03 Ubuntu 20.04 LTS Advanced Security Setup

At this point, you’ve set up your Ubuntu server and added some initial security. There are three more things I like to do when setting up an Ubuntu server.

  1. Add a Firewall using IP Tables
  2. Install Fail2Ban
  3. Set up email alerts any time a user invokes sudo

Add a Firewall Using IP Tables

Currently, the firewall has no rules yet. Check it out:

sudo iptables -L
sudo ip6tables -L

The above commands should show little to no firewall restrictions.

We need to install a package which enables persistent firewall rules. This means that the firewall rules will get automatically applied at server startup:

sudo apt install iptables-persistent

The above command should bring up a dialog that looks something like this:

 ┌──────────────┤ Configuring iptables-persistent ├──────────────┐
 │                                                               │
 │ Current iptables rules can be saved to the configuration      │
 │ file /etc/iptables/rules.v4. These rules will then be loaded  │
 │ automatically during system startup.                          │
 │                                                               │
 │ Rules are only saved automatically during package             │
 │ installation. See the manual page of iptables-save(8) for     │
 │ instructions on keeping the rules file up-to-date.            │
 │                                                               │
 │ Save current IPv4 rules?                                      │
 │                                                               │
 │                <Yes>                   <No>                   │
 │                                                               │
 └───────────────────────────────────────────────────────────────┘

Answer Yes to both prompts (IPv4, then IPv6) so the current rules are saved to /etc/iptables/rules.v4 and /etc/iptables/rules.v6.

Set up the IPv4 firewall rules in /etc/iptables/rules.v4:

sudo nano /etc/iptables/rules.v4

Paste the following into /etc/iptables/rules.v4:

*filter

#  Allow all loopback (lo) traffic and reject traffic to 127.0.0.0/8 that does not arrive on lo
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

#  Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#  Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

#  Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

#  Allow SSH connections
#  The --dport number must match the Port you set in sshd_config (333 in the earlier posts)
-A INPUT -p tcp -m state --state NEW --dport 333 -j ACCEPT

#  Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

#  Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

#  Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT

Set up the IPv6 firewall rules in /etc/iptables/rules.v6:

sudo nano /etc/iptables/rules.v6

Paste the following into /etc/iptables/rules.v6:

*filter

# Accept established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow loopback interface traffic
-A INPUT -i lo -j ACCEPT

# Reject non-loopback interface traffic to loopback IP addresses
-A INPUT ! -i lo -d ::1/128 -j REJECT

# Allow outbound traffic
-A OUTPUT -j ACCEPT

# Allow ping (ICMPv6 echo-request is type 128; type 8 is the ICMPv4 number and matches nothing useful here)
-A INPUT -p icmpv6 -m state --state NEW -m icmpv6 --icmpv6-type 128 -j ACCEPT

# Allow Neighbor Discovery (router solicitation/advertisement 133/134, neighbor solicitation/advertisement 135/136).
# These are not tracked as ESTABLISHED, so rejecting them below would leave the host unable to resolve IPv6 neighbors.
-A INPUT -p icmpv6 -m icmpv6 --icmpv6-type 133 -j ACCEPT
-A INPUT -p icmpv6 -m icmpv6 --icmpv6-type 134 -j ACCEPT
-A INPUT -p icmpv6 -m icmpv6 --icmpv6-type 135 -j ACCEPT
-A INPUT -p icmpv6 -m icmpv6 --icmpv6-type 136 -j ACCEPT

# Log denied connections
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Reject all other inbound and forward traffic (default deny unless explicitly allowed)
-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT

Activate the firewall v4 and v6 rules now:

sudo iptables-restore < /etc/iptables/rules.v4 && sudo ip6tables-restore < /etc/iptables/rules.v6

Verify that the rules were installed correctly:

sudo iptables -L

Restart the server and confirm that the rules are still in place. You can shut down the server from the command line by typing:

sudo shutdown -r -h +0

Bring the server back up and check that the iptables rules are still in place by running the now familiar command:

sudo iptables -L
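The LOG rules in rules.v4 and rules.v6 tag every rejected packet with the prefix "iptables denied: " in the kernel log (journalctl -k, or /var/log/kern.log on Ubuntu). The following POSIX shell script is an added example, not part of the original post: it summarises those entries by source address and by protocol/port, which is the quickest way to see which closed ports are being probed and from where. The SAMPLE_LOG lines are constructed for the demonstration using RFC 5737 documentation addresses.

```shell
#!/bin/sh
# Summarise the "iptables denied: " entries that the LOG rules write to the
# kernel log, by source address and by protocol/destination port.
# On a live host the input would be:  journalctl -k --no-pager | denied_summary
# SAMPLE_LOG is constructed for this example; it is not captured from a real server.

SAMPLE_LOG='Jun 13 13:24:01 srv kernel: [  101.2] iptables denied: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=0 DF PROTO=TCP SPT=40001 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 13 13:24:02 srv kernel: [  102.3] iptables denied: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=40 PROTO=TCP SPT=40002 DPT=3389 SYN URGP=0
Jun 13 13:24:05 srv kernel: [  105.0] iptables denied: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.2 LEN=40 PROTO=TCP SPT=51000 DPT=23 SYN URGP=0
Jun 13 13:24:09 srv kernel: [  109.4] iptables denied: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=60 PROTO=UDP SPT=53 DPT=5060 LEN=40
Jun 13 13:24:10 srv sshd[1234]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2'

# denied_summary: stdin -> "count source" lines, most frequent source first.
# Lines without the LOG prefix (like the sshd line in the sample) are ignored.
denied_summary() {
    grep 'iptables denied: ' |
    awk '{ for (i = 1; i <= NF; i++) if (index($i, "SRC=") == 1) print substr($i, 5) }' |
    sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# denied_ports: stdin -> "count PROTO/DPT" lines, most frequently hit port first.
denied_ports() {
    grep 'iptables denied: ' | awk '{
        p = "?"; d = "?"
        for (i = 1; i <= NF; i++) {
            if (index($i, "PROTO=") == 1) p = substr($i, 7)
            if (index($i, "DPT=") == 1)   d = substr($i, 5)
        }
        print p "/" d
    }' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# top_denied_src: the single most frequent source in the sample (smoke test helper).
top_denied_src() {
    printf '%s\n' "$SAMPLE_LOG" | denied_summary | head -n 1 | awk '{ print $2 }'
}

printf '%s\n' "$SAMPLE_LOG" | denied_summary
printf '%s\n' "$SAMPLE_LOG" | denied_ports
```

Because the LOG rule is rate-limited to 5/min, the counts are a lower bound during a scan; they are meant for spotting patterns, not for exact accounting.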

If everything looks like what you expected, then let’s move on to setting up Fail2Ban.

Fail2Ban

Fail2Ban is a tool that monitors log files and bans IP addresses that show signs of malicious activity. Things like too many failed authentication attempts or probing for exploits will put an IP on the Fail2Ban ban list.

Install

First we need to install the package:

sudo apt install fail2ban

Configure

Now we can configure the tool by creating a jail.local file which will override defaults found in /etc/fail2ban/jail.conf. Run the following to create the empty jail.local file:

sudo nano /etc/fail2ban/jail.local

Now add the following configuration to the file, which will send an email labeled as from Fail2Ban whenever an IP address is banned. Remember to use your own email address, and if you changed the SSH port from the default 22, use that port here (we used 333 in the earlier posts).

[DEFAULT]
destemail = you@example.com
sendername = Fail2Ban
# The default action only bans; action_mw also emails a report (with whois output) on each ban
action = %(action_mw)s

[sshd]
enabled = true
port = 333
# Fail2Ban 0.10+ (Ubuntu 20.04 ships 0.11) folded the old sshd-ddos filter into sshd;
# "aggressive" combines the normal and ddos detection modes
mode = aggressive

Now save the file and restart Fail2Ban to put the new rules into effect:

sudo systemctl restart fail2ban

Email Alerts for Sudo Invocations

Anytime someone uses sudo on the server, we want an email to be sent documenting the invocation and some context around it. If you’re not using observability services like New Relic, this is an ad hoc paper trail that will provide a record should anything bad happen on the server.

In a future post we’ll provide a tutorial on setting up New Relic’s Infrastructure, Logging and Golden Signals agents on the server, which will provide a better way to log authentication and sudo invocations as well as provide some pattern tracking, alerting and telemetry. I used to call this email trick the poor person’s observability, but New Relic is free for up to 100 GB, so there’s really no excuse not to use a leading observability platform now.

However, let’s set up the poor person’s version just for grins. Create a new file for the sudo settings:

sudo nano /etc/sudoers.d/my_sudoers

Add the following to the file (remember to use your own email address, as Kaladin doesn’t like Voidbringers or spam):

Defaults    mail_always
Defaults    mailto="you@example.com"

Set the permissions for the file:

sudo chmod 0440 /etc/sudoers.d/my_sudoers

Which should give you the following output if you run ls -liah /etc/sudoers.d/my_sudoers :

1798 -r--r----- 1 root root 70 Jun 13 13:24 /etc/sudoers.d/my_sudoers

In order for this email alerting to work, you’ll need to install an MTA (mail transfer agent) server. sendmail is a good choice:

sudo apt install sendmail

Try it out. You should now get an email anytime someone invokes sudo on your server. Hint: make sure you set up filtering rules for your email client.
