After you create a new Cloud Server, we recommend that you perform the following tasks to enhance security of the server:
Note: Small modifications to the commands below may be necesssary if you're using a different distribution. If necessary, refer to your operating system documentation.
As soon as you have your server's IP address and password, log in using the following SSH command:
Note: If you're logging into a rebuilt server, you may see a message that the "remote host identification has changed". When you rebuild a Cloud Server, the remote host key changes, which makes your computer think there is something suspicious or unusual going on. To avoid this issue, simply remove the older entry for the server IP. On your local computer, edit the SSH known_hosts file and remove any entries that point to your Cloud Server IP address using the following command:
If your local computer running an operating system other than Linux or OS X, the location of the known_hosts file will differ. Refer to your OS documention to learn the location of this file.
After logging into your server, change the root password and assign the admin user Super User privileges. To change the root password, issue the following command:
Note: After this initial step, you should not log in as root user to perform daily operations on your server. However, you'll need Super User (sudo) privileges to complete these administrative tasks.
demo ALL=(ALL) ALL
Press the key combination Ctrl-X to exit.
Press y to confirm the changes.
Press the Enter key to save the file as /etc/sudoers.tmp.
Note: You may find that while working in the nano editor, the backspace/delete key works backwards, deleting characters in front of the cursor rather than behind it. This can be resolved by editing the /etc/nanorc file (with nano, for example) and either uncommenting or adding the line:
The new behavior takes effect after the file has been saved and nano has been opened again.
One effective way of securing SSH access to your Cloud Server is to use a public/private key. This means that a public key is placed on the server and the private key is on your local workstation. This makes it impossible for someone to log in using just a password - they must have the private key. This consists of 3 basic steps: create the key on your local workstation, copy the public key to the Cloud Server, and set the correct permissions for the key.
The following instructions assume you use Linux or OS X. For Windows instructions, see Key generation using Putty for Windows.
ssh-keygen -t rsa
If you do not want a passphrase then just press enter when prompted.
The id_rsa and id_rsa.pub are created in the .ssh directory. The rsa.pub file holds the public key. You'll place this file on you server.
The id_rsa file is your private key. Never show, give away, or keep this file on a public computer.
You can use the scp command to place the public key your server.
scp ~/.ssh/id_rsa.pub email@example.com:/home/demo/
mv /home/demo/id_rsa.pub /home/demo/.ssh/authorized_keys
chown -R demo:demo /home/demo/.ssh
chmod 700 /home/demo/.ssh
chmod 600 /home/demo/.ssh/authorized_keys
Congratulations! You have now successfully created the key on your local computer, copied the public key to your Cloud Server, and set the correct permissions for the key.
Keeping the SSH service on the default port of 22 makes it an easy target. We recommend changing the default SSH configuration to make it more secure.
Port 22 <--- change to a port of your choosing
Note: The port number can be any integer between 1025 and 65536 (inclusive). Be sure to note the new port number and remember to avoid port conflicts if you later configure additional listening processes.
PasswordAuthentication has been turned off as we setup the public/private key earlier. If you intend to access your server from different computers, you may want to leave PasswordAuthentication set to yes. Only use the private key if the local computer is secure (i.e. don't put the private key on a work computer).
Note that these settings are not enabled yet. First you should create a simple firewall using
iptables before restarting ssh using the new port.
NOTE: Do not restart ssh yet.
The utility called iptables is the default firewall for Linux systems. It works by refusing connections to ports or services that you specify.
As part of this procedure, you'll open three ports: ssh, http, and https.
You'll then create two files:
The first is a set of temporary test rules and the second is the permanent set of rules iptables will use.
Note that you need to root user permissions to complete procedure. If you're not currently logged in as root, use the sudo command in front of the following commands.
You'll see something similar to this:
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
This means the server is are accepting anything from anyone on any port.
Some people think that this is not dangerous if there are no services running on the server, and it doesn't matter that all ports are open. We disagree. If connections to unused (and popular) ports are blocked or dropped, then the vast majority of malicious intruders will move on to another machine where ports are accepting connections. It only takes a few minutes to set up a firewall - so we highly recommend that you do so to protect your server.
/etc/iptables.test.rulesand add some rules. If you have worked through these steps previously, this file may not be empty:
Change and add ports as necessary.
iptables-restore < /etc/iptables.test.rules
If there is no change in the output, repeat the previous steps and try again.
Check the rules and see exactly what is being accepted, rejected and dropped. When you're satisfied with the rules, save them permanently by issuing the following command:
iptables-save > /etc/iptables.up.rules
Note: If the server is rebooted before this step, the changes are lost and the server reverts to the previous settings.
Add the following lines to the new file:
/sbin/iptables-restore < /etc/iptables.up.rules
Save your changes, and then make the new script executable:
chmod +x /etc/network/if-pre-up.d/iptables
That should ensure that whenever your network interfaces are brought up (usually just at boot time), the firewall will be too.
If you are using a Red Hat distribution, iptables works a little differently. Using the commands below, you can change your iptables ruleset directly from the command line.
Use the following command to open port 80 for HTTP (web) traffic in your iptables firewall:
# sudo /sbin/iptables -I RH-Firewall-1-INPUT 1 -p tcp --dport http -j ACCEPT
Use the following command to open port 443 for Secure HTTP traffic:
# sudo /sbin/iptables -I RH-Firewall-1-INPUT 1 -p tcp --dport https -j ACCEPT
Though port 22 is open by default to allow you to SSH to your server after it is built, this command shows you how you would open port 22:
# sudo /sbin/iptables -I RH-Firewall-1-INPUT 1 -p tcp --dport ssh -j ACCEPT
FTP is a common service for file transfer, but it is largely obsolete due to the fact that it is not a secure protocol and we strongly recommend using a secure file transfer protocol like sftp. If you absolutely have to use FTP, use these commands to open the default port of 21.
# sudo /sbin/iptables -I RH-Firewall-1-INPUT 1 -p tcp --dport ftp -j ACCEPT
# sudo /sbin/iptables -I RH-Firewall-1-INPUT 1 -p tcp --dport ftp-data -j ACCEPT
If you need to make a remote connection to your MySQL database from another server, you will need to open port 3306 in iptables.
# sudo /sbin/iptables -I RH-Firewall-1-INPUT 1 -p tcp --dport mysql -j ACCEPT
Use the following command to save all the rules you’ve created. If not saved before your server is rebooted, the iptables ruleset will revert to the default ruleset blocking all traffic except on port 22!
# sudo /sbin/service iptables save
Your changes to iptables will not take effect until you save your rules, and then restart the iptables service. Remember, if you restart iptables before saving your rules, iptables will revert to the default ruleset!
# sudo /sbin/service iptables restart
Now we'll restart the ssh service. Make sure you stay logged in while you restart ssh and test it with a new connection. That way if something goes wrong you can troubleshoot it more easily.
On most distributions the service is "sshd", and you restart it with the command:
# sudo service sshd restart
On Ubuntu and some other distributions it's called "ssh", and is restarted with a similar command:
# sudo service ssh restart
If you have trouble making a new connection after restarting ssh, check the symptoms to see what may be wrong. If the connection times out, there may be a problem with the iptables config. If you get a warning about a private key, your key may not be installed on the server properly (check for extra linebreaks or characters that were missed in a copy and paste operation). If you've been rebuilding the server then you may need to remove the host key from your known hosts file before you can make a connection.
The incorrect configuration of SSH, sudo and/or iptables could cause you to be locked out of your system. If this occurs, please log into the The Rackspace Cloud Control Panel and use the Web Console or Rescue Mode to repair the configurations.
These are the basics of connecting to a Linux Cloud Server and setting up security. See Windows Cloud Server to be perform these steps on a Windows server.
© 2011-2013 Rackspace US, Inc.
Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License