Best Practices for Linux and Minecraft Hosting

Jul 17, 2016
  • While this article is constantly checked to ensure all commands are non-malicious, it can be edited by all members, and some members may have malicious intent. To ensure you always keep access to your server, never disconnect from the session in which you made changes until you have confirmed that you can log in from a new session. This prevents you from locking yourself out, whether through a malicious change or an accident on your part. If you find yourself unable to connect from a new session, use the established session to revert all completed changes.

    So, you just got your new Linux server and know only the basics of it. Great! It's always nice to see people learning Linux.

    Protip: Get into good habits early; it saves having to correct bad habits later, e.g. using root to log in.

    Update your system!:
    Sometimes when you get a server (dedicated or VPS) the software running on it could be outdated. Updating is easy and will make sure you have the latest features and security fixes.

    For Ubuntu/Debian based distribution:
    Code (Text):
    apt-get update
    apt-get -y dist-upgrade
    For CentOS/RHEL based distribution:
    Code (Text):
    yum update
    Those commands will update all of your system's packages and apply distribution security patches, making you more secure on both the OS side and the application side.
    Add your own user:
    The second thing you must always do is add your own user account. Using purely root is the biggest mistake all new admins make. root is the single most powerful account on your system and if someone compromises it, you might as well wave goodbye to it all.
    Code (Text):
    adduser <name>
    So for me it'd be:
    Code (Text):
    adduser cbryars
    Depending on your exact setup, you may or may not be asked to set a password at account creation. If you are not, you can add one with:

    Code (Text):
    passwd <name>
    This will let you change/add the password for the user account you just created, so for example, for me it would be:
    Code (Text):
    passwd cbryars
    Add yourself to sudo:
    Now you're probably thinking "So if I can't login as root, how am I to do actions like update or add new packages?" The answer is sudo. Sudo allows you to change to another user, run applications as other users and so on.
    So, first we need to install sudo, if it's not already installed.

    For Ubuntu/Debian based distribution:
    Code (Text):
    apt-get install sudo
    For CentOS/RHEL based distribution:
    Code (Text):
    yum install sudo
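    Now that you've installed sudo, you'll need to add yourself to the group that the sudoers file grants access to; this is the easy part. Debian/Ubuntu releases use a group named sudo, CentOS/RHEL use wheel, and older Ubuntu releases used admin. If unsure, check /etc/sudoers (open it with visudo) for the %group line and substitute that name below.

    Code (Text):
    usermod -a -G sudo <name>
    So for me it'd be:
    Code (Text):
    usermod -a -G sudo cbryars
    If you run a Debian based distribution, you'll need to restart the sudo service for this to take effect, just do: service sudo restart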

    Quick tutorial to sudo!

    When you're logged in as your user, you'll want to change users a lot (trust me, it's a godsend). For that you'll want to use sudo -su, for example:
    Code (Text):
    sudo -su minecraft
    This will change your shell to the system username: minecraft
    Everything you run while under sudo -su will be run AS THAT USER, so if you, say, run java, the process will be under the user minecraft!

    So say you want to get to root, this is even easier:
    Code (Text):
    sudo -s
    That's it. Running that command will elevate you to a root shell and allow you to essentially log in as root without logging in as root!

    If you wish to leave a sudo -su/sudo -s'd shell and get back to your normal user account, just run the command:
    Code (Text):
    exit
    It'll bring you back to your own shell.

    SSH Keys

    You are a bad source of entropy. Passwords are not particularly secure, even if you utilize fail2ban or similar software. For better security, you'll want to use SSH keys.

    As you probably already have git installed, I'll spare you some time.

    If on Windows, open your command prompt and run
    Code (Text):
     ssh-keygen
    This will generate a 2048 bit RSA key for use with your server. It is strongly recommended that you add a strong passphrase. You must not share the keyfile with anyone - protect it as you would your password.

    In most cases, the command will tell you where the private and public keys are stored. Use the concatenate command (cat) to output your public key file; it should look a bit like this:

    Code (Text):
     ssh-rsa AAA.......
    Now that you've generated your keys, it's time to tell the server what they are. Log in to your server, and cd into the ~/.ssh directory. In some cases, you'll need to create the directory (use the mkdir command).

    Let's create the authorized_keys file and add our public key:
    Code (Text):

    touch ~/.ssh/authorized_keys
    echo "ssh-rsa AAA..." >> ~/.ssh/authorized_keys
     
    Set proper permissions:
    Code (Text):

    chmod 644 ~/.ssh/authorized_keys
     
    And you're done! Log out and log back in to see if your key has been successfully installed. If it logs you in without asking for your account password, success! (If you set a passphrase on the key, you will be asked for that instead.)
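
    As an added example (not part of the original article), the key-install steps above can be wrapped in one shell function that validates the input, sets owner-only permissions and skips a key that is already present. The function name install_pubkey and the sample key are constructed for illustration.

```shell
#!/bin/sh
# Added example: idempotent install of one public key.
# usage: install_pubkey "<public key line>" [home_dir]  (defaults to $HOME)
install_pubkey() {
    key=$1
    home=${2:-$HOME}
    ssh_dir=$home/.ssh
    auth=$ssh_dir/authorized_keys

    # Accept only a single-line public key: "<type> <base64> [comment]".
    # A private key starts with "-----BEGIN" and must never be pasted here.
    case $key in
        *'
'*) echo "refusing multi-line input" >&2; return 2 ;;
    esac
    case $key in
        ssh-rsa\ AAAA*|ssh-ed25519\ AAAA*|ecdsa-sha2-*\ AAAA*) ;;
        *) echo "not an OpenSSH public key line" >&2; return 2 ;;
    esac

    # sshd (StrictModes) refuses key login when the directory or file is
    # writable by anyone but the owner, so make both owner-only.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1

    # Append only if this exact line is not already present.
    if grep -qxF -- "$key" "$auth"; then
        echo "key already present"
    else
        printf '%s\n' "$key" >> "$auth"
        echo "key added"
    fi
}

# Demo with a constructed (not real) key in a throwaway home directory.
demo_home=$(mktemp -d)
install_pubkey 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructedSampleNotARealKey user@laptop' "$demo_home"
rm -rf "$demo_home"
```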

    Now it's time to disable password authentication.

    The simplest way is to run these commands:
    Code (Text):

    sed -i 's|[#]*PasswordAuthentication yes|PasswordAuthentication no|g' /etc/ssh/sshd_config
    sed -i 's|UsePAM yes|UsePAM no|g' /etc/ssh/sshd_config
     
    Alternatively, you could edit the file yourself and change PasswordAuthentication to no, and UsePAM to no as well.
    Code (Text):
    vi /etc/ssh/sshd_config
    That's it for SSH keys. Read on to find out how to further lock down SSH.

    Modify your SSHd config:
    Now you're probably thinking "Why would I need to do this? It works, right?" and you'd be right. However, changing a few basic things is always a nice touch that boosts your security.
    First of all, disable root.
    You have no idea how many times I have to tell people: disable the root account. You have sudo, so why would you need to log in as root?

    First of all, open up your sshd config:
    Code (Text):
    nano /etc/ssh/sshd_config
    Once you've done that, look for the words
    Code (Text):
    PermitRootLogin
    If it says
    Code (Text):
    PermitRootLogin yes
    change it to
    Code (Text):
    PermitRootLogin no
    This disables SSH logins as the user root. You have sudo -s, so who cares? You certainly don't :D.

    Next step in the same file is to change the port.
    This is purely optional, but it does prevent a lot of annoying brute-force logs in your /var/log/auth.log.
    Look for
    Code (Text):
    Port 22
    It should be somewhere at the top of the file.
    Change it to some memorable number; for example's sake, 2421. All you change it to is
    Code (Text):
    Port 2421
    It's as simple as that.


    IF YOU DO CHANGE THE PORT, REMEMBER IT. YOU'LL NEED IT TO LOG INTO SSH AGAIN.

    Then, once you've done all that, simply do:

    For Ubuntu/Debian based distribution:
    Code (Text):
    service ssh restart
    For CentOS/RHEL based distribution:
    Code (Text):
    service sshd restart
    This will reload your configs!
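
    Before restarting sshd, it helps to confirm which values the daemon will actually use, since sshd keeps the first value it reads for each keyword and the sed commands above only touch lines that already say yes. The following is an added example, not part of the original article; the function names and the sample config are constructed, and it assumes no Include files.

```shell
#!/bin/sh
# Added example. Reads an sshd_config-style file and reports the global
# value for a keyword. sshd keeps the FIRST value it reads per keyword,
# keywords are case-insensitive, and lines after "Match" are conditional.
# Assumption: whitespace-separated "Keyword value" lines, no Include files.
sshd_effective() {   # usage: sshd_effective <file> <keyword> <default>
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        NF == 0 || $1 ~ /^#/    { next }   # blank lines and comments
        tolower($1) == "match"  { exit }   # globals end at first Match
        tolower($1) == want     { print $2; found = 1; exit }
        END { if (!found) print def }      # keyword absent: built-in default
    ' "$1"
}

# Compare against the targets this article sets; returns 1 on any miss.
# Defaults used: PasswordAuthentication yes, Port 22, and PermitRootLogin
# prohibit-password (the OpenSSH 7.0+ default; older releases default to yes).
audit_sshd() {   # usage: audit_sshd <file>
    cfg=$1; rc=0
    pw=$(sshd_effective "$cfg" PasswordAuthentication yes)
    root=$(sshd_effective "$cfg" PermitRootLogin prohibit-password)
    port=$(sshd_effective "$cfg" Port 22)
    [ "$pw" = no ]   || { echo "WARN PasswordAuthentication=$pw"; rc=1; }
    [ "$root" = no ] || { echo "WARN PermitRootLogin=$root"; rc=1; }
    echo "INFO Port=$port"
    return "$rc"
}

# Constructed sample: PermitRootLogin is only commented out globally and
# PasswordAuthentication appears twice with different case.
sample_config() {
    cat <<'EOF'
Port 2421
#PermitRootLogin yes
passwordauthentication no
PasswordAuthentication yes
Match Address 10.0.0.0/8
    PermitRootLogin no
EOF
}

# Demo on the sample; on a real host point audit_sshd at /etc/ssh/sshd_config.
tmp=$(mktemp) && sample_config > "$tmp" && { audit_sshd "$tmp" || true; }
rm -f "$tmp"
```

    On a real server, sshd -t checks the file for syntax errors and sshd -T prints the effective configuration; run one of them as root before the restart and keep your current session open until a new login works.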

    Help! I just logged out and now I can't log in again as root!

    As I went over before, you disabled root! Just log in as the new user you created. Once you've done that, if you need to get to, say, the root user, just do
    Code (Text):
    sudo -s
    This concludes this tutorial. I'll make another post on the more advanced, more Minecrafty stuff.