What is an Easy Way to Secure My Server?
I've gone through the guides a few times now, but when creating new servers, securing them can take a while. What is a simpler way to secure my server?
4 Replies
I absolutely feel you. I've read through the guides plenty of times to secure my Linode and re-securing the Linode by hand can be a pain in the butt. I'm going to break this down into two different scripts and you can take and modify as you like. As a MAJOR caveat: there is no guarantee this will prevent all forms of attack and is just a very basic form of securing your server. There is much more that can and should be done depending on the services you are using, including setting up a proper firewall.
The first script is going to only need to be run once and is going to make the assumption you have created an SSH private/public keypair. If you haven't yet, run through that portion of the securing your server guide and have the pubkey handy since that's a major part of securing the Linode. This script will also set up fail2ban which I highly recommend to help prevent brute force attempts.
The second script is going to be an easy way for you to add users as the root user on your server, grant them sudo privileges, add their pubkey, etc. Cool? Cool. Let's get started.
Initial Security Script (Needs only be run once)
Let's call this securing.sh and just create it in the home folder of the root user. It will ask you for the root user's SSH pubkey, so be sure to have that handy.
#!/bin/bash
# Runs an update command. If the first fails, runs the second. This should work with Yum package manager first, then follow up with apt package manager
echo "Updating your System"
yum update -y || { apt-get update -y && apt-get upgrade -y; }
# Prompts root user for their pubkey
read -p "Your Pubkey: " PUBKEY
mkdir -p /root/.ssh
touch /root/.ssh/authorized_keys
echo "$PUBKEY" >> /root/.ssh/authorized_keys
chmod -R 700 /root/.ssh
chown -R root:root /root/.ssh
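# Disables password and root connections over SSH.
# After the restart below root can no longer log in over SSH, so add a sudo user with adduser.sh before closing this session.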
echo Disabling passwords and root login over ssh...
sed -i -e "s/PermitRootLogin yes/PermitRootLogin no/" /etc/ssh/sshd_config
sed -i -e "s/#PermitRootLogin no/PermitRootLogin no/" /etc/ssh/sshd_config
sed -i -e "s/PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config
sed -i -e "s/#PasswordAuthentication no/PasswordAuthentication no/" /etc/ssh/sshd_config
echo Restarting sshd...
systemctl restart sshd
echo ...done
# Set up fail2ban (EPEL provides the package on yum-based systems)
echo "Setting up fail2ban..."
yum install -y epel-release && yum install -y fail2ban || apt-get -o Acquire::ForceIPv4=true install -y fail2ban
cd /etc/fail2ban
cp fail2ban.conf fail2ban.local
cp jail.conf jail.local
systemctl enable fail2ban
systemctl start fail2ban
echo ...done
Pretty simple, right? And now if we want to create a script to simply add users and grant them pubkey access, we can use the following script:
Adding a User Script
We can call this script adduser.sh and keep it in the home folder of the root user as well.
#!/bin/bash
# Creating user (no password set) and adding them to the sudo group
read -r -p "Username: " USERNAME
adduser "$USERNAME" --disabled-password --gecos "" && \
adduser "$USERNAME" sudo
# Adding pubkey
read -r -p "Pubkey: " PUBKEY
mkdir -p "/home/$USERNAME/.ssh"
touch "/home/$USERNAME/.ssh/authorized_keys"
echo "$PUBKEY" > "/home/$USERNAME/.ssh/authorized_keys"
chmod -R 700 "/home/${USERNAME}/.ssh"
chown -R "${USERNAME}:${USERNAME}" "/home/${USERNAME}/.ssh"
This will create a user, set their password as their username (with the expectation that once they log in they will change their password). While the first script was totally hands off, the second one instead asks you for a series of prompts: the username you'd like to add and their pubkey. Just type those in, and the script will take care of the rest.
Running the Scripts
To run the scripts, you will just want to run the following commands:
chmod +x securing.sh
chmod +x adduser.sh
This will make the scripts executable so you can then just run them as the root user with:
./securing.sh
./adduser.sh
While this setup isn't quite as simple as deploying with StackScripts, I think it's a pretty decent way of getting through the process of securing your server.
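Added example, not part of the original post: the sed substitutions in securing.sh only rewrite lines that already read exactly `PermitRootLogin yes` or `PasswordAuthentication yes` (or the commented `no` forms), so a value such as `prohibit-password` or a missing directive is left as it was. The shell functions below set a directive whatever its current state and check the result with `sshd -t` and `sshd -T`; the names `set_sshd_option` and `harden_sshd` are hypothetical.

```shell
#!/bin/sh
# Added example: hypothetical helpers, not part of securing.sh.

# set_sshd_option FILE KEY VALUE
# sshd uses the first value it reads for a keyword, so write "KEY VALUE" on
# the first line and drop any other active global line for KEY. Lines inside
# Match blocks and commented-out lines are left untouched.
set_sshd_option() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp) || return 1
    if awk -v key="$key" -v value="$value" '
        BEGIN { print key " " value; want = tolower(key) }
        tolower($1) == "match" { in_match = 1 }
        !in_match && tolower($1) == want { next }
        { print }
    ' "$file" > "$tmp"; then
        cat "$tmp" > "$file"    # keeps the original owner and mode
        rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# harden_sshd [FILE]: apply both settings, validate, report effective values.
harden_sshd() {
    cfg=${1:-/etc/ssh/sshd_config}
    cp -p "$cfg" "$cfg.bak" || return 1
    set_sshd_option "$cfg" PermitRootLogin no &&
        set_sshd_option "$cfg" PasswordAuthentication no || return 1
    # sshd -t only parses the configuration; roll back if it is rejected.
    if ! sshd -t -f "$cfg"; then
        cp -p "$cfg.bak" "$cfg"
        return 1
    fi
    # sshd -T prints the effective settings after included drop-in files.
    sshd -T -f "$cfg" | grep -E '^(permitrootlogin|passwordauthentication) '
}

# Usage (as root): harden_sshd && systemctl restart sshd
```

Both lines printed by `harden_sshd` should end in `no` before sshd is restarted.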
If you do decide to go the StackScript route, be sure to check out our Bash StackScript Library, which contains a handful of functions that perform many of these actions, including a function that runs through our guide on securing your server. It's also worth noting that those functions don't require you to specify a distribution, as they sort that out on their own. This can save a lot of time when deploying Linodes with multiple Linux distributions, as a single script will work on all of them.
The security script that scrane wrote should work on CentOS (or any other Red Hat-based distro) without issue. I modified the add user script a bit for CentOS for you:
#!/bin/bash
# Creating user, prompting for their password, and adding them to the wheel (sudo) group
read -r -p "Username: " USERNAME
useradd "$USERNAME" && passwd "$USERNAME"
usermod -aG wheel "$USERNAME"
# Adding pubkey
read -r -p "Pubkey: " PUBKEY
mkdir -p "/home/$USERNAME/.ssh"
touch "/home/$USERNAME/.ssh/authorized_keys"
echo "$PUBKEY" > "/home/$USERNAME/.ssh/authorized_keys"
chmod -R 700 "/home/${USERNAME}/.ssh"
chown -R "${USERNAME}:${USERNAME}" "/home/${USERNAME}/.ssh"
Also the Bash library that tommydavidson mentioned is set up to work on both Debian and Red Hat-based distros. If you use them to build a StackScript for deployment, the functions are interchangeable.
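Added example, not part of the posts above: both add-user scripts take the username and pubkey from a prompt and use them as root without checking them. The shell functions below reject odd usernames and malformed key lines, then install the key once with a 700 directory and a 600 file; the function names and the allowed key-type list are assumptions made for this example.

```shell
#!/bin/sh
# Added example: hypothetical helpers, not part of the scripts above.

# valid_username NAME: conservative check, blocks "-opt" and "../path" input.
valid_username() {
    printf '%s\n' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# valid_pubkey LINE: one "type base64 [comment]" line whose decoded blob
# starts with the same key type that the line declares.
valid_pubkey() {
    nl='
'
    case $1 in *"$nl"*) return 1 ;; esac    # reject multi-line pastes
    key_type=${1%% *}
    rest=${1#* }
    blob=${rest%% *}
    case $key_type in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 1 ;;
    esac
    # Blob layout: 4-byte length, key type string, then the key material.
    embedded=$(printf '%s' "$blob" | base64 -d 2>/dev/null |
        tail -c +5 | head -c "${#key_type}")
    [ "$embedded" = "$key_type" ]
}

# install_pubkey HOME_DIR OWNER_SPEC PUBKEY   (OWNER_SPEC is "user:group")
install_pubkey() {
    home=$1 owner=$2 key=$3
    valid_pubkey "$key" || { echo "rejected: not a public key line" >&2; return 1; }
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh" || return 1
    keys=$home/.ssh/authorized_keys
    touch "$keys" && chmod 600 "$keys" || return 1
    # -x whole line, -F fixed string: append only if the key is not there yet.
    grep -qxF -- "$key" "$keys" || printf '%s\n' "$key" >> "$keys"
    chown -R "$owner" "$home/.ssh"
}

# Usage (as root, after creating the account):
#   valid_username "$USERNAME" || exit 1
#   install_pubkey "/home/$USERNAME" "$USERNAME:$USERNAME" "$PUBKEY"
```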