Whatever your preference in Linux distributions, there comes a time when you have just provisioned a server in the cloud or been handed a Linux box to work with. It then sits there, waiting to be brute forced or used as a guinea pig by someone pointing a brute-force tool written last century at it. Those tools are dumb, but if you are not careful with basic security practices they still have a chance.
This post in no way dictates how you prepare your server; it is what I have seen people with some common sense do to keep a box safe until you or management decide what it is actually going to be used for.
These are very generalised steps and apply to any distribution, obviously with different commands.
1. First things first.
Update your distribution to the latest package, kernel and security updates. This can be done with the following commands.
CentOS:
yum update
Debian / Ubuntu:
apt-get update
apt-get upgrade
Note that apt-get update only refreshes the package index; it installs nothing. The upgrade step does the actual work (use apt-get dist-upgrade if a new kernel is being held back).
After this, reboot. Older admins do it deliberately: if the official release channel just shipped something that stops the box from coming back up, you want to find that out now, not after a lot of configuration. Confirm it came back on the new kernel with uname -r.
2. Once you have updated your packages, let's change how we access the server.
Nearly every *nix server (probably 100%) runs the sshd daemon so we can connect remotely. Unless you have IPMI or the box is hosted in your garage, you are using it too. Hosting providers and operations people take the small precaution of changing the default SSH port (22) to something like 2202, 2222 or 2022. That buys you about a second against anyone who actually wants to find your port (a full nmap -p- scan finds it regardless); it only filters out the dumbest bots. If you are going to do it, use a port that is not commonly scanned, and remember that a TCP port must be between 1 and 65535, so values like 6565623 are not valid. This is done by editing /etc/ssh/sshd_config (not sshd.conf) and setting the Port directive to what you like, for example:
Port 56562
On CentOS 7 with SELinux enforcing, sshd may only bind ports labelled ssh_port_t, so you also have to label the new port with semanage before restarting. Keep your current session open and test the new port from a second terminal before you log out, otherwise a typo here locks you out.
After this you just have to restart the sshd daemon with the command given below.
CentOS 5.x/6.x
service sshd restart
CentOS 7.x/8.x
systemctl restart sshd.service
Debian/Ubuntu (the unit is called ssh here, not sshd)
service ssh restart
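As an added example (my script, not from the original post), a small POSIX shell helper that rewrites the Port directive, refuses a port outside the valid range, validates the config with sshd -t and restarts the correct unit name per distribution. The port number, the config path argument and the use of semanage on SELinux hosts are illustrative assumptions; the live part needs root and a second session open.

```shell
#!/bin/sh
# Added example, not from the original post. Rewrites the sshd Port directive
# safely: rejects ports outside 1-65535, validates the config with sshd -t,
# and restarts the right unit name for the distribution.

# valid_port PORT: true only for an integer in 1..65535.
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# set_sshd_port FILE PORT: replace an existing (possibly commented-out) Port
# line, or append one if none exists. Writes via a temp file, not sed -i.
set_sshd_port() {
  cfg="$1"; port="$2"
  valid_port "$port" || { echo "refusing invalid port: $port" >&2; return 1; }
  if grep -qE '^[# ]*Port[[:space:]]' "$cfg"; then
    sed -E "s/^[# ]*Port[[:space:]].*/Port $port/" "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
  else
    printf 'Port %s\n' "$port" >> "$cfg"
  fi
}

# get_sshd_port FILE: the port sshd would listen on (last Port wins, default 22).
get_sshd_port() {
  awk '$1 == "Port" { p = $2 } END { if (p == "") p = 22; print p }' "$1"
}

# apply_new_port PORT: the full sequence on a live host (needs root). Run it
# from one terminal and keep a second SSH session open until the new port has
# been tested. This part is not exercised by the offline test.
apply_new_port() {
  set_sshd_port /etc/ssh/sshd_config "$1" || return 1
  sshd -t || return 1                      # syntax check before restarting
  if command -v semanage >/dev/null 2>&1; then
    # CentOS 7 with SELinux: sshd may only bind ports labelled ssh_port_t
    semanage port -a -t ssh_port_t -p tcp "$1" 2>/dev/null || true
  fi
  if command -v systemctl >/dev/null 2>&1; then
    systemctl restart sshd 2>/dev/null || systemctl restart ssh   # CentOS 7+ / Debian, Ubuntu
  else
    service sshd restart 2>/dev/null || service ssh restart       # CentOS 5/6 / older Debian
  fi
}
```

The helper writes through a temp file and checks the range first because the two failure modes you actually hit here are an invalid Port value (sshd refuses to start) and editing the wrong file (the change silently does nothing); sshd -t catches the first before the restart, the second shows up when you test from the second terminal.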
3. Third things first (yes, I said it: FIREWALL).
Some of you believe the first two points are BS unless we do the third one. To those critics, ladies and gentlemen: you may be right, but what is the point of a firewall if the server stalls after a reboot? Do the firewall now.
This is not an iptables tutorial or guide, just what you can put in place if you want to leave the server alone until you get around to using it. The order matters: every ACCEPT rule goes in before the default policy is switched to DROP, otherwise the session you are typing in is dropped along with everything else and you have locked yourself out. Use the INPUT chain of the filter table for this; it is the chain that sees traffic destined for the host itself.
a. Allow everything on the loopback interface.
iptables -A INPUT -i lo -j ACCEPT
b. Do not cut off existing connections (including the one you are on). The OUTPUT rule is harmless but only matters if you later lock down outbound traffic too; the OUTPUT policy is still ACCEPT.
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
c. Make sure you allow yourself. Only do this if you have a static source address; if you do not, open just your SSH port instead, go and learn port knocking, or look in the logs for who has found your fancy SSH port.
iptables -A INPUT -s <your-IP> -j ACCEPT
d. Drop everything else.
iptables -A INPUT -j DROP
e. Only now set the default policy to DROP. Rule d already drops, but the policy makes the chain fail closed if the rules are ever flushed (so set it back to ACCEPT before you flush, or you are locked out).
iptables -P INPUT DROP
I will be adding more to this later; for now I am just tired of explaining. After these general steps, make sure you save the running iptables rules so they survive a reboot.
CentOS 5.x/6.x:
service iptables save
CentOS 7:
This one ships firewalld instead, but the underlying technology is still iptables. You can carry on using iptables as always by installing iptables-services, then stopping and disabling the firewalld unit and enabling the iptables unit with systemctl, so the two do not fight over the same rule set.
yum install iptables-services
It is better to do it with firewalld, though. If you would like to learn the details, here is an article from everyone's friends at tecmint.com: https://www.tecmint.com/configure-firewalld-in-centos-7/
For Ubuntu the best way is to use iptables-persistent, which can be installed with the command given below.
apt-get install iptables-persistent
Once it is installed, run all the rules given above and save them with the command given below (the installer also offers to save the current rules for you).
iptables-save > /etc/iptables/rules.v4
Now you can let this box rest and let "I'll get back to it when I get time" take over. Anything you install after this depends purely on the role of the server, which varies widely. When you do, open only the ports that service needs, on the appropriate interfaces. Note that /etc/services is just a lookup table of port names, not a list of what is listening; check with ss -tlnp (netstat -tlnp on older systems) what is actually bound before you open anything to the public network.
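As an added example (my script, not the post's own), the rule set from step 3 in a lock-out-safe order: every ACCEPT goes in before the policy is flipped to DROP, the policy is reset to ACCEPT before the flush so a rerun does not drop the live session, and a rate-limited rule opens the SSH port for anyone not coming from the admin address (covering the "no static IP" case). SSH_PORT, ADMIN_IP (an RFC 5737 documentation address) and the save-file locations are assumptions to adjust.

```shell
#!/bin/sh
# Added example, not the post's own script. Generates the post's INPUT rules in
# an order that cannot cut off the session you apply them from, then applies
# and saves them. SSH_PORT and ADMIN_IP are illustrative values.
SSH_PORT="${SSH_PORT:-56562}"
ADMIN_IP="${ADMIN_IP:-203.0.113.10}"   # constructed RFC 5737 documentation address

# gen_rules: print one iptables command per line, in apply order.
# Policy goes back to ACCEPT before the flush (a flush under policy DROP
# would drop your own session), every ACCEPT precedes the catch-all DROP,
# and the DROP policy is set last.
gen_rules() {
  cat <<EOF
iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -s $ADMIN_IP -j ACCEPT
iptables -A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -m limit --limit 6/min --limit-burst 6 -j ACCEPT
iptables -A INPUT -j DROP
iptables -P INPUT DROP
EOF
}

# apply_rules: run the generated commands (needs root). Do it from a second
# terminal and keep the first one open until you have logged in again.
apply_rules() {
  gen_rules | sh -e
}

# save_rules: persist whatever is loaded now, per distribution.
save_rules() {
  if [ -d /etc/iptables ]; then
    iptables-save > /etc/iptables/rules.v4    # Debian/Ubuntu with iptables-persistent
  elif [ -x /etc/init.d/iptables ] || [ -f /usr/libexec/iptables/iptables.init ]; then
    service iptables save                     # CentOS 6, or CentOS 7 with iptables-services
  else
    echo "no persistence found; install iptables-services or iptables-persistent" >&2
    return 1
  fi
}
```

The admin address is accepted before the rate limit so your own logins are never throttled; everyone else gets six new SSH connections per minute, which is enough for a human and slow enough to make a brute-force run pointless. Because gen_rules only prints, you can review the exact commands (gen_rules | less) before apply_rules executes them.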