Even though I will instruct you how to seetup all this, I still advise to pay attention to system logs. You need to know what is happening to your server. What one man wrote, the other can hack. From time to time you hear about password leaks or break-ins to major players like Dropbox or iCloud, a home server will never be more secure than companies using first rate security solutions. Security measures I will talk about in a moment should be enough for your home server. <\/p>\n\n\n\n
UFW \u2013 security 101<\/h2>\n\n\n\n
UFW stands for Uncomplicated Firewall. This is the first security measure that you need to take. Its purpose is to block access to ports that you do not need to have open. <\/p>\n\n\n\n
Every connection uses one port from the pool of 65535 ports. And UFW is going to block those in case you run a service listening for a connection on one of those ports and you do not want it to be accessible from outside. On the other hand, you need to have certain ports open in order for your services to be accessible from the outside.<\/p>\n\n\n\n
For example, you will not be able to access a website on your server without opening port 80 for http:\/\/ There is a list of standard ports for services<\/a> \u2013 22 for SSH connection, 80 for websites, 993 for email etc., and in theory we could change some of those in order to secure access to our server, but in practice ports can be mapped<\/a> and the attacker can discover which ports are open on our server and that, in turn, nullifies the whole point of changing ports. So let us just block everything that does not need to be open and leave defaults as they are. <\/p>\n\n\n\n I encourage you to read more about the topic of ports and why some require an encrypted connection and some are freely open but for now just follow me.<\/p>\n\n\n\n In order to install UFW run the following command<\/p>\n\n\n\n UFW is not enabled after installation and we need to manually do so, but before we do that we need to open at least port 22 for SSH connection, and while at it, we might as well enable all ports that we are going to use.<\/p>\n\n\n\n First of all we need to set up a few exceptions to open some of ports to our server. Run the following commands<\/p>\n\n\n\n Check out why we opened those specific ports on Wikipedia<\/a><\/p>\n\n\n\n You will get a prompt after adding any rule, should a rule be already in place you will get skipping rule<\/em> prompt. Rules will be applied to both IPv4 and IPv6.<\/p>\n\n\n\n On top of that we need to have a few ports for FTP passive access. You can open only one, but should you install a package listening on that specific port, your FTP access will be blocked. It is just common sense to open a small range. UFW allows for specifying a range instead of just one port in a rule and we need to decide what ports we are going to use for our FTP access. Ports go from 0 to 65535. Pick ten, any ten ports. Now run the following command<\/p>\n\n\n\n Substitute $PASSIVE_MIN<\/em> and $PASSIVE_MAX<\/em> with the range you have chosen for FTP. It does not have to be ten ports, it can be two, five or thirty. Just do not make it one, and ten is a such a nice round number. If you have chosen range from 667 to 700 the command would look as follows<\/p>\n\n\n\n When adding a range you have to specify if this should open TCP or UDP ports. We want TCP.<\/p>\n\n\n\n Now that we have everything in place, we can finally enable UFW by running the following command<\/p>\n\n\n\n Idiot-proofing measure asks you if you are sure that you want to enable UFW as you may lose access, but since we opened port 22 we are ok with starting the UFW service. Answer yes<\/em><\/p>\n\n\n\n If you want to check what rules are in place run the following command<\/p>\n\n\n\n Parameter numbered <\/em>shows us an additional column with numbers next to rules that makes removing them easy. We can do that by running the following command <\/p>\n\n\n\n Substitute x<\/em> with the number of a rule you want to remove. Bear in mind that the list shifts after deleting one of them. Meaning that if you want to delete three consecutive rules then you have to delete the same rule three times, as for example rule 7 becomes rule 6 after you delete the initial rule 6. Just allow a few random ports, print out the rule list, delete one of them and print out the rule list again. You will see for yourself.<\/p>\n\n\n\n You might not realize, but with Raspbian you get a firewall security with the system by default in the form of IPTABLES. Using it without UFW is a different story. UFW is actually a front-end for IPTABLES. Think of it as hiring a crew to build your house instead of having to set up a tent every time you want to get some sleep. That is it for UFW installation and configuration. Once enabled is will boot up with the system.<\/p>\n\n\n\n In case you made a big mess of rules you can simply revert to defaults by running the following command<\/p>\n\n\n\n Before you do that it is advised to deactivate UFW as your SSH connection might get dropped. Run the following to disable UFW<\/p>\n\n\n\n After you reset all rules simly add those that you actually need and enable UFW again.<\/p>\n\n\n\n If you have only IPv4 address you can skip adding IPv6 rules by modifying UFW config located here<\/p>\n\n\n\n and changing the following rule to no<\/em><\/p>\n\n\n\n This security package monitors your logs for an unauthorized access, validates the threat level and when the level reaches certain threshold it jails the attacker for a period of time. In layman terms \u2013 put incorrect login credentials too many times and you are banned for a period of time, any further login tries within the jail period will only extend it exponentially. Simple and effective.<\/p>\n\n\n\n CAUTION <\/strong>you are not exempt. If you forget the user name or your password and you will try logging in with incorrect credentials you will get banned as well. Mind the login!<\/p>\n\n\n\n Keeping the above in mind let us install SSHGuard with the following command<\/p>\n\n\n\n Contrary to UFW, security is enabled right after installation and daemon is loaded after every reboot out of the box. Default setting jails an IP for 3 minutes after 3 consecutive incorrect logins within a short period of time. More information about SSHGuard can be found here<\/a>. <\/p>\n\n\n\n SSHGuard, just like UFW, uses IPTABLES firewall and is just a front-end for the service. We could get by without both UFW and SSHGuard but that is a difference between running a few simple commands and writing a complicated scripts that need to be ran after every reboot. The hassle is just not worth it and you should just use those two wonderful tools.<\/p>\n\n\n\n In case you are facing problems with SSHGuard you can try the fail2ban<\/em> alternative. This is a more popular solution, but I found that it conflicted with my mail setup, so I am using SSHGuard. The functionality is the same. If you run into any trouble with one then try using the other.<\/p>\n\n\n\n If you do not want to lock yourself out of your server, you might want to whitelist your local IP address of the client you will use to tinker with the server.<\/p>\n\n\n\n Run the following<\/p>\n\n\n\n And at the bottom of the file add your local IP address. One IP per line<\/p>\n\n\n\n It is very unlikely that you will catch a virus on your server but it may happen. Better safe than sorry. A good and a free choice is ClamAV which we will configure to run daily at a certain time. It will scan your system and get rid of infected files should it find any.<\/p>\n\n\n\n CAUTION<\/strong> from my experience with Pi Zero, is just too weak to handle ClamAV and it simply gives up at some point during the scan. If you think you know what is going on or managed to do it with Pi Zero then leave a comment.<\/p>\n\n\n\n Install ClamAV with the following command<\/p>\n\n\n\n Out of the box ClamAV updates its database automatically and you do not have to worry about it. Scanning on the other hand has to be taken care of manually. Real-time protection is in form of warnings. You will not be stopped from accessing an infected file. You can read more about ClamAV and its configuration here<\/a>.<\/p>\n\n\n\n CAUTION <\/strong>clamav will perform an update and a scan after installation. This will consume resources for quite a while, depending on the number of files you have on SD and on the Pi you are running. Use the command htop <\/em>to confirm this, you should see a screen similar to below image<\/p>\n\n\n\n It took about 20 minutes on a freshly installed Raspbian on a Pi Zero W with SanDisk Ultra UHS-I SD card. The time needed for scan will vary depending on the Pi you are running, the speed of your SD card and the number of files on it.<\/p>\n\n\n\n Give it time to complete before proceeding further.<\/p>\n\n\n\n In order to set up a daily scan we need to make a bash script. Since we will have the script running by itself via Cron, an automatic task schedule package, it is a good idea to set it up somewhere else than our home directory so it does not get in the way. And while we are at it we can set up a directory for custom log files as well.<\/p>\n\n\n\n Choose a place for scripts and logs now. Is is a good idea to put our ClamAV logs in a subfolder as well. A good choice is the \/var\/<\/em> folder, as its name suggests, it is for various files. Again, this can be any place you want, but make it easily accessible so you do not have to dig through folders to find them.<\/p>\n\n\n\n In order to create those three custom folders run the following commands<\/p>\n\n\n\n Adding a zzz_<\/em> prefix will send them to the bottom of the folder list and make them easier to find. If you want, you can call them fluffybunny1<\/em> and iloverainbow <\/em>if you wish.<\/p>\n\n\n\n Now lets change the owners of said folders, run the following code to make those folders assigned to your administrative user, that you have chosen in the installation part<\/a> of the tutorial<\/p>\n\n\n\n Folders should have the correct permissions assigned to them, but in case they do not, we need to set them up with the following code<\/p>\n\n\n\n This will allow the $USER<\/em> to read, write and execute anything inside those folders while $USER<\/em>‘s group and other accounts will be able to read an execute files inside without the write ability. You can read about file permissions here<\/a>. Do get yourself acquainted with managing rights as this is a very important part of working with Linux. In the infancy of your dealings with system administration you will often run into hurdles if you do not know how to manage permissions.<\/p>\n\n\n\n Now we need to make the script itself. The below script is almost a direct copy of Habilis’ script here<\/a>. It is a nice and useful peace of code and I am not the one to reinvent the wheel.<\/p>\n\n\n\n In order to create a file and edit it run the following command<\/p>\n\n\n\n Inside of it paste the following code<\/p>\n\n\n\n Make sure the script is executable with the following command<\/p>\n\n\n\n Read more about scripting in bash<\/a> if you want to fully understand the script. With time you will have to anyways, might as well start now. <\/p>\n\n\n\n CAUTION<\/strong> if you are running a NAS, or you have large folders with files like video etc. then you need to include path to such folders by adding additional arguments<\/p>\n\n\n\n Just put it after the first one in the script. Otherwise your antivirus scan will scan those folders as well and will unnecessarily throttle your system!<\/p>\n\n\n\n You can do that at any point in time, just remember about it after adding a 1TB NAS with video files. <\/p>\n<\/div><\/div>\n\n\n\n The script works out of the box, but if you are curious what those lines do here is the breakdown<\/p>\n\n\n\n Make sure the script executable with the ls -l <\/em>command. If not, see above part about chmod <\/em>and chown<\/em><\/p>\n\n\n\n Since we want to automate the scan we need to use cron, a tool for scheduling tasks. It is built into the system so we do not have to install it, we just need to set it up<\/p>\n\n\n\n Run the follownig code <\/p>\n\n\n\n At the bottom of the file add the following line<\/p>\n\n\n\n This makes the script, and by extension the scan, run at 5am every day. You can set up a different time of day or make it run every 7 hours for example, but once a day should be enough for our peace of mind. Take a look at the crontab file where you added the task, it tells you how to schedule tasks for different hours and\/or time intervals.<\/p>\n\n\n\n CAUTION <\/strong>do not set up many tasks for the same time as it will slow down your server to a crawl. Your Pi might start to overheat and when it reaches 85 degrees Celsius it will throttle the CPU to cool itself and in turn all operations will slow down. Set up tasks for different full hours and you will be ok.<\/p>\n\n\n\nUFW installation<\/h4>\n\n\n\n
sudo apt install ufw<\/code><\/pre>\n\n\n\nBefore you proceed!<\/h4>\n\n\n\n
CAUTION <\/strong>do not enable the firewall before opening port 22. If you block port 22, you will not be able to connect to your server and you will have to boot your pi with external monitor to open said por<\/p>\n\n\n\n
CAUTION! <\/strong>delete the default user pi<\/em> before opening your server to the internet. Logging in with valid credentials is not <\/strong>an attack, it is system administration malpractice. Leaving the pi<\/em> user with sudo privileges allows anyone to remotely log in and do as he pleases, your data will get stolen, your server will get broken and your time setting everything up will be wasted. Find out how to delete user pi<\/em> in the previous part of the tutorial here<\/a>.<\/p>\n\n\n\nUFW configuration<\/h4>\n\n\n\n
sudo ufw allow 20\nsudo ufw allow 21\nsudo ufw allow 22\nsudo ufw allow 25\nsudo ufw allow 80\nsudo ufw allow 143\nsudo ufw allow 443\nsudo ufw allow 465\nsudo ufw allow 587\nsudo ufw allow 993<\/code><\/pre>\n\n\n\nFTP ports<\/h5>\n\n\n\n
sudo ufw allow $PASSIVE_MIN:$PASSIVE_MAX\/tcp<\/code><\/pre>\n\n\n\nsudo ufw allow 667:700\/tcp<\/code><\/pre>\n\n\n\nEnabling UFW<\/h4>\n\n\n\n
sudo ufw enable<\/code><\/pre>\n\n\n\nChecking rules in place and removing them<\/h4>\n\n\n\n
sudo ufw status numbered<\/code><\/pre>\n\n\n\nsudo ufw delete x<\/code><\/pre>\n\n\n\nRestoring default rules<\/h4>\n\n\n\n
sudo ufw reset<\/code><\/pre>\n\n\n\nsudo ufw disable<\/code><\/pre>\n\n\n\nRunning IPv4 server only<\/h4>\n\n\n\n
\/etc\/default\/ufw<\/code><\/pre>\n\n\n\nIPV6=yes<\/code><\/pre>\n\n\n\nSSHGuard \u2013 security by banning offenders<\/h2>\n\n\n\n
![\"SSHGuard](\"https:\/\/www.sshguard.net\/media\/images\/after.png\")
Installing SSHGuard<\/h4>\n\n\n\n
sudo apt install sshguard<\/code><\/pre>\n\n\n\nWhitelisting your local IP<\/h4>\n\n\n\n
sudo nano \/etc\/sshguard\/whitelist<\/code><\/pre>\n\n\n\nClamAV \u2013 security with antivirus<\/h2>\n\n\n\n
![\"\"\/](\"https:\/\/www.clamav.net\/assets\/clamav-trademark.png\")
sudo apt install clamav<\/code><\/pre>\n\n\n\n![\"clamav](\"https:\/\/codedoneright.eu\/wp-content\/uploads\/clamav_scan.png\")
Setting up a daily scan<\/h4>\n\n\n\n
Creating custom folders for logs and scripts<\/h5>\n\n\n\n
sudo mkdir \/var\/zzz_log\nsudo mkdir \/var\/zzz_log\/clamav\nsudo mkdir \/var\/zzz_script<\/code><\/pre>\n\n\n\nsudo chown $USER:$USER -R \/var\/zzz_log\nsudo chown $USER:$USER -R \/var\/zzz_log\/clamav\nsudo chown $USER:$USER -R \/var\/zzz_script<\/code><\/pre>\n\n\n\nsudo chmod 755 -R \/var\/zzz_log\nsudo chmod 755 -R \/var\/zzz_log\/clamav\nsudo chmod 755 -R \/var\/zzz_script<\/code><\/pre>\n\n\n\nCreating the daily script itself<\/h5>\n\n\n\n
nano \/var\/zzz_script\/daily_scan.sh<\/code><\/pre>\n\n\n\n#!\/bin\/bash\nLOG=\/var\/zzz_log\/clamav_scan.log\nMYLOG=\/var\/zzz_log\/clamav_mylog.log\n\nFIND=\"$(which find)\"\nDATE=\"$(which date)\"\nGREP=\"$(which grep)\"\n\nTIMESTAMP=`$DATE '+%Y-%m-%d %H:%M'`\n\nif [[ ! -e \/tmp\/virus ]]; then\n mkdir \/tmp\/virus\nfi\n\ncheck_scan () {\nif [ `tail -n 12 ${LOG} | $GREP Infected | $GREP -v 0 | wc -l` != 0 ]\nthen\necho \"$TIMESTAMP VIRUS DETECTED\"\n1>> $MYLOG\necho \"`tail -n 50 ${LOG}`\" 1>> $MYLOG\necho \"#####################################\"\n1>> $MYLOG\nelse\necho \"$TIMESTAMP - scan has been performed as expected\" 1>> $MYLOG\nfi\n}\n\nclamscan -r \/ --move=\/tmp\/virus --max-filesize=600M --max-scansize=600M --exclude-dir=\/sys\/ --quiet --infected --log=${LOG}\ncheck_scan<\/code><\/pre>\n\n\n\nsudo chmod a+x \/var\/zzz_script\/daily_scan.sh<\/code><\/pre>\n\n\n\n--exclude-dir=\/path\/to\/folder\/<\/code><\/pre>\n\n\n\nWhat does the script even mean?<\/h4>\n\n\n\n
Scheduling the task<\/h5>\n\n\n\n
sudo crontab -e<\/code><\/pre>\n\n\n\n0 5 * * * \/var\/zzz_script\/daily_scan.sh<\/code><\/pre>\n\n\n\n