DEV Community: rnppnr

Securing a linux server.

rnppnr — Mon, 28 Apr 2025 17:17:59 +0000

Not long after finishing setting up a new server you see from the logs that it is constantly being attacked. If you are not convinced of, or wish to see, how frequent these attacks are take a look at the auth.log file that is usually located in /var/log. There are several very simple steps that can make it almost impossible for the server to be compromised. Once you complete the following steps you will have:

Created a user account that has sudo privileges. This account will be then used to do any further server maintenance
Installed Fail2ban to limit malicious server attacks
Prevented the root user from logging in
Changed the port ssh listens on
Installed ufw a simple command line tool to manage iptables
Created a ssh key and set the server up to only allow logins with ssh keys

While securing the server leave the first terminal you connected to open.

Our first step is to create a user that will have sudo privileges. It is this user that will be used to login to the server to do any maintenance. Later the root user will be prevented from logging in. To do this we run the following command as the root user to create a new user and give them a password.

useradd -m -d /home/USERNAME -s /bin/bash USERNAME
passwd USERNAME
usermod -aG sudo USERNAME

You can now logout of the server and log in with the user you created in the previous step. To make sure all is working as it should you can now run an update and upgrade on the server to make sure the latest patches are applied. When you hit return for the first command you should get a
password prompt type in the password you used previously when setting up the account.

sudo apt-get update
sudo apt-get upgrade

As you’ll be using nano you can run the following command to check and install it.

sudo apt-get install nano

Fail2ban scans the logs files and bans any ip address that appears to be acting maliciously. The next step is to install fail2ban.

sudo apt-get install fail2ban

The default settings will protect the ssh port and ban what it considers malicious attackes for 10 minutes after 6 tries in the last 10 minutes. If you want to check that Fail2ban is doing it’s job leave the server for thirty minutes or so that should be enough time for an ip address to be
banned. If you are satisfied that fail2ban is working you can now disable the root user from logging into the server.

Run the following command.

sudo nano /etc/ssh/sshd_config

Change PermitRootLogin yes to PermitRootLogin no. Save the file then run the following command

sudo service ssh restart

Leave the current terminal open and open a new one. If you try logging in as root you should get an error and cannot log in. Checking the /var/log/auth.log file should show that the root user was refused a login.

You will now install Uncomplicated Firewall.. If you don't want ot add ufw you could follow this post and use IPTables This will only allow traffic on the ports you open. In your original terminal run the following commands.

sudo apt-get install ufw
sudo ufw –help

The help screen shows how to use the program. You now need to allow some ports before enabling the firewall or you will get locked out of the server.

You will now change the port that ssh is listening on.

sudo nano /etc/ssh/sshd_config

There will be a setting for the Port. If you have not changed this it should be 22. You can change this to something like 2222. Save the file and run the following command.

sudo service ssh restart

Again check you can log in using a new terminal.

DO NOT DO THIS UNTIL YOU KNOW WHAT PORT SSH IS LISTENING ON

sudo ufw allow 2222 (or whatever port you used in the sshd_config file)
sudo ufw allow http (port 80 by default)
sudo ufw allow https (port 443 by default)
sudo ufw enable

You will need to update the Fail2ban config file to match the port you are using for ssh.

sudo nano /etc/fail2ban/jail.conf

Change the ssh port to the port you put in the sshd_config file. Then run the following command.

sudo fail2ban-client reload

Following these steps has made your server more secure.

The next step will make it impossible for anyone to logon without a ssh key installed on the server. For this you will need to download PuTTY and create your ssh key. There is a tutorial for doing this here. Once you have your ssh key you can install it on your server to do this you need to create a .ssh directory in the home directory of the user you created at the start.

mkdir /home/USERNAME/.ssh

Upload the ssh key you created using PuTTY to this directory.

sudo nano /etc/ssh/sshd_config
PermitRootLogin no
PubkeyAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PasswordAuthentication yes

Make sure PasswordAuthentication is set to yes. This is so you can log in with a password while you are testing the setup of the ssh key. Once you have made these changes run the following command.

sudo service ssh restart

Now open a new terminal and login. If the password prompt appears then make sure you have Pageant running and your private keys loaded. Pageant will be in the same directory as PuTTY. Once you have logged in using
your ssh key you can edit the sshd_config file and set PasswordAuthenticaiton to no.

Using IPTables to Secure Your Server.

rnppnr — Mon, 28 Apr 2025 17:04:38 +0000

This rule set is designed for a Linux system that:

Allows SSH (port 22) as the primary remote access method.
Supports basic system functionality (loopback, established/related connections, ICMP).
Optionally allows common services (web, mail, file sharing, database) while blocking everything else by default.
Assumes a typical server use case but can be trimmed or expanded based on your needs.

You can remove or comment out rules for services you don’t need.

Full `iptables` Rule Set

#!/bin/bash

# Flush existing rules to start fresh (use with caution on a live system)
iptables -F
iptables -X

# Set default policies: DROP incoming, ALLOW outgoing
iptables -P INPUT DROP
iptables -P FORWARD DROP  # If routing/NAT isn't needed, drop forwarded traffic
iptables -P OUTPUT ACCEPT # Allow all outbound traffic (can be restricted if needed)

# Allow loopback traffic (essential for local services)
iptables -A INPUT -i lo -j ACCEPT

# Allow established and related connections (keeps ongoing sessions alive)
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Allow ICMP (e.g., ping responses, network diagnostics)
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# Allow SSH (port 22/TCP) for remote access
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

# --- Optional Service Rules (uncomment or remove as needed) ---

# Web Server (HTTP and HTTPS)
#iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
#iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT

# Mail Server (SMTP, Submission, IMAP, IMAPS, POP3, POP3S)
#iptables -A INPUT -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT   # SMTP
#iptables -A INPUT -p tcp --dport 587 -m conntrack --ctstate NEW -j ACCEPT  # Submission
#iptables -A INPUT -p tcp --dport 143 -m conntrack --ctstate NEW -j ACCEPT  # IMAP
#iptables -A INPUT -p tcp --dport 993 -m conntrack --ctstate NEW -j ACCEPT  # IMAPS
#iptables -A INPUT -p tcp --dport 110 -m conntrack --ctstate NEW -j ACCEPT  # POP3
#iptables -A INPUT -p tcp --dport 995 -m conntrack --ctstate NEW -j ACCEPT  # POP3S

# File Sharing - Samba (SMB/CIFS)
#iptables -A INPUT -p udp --dport 137 -m conntrack --ctstate NEW -j ACCEPT  # NetBIOS Name Service
#iptables -A INPUT -p udp --dport 138 -m conntrack --ctstate NEW -j ACCEPT  # NetBIOS Datagram
#iptables -A INPUT -p tcp --dport 139 -m conntrack --ctstate NEW -j ACCEPT  # NetBIOS Session
#iptables -A INPUT -p tcp --dport 445 -m conntrack --ctstate NEW -j ACCEPT  # SMB over TCP

# File Sharing - NFS (basic ports; dynamic ports may need rpcbind config)
#iptables -A INPUT -p tcp --dport 2049 -m conntrack --ctstate NEW -j ACCEPT # NFS
#iptables -A INPUT -p udp --dport 2049 -m conntrack --ctstate NEW -j ACCEPT # NFS

# Database Server (MySQL and PostgreSQL)
#iptables -A INPUT -p tcp --dport 3306 -m conntrack --ctstate NEW -j ACCEPT # MySQL/MariaDB
#iptables -A INPUT -p tcp --dport 5432 -m conntrack --ctstate NEW -j ACCEPT # PostgreSQL

# DHCP Server (if the system assigns IPs; rare for a typical server)
#iptables -A INPUT -p udp --dport 67 -m conntrack --ctstate NEW -j ACCEPT   # DHCP Server

# --- End of Rules ---
# Default INPUT policy is DROP, so anything not explicitly allowed is blocked

What This Rule Set Does

Core Functionality:
- Loopback: Allows all traffic on lo for local processes.
- Established/Related: Permits responses to outbound connections (e.g., updates, DNS, NTP) and ongoing sessions.
- ICMP: Allows ping responses and basic network diagnostics.
- SSH: Opens port 22/TCP for remote access.
Optional Services (commented out by default):
- Web server (80, 443).
- Mail server (25, 587, 143, 993, 110, 995).
- File sharing (Samba: 137-139, 445; NFS: 2049).
- Databases (3306, 5432).
- DHCP server (67).
Security:
- Default INPUT policy is DROP, blocking all unlisted inbound traffic.
- OUTPUT is left open (common for servers; can be restricted if needed).
- FORWARD is dropped (assuming no routing/NAT).

How to Use This

Save to a Script:
- Copy the code into a file (e.g., firewall.sh).
- Make it executable: chmod +x firewall.sh.
- Run it: ./firewall.sh.
Customize:
- Uncomment the optional service rules you need (e.g., web server ports).
- Remove rules for services you don’t use.
Persist Rules:
- On Debian/Ubuntu: iptables-save > /etc/iptables/rules.v4.
- On CentOS/RHEL: service iptables save or integrate with firewalld.
Test:
- Check rules: iptables -L -v -n.
- Test SSH: ssh user@host.
- Test blocked ports: Try connecting to unopened ports (e.g., telnet host 80 should fail).

Notes

Outbound Traffic: The OUTPUT chain is ACCEPT by default, allowing the system to initiate connections (e.g., for updates or DNS). If you want to lock this down, add specific OUTPUT rules and set -P OUTPUT DROP.
Dynamic Protocols: NFS and FTP may require additional conntrack modules (e.g., nf_conntrack_ftp) and port ranges for full functionality.
Minimal Setup: If you only need SSH and basic system operation, use just the uncommented rules.

This rule set balances functionality and security for a typical Linux server.