Saturday, November 22, 2014

Securing your Ubuntu Instance

Tailing Your Logs

Analyzing server logs is absolutely critical for monitoring the health of your servers. Until you have a robust logging and monitoring solution in place, you'll want to tail them in real time. Let's get to it.

Prerequisites: If you haven't set up an Ubuntu instance yet, make sure to check out this guide.

# tail the machine's syslog in the foreground
sudo tail -f /var/log/syslog

# you can also open up other panes in your terminal
# to monitor the auth log (on Ubuntu the file is /var/log/auth.log)
sudo tail -f /var/log/auth.log

# or even server logs
sudo tail -f /var/log/nginx/exampledomain.com

Now let's talk about the contents of your syslog. If your server is exposed to the internet, you're probably going to see a growing list of authentication failure entries like this one:

Nov 17 14:25:56 hostname sshd[00000]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=root

This is a result of brute force attacks from bots trying to log in as the root user. Let's take some steps to prevent that from happening in the future.
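As an added example (not part of the original post), here is a small Python script that parses sshd authentication-failure lines in the format quoted above and counts them per source address and per target user, so you can see which hosts are hammering the server before you firewall or move the port. The log lines are constructed samples and the failure threshold is an assumed value.

```python
import re
from collections import Counter

# Regex for the pam_unix line format quoted above; "rhost=" and "user=" are
# key=value fields, several of which (logname, ruser) are routinely empty.
AUTH_FAILURE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"pam_unix\(sshd:auth\): authentication failure;.*?"
    r"rhost=(?P<rhost>\S*).*?user=(?P<user>\S*)"
)

def parse_failures(lines):
    """Yield (rhost, user) for every sshd authentication failure line."""
    for line in lines:
        m = AUTH_FAILURE_RE.search(line)
        if m:
            yield m.group("rhost"), m.group("user")

def summarize(lines, threshold=3):
    """Count failures per source address and per target user; return both
    counters plus the set of addresses at or above `threshold` failures."""
    by_host, by_user = Counter(), Counter()
    for rhost, user in parse_failures(lines):
        by_host[rhost] += 1
        by_user[user or "<empty>"] += 1
    noisy = {h for h, n in by_host.items() if n >= threshold}
    return by_host, by_user, noisy

# Constructed sample lines in the format the post quotes (addresses are
# documentation ranges, not real hosts); the last two are unrelated entries.
SAMPLE_LOG = """\
Nov 17 14:25:56 hostname sshd[1234]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=root
Nov 17 14:25:59 hostname sshd[1235]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=root
Nov 17 14:26:02 hostname sshd[1236]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=admin
Nov 17 14:26:05 hostname sshd[1237]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7 user=root
Nov 17 14:26:08 hostname sshd[1238]: Accepted publickey for deploy from 203.0.113.5 port 51022 ssh2
Nov 17 14:26:11 hostname cron[1239]: (root) CMD (run-parts /etc/cron.hourly)
""".splitlines()

if __name__ == "__main__":
    hosts, users, noisy = summarize(SAMPLE_LOG)
    for h, n in hosts.most_common():
        print(f"{h:<16} {n} failures{'  <-- repeated' if h in noisy else ''}")
    print("targeted users:", dict(users))
```

Pipe the live file in with `sudo tail -n 1000 /var/log/auth.log | python3 script.py` after swapping `SAMPLE_LOG` for `sys.stdin`.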

Firewalling Off Port 22

If you only connect to the server from the same IP address, you can firewall off port 22 to everything except your IP address. However, just know that if you're trying to ssh into the server from home and you haven't set up a static IP through your ISP, expect your dynamic IP to change periodically. When it does, you'll have no choice but to access the server through the control panel of your hosting provider in order to update the iptables rules.

# allow port 22 only from your own address, then drop everything else on it
sudo iptables -A INPUT -p tcp -d 0/0 -s my.own.ip.address --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp -d 0/0 --dport 22 -j DROP
# iptables-save only prints the ruleset to stdout; redirect it into the file
# read by the iptables-persistent package so the rules survive a reboot
sudo iptables-save | sudo tee /etc/iptables/rules.v4

Changing the SSHD Port

You're going to want to run sshd on the server on a non-standard port. Here's the list of standard ports. Make sure not to override any of those. You can also restrict this new port to your own IP address the same way, since port 22 will no longer be in use. Before changing anything related to sshd, you'll want to make sure you can actually ssh into the machine. Here's a useful guide.

# login as root
ssh root@hostname/IP

# back up the config
cp /etc/ssh/sshd_config /etc/ssh/sshd_config_backup

# update the sshd_config
sudo nano /etc/ssh/sshd_config

You should see the following contents:

# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin without-password
StrictModes yes

You'll want to change Port to a new number and set PermitRootLogin to "no".

Now restart sshd with service ssh restart (on Ubuntu the init service is named ssh, not sshd). Now when you ssh into the server, make sure you add the -p (port) flag with the new port number, like so: ssh username@hostname.com -p 50683. Here are some other useful commands:

# check if the sshd process is running
ps aux | grep sshd

# check whether anything is still listening on port 22
sudo netstat -plant | grep :22

# check which process holds TCP port 22 open
sudo lsof -i TCP:22

And there you have it. That should significantly reduce the number of authentication logs.
