G B

Setting Up Linode For The Impatient

 November 13, 2014   by  Gouthaman Balaraman

 Share on: Diaspora* / Twitter / Facebook / Google+ / Email / Bloglovin

Some notes based on my experience setting up the linode server



When you get a linode instance, you really get a barren (sort of) linux machine on the cloud. That means you have to take care of customizing the server based on your needs. Here are some notes based on what I wanted to setup.

My requirements were the following:

  • Python Setup: Setup python to perform installations using pip.
  • Secure Server: Enable firewall etc.

Linode Basics

  • Once I setup the linode account, I used the ssh instructions on the "Remote Access" in the linode dashboard to get the IP as:

    ssh root@<ip-address>

  • Setup hostname:

    echo "ServerName" > /etc/hostname
hostname -F /etc/hostname

    Try hostname on the command line to see the hostname printed correctly.

  • Add to /etc/hosts. In your desktop, associate the linode IP with a custom servername of your liking. Edit /etc/hosts to look like:

    127.0.0.1   localhost
127.0.1.1   G-ubuntu
111.11.11.1 ServerName

    Also on you linode add an entry to associate 127.0.0.1 with the server hostname. If not you will a error message that the <ServerName is not recognized when you sudo. Add the following to /etc/hostname in your linode:

    127.0.0.1  ServerName

Securing Linode

  • Setting up firewall: When I type sudo iptables -L I get:

    Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

    Now create a file to store the firewall rules using sudo nano /etc/iptables.firewall.rules and paste the following:

    *filter

#  Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT

#  Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#  Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

#  Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

#  Allow SSH connections
#
#  The -dport number should be the same port number you set in sshd_config
#
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

#  Allow ping
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT

#  Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

#  Drop all other inbound - default deny unless explicitly allowed policy
-A INPUT -j DROP
-A FORWARD -j DROP

COMMIT

    Now the firewall rules can be activated using:

    sudo iptables-restore < /etc/iptables.firewall.rules

    Now when you type sudo iptables -L:

    Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             127.0.0.0/8          reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
ACCEPT     icmp --  anywhere             anywhere
LOG        all  --  anywhere             anywhere             limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

    Now to ensure that the firewall is going to be up and running every time you reboot your Linode, edit /etc/network/if-pre-up.d/firewall as sudo to add:

    #!/bin/sh
/sbin/iptables-restore < /etc/iptables.firewall.rules

    Once you have saved these edits, make this file executable using:

    sudo chmod +x /etc/network/if-pre-up.d/firewall

    This should secure your server. If you want to make sure your firewall is up and running, reboot the server and check what you get when you type sudo iptables -L.

  • Installing and Configuring Fail2Ban: Fail2Ban is an application that prevents dictionary attacks on your server. When Fail2Ban detects multiple failed login attempts from the same IP address, it creates temporary firewall rules that block traffic from the attacker’s IP address. Attempted logins can be monitored on a variety of protocols, including SSH, HTTP, and SMTP. By default, Fail2Ban monitors SSH only.

    Here’s how to install and configure Fail2Ban:

    • Install Fail2Ban by entering the following command:

      sudo apt-get install fail2ban

    • Optionally, you can override the default Fail2Ban configuration by creating a new jail.local file. Enter the following command to create the file:

      sudo nano /etc/fail2ban/jail.local

    • To learn more about Fail2Ban configuration options, see this article on the Fail2Ban website. Fail2Ban is now installed and running on your Linode. It will monitor your log files for failed login attempts. After an IP address has exceeded the maximum number of authentication attempts, it will be blocked at the network level and the event will be logged in /var/log/fail2ban.log.

Python Setup



   programming   linux  
Related Post

I am Goutham Balaraman, and I explore topics in quantitative finance, programming, and data science. You can follow me @gsbalaraman.
Checkout my book

Updated posts from this blog and transcripts of Luigi's screencasts on YouTube is compiled into QuantLib Python Cookbook .