[Checklist] Securing Your Ubuntu Server to Host a BTS Node

[sahkan]

The intend of this checklist/guide is to lay out basic steps in securing your Ubuntu server (fresh VPS or Dedicated server) and getting it ready for a BTS node (see, full or witness). Keep in mind that there is more than one way to get things done in Linux so just pick your favorite. I would also appreciate any comments/tweaks from other admins to improve this guide and increase security of our servers (especially any new findings that might come out after I post this).

- Install Ubuntu Server 16.04 (or have it installed and get root access)

-Log in to your server as the root user.

Code: [Select]

$ssh root@server_ip_addressor use PuTTy or other SSH client of your choice

- Check your server installation:

Code: [Select]

# lsb_release -a
-Check what was installed:

Code: [Select]

#apt list --installed
- Update:

Code: [Select]

#apt update
- Take a look at your sources list:

Code: [Select]

#cat /etc/apt/sources.list
Now head over to:
https://repogen.simplylinux.ch/
Fill in your information and have it generate the official Ubuntu Repos for you

Here is an example:

#------------------------------------------------------------------------------#
#                            OFFICIAL UBUNTU REPOS            #
#------------------------------------------------------------------------------#


###### Ubuntu Main Repos
deb http://01.archive.ubuntu.com/ubuntu/ xenial main universe
deb-src http://01.archive.ubuntu.com/ubuntu/ xenial main universe

###### Ubuntu Update Repos
deb http://01.archive.ubuntu.com/ubuntu/ xenial-security main universe
deb http://01.archive.ubuntu.com/ubuntu/ xenial-updates main universe
deb-src http://01.archive.ubuntu.com/ubuntu/ xenial-security main universe
deb-src http://01.archive.ubuntu.com/ubuntu/ xenial-updates main universe


Now if needed added the sources to your source list:

Code: [Select]

#nano /etc/apt/sources.list
(Note: To save in nano use CTRL-O, Enter and CTRL-X to exit - there are plenty of other editors there, I like nano)

-Now lets update and upgrade as required:

Code: [Select]

#apt-get update
#apt-get upgrade
- Change root password (You should change the password to something complex for the root)

Code: [Select]

#passwdThen enter your password at each prompt requesting it. Done.

-Now lets create a new Sudo user:
Use the adduser command to add a new user to your system.

Code: [Select]

#adduser username(for example: adduser sahkan)
Set and confirm the new user's password at the prompt. A strong password is highly recommended!

Set password prompts:
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Follow the prompts to set the new user's information. It is fine to accept the defaults to leave all of this information blank.

User information prompts:
Changing the user information for username
Enter the new value, or press ENTER for the default
    Full Name []:
    Room Number []:
    Work Phone []:
    Home Phone []:
    Other []:
Is the information correct? [Y/n]

- Now lets add our new user to the sudo group:

Code: [Select]

#usermod -aG sudo username
By default, on Ubuntu, members of the sudo group have sudo privileges.

- Test sudo access on new user account - use the su command to switch to the new user account.

Code: [Select]

#su  username
As the new user, verify that you can use sudo by prepending "sudo" to the command that you want to run with superuser privileges. For example, you can list the contents of the /root directory, which is normally only accessible to the root user.

Code: [Select]

$sudo ls -la /rootThe first time you use sudo in a session, you will be prompted for the password of the user account. Enter the password to proceed.

[sudo] password for username:
If your user is in the proper group and you entered the password correctly, the command that you issued with sudo should run with root privileges.

If all went well, logout from the server and ssh back in as your new user

-Now you want to prevent root logins to SSH, which can leave your computer vulnerable to brute force login attempts to the root account.

Code: [Select]

$sudo nano /etc/ssh/sshd_config
Scroll down (with your keyboard down arrow key) until you see "PermitRootLogin yes", or hit "Page Down" once to get there.
Replace the "yes" with "no". No quotes.
PermitRootLogin no

Save & exit.

Now restart SSH with:

Code: [Select]

$sudo service ssh restart
- Change the SUDO configuration to require the root password

Code: [Select]

$sudo visudoThis will open the "/etc/sudoers" file.
In /etc/sudoers, add this line:
Defaults rootpw

Now follow this guide and pick what you require:
https://www.thefanclub.co.za/how-to/how-secure-ubuntu-1604-lts-server-part-1-basics

NOTE: #5. Protect su by limiting access only to admin group (from the link above) Will restrict your use of su. To reverse it (if you want to use su) execute the following:

Code: [Select]

$sudo dpkg-statoverride --remove /bin/su
$sudo chmod 4755 /bin/su
- Now to get ready for the node install, install boost (from your home directory in this case):

Code: [Select]

$export BOOST_ROOT=$HOME/opt/boost_1_57_0
$sudo apt-get update
$sudo apt-get install autotools-dev build-essential \
                     g++ libbz2-dev libicu-dev python-dev
$wget -c 'http://sourceforge.net/projects/boost/files/boost/1.57.0/boost_1_57_0.tar.bz2/download'\
     -O boost_1_57_0.tar.bz2
$sha256sum boost_1_57_0.tar.bz2
Check for the correct hash:
# "910c8c022a33ccec7f088bd65d4f14b466588dda94ba2124e78b8c57db264967"

-Install it:

Code: [Select]

$tar xjf boost_1_57_0.tar.bz2
$cd boost_1_57_0/
$./bootstrap.sh "--prefix=$BOOST_ROOT"
$./b2 install


- And now you can use my other guide to build your node:
https://bitsharestalk.org/index.php/topic,23925.0.html