In the last two tutorials, we’ve setup what this series is about and we’ve started the process by creating a new server, and have started to secure it some.
This tutorial we are going to take a look at adding a few more pieces to secure it and then we’ll start installing the LAMP stack.
**Note: This is a command-line heavy tutorial. You will be setting up a firewall to protect your server. Make sure you hit the last step to ensure you can still login once your IP Tables are set. If you can’t, you’ll need to go back to step one and drop the IP Tables and start again so that you don’t lock your self out of your server.
A little more Security please!
Alright, so the last tutorial we ended with creating a new user, giving the root privileges and changing the SSH port. We tested it to make sure our new user account could login, and ended there. I gave you some homework about looking into a couple other applications. Those aside we are going to spend a little bit of time building ourselves a firewall to help protect our server a little more.
A Basic Firewall
A new server does not have a firewall, so it’s essentially open for anyone to try and attack it, go through the various ports on a server with the various protocols.
We need to setup a firewall so that we can protect our server from intruders, so we’ll figure out what ports we actually need to have open to the world.
One of the reasons for using Ubuntu is that it comes with Iptables which is the distrubtion’s default firewall. Although it is configured to a degree, it is setup to allow all incoming and outgoing traffic on a VPS. So we need stronger protection here. We’ll just add some basic rules to the IP Table to help secure it.
IP Table rules come from a series of options that can be combined to create each specific process. Each packet that crosses the firewall is checked by each rule in order. As soon as it matches a rule, the packet follows the associated action, otherwise it proceeds down the line.
This tutorial is only going to cover a limited amount of command that would provide your server with some basic security. There are a variety of nuanced and specific cases that can be developed for the IP Table.
Creating the IP Table:
Alright so let’s SSH into our server and see the current rules of our server’s IP Table:
sudo iptables -L
I like to start fresh so that I know what I’m putting into my IP Tables, we can run the following command to flush and delete all of the current rules:
sudo iptables -F
Alright, so now that we’ve done this, we are letting all connections, both incoming and outgoing to our server. This means that our server is totally unsecure! As we build up our table, we need to keep in minde that as soon as a pack is ACCEPTED, REJECTED, or DROPPED, no further rules are processed. Therefore the rules that come first take priority over later ones.
When creating rules, we need to be sure to prevent ourselves from accidentally blocking SSH (our method of connecting to the server).
To start off, let’s be sure to allow all current connections, all of the connections at the time of making the rule, will stay online:
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
I want to break this down for you a second.
1. -A tells the IP table to append a rule to the table.
2. INPUT designates this rule as part of the Input chain.
3. m conntrack followed by the –cstate ESTABLISHED,RELATED guarantees that the result of this rule will only apply to current connections and those related to them are allowed.
4. -j ACCEPT tells the packet to JUMP to accept and the connections are still in place
After we are assured that all the current connections to the VPS can stay up uninterrupted, we can proceed to start blocking off other insecure connections.
So we know that this server needs to have a few ports open, specifically the SSH port we changed, and port 80 since we are going to run web traffic (web pages and WordPress) on this server. If you remember we changed our SSH port in the previous tutorial, so we need to reference that port number so we make sure we’re letting our SSH traffic through still. We will then proceed by allowing all the traffic on the designated ports with the following commands:
sudo iptables -A INPUT -p tcp --dport 23049 -j ACCEPT sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
In these commands I’ve introduced a few new options. The -p option stands for protocol in which the connection is being made, so in this case it is tcp, while the –dport specifies the port through which the packet is going to be transmitted.
Since we are setting up the IP Tables now, it’s a good time to think about what other protocols we might want to add to our firewall. Some other protocols I like to add are SFTP and FTP, also HTTPS. These port numbers are 23049 (which is the same as our SSH port), 22 (FTP), and 443 (HTTPS). Feel free to add these yourself if you’d like to add them.
Our final rule is to block all remaining traffic. We can do this by the following:
sudo iptables -A INPUT -j DROP
We are almost finished. However, we need to make sure we add one more rule. We need to make sure that we add a loopback access. If we were to simply leave it as is, it would go to the end of the list and since it would follow the rule to block all traffic, it would never be put into effect.
In order to prevent that from happening, we can make this the first rule in the list by using the INPUT option:
sudo iptables -I INPUT 1 -i lo -j ACCEPT
I”ll go ahead and break it down a little here for you.
1. -I INPUT 1 places this rule at the beginning of the table.
2. lo refers to the loopback interface (lo = loopback)
3. -j ACCEPT then guarantees that the loopback traffic will be accepted
Now that we have finished creating our basic firewall, we can take a look and see the details of the iptable by typing:
sudo iptables -L -v
We’re almost finished, however as soon as your server reboots, it will automatically wipe the IP tables. So we’ll do one more step to save and restore the IP tables.
Saving Your IP Tables
So even though the IP Tables are effective right now remember they will delete when your server reboots. So we are going to install a package called IP-Tables persistent.
Using apt-get we can install by:
sudo apt-get install iptables-persistent
During your installation, you will be asked if you want to save the iptable rules for both IPv4 rules and IPv6 rules. Just go ahead and say yes to both.
Your rules will be saved in:
Once your installation is complete, start iptables-persistent running:
sudo service iptables-persistent start
Now after any server reboot your rules will remain in place.
Last Important Step
This is the most important step in all of this. To make sure you can get back in!! Open another terminal window and try to ssh into your server. Yu will remember you can get in with something like this:
ssh -p 23049 firstname.lastname@example.org
If you can’t get in, you need to repeat back up to step one so that you can drop the IP tables.
This completes our tutorial on setting up a basic firewall. I know these steps can be a little daunting, but part of this series is to create your site for you from the ground up. We’ll be covering more WordPress/Headway specific things very shortly. Until next time, enjoy your new firewall!