{"id":1431,"date":"2016-03-30T12:53:55","date_gmt":"2016-03-30T16:53:55","guid":{"rendered":"http:\/\/codinggorilla.domemtech.com\/?p=1431"},"modified":"2016-04-05T13:31:46","modified_gmt":"2016-04-05T17:31:46","slug":"hints-for-security-with-digitalocean-droplets","status":"publish","type":"post","link":"http:\/\/165.227.223.229\/index.php\/2016\/03\/30\/hints-for-security-with-digitalocean-droplets\/","title":{"rendered":"Hints for Securing Ubuntu on a VPS"},"content":{"rendered":"<p><a href=\"https:\/\/www.digitalocean.com\/\" target=\"_blank\">Digital Ocean<\/a> and <a href=\"https:\/\/www.godaddy.com\/pro\" target=\"_blank\">Godaddy Pro<\/a> are nice VPS providers. However, it&#8217;s important to update the security of any box you create ASAP. It took under 24 hours for one of my boxes to be hacked and turned into a DoS! Therefore, when you create your box, make sure to add a firewall immediately.<\/p>\n<ol>\n<li><a href=\"https:\/\/www.digitalocean.com\/community\/tutorials\/ssh-essentials-working-with-ssh-servers-clients-and-keys\" target=\"_blank\">Add an SSH key<\/a> to the box so you can log into it without passwords. This can sometimes be a real pain in the ars, but it&#8217;s worth it. Remember, the server needs an &#8220;authorized_keys&#8221; file, and the client needs an agent, either Pageant or &#8216;eval $(ssh-agent)&#8217;.<\/li>\n<li>Turn off passwords for SSH. After adding a key&#8211;and making sure that it works&#8211;turn off password prompting. Note: if you mess this up and can&#8217;t log in without password prompting, you are totally screwed!\n<ol>\n<li>vi \/etc\/ssh\/sshd_config, uncomment &#8220;PasswordAuthentication&#8221;, and change &#8220;PasswordAuthentication&#8221; from &#8220;yes&#8221; to &#8220;no&#8221;.<\/li>\n<\/ol>\n<\/li>\n<li>Install <a href=\"https:\/\/en.wikipedia.org\/wiki\/Uncomplicated_Firewall\" target=\"_blank\">UFW<\/a> (the &#8220;Uncomplicated Firewall&#8221;). 
Set up which ports are exposed. For now, allow SSH (port 22).<\/li>\n<\/ol>\n<pre>sudo apt-get install ufw\r\nsudo ufw default deny incoming\r\nsudo ufw allow ssh\r\n# set up ssh before enabling ufw!\r\nsudo ufw --force enable\r\nsudo ufw status\r\n<\/pre>\n<ol start=\"4\">\n<li>Install <a href=\"http:\/\/www.fail2ban.org\/\" target=\"_blank\">Fail2ban<\/a>. Fail2ban keeps track of hackers trying to get into the machine, and sets up blocks accordingly.\n<ol>\n<li>sudo apt-get update<\/li>\n<li>sudo apt-get install fail2ban<\/li>\n<li>Install any additional rules you want.\n<ol>\n<li>sudo cp \/etc\/fail2ban\/jail.conf \/etc\/fail2ban\/jail.local<\/li>\n<li>vi \/etc\/fail2ban\/jail.local\n<ol>\n<li>Add in rules, e.g., &#8216;^%(__prefix_line)sReceived disconnect from &lt;HOST&gt;: 11: (Bye Bye)? \\[preauth\\]$&#8217;.<\/li>\n<\/ol>\n<\/li>\n<li>To test it with <code>fail2ban-regex<\/code> or egrep, you can just strip off the <code>^%(__prefix_line)s<\/code> from the beginning. Add this line to the <code>failregex<\/code> variable in your <code>\/etc\/fail2ban\/filter.d\/sshd.conf<\/code>.<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<\/li>\n<li>Check logs periodically. 
Look for strange happenings.\n<ol>\n<li>grep sshd.\\*Failed \/var\/log\/auth.log | less<\/li>\n<li>grep sshd.*Did \/var\/log\/auth.log | less<\/li>\n<\/ol>\n<\/li>\n<li>Do not expose <a href=\"http:\/\/redis.io\/\" target=\"_blank\">Redis<\/a>, <a href=\"https:\/\/www.mongodb.org\/\" target=\"_blank\">MongoDB<\/a>, or other unsafe programs directly past the firewall:\n<ol>\n<li>http:\/\/redis.io\/topics\/security<\/li>\n<\/ol>\n<\/li>\n<li>Install <a href=\"https:\/\/github.com\/raboof\/nethogs#readme\" target=\"_blank\">nethogs<\/a> to see what&#8217;s going on with the network.\n<ol>\n<li>sudo apt-get install nethogs<\/li>\n<li>sudo nethogs eth0<\/li>\n<li>If nethogs fails with &#8220;creating socket failed while establishing local IP &#8211; are you root&#8221;, build it from source:<\/li>\n<li>wget -c https:\/\/github.com\/raboof\/nethogs\/archive\/v0.8.1.tar.gz<\/li>\n<li>tar xf v0.8.1.tar.gz<\/li>\n<li>cd .\/nethogs-0.8.1\/<\/li>\n<li>sudo apt-get install libncurses5-dev libpcap-dev<\/li>\n<li>sudo apt-get install make<\/li>\n<li>sudo apt-get install build-essential g++<\/li>\n<li>make &amp;&amp; sudo make install<\/li>\n<li>nethogs<\/li>\n<\/ol>\n<\/li>\n<li>Run <a href=\"https:\/\/en.wikipedia.org\/wiki\/Netstat\" target=\"_blank\">netstat<\/a> occasionally to see what ports are open.\n<ol>\n<li>netstat -tnp<\/li>\n<li>netstat -tulpn<\/li>\n<\/ol>\n<\/li>\n<li><a href=\"http:\/\/aws.amazon.com\" target=\"_blank\">Amazon&#8217;s AWS<\/a> has firewalls built in around the machine when you create a VPS. 
You don&#8217;t need to set up these programs, but it&#8217;s a good thing to do.<\/li>\n<\/ol>\n<h3>Resources<\/h3>\n<p><code><a href=\"https:\/\/www.digitalocean.com\/community\/tutorials\/an-introduction-to-securing-your-linux-vps\" target=\"_blank\">https:\/\/www.digitalocean.com\/community\/tutorials\/an-introduction-to-securing-your-linux-vps<\/a><\/code><\/p>\n<p><code><a href=\"https:\/\/apps.ubuntu.com\/cat\/applications\/fail2ban\/\" target=\"_blank\">https:\/\/apps.ubuntu.com\/cat\/applications\/fail2ban\/<\/a><\/code><\/p>\n<p><code><a href=\"https:\/\/www.digitalocean.com\/community\/tutorials\/how-to-protect-ssh-with-fail2ban-on-ubuntu-14-04\" target=\"_blank\">https:\/\/www.digitalocean.com\/community\/tutorials\/how-to-protect-ssh-with-fail2ban-on-ubuntu-14-04<\/a><\/code><\/p>\n<p><code><a href=\"https:\/\/dodwell.us\/security\/ufw-fail2ban-portscan\/\" target=\"_blank\">https:\/\/dodwell.us\/security\/ufw-fail2ban-portscan\/<\/a><\/code><\/p>\n<p><code><a href=\"http:\/\/antirez.com\/news\/96\" target=\"_blank\">http:\/\/antirez.com\/news\/96<\/a><\/code><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Digital Ocean and Godaddy Pro are nice VPS providers. However, it&#8217;s important to update the security of any box you create ASAP. It took under 24 hours for one of my boxes to be hacked and turned into a DoS! Therefore, when you create your box, make sure to add a firewall immediately. 
Add an SSH &hellip; <\/p>\n<p class=\"link-more\"><a href=\"http:\/\/165.227.223.229\/index.php\/2016\/03\/30\/hints-for-security-with-digitalocean-droplets\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Hints for Securing Ubuntu on a VPS&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[],"tags":[],"_links":{"self":[{"href":"http:\/\/165.227.223.229\/index.php\/wp-json\/wp\/v2\/posts\/1431"}],"collection":[{"href":"http:\/\/165.227.223.229\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/165.227.223.229\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/165.227.223.229\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/165.227.223.229\/index.php\/wp-json\/wp\/v2\/comments?post=1431"}],"version-history":[{"count":0,"href":"http:\/\/165.227.223.229\/index.php\/wp-json\/wp\/v2\/posts\/1431\/revisions"}],"wp:attachment":[{"href":"http:\/\/165.227.223.229\/index.php\/wp-json\/wp\/v2\/media?parent=1431"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/165.227.223.229\/index.php\/wp-json\/wp\/v2\/categories?post=1431"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/165.227.223.229\/index.php\/wp-json\/wp\/v2\/tags?post=1431"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}