Hey folks! Olly Connelly here at guvnr.com, if you want to drop me an email. Today we are on to part six of our 20-part series on setting up an unmanaged VPS, the Newbies' VPS Bible, and we are going to harden the secure shell, or SSH, and create a firewall. You really should go to the blog at this stage because there is quite a lot in that series, and for this particular part there's a lot of data entry, including this here. You can basically copy and paste and it will make life a lot easier for you.
So we're going to make a few alterations to the SSH configuration file. To do that, what you need to do is paste in the command from my site, guvnr.com. That opens the file up in nano, and in we are. So in here you can see there's a whole bunch of different bits that you can change, and we are indeed going to change some of these configuration settings. I will take you through this.
First of all, the port. You may remember that when you open up a new instance of PuTTY you've got your port number out here. Well, we're going to change that, because 22 is the default and it's just another way to help the hackers find you and all the rest of it. So change it to pretty much what you like; that's the first thing. Then you want to scroll down to something called PermitRootLogin and change that. At the moment it says yes; you want to change it to no. That makes root login impossible, so you can no longer log in as root, which is basically just another little security thing.
PasswordAuthentication says yes; change that to PasswordAuthentication no, which means that nobody can log into your Linux VPS box with a password any longer. You have to use your secure tunnel connection with the authentication keys that we set up in the last part. If you think you might want to access your Linode from a different computer, then you will need your password to get in, and you should leave that as it was.
The next thing to change is X11Forwarding. At the moment it says yes; we're just going to change that to no. That's a protocol which enables a GUI option. And then at the very bottom it says "UsePAM yes". Well, we're going to change that to no. That's a password authentication agent that we are not going to be using, so that's fine. Now, there are two other lines that we're going to add to this file. The first one is "UseDNS no", which prevents reverse host lookup problems, and we're also going to allow the user that we created a couple of tutorials ago. So AllowUsers, and in my case it's guvnr; you put in whatever your username is there. If you're going to have more users, obviously you want to add extra names: you can just put a space in and then put another username, or whatever.
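As an added example that is not part of the video or guvnr.com, here is a small shell script that reads an sshd_config back and checks every setting this part changes; it assumes port 54321 and the user guvnr, as in the video. It also catches something the walkthrough does not mention: sshd honours only the first uncommented occurrence of a keyword, so an edit placed below an earlier line is silently ignored.

```shell
#!/bin/sh
# Audit an sshd_config against the hardening settings from this part of the
# series. Added example, not from the original tutorial. Assumptions: port
# 54321 and the user guvnr, as in the video; adjust EXPECTED to taste.
EXPECTED="Port=54321 PermitRootLogin=no PasswordAuthentication=no
X11Forwarding=no UsePAM=no UseDNS=no AllowUsers=guvnr"

# Effective value of keyword $2 in file $1. sshd uses the FIRST non-comment
# occurrence, so a stray "PermitRootLogin yes" above your edit would win.
# Keywords are case-insensitive; everything after the keyword is returned.
sshd_value() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '$1 !~ /^#/ && tolower($1) == key {
        $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# One line per expected setting; returns 1 if anything is off.
audit_sshd_config() {
    rc=0
    for pair in $EXPECTED; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_value "$1" "$key")
        if [ -z "$got" ]; then
            echo "$key: MISSING (sshd default applies)"; rc=1
        elif [ "$got" != "$want" ]; then
            echo "$key: WRONG ($got, expected $want)"; rc=1
        else
            echo "$key: OK"
        fi
    done
    return $rc
}

# Constructed sample config: the video's edits, except UsePAM was left at
# yes and the UseDNS line was never added, so the audit should fail.
demo() {
    tmp=$(mktemp)
    printf '%s\n' 'Port 54321' '#PermitRootLogin yes' 'PermitRootLogin no' \
        'PasswordAuthentication no' 'X11Forwarding no' 'UsePAM yes' \
        'AllowUsers guvnr' > "$tmp"
    audit_sshd_config "$tmp"; rc=$?
    rm -f "$tmp"
    return $rc
}

# Run the demo; for real use call audit_sshd_config /etc/ssh/sshd_config.
demo || echo "sshd_config needs attention"
```

Run it before reloading sshd and keep your current session open until a fresh PuTTY connection on the new port succeeds.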
So we will reload our SSH in a minute, but first of all we're just going to close it. Just go Ctrl+X, then hit 'Y' for yes, and then it writes to the same file, and that's fine. But before we actually reload it to set those settings in motion, we are going to set up a firewall using what we call iptables, and that's basically sort of a firewall and routing service; basically it's a bunch of rules. To be able to do this kind of stuff you need to be what is called a superuser, which basically gives you sweeping permissions. It basically means that you're effectively root. So when you do that, you have to put in your root password. The first thing we want to do is save the pre-existing rule set. And if that happens to you, it's probably because we haven't yet installed iptables.
So what you need to do is type in aptitude install iptables. Maybe it will work for you anyway, but probably, if you're using Linode and doing exactly what I've been doing with this tutorial series, it won't work for you. So you need to type in aptitude install iptables; again, that's on my site. Then it will read back "Building dependency tree" and it will install. Okay, that's done.
So now we can do the thing we were trying to do before. Our iptables are saved; basically, it's going to save the pre-existing rule set for iptables, and we then need to create a new file using our nano text editor inside the folder. And there it is, and we need to paste quite a lot of stuff in there. What I would suggest you do is go to my site; it's all down here, if you just click on that icon there it brings it all up. Just copy the lot and then go back and paste it. By the way, to paste in nano, right-click your mouse and it will paste; if you try Ctrl+V it won't work. Then you go Ctrl+X to exit, click Y for yes, and then that's all saved, just to show you that it is.
One other thing, actually: there is a change that you need to make in this file, and that is the port. You can see, as in the PuTTY configuration, we've got this port; now, we changed that in our SSH config, didn't we? I changed mine, if you remember, to 54321. So I need to substitute that here: look for the line and just change that port from the default to whatever port number you chose, then save that again, and there we go. And to actually execute your rule set, there's a bunch of stuff that you need to paste, which again you'll find on my site, and there we go. So that's all very well, but we need to make sure that these new rules are remembered every time we reboot.
Open up another file using nano again, the interfaces file, and in here, after the line "iface lo inet loopback", you need to add this line here, then just save that file and we're ready to test. Now, what we need to do first of all is reload our SSH configuration, so we need to paste in this line here and then hit return. Then you need to open up PuTTY, click on the saved session profile that we created last time around, click Load, change that port number to whatever new port number we've got, and click Save. Double-click on whatever the session name is and it should come up. You've got a warning; don't worry about that, just go 'Yes', that's fine, and we're in. It's as simple as that.
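As an added example, not the rule set from guvnr.com, here is a shell script with a basic stateful iptables rule set of the kind the video describes, with the SSH port as a checked parameter so the port mix-up mentioned above cannot lock you out. It assumes port 54321, an HTTP/HTTPS web server, and /etc/iptables.rules as the saved-rules path; of those, only the port comes from the video.

```shell
#!/bin/sh
# A basic stateful iptables rule set in the spirit of the one described
# above. Added example: this is not the rule set from the tutorial's site.
# Assumptions: sshd was moved to port 54321 and the box serves HTTP/HTTPS.
# Set IPT=echo to preview the commands instead of applying them.

IPT="${IPT:-iptables}"

apply_firewall() {
    ssh_port="$1"
    # Refuse anything that is not a plain port number: applying a rule
    # set with the wrong SSH port is how you lock yourself out.
    case "$ssh_port" in
        ''|*[!0-9]*) echo "usage: apply_firewall <ssh-port>" >&2; return 2 ;;
    esac
    # Flush everything, then default to dropping inbound and forwarded
    # traffic while letting the box talk out freely.
    $IPT -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # Loopback and replies to conversations we started are always fine.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP
    # SSH on the custom port only; port 22 stays closed.
    $IPT -A INPUT -p tcp --dport "$ssh_port" -m state --state NEW -j ACCEPT
    # Web traffic.
    $IPT -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
    # Answer ping; everything else inbound is logged (rate-limited) and
    # then hits the DROP policy, so /var/log shows who is knocking.
    $IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables drop: "
}

# Persistence, as in the video: dump the live rules to a file and have
# the interfaces file restore them before the network comes up. The path
# /etc/iptables.rules is a common choice, not something the tutorial names.
#   iptables-save > /etc/iptables.rules
#   (in /etc/network/interfaces, under "iface lo inet loopback")
#   pre-up iptables-restore < /etc/iptables.rules

# Standalone: SSH_PORT=54321 sudo sh firewall.sh   (IPT=echo to preview)
if [ -n "${SSH_PORT:-}" ]; then apply_firewall "$SSH_PORT"; fi
```

Preview with IPT=echo first, then apply, reload sshd and test a fresh PuTTY connection on the new port before closing the session you applied it from.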
So now we've secured our Linux box with the tweaking of a few particulars, and we've added a pretty basic but pretty strong firewall. I hope that has been useful. If it has, do me a favor: if you're on the video site or whatever, drop me a comment or subscribe to my feed. Or you can run a search for VPS, which will take you to a whole bunch of posts relating to this series, or you can just find the index and click through whichever parts are relevant to you. If you really want to, you can grab a feed via email or RSS. All the best!
Transcription by:
Scribe4you Transcription Services