Amazon Server Security

The following is a quick informal document outlining the steps that I took to secure an Amazon server running the Ubuntu 9.04 operating system. I have already written blog posts about securing Linux machines, however there are a few gotchas when doing this in a cloud environment.

Creating a user other than root

The machine that I deployed shipped with a root account to log in with. The first thing I did was create a new user with fewer privileges. By default the root user is allowed to log in directly via ssh, which is not ideal.

useradd -s /bin/bash -d /home/newuser -m newuser

I then created a password for the new user

passwd newuser

Now, before we go and disable direct root access via ssh and lock ourselves out of our server forever, let's have a think about what we just did. We have created a new user with a new home directory, which has its own .ssh directory. With cloud computing you must have a key pair (public and private key) in order to log in. The problem is that the one I created in the Amazon web interface is sitting in the /root/.ssh directory of the virtual machine.

Creating a key pair for the new user

We need to create a key pair for the new user: the private key stays secure on the local machine and the public key gets copied to the virtual machine by us.

Change to the /home/user/.ssh directory on your local machine, type the following line and follow the prompts

ssh-keygen -v -t rsa

Copy the public key that you have just created to the virtual machine using the original root user's account

scp -v -i /path/to/original/amazon.pem /path/to/public/key/just/created/id_rsa.pub  root@yourserver.com:/home

Create a new file called authorized_keys in your /home/newuser/.ssh directory on the Amazon virtual machine if it does not already exist.

On the Amazon machine, append the contents of the file you have just copied over (it landed in /home) to the new user's authorized_keys file, and make sure the .ssh directory ends up owned by the new user rather than root

cat /home/id_rsa.pub >> /home/newuser/.ssh/authorized_keys
chown -R newuser:newuser /home/newuser/.ssh

Make sure that the RSAAuthentication and PubkeyAuthentication lines in the /etc/ssh/sshd_config file on the Amazon machine are both set to yes

Reload ssh

/etc/init.d/ssh reload

You should now be able to log in as the newly created user using its own key.

ssh -v -i ~/.ssh/id_rsa -l newuser yourserver.com

TCP Wrappers

Check that the system is using TCP wrappers by typing

ldd /usr/sbin/sshd | grep libwrap

If the output is

libwrap.so.0 => /usr/lib/libwrap.so.0

then TCP wrappers are in use and the following settings are needed. Open the /etc/hosts.allow file and add entries for the specific IP ranges and services that are required, for example

sshd: 123.45.67. : allow

Note: the trailing dot after the third octet matches the entire 123.45.67 range (from 123.45.67.0 to 123.45.67.254)

Now open the /etc/hosts.deny and add the following

ALL : ALL : deny

Root password

It is very important to set a strong root password

sudo passwd

I also disable direct root login (but make sure that you have access via another user first or you will never get back in)

Open the /etc/ssh/sshd_config file and change PermitRootLogin yes to PermitRootLogin no

Now restart sshd

/etc/init.d/ssh restart
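Before that restart, it is worth checking that the config really says what you think and that the new user's key is actually in place, since a typo here locks you out. The following is an added example of such a pre-flight check (my script, not part of the original post); it assumes GNU stat on Linux, and takes paths as arguments so it can be run against /etc/ssh/sshd_config and /home/newuser directly or against a scratch copy.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks to run before
# setting PermitRootLogin no and restarting sshd, so a mistake cannot lock
# you out. Assumes GNU stat (Linux).

# Usage: check_sshd_config /etc/ssh/sshd_config
# Passes (exit 0) only when the effective directives are PermitRootLogin no
# and PubkeyAuthentication yes. sshd honours the FIRST occurrence of a
# keyword and ignores comments, so mimic that. PubkeyAuthentication
# defaults to yes when absent; PermitRootLogin defaults to yes (insecure).
check_sshd_config() {
    cfg="$1"
    root_login=$(sed 's/#.*//' "$cfg" | awk 'tolower($1)=="permitrootlogin" {print tolower($2); exit}')
    pubkey=$(sed 's/#.*//' "$cfg" | awk 'tolower($1)=="pubkeyauthentication" {print tolower($2); exit}')
    [ "${pubkey:-yes}" = "yes" ] && [ "$root_login" = "no" ]
}

# Usage: check_authorized_keys /home/newuser
# Passes when .ssh/authorized_keys exists, is non-empty, and neither the
# file nor the .ssh directory is group/world writable (sshd's StrictModes
# rejects such files and the key login silently falls back to password).
check_authorized_keys() {
    sshdir="$1/.ssh"
    keyfile="$sshdir/authorized_keys"
    [ -s "$keyfile" ] || return 1
    for f in "$sshdir" "$keyfile"; do
        mode=$(stat -c '%a' "$f") || return 1
        # prefix 0 so the mode string is parsed as octal; 022 = group+other write bits
        [ $(( 0$mode & 022 )) -eq 0 ] || return 1
    done
}

# Constructed sample data for demonstration: a scratch home directory and two
# sshd_config variants (the scratch dir is left behind for inspection).
demo_root=$(mktemp -d)
mkdir -p "$demo_root/home/newuser/.ssh"
echo "ssh-rsa AAAA-CONSTRUCTED-PLACEHOLDER newuser@laptop" > "$demo_root/home/newuser/.ssh/authorized_keys"
chmod 700 "$demo_root/home/newuser/.ssh"
chmod 600 "$demo_root/home/newuser/.ssh/authorized_keys"
printf '%s\n' '# PubkeyAuthentication no' 'PermitRootLogin no' > "$demo_root/good_sshd_config"
printf '%s\n' 'PermitRootLogin yes' 'PubkeyAuthentication yes' > "$demo_root/bad_sshd_config"

if check_sshd_config "$demo_root/good_sshd_config" && check_authorized_keys "$demo_root/home/newuser"; then
    echo "checks passed: safe to restart sshd"
else
    echo "checks FAILED: do not restart sshd yet"
fi
```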

System Firewall using Iptables

See this link IPtables on Ubuntu
