Securing your VPS/Server

Securing your VPS/Server Guidelines

This guide is divided into several sections.

Congratulations, by this time you have a VPS deployed.

By default you receive your VPS credentials upon deployment: full root access.

Add a new sudo user for basic administration tasks and reserve the root account for the few jobs that actually need it.


Connecting to your VPS via SSH


Basic SSH Configuration Tips:

Change the SSH Port away from the standard Port 22.


Change the SSH port

One of the most common points of attack is port 22: automated scanners and brute-force scripts try it on every host they find. Moving SSH to another port discourages many of them and keeps that noise out of your logs. It is obscurity rather than protection, though; a port scan still finds sshd, so pair it with the password and root-login rules later in this guide. In order to change the port do the following:


$ nano /etc/ssh/sshd_config


You should locate a line that looks like:


#Port 22


Un-comment this line and change the port number. A port number above 1024 is recommended. (Be aware that any local user can bind a port above 1024, so if sshd ever fails to start, an unprivileged process could take the port; ports below 1024 need root.) On CentOS/RHEL with SELinux enforcing, sshd will also be refused a non-standard port until that port is added to the ssh_port_t type with semanage. This section of your sshd_config should now look like:


Port 2222
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::


You can now save and exit nano (Ctrl x). Run sshd -t first: it prints nothing when the file is valid, and a syntax error found now is far cheaper than one found after the restart. Then restart the SSHD service by issuing the following command:


$ service sshd restart

IMPORTANT: Make sure you can connect to SSH using the new port. Leave your current SSH session open and open a new session using the new port you set above. If you can connect on the new port, everything is good. If you cannot, you need to figure out why; this is why you left the original SSH session open, otherwise you would be locked out of your server.


If you cannot connect to the port, you may need to add the new port in your IPTables. First, open your IPtables rules:


$ nano /etc/sysconfig/iptables


Next locate the existing rule for port 22 (on a stock CentOS 6 file it reads -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT) and add the following directly below it, changing #### to the port you set for SSH. Two things matter here: the file is in iptables-save format, so the line starts with -A and does not carry the iptables command name; and the rule must sit above the -A INPUT -j REJECT line near the bottom, because the chain is evaluated in order and a rule placed after the catch-all reject (for example directly above COMMIT) is never reached. Once you are sure the new port works, delete the old port 22 rule:


-A INPUT -m state --state NEW -m tcp -p tcp --dport #### -j ACCEPT


You can now save and exit nano (Ctrl x) and restart the IPtables service:


$ service iptables restart


You should now try to connect to SSH again. If you still cannot connect to it, it would be best to set your SSH port back to 22 and file a ticket and we will help you set it up.



Use strong passwords for everything


One of the most common causes of system breach is weak passwords. For a strong password, follow a few simple guidelines:


Minimum password length should be 10 characters; longer is better.

Always use a mix of numbers, letters, uppercase, lowercase, and symbols (when allowed).

Strong password example: s2pxP0iYZLwl0Le_qKtm (generate your own; never reuse one printed in a guide).

If you need to change your root password, issue the following command and follow the prompts:


$ passwd


Disable Root User


It is a security risk to leave root able to log in over SSH: it is the one account name every attacker already knows, so every brute-force attempt targets it. Most operations and installs should not be done as root anyway. Instead, create a regular user and, when you need root privileges, use the su command (or sudo, if you have given the user sudo rights).

To add a user, do the following, replacing “yournewuser” with your desired username (-m creates the home directory; CentOS does this by default, Debian and Ubuntu do not):


$ useradd -m yournewuser
$ passwd yournewuser


Now, disable root login to SSH by editing your sshd_config file:


$ nano /etc/ssh/sshd_config


Find the PermitRootLogin line, remove the leading # and set it to no:


PermitRootLogin no


Now save and exit nano (Ctrl x), check the file with sshd -t, and restart SSHd. Keep your current root session open and, from a second session, confirm that the new user can log in and su to root before you close it; once root login is off, a mistake here locks you out:


$ service sshd restart
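Both sshd_config edits in this guide (the Port change and PermitRootLogin no) and the matching iptables line, as one small script that can be re-run without creating duplicate lines. This is an added example written for this page, not code from the article or from OpenSSH; it assumes the configuration lives at /etc/ssh/sshd_config, uses 2222 as the example port, and rewrites the file in place, so back the file up first.

```sh
#!/bin/sh
# sshd_port_change.sh: apply the guide's two sshd_config edits idempotently and
# print the iptables rule for the new port. Added example; paths are assumptions.

# get_sshd_option FILE KEY: print the effective value of KEY, i.e. the first
# uncommented occurrence before any "Match" block (sshd takes the first value it
# sees and keywords are case-insensitive).
get_sshd_option() {
    awk -v k="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(k) { print $2; exit }
    ' "$1"
}

# set_sshd_option FILE KEY VALUE: turn every "KEY ..." or "#KEY ..." line into
# "KEY VALUE". If the keyword is absent, put it at the top of the file rather
# than appending, so it cannot land inside a trailing Match block.
set_sshd_option() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|$)" "$file"; then
        sed -E "s|^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?$|$key $value|" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        { printf '%s %s\n' "$key" "$value"; cat "$file"; } > "$file.tmp" && mv "$file.tmp" "$file"
    fi
}

# valid_port N: numeric and within 1..65535. Ports above 1024 can be bound by
# any local user, which is the trade-off behind the guide's "above 1024" advice.
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# harden_sshd FILE PORT: the two edits the guide makes by hand.
harden_sshd() {
    file=$1; port=$2
    valid_port "$port" || { echo "invalid port: $port" >&2; return 1; }
    set_sshd_option "$file" Port "$port"
    set_sshd_option "$file" PermitRootLogin no
}

# check_sshd_config FILE: syntax-check with sshd -t before restarting, so a typo
# cannot leave you without a working daemon. Skipped when sshd is not installed.
check_sshd_config() {
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$1"
    else
        echo "sshd not found; skipping syntax check" >&2
    fi
}

# iptables_rule_line PORT: the line for /etc/sysconfig/iptables (iptables-save
# format: no leading "iptables" word), to be placed before the REJECT rule.
iptables_rule_line() {
    printf '%s\n' "-A INPUT -m state --state NEW -m tcp -p tcp --dport $1 -j ACCEPT"
}

# Usage on a real host, as root:  sh sshd_port_change.sh --apply 2222
# Then restart sshd and, keeping this session open, test a login on the new port.
if [ "${1:-}" = "--apply" ]; then
    harden_sshd /etc/ssh/sshd_config "$2"
    check_sshd_config /etc/ssh/sshd_config
    iptables_rule_line "$2"
fi
```

The functions take the file as an argument on purpose: run them against a copy of sshd_config first and diff the result before touching the live file.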



Install RkHunter


Every server needs something checking for rootkits, backdoors, changed file hashes (MD5), hidden files and so on, and RKHunter is good at this. Treat it as a detective control: it reports changes after the fact, and an attacker who already has root can tamper with it, so its e-mailed report is only as trustworthy as the box that sent it.

To install RKHunter, issue the following commands:


$ cd /usr/local/src
$ wget -O rkhunter-1.4.0.tar.gz http://sourceforge.net/projects/rkhunter/files/rkhunter/1.4.0/rkhunter-1.4.0.tar.gz/download
$ tar -zxvf rkhunter-1.4.0.tar.gz
$ cd rkhunter-1.4.0
$ ./installer.sh --layout default --install
$ /usr/local/bin/rkhunter --update
$ /usr/local/bin/rkhunter --propupd
$ rm -rf /usr/local/src/rkhunter*


The -O is needed because SourceForge's /download link is otherwise saved under the name download and the tar step fails. 1.4.0 is the release this guide was written against; use the current release from the same project page and compare the tarball with the checksum published there before extracting it. The last rkhunter command, --propupd, records the current properties of your system files as the baseline that every later scan is compared against, so run it only on a system you trust (a fresh install is the ideal moment) and re-run it after legitimate package updates, otherwise those updates show up as warnings.


You need to set up a daily cron job so that rkhunter checks its version and updates if needed, then runs a scan. We will also set it to e-mail you the daily report.

Create and open in nano a new cron task/shell script by issuing the command below:


$ nano -w /etc/cron.daily/rkhunter.sh


Now add the following making sure to replace “PutYourServerNameHere” with your server's hostname and “your@email.here” with your email address:


#!/bin/sh
(
/usr/local/bin/rkhunter --versioncheck
/usr/local/bin/rkhunter --update
/usr/local/bin/rkhunter --cronjob --report-warnings-only
) | /bin/mail -s 'rkhunter Daily Run (PutYourServerNameHere)' your@email.here


If you don’t know your server’s hostname, you can find it by typing hostname in your ssh window. You will need to exit (Ctrl x) nano first or open another session.

 

You also need to secure the script making it usable only by root. To do this, issue the following command:


$ chmod 700 /etc/cron.daily/rkhunter.sh


Now test it and make sure it runs cleanly. To run rkhunter manually (-c runs the checks, -sk skips the keypress prompts between test groups), issue the following command:


$ rkhunter -c -sk


That’s it. You're done and your server just became much safer!




Install CSF (Config Server Firewall)


CSF includes many different types of protection and is much more user friendly than using IPTables directly.

If you are not sure whether you have Perl installed issue the following command:


$ perl -v


If perl is installed, it will return which version. If it is not installed, issue the following command to install it:


$ yum install perl perl-libwww-perl perl-Time-HiRes -y


Now you can install CSF with command below:


rm -fv csf.tgz
wget http://www.configserver.com/free/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh


Make sure that you have the required iptable modules by issuing the following command:


perl /etc/csf/csftest.pl


(Newer CSF releases install the script as /usr/local/csf/bin/csftest.pl instead.) It is possible that you will be missing some modules, but as long as the test does not end with a FATAL error, you should be fine. You may lose some functionality of CSF with missing modules, but it will work.

When you install CSF, it automatically whitelists the IP you are connected from. It also starts in test mode, which means a cron job flushes its rules every 5 minutes. Leave it in test mode until you are sure your configuration is working; if you do lock yourself out, wait 5 minutes and you will be able to log in again. The stock configuration is fine for most servers, though some changes should be made.

If you changed your SSH port above, you need to make sure to add it to your CSF config. To edit the csf configuration, issue the following command:


nano /etc/csf/csf.conf


The first thing to edit is the TCP ports. The installer normally detects the port sshd is listening on and appends it to TCP_IN; check that it is there and add it if not. You can then remove port 22 from TCP_IN, since nothing listens there any more. TCP_OUT is different: it lists the destination ports this server itself may connect out to, so keep 22 there if the server needs to SSH to other hosts, and add your custom port only if it will reach other hosts on that port. Inbound SSH on the new port works with TCP_IN alone, because CSF accepts the return traffic of established connections. Also trim both lists to the services this server actually runs; every open port is one more thing to defend:


# Allow incoming TCP ports
TCP_IN = "20,21,25,53,80,110,143,443,465,587,993,995,####"

# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443"


Next locate CONNLIMIT = "" and limit the number of concurrent connections a single IP may hold open on the most commonly attacked ports: 21 (FTP), 80 (HTTP), and your new SSH port. Each entry is port;limit, and this setting is for TCP only. Pick the HTTP limit with your real traffic in mind, since many users behind one NAT gateway share a single IP:


CONNLIMIT = "21;5,####;5,80;20"


Next, configure port flood protection, located directly under CONNLIMIT. Again, add the most commonly attacked ports. Each entry is port;protocol;hits;interval: if one IP opens more than hits new connections to the port within interval seconds, its further connections to that port are blocked for interval seconds. So 21;tcp;5;300 allows an IP 5 new FTP connections per 5 minutes, and 80;tcp;20;5 allows 20 new HTTP connections per 5 seconds:


PORTFLOOD = "21;tcp;5;300,80;tcp;20;5,####;tcp;5;300"


To set the address CSF sends X-ARF abuse reports to, find X_ARF_TO = "" and add your email address. Note that this only covers X-ARF reports; the address for ordinary lfd alerts (login failures, blocks and so on) is LF_ALERT_TO, so set that one the same way:


X_ARF_TO = "your@email.here"


That’s all the configuration changes we are going to cover in this guide.
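The csf.conf changes above (TCP_IN, CONNLIMIT, PORTFLOOD) as a script that can be re-run without duplicating entries. This is an added example for this page, not part of the article or of CSF itself; it assumes the stock /etc/csf/csf.conf path and the KEY = "value" line format CSF uses, and it leaves TCP_OUT alone for the reason given above.

```sh
#!/bin/sh
# csf_ssh_port.sh: move SSH to a new port in csf.conf idempotently.
# Added example; the config path and example port are assumptions.

# csf_get FILE KEY: print the value of the first  KEY = "value"  line.
csf_get() {
    sed -nE "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"([^\"]*)\".*/\1/p" "$1" | head -n 1
}

# csf_set FILE KEY VALUE: rewrite an existing KEY line in place, or append one.
csf_set() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[[:space:]]*$key[[:space:]]*=" "$file"; then
        sed -E "s|^[[:space:]]*$key[[:space:]]*=.*|$key = \"$value\"|" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf '%s = "%s"\n' "$key" "$value" >> "$file"
    fi
}

# csf_list_edit LIST ADD REMOVE: LIST and ADD are comma-separated. Print LIST
# with each ADD item appended once (no duplicates) and every item equal to
# REMOVE dropped. Items may contain ';' (the CONNLIMIT/PORTFLOOD entry syntax).
csf_list_edit() {
    list=$1; add=$2; remove=$3; out=
    old_ifs=$IFS; IFS=,
    for item in $list $add; do
        if [ -n "$item" ] && [ "$item" != "$remove" ]; then
            case ",$out," in
                *",$item,"*) ;;                   # already present
                *) out=${out:+$out,}$item ;;
            esac
        fi
    done
    IFS=$old_ifs
    printf '%s\n' "$out"
}

# csf_move_ssh_port FILE PORT: the guide's edits.
#   TCP_IN    drop 22, add PORT
#   TCP_OUT   untouched: outbound destination ports, keep 22 if this server
#             SSHes out to other hosts
#   CONNLIMIT add 21;5 PORT;5 80;20          (port;max concurrent per IP)
#   PORTFLOOD add 21;tcp;5;300 80;tcp;20;5 PORT;tcp;5;300
#             (port;protocol;hits;interval seconds)
csf_move_ssh_port() {
    conf=$1; port=$2
    case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
    csf_set "$conf" TCP_IN    "$(csf_list_edit "$(csf_get "$conf" TCP_IN)" "$port" 22)"
    csf_set "$conf" CONNLIMIT "$(csf_list_edit "$(csf_get "$conf" CONNLIMIT)" "21;5,$port;5,80;20" "")"
    csf_set "$conf" PORTFLOOD "$(csf_list_edit "$(csf_get "$conf" PORTFLOOD)" \
        "21;tcp;5;300,80;tcp;20;5,$port;tcp;5;300" "")"
}

# Usage on a real host, while TESTING = "1":  sh csf_ssh_port.sh --apply 2222
# then csf -r, and test a fresh SSH login before setting TESTING = "0".
if [ "${1:-}" = "--apply" ]; then
    cp /etc/csf/csf.conf /etc/csf/csf.conf.bak    # keep a copy to roll back to
    csf_move_ssh_port /etc/csf/csf.conf "$2"
fi
```

Because every list edit goes through csf_list_edit, running the script twice leaves the file unchanged, which is what you want from anything that touches firewall configuration from cron or a provisioning tool.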


Save and exit your editor (Ctrl x) and start CSF by issuing the following command:


$ csf -h


shows a list of csf commands, and


$ csf -s


starts csf.


You need to open another SSH session and try to connect to your server. If you can connect without error your configuration is good!

Now we can disable testing mode so that lfd (the login failure daemon) will be able to start; lfd refuses to run while TESTING is "1".

To do this, go back into /etc/csf/csf.conf, find TESTING = "1" and change it to "0", then save and exit (Ctrl x). Restart CSF with the following command, and then start lfd with its init script (service lfd start):


$ csf -r


Now you should remove the install archive by issuing the following command:


cd ..
rm -fv csf.tgz


That's it! Now your server is more secure.


You may opt to install Fail2ban for banning offensive IP addresses. Note that lfd already bans IPs that repeatedly fail to log in, so on a CSF host Fail2ban is optional, and running both means two daemons writing iptables rules for the same events; if you do run both, make sure they are not stepping on each other's rules.
