This is a guide to install a server for an Ubuntu 14 LTS server. You could likely use different versions.

• Security
  • Update
  • Firewall UFW
  • SSH and Users
  • Fail2Ban
  • Rootkits
  • Unattended Upgrades
  • Apache2 Mod-Evasive
• Packages
  • Common Items
  • Enable PPA Repositories
• Commands
  • SSH Welcome Message
  • Searching
  • User Management
  • SFTP User
• Manage Network Scripts
  • Checking Ports

#Security These are necessities to keep your server secure. Not everything will be covered but some of the most important.

###Update With any new installation you want to update!

sudo apt-get update
sudo apt-get upgrade -y

###Firewall UFW UFW is the uncomplicated firewall.

sudo ufw enable
sudo ufw allow 80
sudo ufw allow 443
sudo ufw allow ssh
sudo ufw allow 911 <or any number>

See your Firewall Rules:

sudo ufw status verbose

###SSH and Users You should first create a non-root user. Since default logins are root on port 22:

sudo useradd -m -s /bin/bash user1
passwd user1

We need user1 him to be a super-user (su). Add your in visudo:

$ visudo
--------
# User privilege specification
root    ALL=(ALL:ALL) ALL
user1   ALL=(ALL:ALL) ALL

#####Change Default SSH Port To change the default port of 22 to something else of your choice:

$ sudo vim /etc/ssh/sshd_config
-------------------------------
Port 22              # Change to: 1234
PermitRootLogin yes  # Change to: no

Reload SSH Configuration:

sudo service ssh reload

#####Make Sure You can Login Test your new user by keeping your current terminal connected and opening a second terminal:

ssh user1@ip_address -p1234

Also make sure you can use sudo, so type su -

As your new user (user1), if you want to login with an SSH key, make sure you have a key on your local machine.

ssh-keygen -t rsa -b 4096 -C "[email protected]"

Create your remote SSH folder and authorized_keys. Paste your id_rsa.pubto authorized_host:

mkdir ~/.ssh
vim /etc/authorized_keys

Your local ~/.ssh/id_rsa.pub must match the remote ~/.ssh/authorized_keys. Make sure it's on one line!

#####SSH File Permissions Here are the permissions for your files (local and remote).

chmod 700 ~/.ssh &&\
chmod 600 ~/.ssh/authorized_keys &&\
chmod 644 ~/.ssh/id_rsa.pub &&\
chmod 600 ~/.ssh/id_rsa

Don't keep your id_rsa private key on the remote host, all you need to login is the authorized_keys file. Only host your private key for a locked down user for deployments.

#####Quick SSH Login On your local machine edit or create an ssh config for quick connection:

$ vim ~/.ssh/config
-------------------
Host myhost
Hostname 123.123.123.555
Port 1234
User user1

You should now be able to connect with:

ssh myhost

###Fail2Ban Bans IPs that attempt too many password failures, searching for exploits and the like. The default configuration is good.

sudo apt-get install fail2ban

###Rootkits

sudo apt-get install chkrootkit rkhunter

Edit the chkrootkit configuration:

sudo vim /etc/chkrootkit.conf

We will run both weekly; However we need to change the configuration:

RUN_DAILY="true"
RUN_DAILY_OPTS=""
DIFF_MODE="false"

For your reference, rkhunter's configuration file is located here: /etc/default/rkhunter

Rename the rkhunter's update job with a different name before moving the other items to the weekly CRON:

sudo mv /etc/cron.weekly/rkhunter /etc/cron.weekly/rkhunter_update

Next move the daily CRON to the weekly:

sudo mv /etc/cron.daily/chkrootkit /etc/cron.weekly
sudo mv /etc/cron.daily/rkhunter /etc/cron.weekly

###Unattended Upgrades Keep security updates on a cron.

sudo apt-get install unattended-upgrades

Edit the periodic updated file:

sudo vim /etc/apt/apt.conf.d/10periodic

Update your values to something like this:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";

###Apache2 Mod-Evasive This is useful for DDOS attacks. First install the needed packages.

sudo apt-get install apache2 apache2-utils libapache2-mod-evasive

Create the log directory.

sudo mkdir /var/log/mod_evasive
sudo chown www-data:www-data /var/log/mod_evasive

Edit the configuration file:

sudo vim /etc/apache2/mods-available/mod_evasive.conf

Uncomment everything except DOSSystemCommand and add your email after DOSEmailNotify.

Reload Apache:

sudo a2enmod evasive
sudo service apache2 reload

#Packages The location for aptitude apt package sources is:

/etc/apt/sources.list     # This is one long file of defaults
/etc/apt/sources.list.d/  # These are separate files for things like PPA adding

If you choose to manually add a package I would recommend adding it to the /etc/apt/sources.list.d/your-source.list directory, that way you can just delete it and sudo apt-get update if you don't want it -- rather than editing the main sources.list file.

###Common Items These are some common packages you can use. If you prefer nginx over apache then install that instead.

sudo apt-get install\
git htop xclip\
python-dev python-pip\
php5 php5-dev\
apache2 apache2-utils

###Enable PPA Repositories This should exist by default, but if it doesn't install it:

sudo apt-get install python-software-properties

#Commands These are commands for reference.

###SSH Welcome Message When you login to your SSH, you can add a custom welcome banner that looks cool:

sudo vim /etc/ssh/sshd_config
Banner /etc/banner

Then create the file and add anything you want:

sudo vim /etc/banner

Here is an example:

   __ _____ _____ _____ _____ 
 __|  | __  |   __|  _  |     |
|  |  |    -|   __|     | | | |
|_____|__|__|_____|__|__|_|_|_|
-------------------------------
Server 01               Welcome
-------------------------------

I used a text to ASCII generator for that. Then restart and it will appear next time you login!

sudo service ssh restart

##Searching

Search for a filename from system path

$ find / --name filename

Search the contents of a file

$ cat filename | grep "text-to-find-here"

Search within files in the current directory

$ grep -Ril "text-to-find-here" .

R (recursive)
i (case insensitive)
l (show the file name, not the result itself)

##User Management

See the user defaults, and add a user with the defaults:

useradd -D
useradd user2

useradd -m user2                # Create Home, Default Shell
useradd -m -s /bin/bash user2   # Set Shell, Create Home

passwd user2                     # Change Passwd
userdel user2                     # Delete User

cat /etc/passwd # See Users
cat /etc/group # See Groups

Manually Add sudo (Super User)

$ visudo
--------
user2 ALL=(ALL) ALL

Change a users shell

sudo chsh -s /bin/bash user2

Add Existing user to Existing Group

usermod -a -G www-data user2

##SFTP User For SFTP Access you should create a group an ddo the following:

sudo groupadd sftp_users
sudo usermod -G sftp_users user2

For a webserver, you should add the webserver group AS WELL

sudo usermod -G www-data user2

Edit your SSHD config and append to the end of the file

$ sudo vim /etc/ssh/sshd_config
-------------------------------
Match group filetransfer
    ChrootDirectory %h
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp

Restart SSH

sudo service ssh restart

#Manage Network Scripts You can add your own startup/shutdown scripts and the like in folders in this area:

/etc/network/if-down.d/
/etc/network/if-pre-up.d/

Just make sure to chmod +x filename.sh

##Checking Ports Beginner commands to http://www.linux.com/learn/tutorials/290879-beginners-guide-to-nmap

apt-get install nmap

There are many ways to check open ports:

sudo ufw status
sudo nmap -sT -O localhost

Other ways to check ports

netstat -anp | grep 222
lsof -i | grep 222
telnet localhost 222

Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted, provided that notice appear in all copies.

©2016 MIT License | Jesse Boyer | JREAM.com