Securing your Ubuntu VPS for hosting a Rails ApplicationPosted: June 9, 2011
So you have got your new shiny VPS and are all set to deploy your Rails application. However, you need to guard you server against the bad guys. Rails framework does a lot of right things to secure your application. However, you need to manage the security of your server. With a few simple rules you can easily secure your server. I have written this guide for a Linode VPS running on Ubuntu 10.04. But the steps should be fairly similar for other distributions. The first and foremost is to setup a deploy user and give it sudo access. This is just to ensure that you do not accidentally run scripts under root.
# adduser deploy answer the relevant questions # visudo add deploy ALL=(ALL) ALL just below the root's line
SSH into the VPS as deploy and verify if you are able to log in and that you can successfully sudo. Now to change a few SSH details. You would not want to tunnel clear text passwords for your server login. This encourages people to share passwords and makes it difficult to perform access control. Instead, a better approach is to use the SSH public key authentication. To do this, add your public key from your machine to the deploy user’s ~/.ssh/authorized_keys file. Ensure that you are able to login with your public key before proceeding.
Also, it is better to disallow root from directly logging in via SSH. To do these you would have to edit the /etc/ssh/sshd_config file.
$ sudo vim /etc/ssh/sshd_config
Look for the lines containing PubKeyAuthentication, PermitRootLogin and PasswordAuthentication. Change the lines should read as below.
PermitRootLogin no PubKeyAuthentication yes PasswordAuthentication no
If you lock yourself out, don’t worry. Most VPS providers allow you to login as root from a web console. Restart the SSH service and verify if you are able to login without a password.
The next thing you need to do is the single most important thing. Setting up a firewall. It is easier to run the following commands as root so I am sudo into a root shell.
$ sudo su - root
Allow SSH, HTTP/S and PING incoming connections. Accept all incoming connections from 127.0.0.1.
# iptables -A INPUT -p tcp --dport 22 -j ACCEPT # iptables -A INPUT -p tcp --dport 80 -j ACCEPT # iptables -A INPUT -p tcp --dport 443 -j ACCEPT # iptables -A INPUT -p icmp -j ACCEPT # iptables -A INPUT -s 127.0.0.1 -j ACCEPT
If there are services already connnected, do not drop them.
# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT # iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT # iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
Reject everything else.
# iptables -A INPUT -j REJECT # iptables -A FORWARD -j REJECT
The problem with IPTables is that it forgets your rules once you reboot. You need to save them and restore them during reboot when the network interface comes up. First, dump all the rules to a file using iptables-save.
# iptables-save > /etc/iptables.rules
Now you need to add it just before the network interface comes up. You can do that by editing the /etc/network/interfaces file.
# vim /etc/network/interfaces
Just after the definition of the eth0 interface add the a line for pre-up. This runs a command specified just before bringing up the interface. The last couple of lines of the file should now look something like this.
iface eth0 inet dhcp pre-up iptables-restore < /etc/iptables.rules
Now you can reboot the system and verify if the rules apply after reboot.
$ sudo iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT tcp -- anywhere anywhere tcp dpt:ssh ACCEPT tcp -- anywhere anywhere tcp dpt:www ACCEPT tcp -- anywhere anywhere tcp dpt:https ACCEPT icmp -- anywhere anywhere ACCEPT all -- localhost.localdomain anywhere ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED REJECT all -- anywhere anywhere reject-with icmp-port-unreachable Chain FORWARD (policy ACCEPT) target prot opt source destination ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED REJECT all -- anywhere anywhere reject-with icmp-port-unreachable Chain OUTPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
Now, we’re all done.