The following is a quick informal document outlining the steps that I took to secure an Amazon server running the Ubuntu 9.04 operating system. I have already written blog posts about securing Linux machines, however there are a few gotchas when doing this in a cloud environment.
The machine that I deployed shipped with a root account to log in with. The first thing I did was create a new user with fewer privileges, because by default the root user is allowed to log in directly via ssh, which is not ideal.
useradd -s /bin/bash -d /home/newuser -m newuser
I then set a password for the new user.
Now, before we go and disable direct root access via ssh and lock ourselves out of our server forever, let's think about what we just did. We have created a new user with a new home directory, which has its own .ssh directory. With cloud computing you must have a key pair (public and private key) in order to log in. The problem is that the one I created in the Amazon web interface is sitting in the /root/.ssh directory of the virtual machine.
We need to create a key pair for the new user: the private key stays secure on the local machine and we copy the public key to the virtual machine ourselves.
Change to the /home/user/.ssh directory on your local machine, type the following line and follow the prompts
ssh-keygen -v -t rsa
Copy the public key that you have just created to the virtual machine using the original root user's account.
scp -v -i /path/to/original/amazon.pem /path/to/public/key/just/created/id_rsa.pub root@yourserver.com:/home
Create a new file called authorized_keys in your /home/newuser/.ssh directory on the Amazon virtual machine if it does not already exist.
On the Amazon machine, append the contents of the file you have just copied over to the authorized_keys file.
cat /home/id_rsa.pub >> /home/newuser/.ssh/authorized_keys
Make sure that the RSAAuthentication and PubkeyAuthentication lines in the /etc/ssh/sshd_config file on the Amazon machine are both set to “yes”
You should now be able to log in as the newly created user using its own key.
ssh -v -i ~/.ssh/id_rsa -l newuser yourserver.com
Check that the system is using TCP wrappers by typing
ldd /usr/sbin/sshd | grep libwrap
If the output is
libwrap.so.0 => /usr/lib/libwrap.so.0
then sshd is linked against TCP wrappers and the following settings apply. Open the /etc/hosts.allow file and add entries for the specific IP ranges and services that are needed, for example
sshd: 123.45.67. : allow
Note: the trailing dot after the third set of numbers matches the whole 123.45.67 range (from 67.0 to 67.254)
Now open the /etc/hosts.deny and add the following
ALL : ALL : deny
It is very important to set a strong root password.
I also disable direct root login (but make sure that you have access via another user first, or you will never get back in).
Open the /etc/ssh/sshd_config file and change “PermitRootLogin yes” to “PermitRootLogin no”
Now restart sshd
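Before you restart sshd it is worth checking the settings from the steps above. The script below is an added audit helper, not part of the original post; every check takes a file path, so it runs offline against the constructed samples at the bottom, and on a real host you would pass /etc/ssh/sshd_config and /etc/hosts.deny instead.

```shell
#!/bin/sh
# Added audit helper for the sshd_config / hosts.deny settings in the post.

# Print the effective value of an sshd_config keyword. sshd honours only the
# FIRST uncommented occurrence of a keyword, so a later duplicate is ignored.
sshd_setting() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# PermitRootLogin must be explicitly "no"; the shipped default is "yes".
check_root_login() {
    [ "$(sshd_setting "$1" PermitRootLogin)" = "no" ]
}

# Key-based auth must still work before root login goes away, or the new user
# is locked out. sshd defaults both switches to yes, so an absent line passes.
check_pubkey_auth() {
    for k in PubkeyAuthentication RSAAuthentication; do
        v=$(sshd_setting "$1" "$k")
        [ -z "$v" ] || [ "$v" = "yes" ] || return 1
    done
}

# hosts.deny needs an uncommented catch-all rule; tcpd matches the ALL
# wildcard case-insensitively, so "All : All : deny" counts as well.
check_hosts_deny() {
    grep -Eiq '^[[:space:]]*all[[:space:]]*:[[:space:]]*all' "$1"
}

# Run every check against SSHD_CONFIG and HOSTS_DENY; the exit status is the
# number of failed checks, so 0 means the host matches the post's settings.
audit() {
    fails=0
    check_root_login "$1"  && echo "PASS PermitRootLogin" || { echo "FAIL PermitRootLogin"; fails=$((fails + 1)); }
    check_pubkey_auth "$1" && echo "PASS key auth"        || { echo "FAIL key auth";        fails=$((fails + 1)); }
    check_hosts_deny "$2"  && echo "PASS hosts.deny"      || { echo "FAIL hosts.deny";      fails=$((fails + 1)); }
    return "$fails"
}

# Constructed samples: the config roughly as it shipped, and the hardened one.
shipped_sshd_config()  { printf '%s\n' 'Port 22' 'PermitRootLogin yes' '#PubkeyAuthentication yes'; }
hardened_sshd_config() { printf '%s\n' 'Port 22' 'PermitRootLogin no' 'RSAAuthentication yes' 'PubkeyAuthentication yes'; }

# Demo: the shipped sample with an empty hosts.deny fails 2 checks, the hardened one passes.
d=$(mktemp -d)
shipped_sshd_config > "$d/sshd_config"; : > "$d/hosts.deny"
audit "$d/sshd_config" "$d/hosts.deny" || echo "shipped: $? check(s) failed"
hardened_sshd_config > "$d/sshd_config"; printf 'ALL : ALL : deny\n' > "$d/hosts.deny"
audit "$d/sshd_config" "$d/hosts.deny" && echo "hardened: all checks passed"
rm -rf "$d"
```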
See this link IPtables on Ubuntu