
Hardening the Security on your New Virtual Private Server

Date/Time: November 1, 2016 @ 7:50 am, by Jon Biloh

Hardening the security on your VPS should be one of the first tasks you perform when buying a new VPS. As a result, we’ve provided several tips that will help you increase the security on your VPS.

When you buy a VPS, your provider will likely send you a default root password for your server. You will need to change this password to a string that only you know. But that’s just the start of what you should be doing to make sure your VPS is reasonably secure.

When you leave your password as the default assigned by your hosting provider, your attack surface increases: anyone who breaches the email account that received the password can log straight in to your VPS.

Changing Your Default Password

To begin this process, ensure that you have at least one root SSH session active. The reason is that you will not be able to reset the password again if the test login fails after you have changed it. This little trick can potentially save you from having to contact your VPS provider for a password reset.

The importance of a strong password cannot be stressed enough. You can always use one of the many password generating tools available, such as pwgen or mkpasswd. You can also generate a secure password online using the following website:

http://passwordsgenerator.net

Once you have chosen the password, make sure to memorize it or store it in a safe location (not a post-it note on your screen).

Next, let’s assign the password. Execute the following command and type the password twice as asked:

> passwd

As advised above, keep a root SSH connection open while performing the password change. Open another SSH connection and make sure you can log in with the new password.

Using Key Authentication for Remote Connections to your VPS

Another good way to keep intruders out is to connect to your VPS using key authentication.

Key file authentication increases security because it makes it nearly impossible to gain unauthorized access to your VPS without the key file that you generate.

Let's start by generating an RSA key on your workstation:

> ssh-keygen -b 2048 -t rsa

The command will ask you for a passphrase to protect your private key.

If you are running it on a secure workstation you might not feel the need to set one. Still, a passphrase on your key file only increases the security around your VPS, since even someone who copies the key file cannot use it without the passphrase.

The command will generate id_rsa and id_rsa.pub files in your .ssh directory.

Run the same command on your target VPS to create the ~/.ssh folder with the proper permissions. After that, copy your own public RSA key from your computer:

> cat .ssh/id_rsa.pub | ssh root@YOUR-VPS-IP 'cat >> .ssh/authorized_keys'

and apply proper permissions on your VPS:

> chmod 600 ~/.ssh/authorized_keys

Open another SSH connection. Key authentication is tried by default; however, you can explicitly select the key to connect with (the command below is run from your computer):

> ssh -i ~/.ssh/id_rsa root@your-VPS-IP

Advanced Key Authentication Tasks

If you want to disable password logins entirely and rely on the key file for root, change the following lines of your sshd configuration on your VPS:

PermitRootLogin without-password

PermitEmptyPasswords no

PasswordAuthentication no

After you have changed the lines above, you must restart the sshd service to make them active:

> service sshd restart

As described above, it is a good idea to always keep another SSH session open while you make these vital configuration changes.
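To make those three sshd_config edits in one reproducible step and to refuse a restart until sshd -t accepts the file, here is an added example (not from the original post; the function names are my own, and the test file path is a constructed sample):

```shell
#!/bin/sh
# Added example, not part of the original post: apply the three sshd_config
# settings above without duplicating or clobbering unrelated lines.
# Assumes a POSIX shell with grep, sed and awk.
set -eu

# set_sshd_option FILE KEY VALUE: rewrite an existing (possibly commented-out)
# line for KEY in place, or append one if the file has none.
set_sshd_option() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[#[:space:]]*${key}[[:space:]]" "$file"; then
        sed -i.bak -E "s|^[#[:space:]]*${key}[[:space:]].*|${key} ${value}|" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# harden_sshd_config FILE: the three settings from the post
harden_sshd_config() {
    set_sshd_option "$1" PermitRootLogin without-password
    set_sshd_option "$1" PermitEmptyPasswords no
    set_sshd_option "$1" PasswordAuthentication no
}

# get_sshd_option FILE KEY: effective value (sshd uses the first active line)
get_sshd_option() {
    grep -E "^${2}[[:space:]]" "$1" | head -n 1 | awk '{print $2}'
}

# check_and_restart FILE: only restart when sshd can parse the new file,
# so a typo cannot leave you locked out (run as root on the VPS)
check_and_restart() {
    sshd -t -f "$1" && service sshd restart
}

# On the VPS, as root, with a second session still open:
#   harden_sshd_config /etc/ssh/sshd_config && check_and_restart /etc/ssh/sshd_config
```

sed leaves a sshd_config.bak copy beside the edited file; keep it until you have confirmed a key-based login from a new session.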

Configuring the Firewall of your VPS

Another very important tip is to enable the firewall included with your distro. Many Linux operating systems already offer a set of preconfigured rules, but we'd like to recommend the following rules:

> iptables -A INPUT -p icmp -j ACCEPT

> iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

> iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

> iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

> iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

> iptables -P INPUT DROP

This will leave ICMP, the SSH port and the web ports (80 and 443) open.

If you always connect to your server from your home or office, you could avoid leaving ICMP open and add a source address to the SSH port rule.

Restricting the SSH rule to your own address in this way makes it practically impossible for an intruder to reach the SSH port of your VPS. The rule with a source address looks like this:

> iptables -A INPUT -p tcp -m tcp -s YOUR-IP-ADDRESS --dport 22 -j ACCEPT

Once you have installed the appropriate firewall rules for your VPS, don’t forget to save them so that they will be reloaded upon the reboot of the server. You can easily do that with these two commands:

> iptables-save > /root/iptables-startup-rules
> echo "iptables-restore < /root/iptables-startup-rules" >> /etc/rc.local

Now you have blocked all unnecessary communication to and from your VPS.
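The ruleset above written as a generator for an iptables-restore file, covering both the open-to-all variant and the source-restricted SSH variant (an added example, not from the original post; write_firewall_rules, ssh_rule_source and apply_firewall_rules are my own names, and the loopback rule and the FORWARD/OUTPUT policies are additions not in the post's list):

```shell
#!/bin/sh
# Added example (not from the original post): write the rules above as an
# iptables-restore file, optionally restricting SSH to one source address.
# Only apply_firewall_rules needs root; the generator just writes text.
set -eu

# write_firewall_rules OUTFILE [TRUSTED_IP]: emit a ruleset in iptables-save
# format. The DROP policy sits in the chain header, so iptables-restore loads
# policy and ACCEPT rules atomically and there is no window without rules.
write_firewall_rules() {
    out=$1
    trusted=${2:-}
    {
        echo '*filter'
        echo ':INPUT DROP [0:0]'
        echo ':FORWARD DROP [0:0]'
        echo ':OUTPUT ACCEPT [0:0]'
        # loopback is not in the post's list but local services rely on it
        echo '-A INPUT -i lo -j ACCEPT'
        echo '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
        if [ -n "$trusted" ]; then
            echo "-A INPUT -p tcp -m tcp -s $trusted --dport 22 -j ACCEPT"
        else
            echo '-A INPUT -p icmp -j ACCEPT'
            echo '-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'
        fi
        echo '-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT'
        echo '-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT'
        echo 'COMMIT'
    } > "$out"
}

# ssh_rule_source FILE: print the -s address on the port-22 rule, or "any"
ssh_rule_source() {
    line=$(grep -- '--dport 22 ' "$1")
    case $line in
        *' -s '*) echo "$line" | sed -E 's/.* -s ([^ ]+) .*/\1/' ;;
        *) echo any ;;
    esac
}

# apply_firewall_rules FILE: load the set atomically and persist it with the
# post's rc.local approach (run as root on the VPS).
apply_firewall_rules() {
    iptables-restore < "$1"
    cp "$1" /root/iptables-startup-rules
    grep -qs 'iptables-restore < /root/iptables-startup-rules' /etc/rc.local \
        || echo 'iptables-restore < /root/iptables-startup-rules' >> /etc/rc.local
}
```

If /etc/rc.local ends with an `exit 0` line, anything appended after it never runs; put the restore line before it or use your distribution's rule-persistence package instead.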


More Tips for Hardening VPS Security

After your VPS is created, it will likely be probed and scanned by various nodes on the internet. Some are harmless, while others will be looking for security vulnerabilities to exploit.

With that in mind, the sooner you harden your security, the better it is for your VPS. Hardening a VPS is a topic that books could be written about.

To help point you in the right direction, consider the following best practices for VPS security:

  • Install security updates for your VPS when necessary, especially if they relate to the kernel and/or crucial OS components. You can visit com and look for its advisories.
  • Do not log in as root. Create another account, set up key authentication for it and make that account a sudoer.
  • Only install software that you absolutely need and avoid using software from untrusted sources.
  • Back up your data! If your provider allows creating entire VPS backups/snapshots, use this service on a daily or weekly basis.
  • If data backup isn't available to you through your provider, install backup software and make a copy of the important data on your VPS. Even the most secure systems are prone to a crash, or you might delete a file by accident. In these cases, a good backup scheme will potentially save you hours of work.

4 Comments

  1. The first part of the line should not be > as that's valid in shell scripts (redirect output)

    Also use ssh-copy-id instead of making it yourself

    I always install the Google authenticator Pam too so logging in needs key/password plus code

    November 1, 2016 @ 8:15 am | Reply
  2. Z74:

    IMO one of the first and most important things to do is changing SSH port to something random.
    This way you will avoid a lot of trouble like bruteforce attempts and just a lot of failed logins, especially if you leave password authentication enabled.

    November 1, 2016 @ 8:23 am | Reply
    • REVERSE:

      I second that. Installing DenyHosts shows a huge amount of bruteforce attempts on just the second day of the VPS being alive, but if you change ssh's port to something like 12322, it becomes zero.

      November 1, 2016 @ 4:12 pm | Reply
  3. REVERSE:

    BTW, did you, admins, see what e-mails are sent to a user that is subscribing to a topic?
    It contains A LOT of inconsistently concatenated tags. Please, look into it and fix :)

    November 1, 2016 @ 4:39 pm | Reply
