Securing An Opensim Ubuntu Server is not a comprehensive article. Instead, it is an accompaniment to the series of blogs I have written about running Opensim on Ubuntu. Yet nothing in this article is specific to opensimulator. The processes described can be applied to any Linux server, though the setup method will vary from distribution to distribution.

All servers connected to the internet can and probably will be targeted at some time. Opensim servers (like many others) frequently suffer brute force attacks. Additionally, many services in frequent use can give attackers a doorway into a server. Services like PHPMyAdmin offer useful mechanisms for managing databases. However, if left to their default settings they can open doors for attackers.

Covered in this article

  • Changing the SSH port
  • Creating and using SSH key pairs
  • Installing and setting up fail2ban
  • UFW (uncomplicated firewall)
  • Web-Tools Security (change the default path and add a second password layer).

Securing An Opensim Ubuntu Server – Changing the SSH port

By default SSH listens on port 22, and many attackers scan for machines with port 22 open. Changing the port will not stop a determined attacker, but it does reduce the amount of automated attack traffic a server has to deal with.

Update UFW to allow the new port

This first stage is VITAL. If the new SSH port is not allowed in the firewall rules before SSH is switched over to it, the server will become inaccessible remotely!

First pick an available port number. To find a list of open ports on the system do:

sudo lsof -i -P -n | grep LISTEN

The output will look similar to

systemd-r     536 systemd-resolve   13u  IPv4   17704      0t0  TCP 127.0.0.53:53 (LISTEN)
mono          583        www-data    5u  IPv4   21917      0t0  TCP *:8084 (LISTEN)
nginx         651            root    6u  IPv4   19213      0t0  TCP *:80 (LISTEN)
nginx         652        www-data    6u  IPv4   19213      0t0  TCP *:80 (LISTEN)
nginx         653        www-data    6u  IPv4   19213      0t0  TCP *:80 (LISTEN)
nginx         654        www-data    6u  IPv4   19213      0t0  TCP *:80 (LISTEN)
nginx         655        www-data    6u  IPv4   19213      0t0  TCP *:80 (LISTEN)
nginx         656        www-data    6u  IPv4   19213      0t0  TCP *:80 (LISTEN)
nginx         657        www-data    6u  IPv4   19213      0t0  TCP *:80 (LISTEN)
nginx         658        www-data    6u  IPv4   19213      0t0  TCP *:80 (LISTEN)
nginx         659        www-data    6u  IPv4   19213      0t0  TCP *:80 (LISTEN)
mysqld        668           mysql   26u  IPv4   17157      0t0  TCP 127.0.0.1:3306 (LISTEN)

This needs to be done with Opensim already running, unless the port numbers it uses are already known. The port numbers are on the right, just before where it says “(LISTEN)”. Pick a four-digit port number which is not in use. For example, on this system 2789 could be chosen: it is not in use and is not used by Opensimulator. Next, allow this port through UFW.

sudo ufw allow 2789/tcp
Rule added
Rule added (v6)

Changing the SSH port

  • Edit the SSH config file with a text editor such as nano
  • Restart SSH
sudo nano /etc/ssh/sshd_config
#       $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile     .ssh/authorized_keys .ssh/authorized_keys2

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

# override default of no subsystems
Subsystem       sftp    /usr/lib/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       PermitTTY no
#       ForceCommand cvs server

Near the top of the file change “Port 22” to the port number added to the firewall above. Save and exit with

CTRL+O ENTER
CTRL+X

Restart the ssh server with

sudo systemctl restart ssh

IMPORTANT: before closing the existing SSH session, open a new terminal and try to connect on the new port. If for any reason it doesn’t work, revert the changes from the session that is still open. To access the server using the new SSH port use

ssh -p port userName@ipaddress/url

Replace “port” with the port just set, “userName” with the account user name and “ipaddress/url” with either the IP address or the hostname of the server.

Block Port 22 with UFW

Now that SSH is working on the new port, remove the rule that allows port 22 through UFW (with UFW’s default deny-incoming policy, that blocks it). Running sudo ufw status numbered lists the existing rules; if port 22 was originally allowed as “OpenSSH” or “ssh” rather than “22/tcp”, delete that rule instead.

sudo ufw delete allow 22/tcp

Securing An Opensim Ubuntu Server – Create And Add SSH key pair

Generate the key pair

This stage is done on the local machine rather than the server. Windows users can use PowerShell instead of a Linux terminal. First, generate a strong key pair.

ssh-keygen -b 4096

Unless there is an existing key pair, just press Enter to accept the default location for the key pair. When prompted, enter a new passphrase twice. Key-pair authentication does not require a passphrase; it just provides an additional layer of security. To use the key pair without a passphrase, press Enter when prompted without entering one. Output similar to the following is shown.

The key fingerprint is:
SHA256:eZH85b/egcqTP7Cpy6hbH02+HnDCmoXStLprRlXSZ7M sara@ns524967
The key's randomart image is:
+---[RSA 4096]----+
|        .        |
|       . + =     |
|       .o * o .  |
|      o.+. E o   |
|     ..+S=.o. .  |
|     .o +.B.  .. |
|    .. + . +=. ..|
|     oo + o=+.  +|
|    o=+. =+=o.oo.|
+----[SHA256]-----+

Copy the key pair to the server

Linux users

ssh-copy-id -p port userName@remoteHost

Windows users (using PowerShell) or Linux users unable to use ssh-copy-id

cat ~/.ssh/id_rsa.pub | ssh -p port userName@remoteHost "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"

Replace the port, userName, remote host and key file name (if not the default) with the ones matching your local machine and server. The mkdir and chmod steps create the .ssh directory with the permissions sshd insists on, in case it does not exist yet. Connect to the remote host exactly as before. If a passphrase is set, it will ask for it; if not, it will connect using just the key pair.

Turn off password authentication

Edit the SSH config file again

sudo nano /etc/ssh/sshd_config

Scroll down to “PasswordAuthentication yes” and change “yes” to “no”, so that only key-based logins are accepted. Do this only after confirming, in a second terminal, that the key-based login works; otherwise the account will be locked out once SSH restarts. Then save, exit and restart SSH.

CTRL+O ENTER
CTRL+X
sudo systemctl restart ssh
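The port change and the password-authentication edit above are both edits to /etc/ssh/sshd_config followed by a restart, and both can lock an administrator out if done in the wrong order or with a typo. The following shell functions are an added example, not code from the original article: they keep the article’s order (firewall first, then config, then a syntax check with sshd -t, then restart), edit a staged copy of the file rather than the live one, refuse to disable passwords for an account that has no authorized_keys yet, and finally print what the running sshd actually uses (sshd -T, which also reflects any drop-in files under /etc/ssh/sshd_config.d on newer Ubuntu releases). The function names and the backup file naming are this example’s own assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: helper functions for the
# port change and the PasswordAuthentication edit described above. The
# functions take the sshd_config path as an argument so they can be tried on
# a copy first; only apply_ssh_port and apply_key_only_login touch the live
# system. Function names and backup file names are this example's own.
set -eu

# port_in_use LISTING PORT
# LISTING is the text of `sudo lsof -i -P -n | grep LISTEN`. Succeeds if
# PORT is already a listening port, fails otherwise. Requiring whitespace
# or end of line after the port stops 80 from matching 8084.
port_in_use() {
    local listing="$1" port="$2"
    printf '%s\n' "$listing" | grep -Eq "[:*]${port}([[:space:]]|$)"
}

# set_sshd_option FILE KEY VALUE
# Rewrite an existing "KEY ..." line (commented out or not) as "KEY VALUE",
# or append it if the file has no such line, so re-running is harmless.
# Intended for global keys such as Port and PasswordAuthentication.
set_sshd_option() {
    local file="$1" key="$2" value="$3"
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}[[:space:]]" "$file"; then
        sed -E -i "s|^[[:space:]]*#?[[:space:]]*${key}[[:space:]].*|${key} ${value}|" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# stage_sshd_config  - copy the live file to a temp file and print its path
stage_sshd_config() {
    local tmp
    tmp="$(mktemp)"
    cp /etc/ssh/sshd_config "$tmp"
    printf '%s\n' "$tmp"
}

# install_sshd_config TMP  - syntax-check the staged file, back up the live
# one, install it and restart. Keep the current session open while testing!
install_sshd_config() {
    local tmp="$1"
    sudo sshd -t -f "$tmp"
    sudo cp /etc/ssh/sshd_config "/etc/ssh/sshd_config.bak.$(date +%Y%m%d%H%M%S)"
    sudo install -m 644 -o root -g root "$tmp" /etc/ssh/sshd_config
    sudo systemctl restart ssh
}

# apply_ssh_port PORT  - firewall rule first, then the config, as the article
# orders it; refuses a port that something else is already listening on.
apply_ssh_port() {
    local port="$1" listing tmp
    listing="$(sudo lsof -i -P -n | grep LISTEN || true)"
    if port_in_use "$listing" "$port"; then
        echo "port $port is already in use on this host" >&2
        return 1
    fi
    sudo ufw allow "${port}/tcp"
    tmp="$(stage_sshd_config)"
    set_sshd_option "$tmp" Port "$port"
    install_sshd_config "$tmp"
    echo "now test from a NEW terminal: ssh -p $port user@host"
}

# apply_key_only_login  - disable password logins only if this account
# already has a key installed, then show the effective settings.
apply_key_only_login() {
    local tmp
    if [ ! -s "$HOME/.ssh/authorized_keys" ]; then
        echo "no authorized_keys for ${USER:-$(id -un)}; install the key first" >&2
        return 1
    fi
    tmp="$(stage_sshd_config)"
    set_sshd_option "$tmp" PubkeyAuthentication yes
    set_sshd_option "$tmp" PasswordAuthentication no
    install_sshd_config "$tmp"
    # sshd -T prints the effective, lower-cased settings, including anything
    # pulled in from drop-in files; this is the value that actually counts.
    sudo sshd -T | grep -E '^(port|passwordauthentication|pubkeyauthentication) '
}
```

On the server the sequence is apply_ssh_port 2789 (then a test login from a second terminal), the key copy described above, and only then apply_key_only_login. Because set_sshd_option replaces a commented-out line as readily as an active one, it works on the newer sshd_config layout where Port and PasswordAuthentication ship commented out.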

Securing An Opensim Ubuntu Server – Installing and setting up fail2ban

fail2ban monitors login attempts and updates firewall rules to block addresses which repeatedly fail authentication. Install it with:

sudo apt-get install fail2ban

Now start the service and enable it at startup.

sudo systemctl start fail2ban
sudo systemctl enable fail2ban

Next setup a new local jail configuration file by creating it with a text editor such as nano.

sudo nano /etc/fail2ban/jail.local

Add the content listed below changing the port number to match the port number used for SSH.

[sshd]
enabled = true
port = 22
filter = sshd
logpath = /var/log/auth.log
maxretry = 3

Now save, close and restart fail2ban

CTRL+O ENTER
CTRL+X
sudo systemctl restart fail2ban
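The jail’s port line matters more than it looks: fail2ban’s ban action restricts the block to the jail’s port, so a jail left at port = 22 after SSH has moved to 2789 bans nothing useful. The functions below are an added example, not the article’s or fail2ban’s own code: they read the active Port line from sshd_config and generate the jail from it, so the two settings cannot drift apart, and then confirm the jail loaded with fail2ban-client. The findtime/bantime values and the optional banaction = ufw line are this example’s additions.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: generate the [sshd] jail
# from the port sshd is really configured on. fail2ban's ban action limits
# the block to the jail's port, so a jail left at port = 22 while SSH runs
# on 2789 would ban nothing useful. Function names are this example's own.
set -eu

# sshd_port SSHD_CONFIG  - the active Port line, or 22 if none is set
# (a commented-out "#Port 22" is not an active setting)
sshd_port() {
    local p
    p="$(awk '$1 == "Port" { print $2; exit }' "$1")"
    printf '%s\n' "${p:-22}"
}

# render_sshd_jail PORT [MAXRETRY]  - jail.local text, as in the article,
# with the failure window and ban duration made explicit
render_sshd_jail() {
    local port="$1" maxretry="${2:-3}"
    cat <<EOF
[sshd]
enabled = true
port = ${port}
filter = sshd
logpath = /var/log/auth.log
maxretry = ${maxretry}
# ${maxretry} failures within findtime seconds => banned for bantime seconds
findtime = 600
bantime = 3600
# Uncomment to express bans as ufw rules instead of raw iptables entries
# banaction = ufw
EOF
}

# write_sshd_jail OUT_FILE [SSHD_CONFIG]
write_sshd_jail() {
    local out="$1" cfg="${2:-/etc/ssh/sshd_config}"
    render_sshd_jail "$(sshd_port "$cfg")" > "$out"
}

# apply_sshd_jail  - install the jail and confirm fail2ban loaded it
apply_sshd_jail() {
    local tmp
    tmp="$(mktemp)"
    write_sshd_jail "$tmp" /etc/ssh/sshd_config
    sudo install -m 644 -o root -g root "$tmp" /etc/fail2ban/jail.local
    sudo systemctl restart fail2ban
    # Lists the jail's current failures and banned addresses; an error here
    # means the jail did not load (check "sudo journalctl -u fail2ban").
    sudo fail2ban-client status sshd
}
```

Re-run apply_sshd_jail whenever the SSH port changes; the status output is also the quickest way to see whether brute-force attempts are actually being caught.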

Securing An Opensim Ubuntu Server – Web-Tools Security

Something to note: these examples use HTTP to keep them simple. Using HTTP instead of HTTPS is not a good idea; HTTPS should always be used, not least because the basic-authentication password added below travels in clear text over plain HTTP. Certbot can be used to get free SSL certificates.

In this section, two stages will be covered: first moving web tools away from their default URLs to alternatives, then adding a second password layer in Nginx. The example uses PhpMyAdmin but applies to most web-based system tools. Similarly, while Nginx is the web server in the example, similar processes are available with Apache2.

Changing the default URL

We are starting from the assumption that PhpMyAdmin is already set up and working under Nginx, and that the symbolic link created between PhpMyAdmin and the web folders is called “phpmyadmin” (as commonly seen in tutorials). The first step is to rename that link to something unusual: there are a lot of scans for this folder precisely because the name is so common.

Navigate to the folder containing the PhpMyAdmin link (probably /var/www or /var/www/public_html) and rename it to something generic. In this example, the generic name is “nothinghere”.

sudo mv phpmyadmin nothinghere

Use a web browser to confirm this simple change: navigating to the original URL/phpmyadmin now gives a 404 error, while URL/nothinghere (per the example) displays the PhpMyAdmin login page.

Password Protect the site

There are multiple ways of creating an HTTP basic-authentication password file. For this example, the htpasswd tool from the apache2-utils package is used, since Nginx reads the same file format. Install apache2-utils with

sudo apt-get install apache2-utils

Create a new password file

sudo htpasswd -c /etc/nginx/.htpasswdNothingHere user

Replace “.htpasswdNothingHere” with another meaningful file name starting with a . so it remains hidden, and “user” with the user name for the password. The -c flag creates the file; leave it out when adding a further user to an existing file, because -c overwrites whatever is already there.

Next edit the default Nginx server block (the file called “default” under the Nginx sites configuration; substitute the name of the server block file actually in use). It should look something like:

server {
    . . .

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }

    . . .
}

Add a new location section so it is similar to the one below, changing “nothinghere” to match the folder name chosen above and “.htpasswdNothingHere” to the file name used in the section above.

server {
    . . .

    location / {
        try_files $uri $uri/ =404;
    }

    location /nothinghere {
        auth_basic "Admin Login";
        auth_basic_user_file /etc/nginx/.htpasswdNothingHere;
    }

    . . .
}

Save the file, exit and restart nginx

CTRL+O ENTER
CTRL+X
sudo systemctl restart nginx

Now visit the site again: it will request authentication before even offering the PhpMyAdmin login page. This keeps PhpMyAdmin out of the scans that look for it at its default path and puts a second password in front of it.
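One detail of Nginx location matching is worth checking here. Nginx picks the longest matching prefix location, but then still tries the regular-expression locations, and a matching regex location wins. A PhpMyAdmin setup normally has a server-level “location ~ \.php$” block handing scripts to PHP-FPM, so a request for /nothinghere/index.php is served by that block, which has no auth_basic, even though a request for /nothinghere/ is challenged. The functions below are an added example, not the article’s or Nginx’s own code: the first renders a location block that uses the ^~ modifier (stop at this prefix, skip the regex locations) and nests the PHP handler inside it so it inherits the password check; the second requests both paths without credentials and succeeds only if both come back 401. The fastcgi socket path and the snippets/fastcgi-php.conf include are assumptions, to be copied from whatever the server’s existing PHP location uses.

```shell
#!/usr/bin/env bash
# Added example, not from the original article. render_protected_location
# prints an nginx location block for the renamed PhpMyAdmin path that also
# covers direct requests for .php files; check_basic_auth confirms from the
# outside that the protection holds. The fastcgi socket path and the
# snippets/fastcgi-php.conf include are assumptions: copy whatever the
# server's existing PHP location uses. Function names are this example's own.
set -eu

# render_protected_location NAME HTPASSWD_FILE FPM_SOCKET
render_protected_location() {
    local name="$1" htpasswd="$2" fpm_sock="$3"
    cat <<EOF
# ^~ makes nginx stop at this prefix instead of going on to check regex
# locations, so a server-level "location ~ \\.php\$" handler cannot serve
# /${name}/index.php without the password. The nested PHP location inherits
# auth_basic from its parent.
location ^~ /${name}/ {
    auth_basic "Admin Login";
    auth_basic_user_file ${htpasswd};
    index index.php index.html;

    location ~ \\.php\$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:${fpm_sock};
    }
}
EOF
}

# all_401 CODE...  - succeed only if every HTTP status code given is 401
all_401() {
    local c
    [ "$#" -gt 0 ] || return 1
    for c in "$@"; do
        [ "$c" = 401 ] || return 1
    done
}

# check_basic_auth BASE_URL NAME  - request the directory and the index
# script directly, without credentials; both must be refused with 401.
check_basic_auth() {
    local base="$1" name="$2" path code codes=""
    for path in "/$name/" "/$name/index.php"; do
        code="$(curl -s -o /dev/null -w '%{http_code}' "${base}${path}")"
        codes="${codes}${codes:+ }${code}"
    done
    printf 'status codes without credentials: %s\n' "$codes"
    # shellcheck disable=SC2086  (word splitting into separate codes is intended)
    all_401 $codes
}

# Typical use on the server (socket path is a placeholder for this example):
#   render_protected_location nothinghere /etc/nginx/.htpasswdNothingHere \
#       /run/php/php-fpm.sock | sudo tee /etc/nginx/snippets/admin-tools.conf
# then add "include snippets/admin-tools.conf;" inside the server block,
# run "sudo nginx -t" and "sudo systemctl reload nginx", and verify with:
#   check_basic_auth http://your.server.example nothinghere
```

If check_basic_auth reports a 200 for the index.php path while the directory path gives 401, the server-level PHP location is still winning and the ^~ block has not taken effect; sudo nginx -t will also flag a misplaced or duplicated location.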

Securing An Opensim Ubuntu Server - Nginx authentication screen

Securing An Opensim Ubuntu Server – Previous And Related Articles

Securing An Opensim Ubuntu Server is part of a series of blogs written about using Opensimulator on Ubuntu.

Other Related Articles

Fire And Ice Grid – Grid Attack And Restore.

Written by Sara Payne

Student of Computer Science at The University Of Hull and small. The proprietor of 2 small businesses (1st Class Travel Taxis and The Fire And Ice Opensim Grid), also an app-based student of Italian.
