
Securing and Hardening your Ubuntu 16.04 ServUO Server


One of the first things you need to do after setting up your Linux server is to secure SSH, configure your firewall, secure shared memory, and install and configure fail2ban.

Securing SSH with RSA keys will prevent unauthorized users from logging in to your server, even if they have the root password, and changing the port to something other than the default port 22 will help keep the script kiddies away.

The firewall will simply block all traffic to ports you don't want exposed to the internet.

Fail2ban will IP-ban at the firewall any user attempting to log in to SSH without an authorized key. This will greatly reduce the threat from a DDoS.

This tutorial assumes you will be using a Windows PC as your workstation, and Ubuntu 16.04 for your server.


Preparing your Workstation
For this tutorial, you will need to install two applications on your workstation if you don’t already have them installed:

  1. PuTTY
  2. PuTTYgen

You can find PuTTY and PuTTYgen here:

http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html


Creating a key
  1. Launch PuTTYgen
  2. Click the “Generate” button
  3. It will ask you to move your mouse around while it generates the key
  4. Click “Save private key” and save it somewhere safe but where you can find it. Save this as “MyKey”
  5. (Answer Yes to the prompt about having no password on the file)
  6. From the top menu, select “Conversions” then “Export OpenSSH key” and save it as “ForServer”
  7. (Answer Yes to the prompt about having no password on the file)

Adding the key to your server
Using PuTTY, connect to your server and edit your authorized_keys file:

Code:
    nano ~/.ssh/authorized_keys

Now, on your workstation, open the “ForServer” file using a text editor, select all, and copy, then paste the contents into your server’s authorized_keys file. If there is already another key in your authorized_keys file, then just add a line under the previous key, and paste your key under it. Now, save your authorized_keys file and change permissions:

Code:
    chmod 600 ~/.ssh/authorized_keys

Testing your key and Changing the default SSH port
Edit your sshd_config file and allow key authentication:

Code:
    sudo nano /etc/ssh/sshd_config

Code:
    # Change this to a number less than 1024 (and not 21, 80, or 443)
    Port 22

Code:
    RSAAuthentication yes
    PubkeyAuthentication yes

Save your changes and restart the ssh service:

Code:
    sudo service sshd restart

On your workstation, launch PuTTY, then create and save a new session to your server using your MyKey.ppk. To do this:

  1. Enter your server’s address or IP in the “Host Name” field
  2. Enter your new SSH port
  3. On the column to the left, click SSH then Auth, and Browse for your MyKey.ppk file
  4. Scroll back up on the left column and click on “Session”
  5. Click “Save” then “Open”
  6. At the login prompt, you should only have to enter your name
If you were able to log in with only your name using the key, you are ready to lock down your SSH server. If you were prompted for a password, something went wrong. Please check again that you have followed the steps up to this point carefully. If you were asked for a password, DO NOT CONTINUE!

Locking down the SSH Server
Now that you can connect with your MyKey.ppk, you can prevent other users who don’t have a key from logging into your server. Edit your sshd_config file again, and uncomment the PasswordAuthentication line and set it to “no.”

Code:
    sudo nano /etc/ssh/sshd_config

Uncomment and change the following:

Code:
    # Change to no to disable tunnelled clear text passwords
    PasswordAuthentication no

Save your changes and restart the ssh service:

Code:
    sudo service sshd restart

Now, your server will not allow anyone to log in without a key.
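
An added example, not part of the original tutorial: a small shell audit of the sshd_config settings the SSH steps above depend on, run here against a constructed sample file. The sample contents, the placeholder port 922, and the extra ChallengeResponseAuthentication check are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Effective value of a global keyword: keywords are case-insensitive, the
# first occurrence of a single-valued keyword wins, '#' lines are comments,
# and global settings end at the first Match block.
sshd_value() {  # usage: sshd_value <file> <keyword> <default>
    awk -v key="$2" -v def="$3" '
        $1 ~ /^#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print def }' "$1"
}

# Print one finding per line; no output means the file passes.
audit_sshd() {  # usage: audit_sshd <file>
    [ "$(sshd_value "$1" Port 22)" != "22" ] ||
        echo "Port: still the default 22"
    [ "$(sshd_value "$1" PubkeyAuthentication yes)" = "yes" ] ||
        echo "PubkeyAuthentication: key logins are disabled"
    [ "$(sshd_value "$1" PasswordAuthentication yes)" = "no" ] ||
        echo "PasswordAuthentication: passwords are still accepted"
    # Assumption beyond the tutorial: with PAM, keyboard-interactive
    # authentication can still prompt for a password.
    [ "$(sshd_value "$1" ChallengeResponseAuthentication yes)" = "no" ] ||
        echo "ChallengeResponseAuthentication: keyboard-interactive still on"
    return 0
}

# Constructed sample: the state after "Testing your key" but before
# "Locking down the SSH Server" (port 922 is an arbitrary placeholder).
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 922
#PasswordAuthentication no
RSAAuthentication yes
pubkeyauthentication yes
ChallengeResponseAuthentication no
Match User backup
    PasswordAuthentication no
EOF
audit_sshd "$sample"   # reports only the PasswordAuthentication finding
rm -f "$sample"
```

The commented-out line and the setting inside the Match block do not count as a global PasswordAuthentication no, which is why the sample still fails that check.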

Configuring your firewall
If you have a fresh server installation, chances are your firewall is disabled. You can check status with the following command:

Code:
    sudo ufw status

If it’s not installed, you can install it with:

Code:
    sudo apt-get install ufw

Now, before we enable it, let’s set it back to default and add the port for SSH (22) and for our ServUO server (default 2593). Enter these commands one at a time, don’t paste the whole block in!

Code:
    sudo ufw default deny incoming
    sudo ufw default allow outgoing
    sudo ufw allow 22 #Enter your new SSH port here
    sudo ufw allow 2593

If you have other services running, you need to also open those ports. Now, enable the firewall:

Code:
    sudo ufw enable

Now check that it’s running:

Code:
    sudo ufw status

Securing Shared Memory
Shared memory can be used in an attack against a running service. Modify /etc/fstab to make it more secure.

Code:
    sudo vi /etc/fstab

Add the following line and save. You will need to reboot for this setting to take effect:

Code:
    tmpfs  /run/shm  tmpfs  defaults,noexec,nosuid  0  0

Installing and configuring fail2ban

First, we need to update our local package index and then we can use apt to download and install the package:

Code:
    sudo apt-get update
    sudo apt-get install fail2ban

By default, fail2ban is set up to defend ssh. However, you need to tell it what your new ssh port is:

Code:
    sudo nano /etc/fail2ban/jail.conf

Find and edit the following:

Code:
    [sshd]
    # Change this from ssh to your new ssh port
    port  = ssh
    logpath = %(sshd_log)s

Save the file and restart fail2ban:

Code:
    sudo service fail2ban restart

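
An added example, not part of the original tutorial: once SSH has moved off port 22, this shell check confirms that the ufw rules and the fail2ban [sshd] jail both reference the new port. It assumes the output of "sudo ufw status" has been saved to a file and that the jail files are passed in the order fail2ban reads them (jail.conf, then any jail.local override); the sample data and port 922 are constructed placeholders.

```bash
#!/usr/bin/env bash
# Port setting of a jail; a later file overrides an earlier one.
jail_port() {  # usage: jail_port <jail> <file>...
    jail="$1"; shift
    awk -v want="[$jail]" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { gsub(/[ \t]/, ""); insec = ($0 == want); next }
        insec && /^[ \t]*port[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); val = $0 }
        END { print val }' "$@"
}

# Print one finding per line; no output means sshd, ufw and fail2ban agree.
check_ssh_port() {  # usage: check_ssh_port <port> <ufw-status-file> <jail-file>...
    port="$1"; ufw="$2"; shift 2
    grep -q '^Status: active' "$ufw" || echo "ufw: firewall is not active"
    awk -v p="$port" '$2 == "ALLOW" && ($1 == p || $1 == p "/tcp") { ok = 1 }
        END { exit !ok }' "$ufw" || echo "ufw: no ALLOW rule for port $port"
    # "ssh" is a service name that resolves to port 22
    jp=$(printf ',%s,' "$(jail_port sshd "$@")" | sed 's/,ssh,/,22,/')
    case "$jp" in
        *",$port,"*) ;;
        *) echo "fail2ban: [sshd] port does not include $port" ;;
    esac
    return 0
}

# Constructed sample: SSH moved to 922 (placeholder), but the commands were
# copied with port 22 and the jail still says "ssh".
d=$(mktemp -d)
printf 'Status: active\n\nTo    Action  From\n--    ------  ----\n22    ALLOW   Anywhere\n2593  ALLOW   Anywhere\n' > "$d/ufw.txt"
printf '[DEFAULT]\nbantime = 600\n\n[sshd]\nport = ssh\nlogpath = %%(sshd_log)s\n' > "$d/jail.conf"
check_ssh_port 922 "$d/ufw.txt" "$d/jail.conf"   # two findings
rm -rf "$d"
```
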
Congratulations, you now have a hardened server!