• Sales: 1-800-961-2888
  • Support: 1-800-961-4454

Feedback

Let us know what you think of our Knowledge Center!

Open Cloud Community

Learn about Rackspace products, ask questions, and share your knowledge in our Open Cloud Community.

Configuring Basic Security

  • Article ID: 1501
  • Last updated on February 20, 2013
  • Authored by: Rackspace Support
  • (30 Comments)

After you create a new Cloud Server, we recommend that you perform the following tasks to enhance security of the server: 

  1. Log into Your Server
  2. Change the Root Password
  3. Add an Admin User
  4. Setup Public and Private Keys
  5. Modify the SSH Configuration
  6. Set Up a Private Firewall Using iptables in Ubuntu or Set Up a Private Firewall Using iptables in RedHat

Note: Small modifications to the commands below may be necesssary if you're using a different distribution. If necessary, refer to your operating system documentation.

Log into Your Server

As soon as you have your server's IP address and password, log in using the following SSH command:

ssh root@123.45.67.890

Note: If you're logging into a rebuilt server, you may see a message that the "remote host identification has changed". When you rebuild a Cloud Server, the remote host key changes, which makes your computer think there is something suspicious or unusual going on. To avoid this issue, simply remove the older entry for the server IP. On your local computer, edit the SSH known_hosts file and remove any entries that point to your Cloud Server IP address using the following command:

nano ~/.ssh/known_hosts

If your local computer running an operating system other than Linux or OS X, the location of the known_hosts file will differ. Refer to your OS documention to learn the location of this file.

Change the Root Password

After logging into your server, change the root password and assign the admin user Super User privileges. To change the root password, issue the following command:

passwd

Add an Admin User

  1. To add an admin user, issue the following command and replace with "demo" the user name of your choice:
adduser demo

Note: After this initial step, you should not log in as root user to perform daily operations on your server. However, you'll need Super User (sudo) privileges to complete these administrative tasks.

  1. To assign the admin user sudo privileges, issue the following command, which invokes the nano editor by default on Ubuntu:
visudo
  1. At the end of the file add your administravie user name (in place of our example "demo" user below) and the following text string:
demo   ALL=(ALL) ALL
  1.  When you are finished adding this line, exit, confirm, and save the file, using these commands:

Press the key combination Ctrl-X to exit.

Press y to confirm the changes.

Press the Enter key to save the file as /etc/sudoers.tmp.

Note: You may find that while working in the nano editor, the backspace/delete key works backwards, deleting characters in front of the cursor rather than behind it. This can be resolved by editing the /etc/nanorc file (with nano, for example) and either uncommenting or adding the line:

set rebinddelete

 The new behavior takes effect after the file has been saved and nano has been opened again.

Set Up Public and Private Keys (SSH keygen)

One effective way of securing SSH access to your Cloud Server is to use a public/private key. This means that a public key is placed on the server and the private key is on your local workstation. This makes it impossible for someone to log in using just a password - they must have the private key. This consists of 3 basic steps: create the key on your local workstation, copy the public key to the Cloud Server, and set the correct permissions for the key. 

The following instructions assume you use Linux or OS X. For Windows instructions, see Key generation using Putty for Windows.

Step 1. Create the Public and Private Keys

  • Create a folder to hold your keys on your LOCAL workstation:
mkdir ~/.ssh
  • To create the ssh keys, on your local workstation enter:
ssh-keygen -t rsa

If you do not want a passphrase then just press enter when prompted.

The id_rsa and id_rsa.pub are created in the .ssh directory. The rsa.pub file holds the public key. You'll place this file on you server.

The id_rsa file is your private key. Never show, give away, or keep this file on a public computer.

Step 2. Copy the Public Key

You can use the scp command to place the public key your server. 

  1. While still on your local computer enter this command, substituting your admin user for "demo" below:
scp ~/.ssh/id_rsa.pub demo@123.45.67.890:/home/demo/
  1. When prompted, enter the admin user password.
  2. Change the IP address to your server and the location to your admin user's home directory (remember the admin user in this example is called demo).

Step 3. Modify SSH Permissions

  1. Create a directory on the admin user's home folder on your server called .ssh and move the pub key into it, as shown in the following examples:
mkdir /home/demo/.ssh
 mv /home/demo/id_rsa.pub /home/demo/.ssh/authorized_keys
  1. Set the correct permissions on the key using the following commands, changing the "demo" user and group to your admin user and group:
chown -R demo:demo /home/demo/.ssh
 chmod 700 /home/demo/.ssh
 chmod 600 /home/demo/.ssh/authorized_keys

Congratulations! You have now successfully created the key on your local computer, copied the public key to your Cloud Server, and set the correct permissions for the key. 

Modify the SSH Configuration

Keeping the SSH service on the default port of 22 makes it an easy target. We recommend changing the default SSH configuration to make it more secure. 

  1. Issue the following command:
nano /etc/ssh/sshd_config
  1. Modify, check, and add the following values: 
Port 22                           <--- change to a port of your choosing
 Protocol 2
 PermitRootLogin no
 PasswordAuthentication no
 UseDNS no
 AllowUsers demo
  1. Change the default port of 22 to one of your choosing, turn off root logins, and define which users can log in.

Note: The port number can be any integer between 1025 and 65536 (inclusive). Be sure to note the new port number and remember to avoid port conflicts if you later configure additional listening processes.

PasswordAuthentication has been turned off as we setup the public/private key earlier. If you intend to access your server from different computers, you may want to leave PasswordAuthentication set to yes. Only use the private key if the local computer is secure (i.e. don't put the private key on a work computer).

Note that these settings are not enabled yet. First you should create a simple firewall using iptables before restarting ssh using the new port.

NOTE: Do not restart ssh yet.

Set Up a Private Firewall Using iptables in Ubuntu

The utility called iptables is the default firewall for Linux systems. It works by refusing connections to ports or services that you specify. 

As part of this procedure, you'll open three ports: sshhttp, and https. 

You'll then create two files:

  • /etc/iptables.test.rules

  • /etc/iptables.up.rules

The first is a set of temporary test rules and the second is the permanent set of rules iptables will use.

Note that you need to root user permissions to complete procedure. If you're not currently logged in as root, use the sudo command in front of the following commands.

  1. Issue the following command to see what's currently running:
iptables -L

You'll see something similar to this:

Chain INPUT (policy ACCEPT)
 target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
 target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
 target     prot opt source               destination

This means the server is are accepting anything from anyone on any port.

Some people think that this is not dangerous if there are no services running on the server, and it doesn't matter that all ports are open. We disagree. If connections to unused (and popular) ports are blocked or dropped, then the vast majority of malicious intruders will move on to another machine where ports are accepting connections. It only takes a few minutes to set up a firewall - so we highly recommend that you do so to protect your server.

  1. To build the firewall, create the file /etc/iptables.test.rules and add some rules. If you have worked through these steps previously, this file may not be empty:
nano /etc/iptables.test.rules

Change and add ports as necessary.

  1. Issue the following command to apply the rules to our server:
iptables-restore < /etc/iptables.test.rules
  1. Issue the following command to note any differences:
iptables -L

If there is no change in the output, repeat the previous steps and try again.

Check the rules and see exactly what is being accepted, rejected and dropped. When you're satisfied with the rules, save them permanently by issuing the following command:

iptables-save > /etc/iptables.up.rules

Note: If the server is rebooted before this step, the changes are lost and the server reverts to the previous settings.

  1. Add a small script that the system will run when your network interfaces are started. Create the file by running:
nano /etc/network/if-pre-up.d/iptables

Add the following lines to the new file:

#!/bin/sh
/sbin/iptables-restore < /etc/iptables.up.rules

Save your changes, and then make the new script executable:

chmod +x /etc/network/if-pre-up.d/iptables

That should ensure that whenever your network interfaces are brought up (usually just at boot time), the firewall will be too.

iptables in Red Hat

If you are using a Red Hat distribution, iptables works a little differently.  Using the commands below, you can change your iptables ruleset directly from the command line.

HTTP - Port 80

Use the following command to open port 80 for HTTP (web) traffic in your iptables firewall:

# sudo /sbin/iptables -I RH-Firewall-1-INPUT 1 -p tcp --dport http -j ACCEPT

HTTPS/SSL - Port 443

Use the following command to open port 443 for Secure HTTP traffic:

# sudo /sbin/iptables -I RH-Firewall-1-INPUT 1 -p tcp --dport https -j ACCEPT

SSH - Port 22

Though port 22 is open by default to allow you to SSH to your server after it is built, this command shows you how you would open port 22:

# sudo /sbin/iptables -I RH-Firewall-1-INPUT 1 -p tcp --dport ssh -j ACCEPT

FTP - Port 21

FTP is a common service for file transfer, but it is largely obsolete due to the fact that it is not a secure protocol and we strongly recommend using a secure file transfer protocol like sftp.  If you absolutely have to use FTP, use these commands to open the default port of 21.

# sudo /sbin/iptables -I RH-Firewall-1-INPUT 1 -p tcp --dport ftp -j ACCEPT
 # sudo /sbin/iptables -I RH-Firewall-1-INPUT 1 -p tcp --dport ftp-data -j ACCEPT

MySQL - Port 3306

If you need to make a remote connection to your MySQL database from another server, you will need to open port 3306 in iptables.

# sudo /sbin/iptables -I RH-Firewall-1-INPUT 1 -p tcp --dport mysql -j ACCEPT

Saving Your Rules

Use the following command to save all the rules you’ve created.  If not saved before your server is rebooted, the iptables ruleset will revert to the default ruleset blocking all traffic except on port 22!

# sudo /sbin/service iptables save

Restarting iptables

Your changes to iptables will not take effect until you save your rules, and then restart the iptables service.  Remember, if you restart iptables before saving your rules, iptables will revert to the default ruleset!

# sudo /sbin/service iptables restart

Restarting ssh

Now we'll restart the ssh service.  Make sure you stay logged in while you restart ssh and test it with a new connection.  That way if something goes wrong you can troubleshoot it more easily.

On most distributions the service is "sshd", and you restart it with the command:

# sudo service sshd restart

On Ubuntu and some other distributions it's called "ssh", and is restarted with a similar command:

# sudo service ssh restart

If you have trouble making a new connection after restarting ssh, check the symptoms to see what may be wrong.  If the connection times out, there may be a problem with the iptables config.  If you get a warning about a private key, your key may not be installed on the server properly (check for extra linebreaks or characters that were missed in a copy and paste operation).  If you've been rebuilding the server then you may need to remove the host key from your known hosts file before you can make a connection.

If you're locked out...

The incorrect configuration of SSH, sudo and/or iptables could cause you to be locked out of your system.  If this occurs, please log into the The Rackspace Cloud Control Panel and use the Web Console or Rescue Mode to repair the configurations.

These are the basics of connecting to a Linux Cloud Server and setting up security.  See Windows Cloud Server to be perform these steps on a Windows server.



© 2011-2013 Rackspace US, Inc.

Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License


See license specifics and DISCLAIMER

30 Comments

ufw allow 22; ufw allow 80; ufw allow 443; ufw enable

https://help.ubuntu.com/12.04/serverguide/firewall.html

'shorewall' is also easy and useful for more complicated configurations.
By Anonymous on Aug. 1, 2012

This was very useful. Thanks!
By Anonymous on Aug. 3, 2012

thanks for the article. for iptables rules, i used the below link from debian wiki, hope it will be useful for other novice beginners like me (and hopefully no hacker reads this and comes to know that i'm novice at setting up servers lol
http://www.linode.com/wiki/index.php/Configuring_IPtables_on_ubuntu_server
By Anonymous on Aug. 8, 2012

I tried the steps above on Ubuntu 12.04 and still had to use my password to log in. Additional steps are found here:
http://lani78.wordpress.com/2008/08/08/generate-a-ssh-key-and-disable-password-authentication-on-ubuntu-server/
By Chris Brown on Aug. 10, 2012

Odd. At a glance they appear to cover the same steps as this article. We'll look at it more closely to make sure there isn't something unusual that needs to be done for Ubuntu 12.04.
By jered.heeschen on Aug. 11, 2012

http://articles.slicehost.com/2008/11/28/ubuntu-intrepid-setup-page-1

Wonder who copied who?
By Jurgen on Aug. 23, 2012

Rackspace owns Slicehost, so there has been content sharing between the two knowledge bases. There's nothing nefarious there - Rackspace technically owns the content. Indeed, you'll see my name all over the Slicehost articles site still, both as an author and replying to comments. And PickledOnion, who wrote most of the Slicehost articles, is in a management position with this Knowledge center under his umbrella. ;)
By jered.heeschen on Aug. 23, 2012

This guide was great. And the ufw makes the process a bit easier - perhaps consider adding that to the main guide
By BacklineInteracive on Aug. 30, 2012

I like the idea of using the firewall as a simple whitelist, and using ufw makes this process much simpler.
By Roy Ronalds on Jun. 13, 2013

I've found the easiest way to handle firewall config on CentOS or Red Hat is to use system-config-firewall-tui. In stall it with <b>yum install system-config-firewall</b> and then just run the command system-config-firewall-tui. It's a text-driven user interface that allows you to select the ports/protocols you would like open or closed. Pretty convenient.
By Ed on Sep. 2, 2012

Thanks for this.
By Victor J on Dec. 10, 2012

We ran through this setup and people not using this computer (without the key) are still able to shell in using only the UN/PW. Might want to check what's missing from these instructions.
By Tracy on Sep. 14, 2012

If you can still log in via ssh using a password, that means either that PasswordAuthentication is set to "yes" in the sshd config or it means that you haven't restarted sshd since making the config change.
By jered.heeschen on Sep. 26, 2012

All,

I think this is a pretty disappointing service. There are a number of platforms out there that allow you to manage this from a web console. The fact is, rackspace are making this seem harder to do than it is to push people to the managed server option. Disappointing.

James
By James on Sep. 17, 2012

The Cloud Server instances we provide are barebones servers. That means the Linux servers are basic images - the bare minimum you would get on a fresh server install. You can install cPanel or similar services on your server from that point. Not everyone wants those sorts of extras on their servers so we leave it up to the customer how they use the server once it's created.

Rather than trying to make locking a server down seem harder than it is, we provide articles like this one to help make those operations easier on a barebones server. Admittedly, we need to update this article with some ufw instructions to make the Ubuntu side easier, but there isn't a hidden agenda on the KC. The support articles are not written by salespeople.
By jered.heeschen on Sep. 26, 2012

I'm not going to explicitly stick up for the service as there are definitely things that could be improved - but if you want those tools, you should be using a service that provides them. Rackspace doesn't claim to provide those - nor is it aligned with what they're offering. They give you completely fresh servers which you can customize to your wits end. Personally, I prefer the power of this over being locked down on waht you can do with the server just for some convenience.

It's totally a matter of choice and what you value. Lots of people need to rent cheap servers - with zero software installed - and customize. I fall into that bracket, so I think Rackspace is pretty damn sweet. Totally matters about what your capabilities are with managing servers.
By Jon on Nov. 8, 2012

Followed these instructions and couldn't get it to work; double checked and still won't work. When I change ssh_config entry for PasswordAuthentication to 'yes" I am able to log in. Something is obviously missing. Might try following your own instructions exactly to see what you need to add.

(On OSX 10.7.4
By Tracy on Sep. 18, 2012

If PasswordAuthentication is set to "no", that means that ssh will only allow a connection using a private key. There may have been a problem with your key, or the way the public key was pasted on the server. I know I've sometimes had a rogue carriage return or an omitted character in the paste, which can cause a problem like that. Enabling the password authentication allowed you to bypass the key issue.
By jered.heeschen on Sep. 26, 2012

I was getting a "server refused our key error" when logging in using putty. I followed these instructions which resolved it for me.

http://www.walkernews.net/2009/03/22/how-to-fix-server-refused-our-key-error-that-caused-by-putty-generated-rsa-public-key/
By James on Jan. 19, 2013

Hello,

I fully agree with your position of keeping the ports that you don't use closed with the firewall. Keep in mind that this should also apply to IPv6. The document can be updated easily with the ip6tables commands (which are analogous to the IPv4 ones).

Best regards,

Jorge
By Jorge on Dec. 11, 2012

Good point, Jorge. Thanks for letting us know. We'll plan on getting this updated for IPv6.
By jered.heeschen on Dec. 11, 2012

Hello!

I did this tutorial, but when i try to have acces to my server via terminal is not posibble, neither using the port i described as 1110

Macintosh-8:~ felipevelasquez$ ssh root@198.101.244.234 -p 1110
ssh: connect to host 198.101.244.234 port 1110: Operation timed out

As you see im using terminal in a mac with leopard,

Any option?
By felipe on Feb. 16, 2013

Your iptables rules might not have been set up to allow connections to the new port. Connect to the server via the web console (accessible in the Cloud Control Panel) and then run "iptables -L". Check to see if port 1110 has an "allow" rule in place, and if not, check the article for instructions on adding one.

It's also worth noting that if you follow the article or use its sample config, root logins are disallowed via SSH. You might need to either create a new user that you can use for ssh purposes (recommended) or change the sshd config to allow root logins.
By jered.heeschen on Feb. 17, 2013

Do these instructions apply to a Cloud server that uses RackConnect? Or is a different process involved with configuring the system firewall?
By Bob Virkus on Mar. 21, 2013

You'll want to make a couple modifications to the above for RackConnect. Full details are in their Best Practices article here:

http://www.rackspace.com/knowledge_center/article/rackconnect-best-practices

For RackConnect you'll want to leave ssh on port 22, not disable password authentication, add the "rackconnect" user to the permitted list of ssh users, and delay blocking root login via ssh until after the RackConnect setup process is complete.
By jered.heeschen on Mar. 21, 2013

It appears that Debian 7 is coming out of the stock image without the sudo package ... so you would need to do an "aptitude install sudo" before doing the "visudo" above.
By Tobin on May. 24, 2013

Thanks Tobin. We'll see if that image will be updated to include sudo - if not, then we'll add the package installation instructions to this article.
By jered.heeschen on May. 24, 2013

When I created the server, a tech told me that I should immediately disallow root login by ssh. I didn't know how and found this helpful article. When I opened /etc/ssh/sshd_config, I read the following comment at the top of the file:

"When connecting to your server, Rackspace will login as the user 'rack' using PasswordAuthentication on port 22. To ensure that we have access to your server in times of need, we request that you do not change these configurations. In addition, rebuilding or building a new server from a snapshot will require that root logins are enabled via 'PermitRootLogin yes'. If you insist on changing these values, please speak with an administrator at Rackspace to do so in a way that does not impact our ability to provide you with Fanatical Support."

This article and the tech both advise me to do what this comment advises not doing. I just purchased a managed server and was hoping to avoid these confusing admin issues. I guess I ignore the tech and this article?
By Joe Lapp on May. 30, 2013

I'll check into the "rack" user and the instructions in that config file, but you shouldn't need to allow root logins to have the server rebuilt. I'd recommend turning that off at least, leaving the PasswordAuthentication on until I confirm that config, and adding the "rack" user to the "AllowUsers" line.
By jered.heeschen on May. 30, 2013

I'm told the part about root ssh being required to rebuild from a saved image is also true. Sorry about that.

Since the administrative activity would come from specific addresses, it's possible to limit password-based authentication with these lines in the ssdh_config file:

# disable password authentication globally
PasswordAuthentication no

# re-enable password authentication for particular IP addresses
Match Address 72.3.128.84,69.20.0.1,50.57.22.125,120.136.34.22,212.100.225.49,212.100.225.42,67.192.155.96/27,120.136.33.192/27,69.20.80.0/28,72.4.123.216,89.234.21.64/28,173.203.5.160/27,173.203.32.136/29,64.49.200.192/27,166.78.7.146,50.56.249.239,166.78.107.18,162.209.4.155,95.138.174.55,162.13.1.53,119.9.12.91,119.9.12.98
PasswordAuthentication yes
By jered.heeschen on May. 30, 2013

Add new comment