Setup Linode Server

Log in as the root user and add a new user. Give it a secure password, fill in the user's details, then enter “y” if the information is correct or enter “n”.
 # adduser username

Add the user to the sudo group

 # usermod -aG sudo username

Disallow root login over SSH

When you log in as your own user account, programs you run are restricted from writing to the rest of the system – they can only write to your home folder. You can’t modify system files without gaining root permissions. This helps keep your computer secure. For example, if the Firefox browser had a security hole and you were running it as root, a malicious web page would be able to write to all files on your system, read files in other user accounts’ home folders, and replace system commands with compromised ones. In contrast, if you’re logged in as a limited user account, the malicious web page wouldn’t be able to do any of those things; it would only be able to inflict damage in your home folder. While this could still cause problems, it’s much better than having your entire system compromised.
This also helps protect you against malicious or just plain buggy applications. For example, if you run an application that decides to delete all files it has access to (perhaps it contains a nasty bug), the application will wipe your home folder. This is bad, but if you have backups (which you should!), it’s fairly easy to restore the files in your home folder. However, if the application had root access, it could delete every single file on your hard drive, necessitating a full reinstall.

 
vi /etc/ssh/sshd_config 
 
# Authentication:
PermitRootLogin no

#Change to no to disable tunnelled clear text passwords
PasswordAuthentication yes

Restart SSH and log in as the new user

 service ssh restart

Configure a Firewall

Review your current iptables rules, then create a temporary file for the new IPv4 ruleset:

sudo vi /tmp/v4
*filter

# Allow all loopback (lo0) traffic and reject traffic
# to localhost that does not originate from lo0.
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s 127.0.0.0/8 -j REJECT

# Allow ping.
-A INPUT -p icmp -m state --state NEW --icmp-type 8 -j ACCEPT

# Allow SSH connections.
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

# Allow HTTP and HTTPS connections from anywhere
# (the normal ports for web servers).
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT

# Allow inbound traffic from established connections.
# This includes ICMP error returns.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Log what was incoming but denied (optional but useful).
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables_INPUT_denied: " --log-level 7

# Reject all other inbound.
-A INPUT -j REJECT

# Log any traffic that was sent to you
# for forwarding (optional but useful).
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "iptables_FORWARD_denied: " --log-level 7

# Reject all traffic forwarding.
-A FORWARD -j REJECT

COMMIT

Import the ruleset into immediate use:

 sudo iptables-restore < /tmp/v4
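
Rules are matched top to bottom, so a ruleset loaded over SSH must accept SSH above the catch-all REJECT or the session is lost. The pre-flight check below is an added example, not part of the original guide; the function name check_ruleset and the sample ruleset fed to it are constructed for illustration, and it assumes a filter-table-only file like /tmp/v4 above.

```sh
#!/bin/sh
# Added example: pre-flight check for an iptables-restore file (filter table only).
# The SSH ACCEPT must sit above the first unconditional REJECT/DROP on INPUT,
# otherwise loading the file cuts off remote access.

# check_ruleset FILE [SSH_PORT]: prints findings, returns 0 only if safe to load.
check_ruleset() {
    awk -v port="${2:-22}" '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        $1 == "COMMIT" { commit = 1 }
        $1 == "-A" && $2 == "INPUT" {
            n++
            # A target with no match criteria ("-A INPUT -j REJECT") ends the chain.
            if (!deny && $3 == "-j" && ($4 == "REJECT" || $4 == "DROP")) deny = n
            if (!ssh && / -p tcp / && / -j ACCEPT/ && $0 ~ (" --dport " port "( |$)")) {
                ssh = n
                newonly = ($0 ~ / --state NEW( |$)/)   # admits only the first packet
            }
            if (!est && /ESTABLISHED/ && / -j ACCEPT/) est = n
        }
        END {
            if (!commit) { print "FAIL: no COMMIT line"; bad = 1 }
            if (!ssh) { print "FAIL: no ACCEPT for tcp port " port; bad = 1 }
            else if (deny && ssh > deny) {
                print "FAIL: SSH rule " ssh " is below catch-all rule " deny; bad = 1
            }
            # With a NEW-only SSH rule, later packets need the ESTABLISHED rule.
            if (newonly && (!est || (deny && est > deny))) {
                print "FAIL: ESTABLISHED traffic is not accepted before the catch-all"; bad = 1
            }
            if (!deny) print "WARN: INPUT has no catch-all REJECT/DROP"
            if (!bad) print "OK: SSH rule " ssh " is accepted ahead of any catch-all"
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample: the catch-all REJECT was placed above the SSH rule.
check_ruleset - <<'EOF' || echo "do not load this file"
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
```

Run it as check_ruleset /tmp/v4 before the import. For syntax errors, sudo iptables-restore --test < /tmp/v4 parses the file without committing it.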

On Ubuntu, iptables-persistent automates loading the iptables rules on boot

 sudo apt-get install iptables-persistent

If you want to save the current IPv4 rules, answer yes to each prompt, then remove the temporary rules file

sudo rm /tmp/v4

Recheck your firewall rules with the v option for verbose output

 sudo iptables -vL 

Restart Apache

 sudo /etc/init.d/apache2 restart
