Hackers are bad people. They are constantly scanning our servers for vulnerabilities. We need a solid security setup in order to stay safe from these evil people. This post will show you a few things you can do to secure your Virtualmin & Ubuntu 16.04 VPS.
Importance of Proper Security
There are many tutorials out there showing you how to configure a VPS to host websites. The problem with these tutorials is that they barely cover 10% of the process. Sure, you can get your website up and running within a few hours, or even within a few minutes if you're familiar with the Linux CLI. But configuring an unmanaged VPS involves much more work than what is covered in these tutorials. The most important thing they overlook is security. To get an idea of how serious an issue this is, take a look at the screenshot on the right. The image shows failed login attempts during a period of 2 weeks on one of my Managed VPS servers. This is a brute-force attack which never stops. It is done by hackers using bots, and they never stop trying to guess your root password. If left unanswered, it's only a matter of time before someone breaks into your VPS. That's why it's important to have proper security to counter these threats.
Some of the steps to secure Virtualmin & Ubuntu 16.04 described in this post can be performed right after booting your VPS for the first time. But since I want to cover all the steps involved in this post, you should complete the following steps before continuing.
Configure Fail2Ban to Secure Virtualmin & Ubuntu 16.04
Fail2Ban is intrusion prevention software. The Virtualmin installation script installs it on your VPS. All we have to do now is configure it. So let's open the Fail2Ban configuration file,
We'll first protect SSH (port 22) since it's the prime target for hackers. There is already a jail that defines rules for SSH. Let's find it within the file. Hit Ctrl+W on your keyboard and search for [sshd]. The SSH jail will look like this,
    [sshd]
    port = ssh
    logpath = %(sshd_log)s
Now change it to look like this,
    [sshd]
    enabled = true
    port = ssh
    logpath = %(sshd_log)s
    maxretry = 3
    findtime = 10800
    bantime = 86400
    action = ufw
As you can see, I didn't change anything that was already there. I just added a few lines. The first added line enables Fail2Ban for SSH. The other lines instruct Fail2Ban to look for 3 failed login attempts during the last 3 hours (findtime is in seconds) and, if someone reaches that limit, to ban them for 24 hours (bantime, also in seconds) using UFW. You can obviously play with these settings.
Next, we'll secure Webmin. Search for [webmin-auth] within the file, and then change it to look like this,
    [webmin-auth]
    enabled = true
    port = 10000
    logpath = %(syslog_authpriv)s
    maxretry = 3
    findtime = 10800
    bantime = 86400
    action = ufw
You can do the same for all other jails that are in use. The following command will list the available jails for you to modify.
And when you're finished configuring jails, activate them by restarting Fail2Ban.
service fail2ban restart
Fail2Ban will protect your VPS from brute-force attacks from here on. But because the jails ban through UFW, you need to enable UFW for the bans to take effect.
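To see how maxretry, findtime and bantime interact, here is an added example (not part of the original post, and not Fail2Ban's own code) that replays constructed auth.log lines through a simplified model of the [sshd] jail above. The regex, the simulate_bans name, the sample lines and the assumed year are illustrative assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Values from the [sshd] jail above (seconds for findtime and bantime).
MAXRETRY, FINDTIME, BANTIME = 3, 10800, 86400

# Assumption: simplified stand-in for Fail2Ban's sshd filter; it only
# matches "Failed password" lines, the real filter covers more messages.
FAILED = re.compile(
    r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (\S+) port \d+")

# Constructed sample auth.log lines (documentation IP ranges only).
SAMPLE_LOG = """\
Mar  1 00:10:00 vps sshd[901]: Failed password for root from 203.0.113.7 port 40122 ssh2
Mar  1 01:30:00 vps sshd[915]: Failed password for invalid user admin from 203.0.113.7 port 40388 ssh2
Mar  1 02:00:00 vps sshd[917]: Accepted password for deploy from 198.51.100.20 port 51000 ssh2
Mar  1 02:59:59 vps sshd[930]: Failed password for root from 203.0.113.7 port 41002 ssh2
Mar  1 03:00:00 vps sshd[931]: Failed password for root from 198.51.100.9 port 52000 ssh2
Mar  1 05:00:00 vps sshd[950]: Failed password for root from 198.51.100.9 port 52411 ssh2
Mar  1 06:30:00 vps sshd[977]: Failed password for root from 198.51.100.9 port 52987 ssh2
"""


def simulate_bans(log_text, year=2017):
    """Return [(ip, banned_at, unbanned_at)] under the jail settings above."""
    failures = defaultdict(deque)  # ip -> failure times still inside findtime
    banned_until = {}              # ip -> time the ban is lifted
    bans = []
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        stamp, ip = m.groups()
        # Syslog timestamps carry no year, so one is assumed.
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        if ip in banned_until and ts < banned_until[ip]:
            continue  # still banned: the firewall would drop this attempt
        window = failures[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > FINDTIME:
            window.popleft()  # forget failures older than findtime
        if len(window) >= MAXRETRY:
            banned_until[ip] = ts + timedelta(seconds=BANTIME)
            bans.append((ip, ts, banned_until[ip]))
            window.clear()
    return bans
```

On the sample, 203.0.113.7 is banned at its third failure for 24 hours, while the three failures from 198.51.100.9 span more than findtime and do not add up to a ban, which is why the jail uses a long findtime.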
Enable UFW to Secure Virtualmin & Ubuntu 16.04
UFW is a program with a simple set of commands. It's really easy to get started with UFW compared to iptables. UFW is available by default in Ubuntu 16.04, but it's not enabled. We'll enable it shortly. We must add firewall rules first, or at least allow connections on the SSH port, before enabling it. Otherwise, we'll be locked out of our VPS.
Let's allow a few programs that we're going to use. The following commands will open ports 22, 80, 443 and 10000 in the firewall.
    ufw allow ssh
    ufw allow 'Nginx Full'
    ufw allow webmin
Opening these ports is mandatory for the operation of your VPS. And when you enable UFW with these ports opened, all other ports will be closed. So if you're using other services, you need to allow the relevant ports as well. I've posted a list of ports that you might need to open.
Let's look at an example where you want to host your DNS on the same VPS. In this case, you need to allow port 53 in the firewall. You can use the following command to allow it.
ufw allow 53
And when you're done adding all the ports you're going to be using, you can enable UFW with the following command.
And you can confirm that UFW is active with the following command.
ufw status verbose
If you got this far with this tutorial, you have solid protection against basic attacks. But it's not all you can do to protect your VPS. There are things like changing default ports and disabling password logins, but they make things a bit complicated for newbies. And this gives enough protection unless you're a high-profile target for hackers.
Further Security for your VPS and Websites
What you did so far doesn't necessarily give all the protection your VPS needs. We had to keep a few ports open, and those are still exposed to attacks. We can protect most of the ports we opened with Fail2Ban, except for port 80 and port 443. These ports are used by Nginx and are public. Connecting to these ports and accessing public content on your website should not require a password. And when there's no login required, there are no failed logins for Fail2Ban to count, so it can't protect you.
The answer to this problem is a WAF. A WAF works on top of your web server and protects it against attacks like SQL injection and cross-site scripting. The WAF I recommend for my setup is Naxsi. Go ahead and install Naxsi WAF for Nginx and Virtualmin to further protect your server.
That concludes the instructions to secure a Virtualmin & Ubuntu 16.04 VPS. Create a topic on the sysadmin forum if you have issues with the installation.