Securing/hardening the server

Your server on your local network is relatively safe from harm: you probably don't have any bad guys in your home trying to hack your login credentials.

But if you've set up a fixed IP address and port forwarding so that your server can interact with the outside world—perhaps you're going to run a small website on your server—then it is almost certain that you will receive network traffic from random entities: bad guys, bots, malware, all trying to log in to your server using default usernames and weak passwords so that they can compromise your system.

Why would someone want to do that? To run a bitcoin miner on your server, to use it to launch a distributed denial-of-service attack on another target, etc. It makes sense to take a few easy steps to harden your server's security so that it is less likely to be compromised.

Let's get started!

  1. Set up automatic updates - Level: Easy!
  2. Create an Authentication Key-pair - Level: Moderate!!
  3. Use Fail2Ban for SSH Login Protection - Level: Easy!
  4. Set up a Firewall with UFW - Level: Moderate!

Set up automatic updates

One of the easiest things you can do is keep your server automatically updated. Ubuntu Server already has the software installed—all you have to do is activate it.

  1. While logged in to your server via the command line:
    $ sudo dpkg-reconfigure --priority=low unattended-upgrades
    An interactive dialog box will appear. Press the [Enter] key to accept the default value of yes.
  2. Use sudo to open up a configuration file using nano:
    $ sudo nano /etc/apt/apt.conf.d/50unattended-upgrades
    In that file, look for the section that says:
    // Automatically reboot *WITHOUT CONFIRMATION* if a
    // the file /var/run/reboot-required is found after the upgrade
    // Unattended-Upgrade::Automatic-Reboot "false";
    Change the word false to true.

Your server will now keep itself updated, and reboot itself when necessary.
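
A check for the setting edited above, added here as an example and not part of the original page: apt treats lines that begin with // as comments, so the function below reports the value only from uncommented lines. The function name and the sample files are constructed for illustration, and only the one-line Name "value"; form shown on this page is parsed.

```shell
#!/bin/sh
# Added example (not from the original page). Prints the effective value of
# Unattended-Upgrade::Automatic-Reboot in an apt configuration file, or
# "unset" when the only occurrences are commented out with //.
auto_reboot_setting() {
    # $1 = path to the file (50unattended-upgrades in the steps above)
    awk '
        /^[ \t]*\/\// { next }      # apt ignores // comment lines
        # The trailing [ \t] keeps Automatic-Reboot-Time and similar keys out.
        /Unattended-Upgrade::Automatic-Reboot[ \t]/ && match($0, /"[^"]*"/) {
            val = substr($0, RSTART + 1, RLENGTH - 2)   # text between the quotes
        }
        END { print (val == "" ? "unset" : val) }
    ' "$1"
}

# Constructed sample files, so the check can be tried without touching /etc.
demo_dir=$(mktemp -d)
printf '%s\n' \
    '// Automatically reboot *WITHOUT CONFIRMATION* if' \
    '//  the file /var/run/reboot-required is found after the upgrade' \
    '// Unattended-Upgrade::Automatic-Reboot "true";' > "$demo_dir/still-commented"
printf '%s\n' \
    'Unattended-Upgrade::Automatic-Reboot "true";' \
    'Unattended-Upgrade::Automatic-Reboot-Time "02:00";' > "$demo_dir/active"

echo "still-commented: $(auto_reboot_setting "$demo_dir/still-commented")"
echo "active:          $(auto_reboot_setting "$demo_dir/active")"
rm -rf "$demo_dir"
```

On the server, point the function at /etc/apt/apt.conf.d/50unattended-upgrades after saving the file in nano.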

Create an Authentication Key-pair

See the instructions here, being sure to use the IP address for your server instead of crashwhite.polytechnic.org in those instructions.

Use Fail2Ban for SSH Login Protection

If someone is hitting your server with repeated attempts to log in, it could be that it's just you and you forgot your excellent password. It could be, however, that someone is running a malicious script and trying to brute-force your password. The fail2ban software will protect you against these kinds of attacks.

  1. Use the Terminal from your own computer to log in to the server
  2. Install the fail2ban package:
    $ sudo apt install fail2ban
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    The following additional packages will be installed:
      python3-pyinotify whois
    Suggested packages:
      mailx monit sqlite3 python-pyinotify-doc
    The following NEW packages will be installed:
      fail2ban python3-pyinotify whois
    0 upgraded, 3 newly installed, 0 to remove and 11 not upgraded.
    Need to get 442 kB of archives.
    After this operation, 2400 kB of additional disk space will be used.
    Do you want to continue? [Y/n]
    Press [Enter] to accept and the software will install.
  3. Once the software is installed, fail2ban starts running immediately. You can verify this:
    $ sudo systemctl status fail2ban
    ● fail2ban.service - Fail2Ban Service
         Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor pres>
         Active: active (running) since Sat 2021-03-20 11:47:16 PDT; 8min ago
           Docs: man:fail2ban(1)
       Main PID: 49943 (f2b/server)
          Tasks: 5 (limit: 973)
         CGroup: /system.slice/fail2ban.service
                 └─49943 /usr/bin/python3 /usr/bin/fail2ban-server -xf start
    Mar 20 11:47:16 ubuntu systemd[1]: Starting Fail2Ban Service...
    Mar 20 11:47:16 ubuntu systemd[1]: Started Fail2Ban Service.
    Mar 20 11:47:17 ubuntu fail2ban-server[49943]: Server ready
    The fail2ban software can be configured in lots of different ways by a systems administrator. For our purposes, we'll leave the default configuration as it is.
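
How a retry threshold inside a time window separates a forgotten password from a brute-force script, as an added example that is not part of the original page and not fail2ban's own code. It is a simplified model: the function name, the log lines and the threshold values passed to it are constructed or assumed for illustration, and timestamps are assumed to fall on the same day.

```shell
#!/bin/sh
# Added example: simplified model of a retry-window ban decision.
# would_ban MAXRETRY FINDTIME_SECONDS   (sshd log lines on stdin)
# Prints each source address that reaches MAXRETRY failed logins within
# FINDTIME_SECONDS of each other.
would_ban() {
    awk -v maxretry="$1" -v findtime="$2" '
        /sshd\[[0-9]+\]: Failed password for / {
            split($3, t, ":")
            now = t[1] * 3600 + t[2] * 60 + t[3]      # seconds since midnight
            # The address follows the last "from" token on the line.
            for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
            n = ++count[ip]
            stamp[ip, n] = now
            recent = 0                                # failures still in window
            for (k = 1; k <= n; k++) if (now - stamp[ip, k] <= findtime) recent++
            if (recent >= maxretry && !(ip in banned)) { banned[ip] = 1; print ip }
        }
    '
}

# Constructed log lines (documentation address ranges, made-up PIDs and ports).
sample_auth_log() {
    cat <<'EOF'
Mar 20 09:15:30 ubuntu sshd[48001]: Failed password for alice from 192.0.2.10 port 50514 ssh2
Mar 20 09:15:52 ubuntu sshd[48001]: Failed password for alice from 192.0.2.10 port 50514 ssh2
Mar 20 09:16:20 ubuntu sshd[48001]: Accepted password for alice from 192.0.2.10 port 50514 ssh2
Mar 20 11:50:01 ubuntu sshd[50101]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Mar 20 11:50:04 ubuntu sshd[50103]: Failed password for root from 203.0.113.7 port 40130 ssh2
Mar 20 11:50:07 ubuntu sshd[50105]: Failed password for invalid user test from 203.0.113.7 port 40138 ssh2
Mar 20 11:50:10 ubuntu sshd[50107]: Failed password for invalid user pi from 203.0.113.7 port 40146 ssh2
Mar 20 11:50:13 ubuntu sshd[50109]: Failed password for root from 203.0.113.7 port 40154 ssh2
EOF
}

# Assumed values for illustration: 5 failures within 600 seconds.
sample_auth_log | would_ban 5 600
```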

Set up a Firewall with UFW

There are a number of strategies for setting up a firewall. We're going to use Uncomplicated Firewall (UFW).

  1. Ensure that ufw is installed on the server.
    $ sudo apt install ufw
    I found that Ubuntu Server already had ufw installed. Yay!
  2. Check the status of the firewall. Just because ufw is installed doesn't mean it's running.
    $ sudo ufw status
    Status: inactive
  3. Let our server communicate out through the firewall
    $ sudo ufw default allow outgoing
    Default outgoing policy changed to 'allow'
    (be sure to update your rules accordingly)
  4. Set up the firewall to refuse all incoming traffic (we'll modify this rule next)
    $ sudo ufw default deny incoming
    Default incoming policy changed to 'deny'
    (be sure to update your rules accordingly)
  5. Set up the firewall to allow ssh traffic in and out (we still want to be able to log in!)
    $ sudo ufw allow ssh
    Rules updated
    Rules updated (v6)
  6. Activate these firewall rules
    $ sudo ufw enable
    Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
    Firewall is active and enabled on system startup
  7. Check to see what your firewall rules are
    $ sudo ufw status
    Status: active
    To                         Action      From
    --                         ------      ----
    22/tcp                     ALLOW       Anywhere
    22/tcp (v6)                ALLOW       Anywhere (v6)
  8. Deactivate the firewall (not ordinarily needed)
    $ sudo ufw disable

Note that your firewall rules will remain active through reboots.
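
A way to confirm later that the firewall still matches the policy built in the steps above, added here as an example and not part of the original page. The function name and both sample outputs are constructed for illustration; the input is assumed to be the text printed by sudo ufw status verbose.

```shell
#!/bin/sh
# Added example (not from the original page). Reads `ufw status verbose`
# output on stdin and exits non-zero if the firewall is inactive, the default
# incoming policy is not deny, or an inbound ALLOW rule targets something
# other than the expected entries given as arguments.
# On the server: sudo ufw status verbose | audit_ufw 22/tcp
audit_ufw() {
    expected=" $* "
    awk -v expected="$expected" '
        /^Status:/  { active = ($2 == "active") }
        /^Default:/ { deny_in = ($2 == "deny" && $3 == "(incoming),") }
        / ALLOW / && !/ ALLOW OUT / {
            # $1 is the rule target, e.g. 22/tcp; report each one once.
            if (index(expected, " " $1 " ") == 0 && !seen[$1]++) {
                print "unexpected rule: " $1
                bad = 1
            }
        }
        END {
            if (!active)  { print "firewall is not active"; bad = 1 }
            if (!deny_in) { print "default incoming policy is not deny"; bad = 1 }
            exit bad + 0
        }
    '
}

# Constructed sample: the state reached at the end of the steps above.
sample_hardened() {
    cat <<'EOF'
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
EOF
}

# Constructed sample: the same firewall after an extra port was opened.
sample_drifted() {
    sample_hardened
    echo '3306/tcp                   ALLOW IN    Anywhere'
    echo '3306/tcp (v6)              ALLOW IN    Anywhere (v6)'
}

sample_hardened | audit_ufw 22/tcp && echo "hardened sample: OK"
sample_drifted  | audit_ufw 22/tcp || echo "drifted sample: needs review"
```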
