Locking Down SSH

Now that the server is online, it’s time to lock it down so only those permitted can access it. I will be logging in through SSH (Secure Shell). On any Ubuntu box, the command to install the SSH server is as simple as running the following:

$> sudo tasksel install openssh-server

Which will install the openssh package.

Now, the default installation of the SSH server is fine, but let’s trim it up a little. With your favourite editor (and root permissions), open up /etc/ssh/sshd_config. Don’t forget to back up the original, just in case. The following code block contains the lines I changed or added.

LoginGraceTime 60
PermitRootLogin no
MaxAuthTries 2
AllowUsers <user names separated by spaces>
Banner /etc/ssh/ssh_banner

These are not the only things possible to change; for more, I offer the sshd_config man page. The above shortens the grace time to enter one’s password from 120 seconds to 60, disables root login, reduces the number of times you may try to log in to two, and permits only the users listed to SSH in. I have also introduced a banner message before one authenticates. The contents of /etc/ssh/ssh_banner are below:

This computer system is for authorized users only. All activity is logged and regularly checked by systems personnel. Individuals using this system without authority or in excess of their authority are subject to having all their services revoked. Any illegal services run by users or attempts to take down this server or its services will be reported to local law enforcement, and said user will be punished to the full extent of the law. Anyone using this system consents to these terms.

Now that all the SSH configurations have been made, restart the SSH service so it starts using them:

$> sudo /etc/init.d/ssh restart
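As an added check (an example script written for this post, not part of the original), the following audits an sshd_config for the five settings changed above. It assumes plain-second time values and ignores Match blocks; with no argument it audits two constructed sample files.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config for the
# settings discussed above. Usage: ./audit_sshd.sh [/etc/ssh/sshd_config]
# With no argument it audits two constructed sample files instead.

# First effective value of a keyword, lower-cased (sshd honours the first
# occurrence of a keyword; comments are skipped, Match blocks are ignored).
sshd_opt() {  # $1 = config file, $2 = keyword
    awk -v k="$2" '$1 !~ /^#/ && tolower($1)==tolower(k) {print tolower($2); exit}' "$1"
}

# Prints one FAIL line per unmet check; returns the number of failures.
# Time values are compared as plain seconds (a suffix such as "2m" fails).
audit_sshd_config() {
    f="$1"; fails=0
    v=$(sshd_opt "$f" PermitRootLogin)
    [ "$v" = no ] || { echo "FAIL PermitRootLogin=${v:-unset} (want no)"; fails=$((fails+1)); }
    v=$(sshd_opt "$f" MaxAuthTries)
    [ -n "$v" ] && [ "$v" -le 2 ] 2>/dev/null || { echo "FAIL MaxAuthTries=${v:-unset} (want <=2)"; fails=$((fails+1)); }
    v=$(sshd_opt "$f" LoginGraceTime)
    [ -n "$v" ] && [ "$v" -le 60 ] 2>/dev/null || { echo "FAIL LoginGraceTime=${v:-unset} (want <=60)"; fails=$((fails+1)); }
    v=$(sshd_opt "$f" AllowUsers)
    [ -n "$v" ] || { echo "FAIL AllowUsers unset (want an explicit user list)"; fails=$((fails+1)); }
    v=$(sshd_opt "$f" Banner)
    [ -n "$v" ] && [ "$v" != none ] || { echo "FAIL Banner=${v:-unset} (want a banner file)"; fails=$((fails+1)); }
    return "$fails"
}

# Constructed sample configs: the post's hardened lines vs. stock-like defaults.
write_sample() {  # $1 = output path, $2 = hardened | stock
    if [ "$2" = hardened ]; then
        printf '%s\n' 'LoginGraceTime 60' 'PermitRootLogin no' 'MaxAuthTries 2' \
            'AllowUsers alice bob' 'Banner /etc/ssh/ssh_banner' > "$1"
    else
        printf '%s\n' '# stock-style file' 'LoginGraceTime 120' \
            'PermitRootLogin yes' 'MaxAuthTries 6' > "$1"
    fi
}

if [ -n "$1" ]; then
    audit_sshd_config "$1" && echo "OK: $1 passes all checks" || echo "$1: $? problem(s) found"
else
    tmp=$(mktemp -d)
    write_sample "$tmp/hardened" hardened; write_sample "$tmp/stock" stock
    audit_sshd_config "$tmp/hardened" && echo "OK: hardened sample passes all checks"
    audit_sshd_config "$tmp/stock" || echo "stock sample: $? problem(s) found"
    rm -rf "$tmp"
fi
```

Before restarting, `sudo sshd -t` also has sshd itself validate the file's syntax, so a typo cannot lock you out of the next login.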

One more useful tip for Ubuntu users involves editing /etc/motd.tail and /var/run/motd to add a nice welcome message to the authenticated users.

Screenshot: my current MOTD upon successful login. Look, there's colour!

Next, avoiding unwanted brute force attacks on your (hopefully very strong) passwords involves setting up and tearing down iptables rules. The rule shown here will block an IP if three incorrect attempts to log in are received within 60 seconds, which should stop brute force attacks, but not hamper any normal, human logins. Enter the following into the new file /etc/network/if-up.d/bfa_protection:

#!/bin/bash
# ifupdown exports METHOD to if-up.d scripts; do nothing for the loopback interface.
[ "${METHOD}" != loopback ] || exit 0
# Record the source address of every new TCP connection to port 22 in the "SSH" recent list.
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
# Drop a new connection when the same source has been seen 3 times (this one included) within
# 60 s. Note that this counts connection attempts, not failed passwords.
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --rttl --name SSH -j DROP

Then make it executable:

$> sudo chmod u+x /etc/network/if-up.d/bfa_protection

Next, we need the code to tear the rules down when the network interface goes down. Enter the following into /etc/network/if-down.d/bfa_protection:

#!/bin/bash
# Mirror of the if-up script: -D deletes the very same rule specifications.
[ "${METHOD}" != loopback ] || exit 0
/sbin/iptables -D INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
/sbin/iptables -D INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --rttl --name SSH -j DROP

Then make it executable:

$> sudo chmod u+x /etc/network/if-down.d/bfa_protection

That’s it. To get it running without a restart of the network interface, do the following:

$> sudo /etc/network/if-up.d/bfa_protection
$> sudo iptables -L

The last line will show all rules, and should be displaying the brute force protection rule.
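Running the if-up script by hand, as above, appends the two rules a second time if the interface already came up, and every further run stacks more copies. The following is an added example (not the post's own script) that keeps both rules in one file usable from if-up.d and if-down.d, or by hand as `bfa_protection up|down`, and adds each rule only after `iptables -C` reports it absent. It assumes IPT, IFACE and PORT may be overridden from the environment and that ifupdown exports IFACE, METHOD and MODE to hook scripts.

```shell
#!/bin/sh
# Added example, not the post's own script: the same two iptables rules as
# above, written as one script that can live in both if-up.d and if-down.d
# (or be run by hand as "bfa_protection up|down"). It adds each rule only if
# "iptables -C" reports it absent, so repeated runs never stack duplicates.
# Assumptions: IPT/IFACE/PORT are overridable via the environment; ifupdown
# exports IFACE, METHOD and MODE (start|stop) to these hook scripts.
[ "${METHOD}" != loopback ] || exit 0
IPT="${IPT:-/sbin/iptables}"
IFACE="${IFACE:-eth0}"
PORT="${PORT:-22}"

# Rule specifications without the -A/-C/-D verb, shared by add, check and delete.
ssh_rule_track() {
    echo "INPUT -i $IFACE -p tcp --dport $PORT -m state --state NEW -m recent --set --name SSH"
}
ssh_rule_drop() {
    echo "INPUT -i $IFACE -p tcp --dport $PORT -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --rttl --name SSH -j DROP"
}

# Append a rule only if it is not already present. Returns 0 when added,
# 1 when it was already there. Unquoted $1 is deliberate: the spec must split.
ensure_rule() {
    if "$IPT" -C $1 2>/dev/null; then
        return 1
    fi
    "$IPT" -A $1
}

bfa_up() {
    added=0
    ensure_rule "$(ssh_rule_track)" && added=$((added+1))
    ensure_rule "$(ssh_rule_drop)" && added=$((added+1))
    echo "bfa_protection: $added new rule(s) on $IFACE:$PORT"
}

# Delete both rules; errors (rule already gone) are silenced.
bfa_down() {
    "$IPT" -D $(ssh_rule_track) 2>/dev/null
    "$IPT" -D $(ssh_rule_drop) 2>/dev/null
    return 0
}

case "${1:-$MODE}" in
    up|start)  bfa_up ;;
    down|stop) bfa_down ;;
esac
```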

SSH is a useful tool, and can be combined with many other programs to provide very interesting functionality (such as VNC connections through an SSH tunnel). The key thing to remember is to use it intelligently, and that strong passwords are important. If you are even more concerned about security, the use of private keys might be more suitable.

Server CPU Configuration

Hello everyone. This post is far later than intended due to some installation woes with my Antec LCD screen. The instructions on the page referenced by Antec’s official FAQ are, to be frank, broken, require some magical packages, or are incompatible with 64-bit Linux. There is, however, a really great thread on ubuntuforums.com that provides instructions for (32-bit) Mythbuntu. These are, naturally, incompatible with the 64-bit Ubuntu Server.

There will be a dedicated post in the future describing the installation of the iMON USB IR and LCD components of the Antec Fusion Black 430, with successful steps for a vanilla Ubuntu Server, but that post is not this.

The server itself is very solid, with the installation near the end essentially running tasksel, the Ubuntu tool which allows specific functionality to be added with a simple checkbox, such as LAMP, SSH Server, Samba, Print Server and other functionalities. These features are fairly easy to install, and are covered in many other guides. I will discuss each in more detail in later posts, particularly how to secure SSH from brute force attacks (using iptables).

The first thing I noticed when I began using the installation was that the CPU fan was kicking in at 100% consistently. After investigation, I found that the CPU was not scaling its frequency. This was quickly solved by installing the wonderful powernowd:

$> sudo apt-get install powernowd

With that installed, the system began to scale, as far down as 1000MHz (with a maximum of 2400MHz). The current frequencies can be checked by running:

$> cpufreq-info

or

$> cat /proc/cpuinfo

and reading the results. Please note that the former command requires the cpufrequtils package, which is shown later in this post.

Another option is to enable the built-in frequency scaling of the AMD chip. First, enable Cool ‘n’ Quiet in your motherboard’s BIOS, then remove all scaling software (such as powernowd) with apt-get remove <package name>. The above cat command will also display the vendor and type of the CPU. If you’ve got an AMD Athlon 64 X2 like me, then you’ll need to do the following (otherwise, please see the source of these instructions):

$> sudo modprobe powernow-k8
$> sudo modprobe cpufreq_conservative
$> sudo modprobe cpufreq_ondemand
$> sudo modprobe cpufreq_powersave
$> sudo modprobe cpufreq_stats
$> sudo modprobe cpufreq_userspace
$> cat /sys/devices/system/cpu/cpu0/cpufreq/scaling_available_governors

The last step should show various modes of power savings, such as powersave, conservative, or performance.
Next, add the following lines to /etc/modules for the power savings to be initiated at boot time:

powernow-k8
cpufreq_conservative
cpufreq_ondemand
cpufreq_powersave
cpufreq_stats
cpufreq_userspace

To use the cpufreq-info command, you’ll need to install the following:

$> sudo apt-get install cpufrequtils

You’ll need to set what’s called a governor to specify how to scale the processor(s). If you’re not sure how many CPUs you have, run the following:

$> ls /sys/devices/system/cpu/

and run the following for each CPU:

$> sudo cpufreq-set -c <number> -g ondemand

Where <number> starts at zero and counts up.
Lastly, to set this governor at boot, edit /etc/default/cpufrequtils, changing

ENABLE="false"

to

ENABLE="true"

and setting the GOVERNOR value to ondemand.
Hurray! CPU frequency scaling is now yours! If that was too many steps for you, powernowd always works.

Hardware Time!

Photo: the Antec Fusion Black 430.

This post marks the first actual work with hardware. The chassis, as seen above, is the Antec Fusion Black 430, and I am extremely pleased with the build quality. The case, as the name suggests, comes with an Antec EarthWatts 430W power supply, with a special power attachment for the LCD screen. Speaking of the LCD screen, it and the (rather stereo tuner looking) volume knob are controlled by USB, and have some support with Linux, which I will detail in a later post. The front of the case is brushed metal, while the rest is standard painted steel. The server is fairly heavy, but to reduce vibrational noise, the case has silicone feet in the rear, and rubberized bottoms on the front feet.

This blog isn’t about how to assemble a server, so I’ll spare you the details of such things, and simply list the components I have decided to use:

Photo: angled shot of the Fusion Black 430. The case includes two 120mm fans, and splits into three sections: one for the PSU and optical drive, one for the motherboard, and one for the hard drive.

The 750GB hard drive suits my needs at the moment, and the case has one more spot for another hard drive, if I decide to upgrade in the future. The hard drive sits behind the volume knob and is held vertically, fastened with screws and rather fancy rubber grommets for noise reduction. The optical drive, while not the best, or the fastest, will mostly be used for playback. Looks didn’t particularly matter, as the case has a built-in cover.

The motherboard really shines in this case. Without the need for a graphics card, there is significantly more room in the case to route cables, and I don’t need to worry about the height of the case, which is a little shorter than most desktop chassis. Asus has done a great job with this motherboard, which sports 12 USB ports, six in the back, and six others available as headers on the board. With the front USB, and LCD screen taking up one and a half of those headers, I’ve still got room for more gadgets. Unfortunately, there is no room in the chassis for any 3.5″ or 5.25″ devices. The dual 120mm tri-cool fans are a nice touch, but I find I would prefer being able to plug them into fan headers on the motherboard.

OCZ is one of my favourite computer component companies (equal to Antec and ASUS), so using their RAM was an easy choice. On the plus side, there was a $30 rebate!

Next posts will explore my Ubuntu server setup, and probably touch on some nice applications.
