs for Cloud Servers with-python-novaclient.
#!/bin/bash set -o errexit # Disclaimer: This is not the most secure configuration possible. This script # is intended only to be more secure than the default configuration. No # promises are made about this script preventing your server from getting # owned or your bike getting stolen. The bad guys are still out to get you. # And running this script does not excuse you from writing secure application # code! # # This script assumes you're running it initially as root and logged in using # a key pair. If you didn't, you'll be locked out of your VM. if [ -z "$1" ]; then echo "Usage: $0 NON_ROOT_USER" echo "Example: $0 foo" exit 1 fi NON_ROOT_USER=$1 # Upgrade apt-get update apt-get -y upgrade # Disable password login sed -i 's/PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config service ssh restart # Block all ports except ssh and http/s ufw default deny ufw allow ssh ufw allow http ufw allow https ufw --force enable # Defend against brute force login attempts apt-get -y install fail2ban # Set unattended security upgrades apt-get -y install unattended-upgrades echo 'APT::Periodic::Update-Package-Lists "1";' >> /etc/apt/apt.conf.d/20auto-upgrades echo 'APT::Periodic::Unattended-Upgrade "1";' >> /etc/apt/apt.conf.d/20auto-upgrades # Create a non-root user adduser --shell /bin/bash --gecos "User" --home /home/$NON_ROOT_USER $NON_ROOT_USER adduser $NON_ROOT_USER sudo # Copy the public key to the non-root user mkdir /home/$NON_ROOT_USER/.ssh cp .ssh/authorized_keys /home/$NON_ROOT_USER/.ssh/ chown -R $NON_ROOT_USER:$NON_ROOT_USER /home/$NON_ROOT_USER/.ssh chmod 0700 /home/$NON_ROOT_USER/.ssh chmod 0600 /home/$NON_ROOT_USER/.ssh/authorized_keys echo "Bye bye. Please logout and login again as the non-root user."
The script performs the following activities:
1) Disables root ssh access.
2) Sets up a new user with the same authorized key used for the root login (it assumes this is setup).
3) Installs a package to help prevent brute force login attempts.
4) Enables automatic updates.
5) Blocks all ports except for HTTP, HTTPS and SSH.
If SSH, sudo, or iptables are configured incorrectly, you might be locked out of your system. If this occurs, log in to the Rackspace Cloud Control Panel and use the Web Console or Rescue Mode to repair the configurations.
©2018 Rackspace US, Inc.
Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License