Secure Server Setup - MeepLabs/Node-Token-Authentication GitHub Wiki
Note
This guide is still in progress and will be frequently updated in the coming weeks.
Intro
This is a quick guide to help you understand how to set up a secure server to run any NodeJS application on. It is tailored to Node-Token-Authentication, since it directly relates to this project. This guide only covers system setup for Ubuntu servers running the latest Ubuntu server version. If you are concerned with security in computing, you should always be up to date with system updates and patches.
- Update and Upgrade
- Adding a New User
- Securing SSH Access
- Setup a Firewall
- Install and Configure NodeJS
Update and Upgrade
The first thing you should always do when booting into a new system is update the software catalog and upgrade all packages that need to be upgraded.
sudo apt update
sudo apt upgrade
Adding a New User
Most hosting companies start you out on the root account so that you can configure your server more easily. For a more secure setup, we will remove remote access for the root user and add a new user to use for remote management.
Add new user
Note: For the rest of this guide we will use {username} as a placeholder for your username. When you see this in the rest of the guide replace it with the username you choose for this command.
adduser {username}
Enter the details for the new user when prompted.
Add the new user to the sudo group
Adding your new user account to the sudo group allows you to run root-level commands from your user account using the program sudo, which you will see a lot in the rest of this guide.
usermod -aG sudo {username}
Test sudo access
Now we will change to the new user and make sure that we have access to sudo so that we can continue to the rest of the guide.
su - {username}
whoami
sudo whoami
The first command changes to your new user. The second command should print your new {username} and the third command should print root after prompting for your account password.
Securing SSH Access
Ubuntu server ships with an SSH server which allows you to remotely connect to your server via the SSH protocol. The default settings are pretty good, but they are widely considered insecure for production use. To fix this, we have to edit some configuration files to change the defaults.
Setup your own SSH key (if you don't have one already)
This is a little out of the scope of this documentation, so I won't post the whole process here, but there are great articles around the internet that show you how to create your SSH keys on all platforms, like this one from Atlassian.
Add your SSH key to the server
In order to connect to your server using your SSH key for authentication, you have to add your public key to your server's authorized keys file. To do this, edit ~/.ssh/authorized_keys with your preferred editor and paste your public key onto a new line at the bottom of the file. Make sure you save the file before closing.
Testing SSH authorization
The next steps will disable all other authentication except for SSH key authorization, so make sure that your key works by closing your current connection and logging in without a password. If this is successful, you are ready to move on to the next steps.
Disable root login
Edit /etc/ssh/sshd_config in your favorite text editor and look for the PermitRootLogin property. Set that property to no so that the line looks like PermitRootLogin no.
Remove password authentication
Now that SSH key authorization is set up and working, we can disable password authentication, which means that the only way to log in to the system's remote SSH console is by using SSH key authorization.
Edit /etc/ssh/sshd_config in your favorite text editor and look for the PasswordAuthentication property. Set that property to no so that the line looks like PasswordAuthentication no.
Restart the SSH server to enable this change
sudo service ssh restart
Change default SSH port
SSH runs on port 22 by default, so attackers automatically know which port to look for. A simple step to slightly improve security is to change that port, so that the default SSH port appears closed to any attacker while you can still securely log in to your server remotely via SSH.
Edit /etc/ssh/sshd_config in your favorite text editor and look for the Port property. Set that property to {port} (replacing {port} with your chosen port number) so that the line looks like Port {port}.
For the rest of this guide we will use {port} to refer to the port number you choose in this step.
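The three sshd_config changes in this section can be checked with a short script. This is an added example, not part of the original guide; the function names sshd_values and audit_sshd_config and the sample file contents are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the wiki): audit an sshd_config-style file for the
# three settings changed in this section.

# Print every active global value of keyword $1 in file $2, one per line.
sshd_values() {
    awk -v key="$1" '
        /^[ \t]*(#|$)/              { next }   # comment or blank line
        { sub(/[ \t]*=[ \t]*/, " ") }          # accept the "Keyword=value" form
        tolower($1) == "match"      { exit }   # Match blocks apply conditionally
        tolower($1) == tolower(key) { print tolower($2) }
    ' "$2"
}

# Print one FAIL line per weak setting in file $1; return 1 if any was found.
audit_sshd_config() {
    file="$1"; rc=0
    # sshd keeps the FIRST value it reads for these keywords, so take line 1.
    root=$(sshd_values PermitRootLogin "$file" | head -n 1)
    pass=$(sshd_values PasswordAuthentication "$file" | head -n 1)
    # Port may be given several times; sshd listens on every one of them.
    ports=$(sshd_values Port "$file" | tr '\n' ' ')
    # A missing keyword means sshd falls back to its built-in default.
    [ "${root:-prohibit-password}" = "no" ] ||
        { echo "FAIL PermitRootLogin=${root:-unset}"; rc=1; }
    [ "${pass:-yes}" = "no" ] ||
        { echo "FAIL PasswordAuthentication=${pass:-unset}"; rc=1; }
    case " ${ports:-22 }" in
        *" 22 "*) echo "FAIL Port=22"; rc=1 ;;
    esac
    return "$rc"
}

# Constructed sample: the later "PasswordAuthentication no" is ignored because
# an earlier "yes" line comes first. 2222 stands in for {port}.
sample=$(mktemp)
printf '%s\n' '#PermitRootLogin yes' 'PermitRootLogin no' \
    'PasswordAuthentication yes' 'PasswordAuthentication no' \
    'Port 2222' > "$sample"
audit_sshd_config "$sample" || true   # prints: FAIL PasswordAuthentication=yes
rm -f "$sample"
```

On the server, run audit_sshd_config /etc/ssh/sshd_config. The script does not follow Include lines, so compare its result with sudo sshd -T, which prints the configuration sshd actually uses.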
Setup a Firewall
Ubuntu server ships with a great, simple firewall called UFW (Uncomplicated Firewall). For this guide we will simply enable UFW with some rules for running NodeJS web applications. If you have more public-facing services running, you may need to allow more ports for them to work, so keep that in mind.
Setup more secure defaults
These default rules make the server more secure by denying incoming requests on ports that are not specifically allowed but allowing outgoing access on all ports.
sudo ufw default deny incoming
sudo ufw default allow outgoing
Enable ports we will be using
We will need to specifically enable incoming requests on the ports our application will be running on. This allows incoming connections on those ports, since we have set up the defaults to deny all ports unless specifically allowed.
sudo ufw allow http
sudo ufw allow https
Next we need to enable the SSH port that you chose in the Securing SSH Access section so that you will be able to log in via SSH after the firewall is enabled. Make sure you replace {port} with the port number you chose before.
sudo ufw allow {port}
Enable UFW
Now we are ready to enable UFW so that it will apply the rules we have set up.
sudo ufw enable
Check the status of UFW to ensure that our rules have been applied
sudo ufw status
Turn logging on for UFW so that you can view firewall logs later on if some issue occurs
sudo ufw logging on
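The status check above can be automated by comparing the ufw status output with the list of ports this guide opens. This is an added example, not part of the original guide; the function names check_ufw_status and sample_status are made up, and the sample output is constructed, with 2222 standing in for {port}.

```shell
#!/bin/sh
# Added example (not from the wiki): compare `ufw status` output with the ports
# this guide opens.

# stdin: output of `ufw status`; arguments: the ports that should be open.
# Prints one finding per line and returns 1 if there is any finding.
check_ufw_status() {
    awk -v want="$*" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) expected[w[i]] = 1 }
        /^Status: active/ { active = 1 }
        { gsub(/\(v6\)/, "") }                  # IPv6 rows repeat the IPv4 rules
        $2 == "ALLOW" { split($1, part, "/"); seen[part[1]] = 1 }   # "80/tcp" -> 80
        END {
            if (!active) { print "firewall inactive"; bad = 1 }
            for (port in seen)
                if (!(port in expected)) { print "unexpected " port; bad = 1 }
            for (port in expected)
                if (!(port in seen)) { print "missing " port; bad = 1 }
            exit bad + 0
        }
    '
}

# Constructed sample in the layout `ufw status` prints; 2222 stands in for {port}.
sample_status() {
    cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
2222                       ALLOW       Anywhere
80/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)
2222 (v6)                  ALLOW       Anywhere (v6)
EOF
}

sample_status | check_ufw_status 80 443 2222 || true   # no findings
sample_status | check_ufw_status 80 443 2200 || true   # 2222 unexpected, 2200 missing
```

On the server, feed it the live ruleset with sudo ufw status | check_ufw_status 80 443 {port}. A "missing" finding for your SSH port means you would be locked out of new SSH sessions.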
Install and Configure NodeJS
Now that we have some more secure defaults for the server, we can install and configure NodeJS and supporting programs like the Node Package Manager (npm). NodeSource provides a script that automatically installs NodeJS and npm. However, it is insecure to blindly run shell scripts from the internet, so we will download the script, review it, and then run it. To do this you will need a basic understanding of bash (Bourne Again Shell) scripts.
wget -O installNode8.sh https://deb.nodesource.com/setup_8.x
Review the shell script installNode8.sh by opening it in your favorite editor. Once you have decided that it is safe to run on your system, we can give the file executable permissions, run the script as root, and remove the script from the system once the install is completed.
chmod +x installNode8.sh
sudo sh installNode8.sh
rm installNode8.sh