5Minutes - Server Security Essentials
Secure your Linux server with single command!
A while back, I read this article about what you should do first when you get new server. Doing so manually is quite boring though, and error prone. So, I tried to automate with Ansible, and added few extra security features like completely disabling root and password login etc.
So you have new servers with root access, please follow these steps.
- Install Ansible on your local computer. It’s really easy if you have updated
sudo pip install ansible
- Clone this repo and change
hostsfile with IP address of your servers.
git clone [email protected]:chhantyal/5minutes.git && cd 5minutes && open -t hosts
- Change var
vars.ymlfile with crypted password. This will be password for
server_user_name. To generate, run:
sudo pip install passlib
python -c "from passlib.hash import sha512_crypt; import getpass; print sha512_crypt.encrypt(getpass.getpass())"
Using it is very easy. From within in
5minutes directory, run this Ansible command.
ansible-playbook 5minutes.yml -u <user_name> -K
Enter password for your server and that’t it. Single command!
Try with Vagrant
You can try on Vagrant box before running this on real servers.
vagrant up output for exact port) and run command:
ansible-playbook 5minutes.yml -u vagrant --private-key .vagrant/machines/default/virtualbox/private_key
Under the Hood
If you are wondering what it does, here it is:
- Connects to server using SSH
- Updates APT cache
- Performs APT upgrade
- Adds user specified in variable
server_user_namewhich has sudo permission
- Adds specified public key in variable
user_public_keysin ssh authorized_keys.
- Disables root SSH access. Yes, from next time you need to use new user to access server.
- Disables password authentication. Again you will need to use new user with SSH public key auth method.
fail2banto ban IPs that show malicious signs,
logwatchto analyze and report logs.
- It also installs
unattended-upgradesto enable automatic security updates.
There are few other variables that you need/might want to change. See
vars: defined in
server_user_password: Please change this. See Ansible docs
[email protected], you won’t get report email from
logwatchif you don’t change.
~/.ssh/id_rsa.pub, if you use different key pair name, you need to change this path to public key file.
Ansible is perfect for this automation because it’s dead simple to install and use without having to learn it.
It uses SSH as agent, so you don’t need to setup anything else.
PS: This is tested on Ubuntu, as that’s what I use. You are welcome to add support for other distributions :)