Grundlegende Serveradministration/en

From EUserv Wiki


Basic server administration


The content of the following HowTo has been examined carefully. However, we do not assume liability for any damage that occurs from following the instructions of this HowTo.

In this HowTo we will give you some information on how to manage and secure your dedicated server or virtual server. Managing a server differs considerably from the everyday use of a "normal" PC with a graphical user interface (such as Windows). Graphical interfaces for servers do exist (e.g. Plesk/Confixx or SysCP), but these are mainly designed for managing domains and mail aliases. For important tasks like program installations and data backups we need to work at a command prompt (also known as a "shell"). In the following we will show you the necessary steps after you have ordered and deployed your server.

Choosing the operating system

Log in to the customer center and select the operating system you want to install on the server. Select your server contract and click the "Initialize" button. Choose an operating system, e.g. "Debian 5.0r5 SysCP 64 Bit". This installs a Debian Linux with a graphical admin interface (SysCP). When the operating system has been installed successfully, you can see your access data under the menu "Server Data". Important for server administration right now are the "Main IP address" and the "Default Password" for SSH or the web panel (admin/root). Next you will learn how to access your server via SSH. SSH stands for "Secure Shell" and is a network protocol which can be used to establish secured connections with remote computers.

Accessing the server - SSH

In order to access your server via SSH you need a corresponding program. For Windows users "PuTTY" is advisable and can be downloaded from www.putty.org. PuTTY is configured in a few steps:

Run PuTTY. Under Host Name or IP address enter the IP address (a numerical sequence that identifies your server) from the customer center (see above). If it is not already preset, enter 22 under Port. Click Open to establish the connection. The very first time you connect, a window will pop up asking whether you trust the digital key of the remote computer. Confirm with Yes. Hint: if you are using Linux instead of Windows, open a terminal and enter the following:

ssh root@<your IP address here>

Now you should see a console window whose only content is "login as:". Enter root here. You will now be asked for your password. Enter the Default Password from the server data here. If you wonder why the password can't be seen when you type it: this is for security reasons. If all data has been entered correctly, you should now be logged in to your server. You can tell by the command line beginning with root@<your IP address> and a welcome message (e.g. "Welcome to Debian GNU/Linux" or the like).

For your own safety you should now create a new user. This is highly recommended since it is too dangerous to manage the server as root permanently. The reason lies in the rights management system of Linux, where users have different rights (read/write/execute) on files. The root user has full access to the system and is able to perform critical system actions, so you could accidentally delete important system files or configurations. To avoid this we will now do the following: first, we create a new user, and then we disable root login.

1.) Enter the following code to create a new user:

useradd -m -g users -d /home/USER -s /bin/bash USER

(instead of USER enter a name of your choice)

Set the new user's password by entering the following:

passwd USER

(instead of USER enter the name of the newly created user)

You will now be prompted to enter a password and to confirm it a second time. The next time you can log in as the new user instead of root.

2.) Enter the following to prevent a root login:

nano /etc/ssh/sshd_config

Use the arrow keys to find the line containing the entry PermitRootLogin yes and change the yes to no. Save the change with Ctrl+O and close the editor with Ctrl+X. Finally, the SSH server has to be restarted. Enter the following and confirm with Return (on Debian and Ubuntu the init script is named ssh rather than sshd):

/etc/init.d/sshd restart

Now you won't be able to log in as root anymore. Validate this by opening an additional PuTTY window (please don't close the existing one) and trying to log in as root with your server password. If this fails, the configuration was successful. Repeat this procedure using the data of your newly created user. If this works, the configuration works, too. In some cases certain operations require root permissions. You can switch to the root user by entering

su root

within your SSH session. Switching back to your "normal" user can be done by typing

exit

To completely end the SSH session you can type

logout

SSH Safety

Changing the default port

To secure your server against unauthorized access you can change the standard port of SSH (22) to another value and allow access from your private IP address only. To change the default port, log in with SSH as described above (using PuTTY or the terminal) and enter the following:

nano /etc/ssh/sshd_config

Look for the following line using the arrow keys:

Port 22

At this point you can change the port. Keep in mind not to use a system port (0-1023), since these are mostly used by system processes. Consider using an upper-range user port (above 40000) or a dynamic port (49152-65535). When you have changed the port, make sure the line

Protocol 2

exists. Save with Ctrl+O and close the editor with Ctrl+X. Finally restart the SSH server:

/etc/init.d/sshd restart

After logging off from the SSH session you can log in the next time with the following command (Linux):

ssh -p <PORT_NUMBER> <USER>@<SERVER_IP>

If you are using PuTTY, adjust the port in the connection settings (as described above).

Please note that changing the SSH port does not provide absolutely reliable protection, since the new port can be found with so-called "port sniffers" (port scanners). Furthermore, you should memorize the port and the password!
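The settings changed in the two SSH sections above (root login disabled, a port other than 22 and outside the system range, the Protocol 2 line present) can be checked with a script. This is an added example, not part of the original HowTo; the helper name audit_sshd_config and the sample files are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not part of the wiki. audit_sshd_config is a hypothetical helper
# that prints one FINDING line per setting that deviates from this HowTo.
audit_sshd_config() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
    { sub(/[ \t]*=[ \t]*/, " ")                # "Key = value" is also accepted
      key = tolower($1); val = tolower($2) }   # keywords are case-insensitive
    key == "match" { exit }                    # conditional blocks are not evaluated
    # sshd uses the first value it reads for a keyword; Port may appear repeatedly
    key == "permitrootlogin" && root == "" { root = val }
    key == "protocol" && proto == "" { proto = val }
    key == "port" {
        ports++
        if (val + 0 == 22) print "FINDING: sshd still listens on default port 22"
        else if (val + 0 < 1024) print "FINDING: port " val " is a system port (0-1023)"
    }
    END {
        if (root == "") print "FINDING: PermitRootLogin is not set explicitly"
        else if (root != "no") print "FINDING: PermitRootLogin is " root ", expected no"
        if (ports == 0) print "FINDING: no Port line, sshd falls back to 22"
        if (proto != "2") print "FINDING: line Protocol 2 is missing"
    }' "$1"
}

# Constructed sample files: before and after the changes described above.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
printf '%s\n' 'Port 22' 'Protocol 2' 'PermitRootLogin yes' > "$tmp/before"
printf '%s\n' 'Port 49222' 'Protocol 2' '#PermitRootLogin yes' 'PermitRootLogin = no' > "$tmp/after"
echo "before:"; audit_sshd_config "$tmp/before"
echo "after:";  audit_sshd_config "$tmp/after"
```

On a live server, running sshd -t before the restart checks the edited file for syntax errors, which helps avoid locking yourself out with a broken configuration.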

Blocking Brute Force Attacks

iptables

A brute force attack is a special way to break passwords: the attacker tests possible password combinations in large numbers. To weaken such attacks you can use the Linux firewall iptables:

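# Separate chain for new SSH connections
iptables -N ssh_block
# Accept SSH from your own address (if you changed the SSH port above, use it instead of 22)
iptables -A INPUT -p tcp --dport 22 -s <YOUR_PRIVATE_IP> -j ACCEPT
# Send every other new SSH connection to the ssh_block chain
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ssh_block
# Record the source address of the connection
iptables -A ssh_block -m recent --set --name SSH
# Drop the source once it reaches <AMOUNT> new connections within <SECONDS> seconds
iptables -A ssh_block -m recent --update --seconds <SECONDS> --hitcount <AMOUNT> --name SSH -j DROP
/etc/init.d/iptables save
/etc/init.d/iptables restart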

Executing these commands ensures that you can only log in to your server from the IP address stated under <YOUR_PRIVATE_IP>. Also, only <AMOUNT> connections within the period of <SECONDS> are allowed.

DenyHosts

DenyHosts is a tool written in Python which monitors login attempts via SSH on your server. If the program detects repeated failed login attempts from the same IP address, DenyHosts blocks further login attempts from this IP address and adds it to the file /etc/hosts.deny. DenyHosts can run as a cron job or as a daemon. In this manual DenyHosts runs as a daemon.

DenyHosts will be installed with the following command:

Ubuntu/Debian:

 apt-get install denyhosts

CentOS 6:

 sudo rpm -Uvh http://mirror.metrocast.net/fedora/epel/6/i386/epel-release-6-8.noarch.rpm
 sudo yum install denyhosts

After the program has been downloaded, DenyHosts will be installed and configured on your server. Make sure that your own IP address is allowed by DenyHosts. If you skip this step, you risk blocking yourself from your own server.

Create a list of the allowed hosts on your server by editing the following file:

 nano /etc/hosts.allow

Below the description, add every IP address that DenyHosts should allow. Put each IP address on a separate line in the following format:

 sshd: xx.xx.xx.xx

After you have made the changes, be sure to restart DenyHosts:

 /etc/init.d/denyhosts restart

If you want to change the behavior of DenyHosts on your server, you can make these changes in the configuration file with the following command:

 nano /etc/denyhosts.conf

In the default configuration the file /etc/hosts.deny grows continuously. However, in the configuration file /etc/denyhosts.conf you can specify that IP addresses in /etc/hosts.deny are deleted after a defined period of time. To do this, set the option PURGE_DENY = 1d, which sets the period to one day. The option DAEMON_PURGE = 1d runs the automatic delete process once daily.
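As an added example (not DenyHosts' own code and not part of the original HowTo), the following script applies the logic described above to constructed log lines: it counts failed SSH logins per source address, skips addresses listed in a hosts.allow-style file, and prints the rest in the sshd: format. The helper name failed_ssh_sources, the threshold and all addresses are assumptions.

```sh
#!/bin/sh
# Added example, not DenyHosts code. failed_ssh_sources is a hypothetical helper:
#   failed_ssh_sources LOGFILE ALLOWFILE THRESHOLD
# prints a hosts.deny-style line for every source at or above THRESHOLD failures.
failed_ssh_sources() {
    awk -v limit="$3" '
    # hosts.allow entries ("sshd: a.b.c.d") are never reported
    FILENAME == ARGV[1] { if ($1 == "sshd:") allowed[$2] = 1; next }
    # The user name is chosen by the client and may be any length, so the
    # address is read from the fixed tail "... from ADDR port N ssh2".
    /sshd\[[0-9]+\]: Failed password for / && $(NF-4) == "from" && $(NF-2) == "port" {
        fails[$(NF-3)]++
    }
    END {
        for (ip in fails)
            if (fails[ip] >= limit + 0 && !(ip in allowed)) print "sshd: " ip
    }' "$2" "$1" | sort
}

# Constructed sample data (documentation addresses, not real hosts).
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
echo 'sshd: 198.51.100.20' > "$work/hosts.allow"
cat > "$work/auth.log" <<'EOF'
Mar 10 03:14:01 srv sshd[2201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar 10 03:14:03 srv sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Mar 10 03:14:06 srv sshd[2205]: Failed password for root from 203.0.113.7 port 51246 ssh2
Mar 10 08:01:10 srv sshd[2301]: Failed password for alice from 198.51.100.20 port 40100 ssh2
Mar 10 08:01:15 srv sshd[2301]: Failed password for alice from 198.51.100.20 port 40100 ssh2
Mar 10 08:01:21 srv sshd[2301]: Failed password for alice from 198.51.100.20 port 40100 ssh2
Mar 10 08:01:30 srv sshd[2301]: Accepted password for alice from 198.51.100.20 port 40100 ssh2
Mar 10 09:30:00 srv sshd[2400]: Failed password for bob from 192.0.2.55 port 33000 ssh2
EOF
failed_ssh_sources "$work/auth.log" "$work/hosts.allow" 3
```

The allow-listed address has three failures of its own in the sample, which is the case the /etc/hosts.allow step above protects against.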

Updating the package sources

To keep your system up to date you should update the package sources of your operating system. Depending on the Linux distribution, this can be achieved with the following commands:

Ubuntu/Debian/Proxmox:

aptitude update          [Package source update]
aptitude upgrade         [Global system upgrade]
aptitude install <package> [Installing the desired package]

CentOS, FedoraCore

yum update          [Package source update]
yum install <package> [Installing the desired package]

OpenSuSE

zypper up            [Updates the installed packages]
zypper up -t package [Installs all available updates] 

Securing data with rsync and scp

Since you are responsible for the backup of your data you should periodically conduct backups. In this case we will assume that you want to back up files from your server to your home PC. The command rsync synchronizes the content of a remote directory with the content of a local directory. Let's say the directory /home/backup on your server shall be backed up. The following command saves the directory, deletes all files in /home/USER/backup that have been removed from /home/backup since the last backup and stores deleted and changed files in an additional backup directory /home/USER/last_backup:

rsync --delete -avzbe ssh USER@ServerIP:/home/backup/ \
/home/USER/backup --backup-dir=/home/USER/last_backup

If you want to copy single files or directories you can use the command scp ("Secure Copy"). The command is quite simple to use. Start PuTTY (or under Linux the terminal) and enter the following:

scp <User>@<ServerIP>:/path/to/file /destination_path/local/computer

or if you want to copy a directory:

scp -r <User>@<ServerIP>:/path/to/directory /destination_path/local/computer

Replace <User> and <ServerIP> with the corresponding data.

Finally, please keep in mind:

(Basic) server administration requires knowledge of Linux systems (when installed). The EUserv forum and Google are promising places to go to get further information. As a customer you are solely responsible for the administration of your server. So never make any changes to your system if you are not 100% sure what you are doing. Always remember to make backups on a regular basis!

External links

Fail2ban: http://blog.check-and-secure.com/fail2ban-effektiver-schutz-gegen-cyber-attacken-auf-server/