Best Practices for Linux and Minecraft Hosting

Discussion in 'Wiki Discussion' started by jtaylor69, Sep 10, 2013.

  1. jtaylor69

    jtaylor69 Retired Moderator

    Best Practices for Linux and Minecraft Hosting
    While this article is constantly checked to ensure all commands are non-malicious, it can be edited by all members, and some members may have malicious intent. To ensure you always maintain access to your server, never disconnect from the session in which you made changes until you confirm that you are able to log in to a new session. This prevents you from locking yourself out, whether through a malicious change or an accident on your part. If you find yourself unable to connect when attempting to log in to a new session, use the established session to revert all completed changes.

    So, you just got your new Linux server and only know the basics to it, great! It's always nice to see people learning Linux.

    Protip: Get into good habits early; it prevents having to correct bad habits later, i.e. using root to log in.

    Update your system!:
    Sometimes when you get a server (dedicated or VPS) the software running on it could be outdated. Updating is easy and will make sure you have the latest features and security fixes.

    For Ubuntu/Debian based distribution:
    Code (Text):
    apt-get update
    apt-get -y dist-upgrade
    For CentOS/RHEL based distribution:
    Code (Text):
    yum update
    Those commands will update all of your system's packages and apply distribution security patches, thus making you more secure on both the OS side and the application side.
    Add your own user:
    The second thing you must always do is add your own user account. Using purely root is the biggest mistake all new admins make. root is the single most powerful account on your system and if someone compromises it, you might as well wave goodbye to it all.
    Code (Text):
    adduser <name>
    So for me it'd be:
    Code (Text):
    adduser cbryars
    Depending on your exact setup, you may or may not be asked to set a password at account creation. If you are not, you can add one with:

    Code (Text):
    passwd <name>
    This will let you change/add the password for the user account you just created, so for example, for me it would be:
    Code (Text):
    passwd cbryars
    Add yourself to sudo:
    Now you're probably thinking "So if I can't login as root, how am I to do actions like update or add new packages?" The answer is sudo. Sudo allows you to change to another user, run applications as other users and so on.
    So, first we need to install sudo, if it's not already installed.

    For Ubuntu/Debian based distribution:
    Code (Text):
    apt-get install sudo
    For CentOS/RHEL based distribution:
    Code (Text):
    yum install sudo
    Now that you've installed sudo, you'll need to add yourself to the sudoers, this is the easy part.

    Code (Text):
    usermod -a -G admin <name>
    So for me it'd be:
    Code (Text):
    usermod -a -G admin cbryars
    If you run a Debian based distribution, you'll need to restart the sudo service for this to take effect. Just do: service sudo restart

    Quick tutorial to sudo!

    When you're logged into your user, you'll want to change users a lot (trust me, it's a godsend). For that you'll want to use sudo -su, for example:
    Code (Text):
    sudo -su minecraft
    This will change your shell to the system username: minecraft
    All things you run while under sudo -su will be run AS THAT USER, so if you say run java, the process will be under the user minecraft!

    So say you want to get to root, this is even easier:
    Code (Text):
    sudo -s
    That's it. Running that command will elevate you to a root shell and allow you to essentially log in as root without logging in as root!

    If you wish to leave a sudo -su/sudo -s'd shell and get back to your normal user account, just run the command:
    Code (Text):
    It'll bring you back to your own shell.

    SSH Keys

    You are a bad source of entropy. Passwords are not particularly secure, even if you utilize fail2ban or similar software. For better security, you'll want to use SSH keys.

    As you probably already have git installed, I'll spare you some time.

    If on Windows, open your command prompt and run
    Code (Text):
    This will generate a 2048 bit RSA key for use with your server. It is strongly recommended that you add a strong passphrase. You must not share the keyfile with anyone - protect it as you would your password.

    In most cases, the command will tell you where the private and public keys are stored. Use the concatenate command (cat) to output your public key file. It should look a bit like this:

    Code (Text):
     ssh-rsa AAA.......
    Now that you've generated your keys, it's now time to tell the server what they are. Login to your server, and cd into the ~/.ssh directory. In some cases, you'll need to create the directory (use the mkdir command).

    Let's create the authorized_keys file and add our public key:
    Code (Text):

    touch ~/.ssh/authorized_keys
    echo "ssh-rsa AAA..." >> ~/.ssh/authorized_keys
    Set proper permissions:
    Code (Text):

    chmod 644 ~/.ssh/authorized_keys
    And you're done! Log out and log in without typing your password to see if your key has been successfully installed. If it logs you in without asking for a passphrase, success!

    Now it's time to disable password authentication.

    The simplest way is to run these commands:
    Code (Text):

    sed -i 's|[#]*PasswordAuthentication yes|PasswordAuthentication no|g' /etc/ssh/sshd_config
    sed -i 's|UsePAM yes|UsePAM no|g' /etc/ssh/sshd_config
    Alternatively, you could edit the file yourself and change PasswordAuthentication to no, and UsePAM to no as well.
    Code (Text):
    vi /etc/ssh/sshd_config
    That's it for SSH keys. Read on to find out how to further lock down SSH.

    Modify your SSHd config:
    Now you're probably thinking "Why would I need to do this? It works, right?" and you'd be right, however a nice touch always is changing a few basic things to boost your security.
    First of all disable root.
    You have no idea how many times I have to tell people, disable the root account, you have sudo so why would you need to login as root?

    First of all, open up your sshd config:
    Code (Text):
    nano /etc/ssh/sshd_config
    Once you've done that, look for the words
    Code (Text):
    If it says
    Code (Text):
    PermitRootLogin yes
    , change it to
    Code (Text):
    PermitRootLogin no
    What this will do is disable SSH logins to the user root, you have sudo -s, so who cares, you certainly don't :D.

    Next step in the same file is to change the port.
    This is purely optional but it does prevent a lot of annoying bruteforce logs in your /var/log/auth.log
    Look for
    Code (Text):
    Port 22
    , it should be somewhere at the top of the file.
    Change it to some memorable number; for example's sake, 2421. All you change it to is
    Code (Text):
    Port 2421
    , it's as simple as that.


    Then once you've done all that just simply do:

    For Ubuntu/Debian based distribution:
    Code (Text):
    service ssh restart
    For CentOS/RHEL based distribution:
    Code (Text):
    service sshd restart
    This will reload your configs!

    Help! I just logged out and now I can't log in again as root!

    As I went over before, you disabled root! Just login as the new user you created, once you do that if you need to get to say the root user, just do
    Code (Text):
    sudo -s
    This concludes this tutorial, I'll make another post on the more advanced more Minecrafty stuff.
    • Funny Funny x 1
    • Informative Informative x 1
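
An added example, not part of the original post or the wiki article: a small check for the sshd_config directives the article edits (PasswordAuthentication, PermitRootLogin, Port), run before restarting SSH. The function names and the sample config are constructed for illustration; it assumes whitespace-separated "Keyword value" lines and no Include directives.

```shell
#!/bin/sh
# Added example (not from the original post): check the sshd_config values
# the article edits. sshd keeps the FIRST value it reads for a keyword and
# treats keywords case-insensitively, so a later line never overrides an
# earlier one.

# Print the first global value of keyword $2 in file $1, or "unset".
# Assumptions: no Include directives; "Keyword value" separated by whitespace.
sshd_first_value() {
    awk -v want="$2" '
        NF == 0 || $1 ~ /^#/ { next }        # blank lines and comments
        tolower($1) == "match" { exit }      # global section ends at Match
        tolower($1) == tolower(want) { print $2; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Return 0 only when both directives the article sets are explicitly "no".
audit_sshd() {
    rc=0
    for kw in PasswordAuthentication PermitRootLogin; do
        val=$(sshd_first_value "$1" "$kw")
        if [ "$val" = "no" ]; then
            echo "OK    $kw $val"
        else
            echo "FAIL  $kw $val (expected: no)"
            rc=1
        fi
    done
    echo "INFO  Port $(sshd_first_value "$1" Port)"
    return "$rc"
}

# Constructed sample: "PasswordAuthentication no" was appended at the end,
# but an earlier "yes" line is still the one sshd would use.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 2421
PermitRootLogin no
#PasswordAuthentication no
PasswordAuthentication yes
UsePAM no
PasswordAuthentication no
EOF
audit_sshd "$sample" || echo "audit failed: fix the config before restarting sshd"
rm -f "$sample"
```

On a live server, `sshd -t` validates the configuration file before a restart and `sshd -T` prints the effective settings; keep the current session open while testing a new login, as the article's warning says.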
  2. jtaylor69

    jtaylor69 Retired Moderator

    Corin, just wondering whether you will be following up this post?
    If not, can members please contribute to the above page.

  3. Completely forgot, I'll finish it off today.
    • Informative Informative x 1
  4. Awesome tutorial and I expectedly like the "update your shit" section!
    • Like Like x 1
    • Funny Funny x 1
  5. Awesome!

    I'm probably just retarded... but I would like some help here. :3 Never used sudo and groups before... apologies for stupidness, lol.

    OS: CentOS 6.4

    If I use: "usermod -a -G admin <user>" the output is: "usermod: group 'admin' does not exist". How do I create a group called "admin" which will have all privileges of the root user?
    • Agree Agree x 1

  6. Code (Text):
    addgroup admin
    echo "%admin  ALL=(ALL:ALL) ALL" >> /etc/sudoers
    usermod -a -G admin <user>
    or, just

    usermod -a -G sudo <user>

    Same result.
  7. Thank you Sir! :D

    EDIT: Used groupadd instead of addgroup.
    #7 Spxify, Sep 11, 2013
    Last edited: Sep 11, 2013
    • Like Like x 1
  8. Added my old easier method again.
  9. I have a little problem with sudo... if I sudo -s, it doesn't recognize commands like "ruby --version" etc. How to solve this? :3
  10. sudo -s is simply to get you to a root shell, that's all it is.

    Just do sudo -s
    Then run your command :p
  11. That's what I'm doing, it doesn't recognize commands like "ruby --version", while in the root shell after using sudo -s. :/
  12. Well, is ruby installed for the root user? :p
  13. Hi, I'm new to Linux but I have a small question: wouldn't sudo give the normal user as much power as root?
    So wouldn't it still be a high security risk?
  14. It's like giving OP to certain users. You only give it to people you trust! So yourself and other owners etc. Because you create a group with sudo you can just add users to the group.

    EDIT: Sorry, didn't read it properly, but the way I did it was adding users to a usergroup, therefore I don't have to set individual permissions. But what he is talking about is giving a single user access to sudo, not every user on the system!
  15. brajo Maybe add some details about not using FTP but using SFTP as well? FTP doesn't use encryption, so it sends passwords in plain text. This means that passwords can be stolen very easily and therefore your servers can be breached! It's good practice to use SFTP [SSH file transfer protocol] due to the fact it uses client/server authentication and encryption.
    • Agree Agree x 2
  16. jtaylor69

    jtaylor69 Retired Moderator

    Corin is responsible for the article, EternityServers, but I'll gladly pass on the suggestion to him.
  17. Might want to mention about changing firewall rules before doing this so they can log back in ;)
    Not talking from past experience honest :(
  18. I know this is kind of stupid, but when you have a server running in an SSH script, how do you scroll up?
  19. If you're running your server inside a screen session, ctrl+esc+a enters copy mode which will enable you to pageup pagedown. esc to exit copy mode.
    • Like Like x 1
  20. I assume this works, but on windows 8 brings up the fancy start menu. If someone can confirm this working on windows 7, that would be good.