At this point, you’ve set up your Ubuntu server and added some initial security. There are three more things I like to do when setting up an Ubuntu server.
- Add a Firewall using IP Tables
- Install Fail2Ban
- Setup email alerts anytime a user invokes sudo
Add a Firewall Using IP Tables
Currently, the firewall has no rules yet. Check it out:
sudo iptables -L sudo ip6tables -L
The above commands should show little to no firewall restrictions.
We need to install a package which enables persistent firewall rules. This means that the firewall rules will get automatically applied at server startup:
sudo apt install iptables-persistent
The above command should bring up a dialog that looks something like this:
──────────────| Configuring iptables-persistent ├──────────────┐ │ │ │ Current iptables rules can be saved to the configuration │ │ file /etc/iptables/rules.v4. These rules will then be loaded │ │ automatically during system startup. │ │ │ │ Rules are only saved automatically during package │ │ installation. See the manual page of iptables-save(8) for │ │ instructions on keeping the rules file up-to-date. │ │ │ │ Save current IPv4 rules? │ │ │ │ <Yes> <No> │ │ |
Agree to have the current rules installed into
Setup the IPv4 firewall rules in
sudo nano /etc/iptables/rules.v4
Paste the following into
*filter # Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0 -A INPUT -i lo -j ACCEPT -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT # Accept all established inbound connections -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # Allow all outbound traffic - you can modify this to only allow certain traffic -A OUTPUT -j ACCEPT # Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL). -A INPUT -p tcp --dport 80 -j ACCEPT -A INPUT -p tcp --dport 443 -j ACCEPT # Allow SSH connections # The -dport number should be the same port number you set in sshd_config -A INPUT -p tcp -m state --state NEW --dport 333 -j ACCEPT # Allow ping -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT # Log iptables denied calls -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7 # Reject all other inbound - default deny unless explicitly allowed policy -A INPUT -j REJECT -A FORWARD -j REJECT COMMIT
Setup the IPv6 firewall rules in
sudo nano /etc/iptables/rules.v6
Paste the following into
*filter # Accept established inbound connections -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # Allow loopback interface traffic -A INPUT -i lo -j ACCEPT # Reject non-loopback interface traffic to loopback IP addresses -A INPUT ! -i lo -d ::1/128 -j REJECT # Allow outbound traffic -A OUTPUT -j ACCEPT # Allow ping -A INPUT -p icmpv6 -m state --state NEW -m icmpv6 --icmpv6-type 8 -j ACCEPT # Log denied connections -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7 # Reject all other inbound and forward traffic (default deny unless explicitly allowed) -A INPUT -j REJECT -A FORWARD -j REJECT COMMIT
Activate the firewall v4 and v6 rules now:
sudo iptables-restore < /etc/iptables/rules.v4 && sudo ip6tables-restore < /etc/iptables/rules.v6
Verify that the rules were installed correctly:
sudo iptables -L
Restart the server and confirm that the rules are still in place. You can shut down the server from the command line by typing :
sudo shutdown -r -h +0
Bring the server back up and check that the IP Tables are still in place by running the now familiar command:
sudo iptables -L
If everything looks like what you expected, then let’s move on to setting up Fail2Ban.
Fail2Ban is a tool that monitors log files and bans IP addresses that indicate likely maleficence. Things like too many failed authentication attempts or seeking for exploits would put an IP on the fail2ban list.
First we need to install the package:
sudo apt install fail2ban
Now we can configure the tool by creating a
jail.local file which will override defaults found in
/etc/fail2ban/jail.conf. Run the following to create the empty
sudo nano /etc/fail2ban/jail.local
Now add the following configuration to the file which will send an email labeled as from Fail2Ban whenever there are spurious IPs presenting themselves. Remember to add your own email address and if you used a different ssh port than the default 22 use that here (remember we used 333 in the earlier posts).
[DEFAULT] destemail = [email protected] sendername = Fail2Ban [sshd] enabled = true port = 333 [sshd-ddos] enabled = true port = 333
Now save the file and restart Fail2Ban to put the new rules into effect:
sudo systemctl restart fail2ban
Email Alerts for Sudo Invocations
Anytime someone uses
sudo on the server, we want an email to be sent documenting the invocation and some context around it. If you’re not using observability services like New Relic, this is an ad hoc paper trail that will provide a record should anything bad happen on the server.
In a future post we’ll provide a tutorial on setting up New Relic’s Infrastructure, Logging and Golden Signals agents on the server which will provide a better way to log authentication and
sudo invocations as well as provide some pattern tracking, alerting and telemetry. I used to call this email trick the poor persons observability, but New Relic is free for 100GB so there’s really no excuse to use a leading observability platform now.
However, let’s set up the poor person’s version just for grins. Create a new file for the
sudo nano /etc/sudoers.d/my_sudoers
Add the following to the file (remember to use your email address as Kaladin doesn’t like void bringers or spam):
Defaults mail_always Defaults mailto="[email protected]"
Set the permissions for the file:
sudo chmod 0440 /etc/sudoers.d/my_sudoers
Which should give you the following output if you run
ls -liah /etc/sudoers.d/my_sudoers :
1798 -r--r----- 1 root root 70 Jun 13 13:24 /etc/sudoers.d/my_sudoers
In order for this email alerting to work, you’ll need to install an MTA (mail transfer agent) server.
sendmail is a good choice:
sudo apt install sendmail
Try it out. You should now get an email anytime someone invokes
sudo on your server. Hint: make sure you set up filtering rules for your email client.