Installation of Ubuntu Server on a Linode VPS With Basic Security Setup

This article will cover the installation of Ubuntu Linux (7.10) on a Linode VPS with startup management tasks, ip tables firewalling, and basic server security techniques. This article assumes you are using a linux machine locally as well, but for the majority you are using a simple ssh client, web browser, and an editor – so adapt these to your local configuration.

Note: While these instructions are for a VPS within Linode, they are essentially the same for any hosting company/distribution with the exception of some differences between debian based linux systems and redhat based ones (apt-get vs. yum, etc.).

If you don’t have a dedicated server, or a VPS, we often recommend Linode as your hosting company. Their support is quite good and their offerings are well provisioned. There are a vast number of hosting companies, but in our opinion Linode is one of the best.

1. Install Ubuntu 7.10 on linode (through the dashboard system, very easy…)

2. While waiting clear your local ssh known_hosts (if necessary, reinstall, etc.)

nano ~/.ssh/known_hosts  (remove all references to vps ip)

3. ssh in as your linode account to lish on your host and then login to your linode as root or for non linode customers (or linode users alternatively)

ssh root@yourip   – then change your pass

passwd

4. Create a new account (so you are not logging in as root)

adduser username

5. Grant new user su privileges

visudo  (at the end of the file add:)

username ALL=(ALL) ALL

6. Login & Set Hostname:

/bin/hostname yourhostname.com

echo yourhostname.com > /etc/hostname

This next section will setup SSH encryption between your local computer(s) and your server. These steps essentially disallow any logins besides those coming from a machine with your SSH key. If you need to travel from computer to computer you will need to perform these steps on all the computers you use. On linode (and other hosts) you can always login through the web interface provided through the dashboard management system.

Set up correctly, these steps stop any number of security attacks from randomly guessing the root password, etc. It enables a fairly high level of initial security.

7. SSH Keygen public/private key (stop logins with just a password)

On Local Machine:

mkdir ~/.ssh

ssh-keygen -t rsa (this makes 2 files – id_rsa.pub (public key) – id_rsa (private key)

Copy public key to Linode:

scp ~/.ssh/id_rsa.pub username@ip:/home/username/

On Your Linode VPS:

mkdir /home/username/.ssh

mv /home/username/id_rsa.pub /home/username/.ssh/authorized_keys

Permissions:

chown -R username:usergroup /home/username/.ssh

chmod 700 /home/username/.ssh

chmod 600 /home/username/.ssh/authorized_keys

8. SSH config

nano /etc/ssh/sshd_config

Change SSH Port to something (i.e. 30100, 30211, anything high really)

Protocol 2

PermitRootLogin no

Unpound AuthorizedKeyFiles…

PasswordAuthentication no

X11Forwarding no

UsePAM no

UseDNS no

AllUsers username

This next section runs through a basic configuration of the IP Tables Firewall system. There are many other helper applications for establishing a firewall on a linux machine, but doing it by hand helps people to understand the concepts involved.

9. Firewall setup (iptables)

iptables-save > /etc/iptables.up.rules

iptables -L

nano /etc/iptables.test.rules config below:

Below is a basic IP Tables Configuration File that locks nearly everything down. As you add services you can open required ports for traffic, but for most people this configuration will meet all their needs.

++++Begin File++++

*filter

#  Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn’t use lo0

-A INPUT -i lo -j ACCEPT

-A INPUT -i ! lo -d 127.0.0.0/8 -j REJECT

#  Accepts all established inbound connections

-A INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT

#  Allows all outbound traffic

#  You can modify this to only allow certain traffic

-A OUTPUT -j ACCEPT

# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)

-A INPUT -p tcp –dport 80 -j ACCEPT

-A INPUT -p tcp –dport 443 -j ACCEPT

#  Allows SSH connections

#

# THE -dport NUMBER IS THE SAME ONE YOU SET UP IN THE SSHD_CONFIG FILE

#

-A INPUT -p tcp -m state –state NEW –dport 30000 -j ACCEPT

# Allow ping

-A INPUT -p icmp -m icmp –icmp-type 8 -j ACCEPT

# log iptables denied calls

-A INPUT -m limit –limit 5/min -j LOG –log-prefix “iptables denied: ” –log-level 7

# Reject all other inbound – default deny unless explicitly allowed policy

-A INPUT -j REJECT

-A FORWARD -j REJECT

COMMIT

++++End File++++

10. Store new IP Tables Information

iptables-restore > /etc/iptables.test.rules

iptables -L

iptables-save > /etc/iptables.up.rules

11. Ensure iptables loads at startup

nano /etc/network/interfaces

after iface…

pre-up iptables-restore > /etc/iptables.up.rules

12. Test connections (don’t logout yet!)

/etc/init.d/ssh reload

From a new local terminal test ssh:

ssh -P portyouset username@yourip

13. Set Locale

sudo locale-gen en_US.UTF-8

sudo /usr/sbin/update-locale LANG=en_US.UTF-8

14. Reboot and login as your newuser via the ssh command:

ssh -P portyouset username@yourip

Now that you have established your ssh keys and a connection and locked down the majority of the open ports on the computer you can setup your local environment. These can be changed according to your needs – just a basic setup that many people will find satisfactory.

15. Configure your local environment

nano ~/.bashrc

export PS1='[�33[0;32m]h[�33[0;36m] w[�33[00m]: ‘

alias dir=”ls -lartF”

alias free=”free -m”

alias update=”sudo aptitude update”

alias install=”sudo aptitude install”

alias upgrade=”sudo aptitude safe-upgrade”

alias remove=”sudo aptitude remove”

16. Get Your Ubuntu Server up to date

sudo nano /etc/apt/sources.list

enable all repositories

sudo aptitude update

sudo aptitude safe-upgrade

sudo aptitude full-upgrade

Finally install the build essentials package which has the tools necessary to install apache, mysql, and other applications you are going to install on your server.

17. Install build essentials

sudo aptitude install build-essential