
Hostwinds Blog


Tips to Strengthen the Backbone of your Server’s Security

by: Hostwinds Team  /  June 6, 2017


Most developers are no strangers to security. But if you're a business owner setting up your own Linux-based dedicated server or VPS, these tips will get you started on the right foot. This guide is by no means a complete, 100% foolproof way to protect your server from attackers. But if you take the time to put these tips into action, you'll be able to increase your server's security. It's also assumed that you have a basic understanding of Linux (you don't get stumped the moment you need to use the command line).

Most of this pertains to both dedicated servers and virtual private servers. However, a few will be more for dedicated servers. If you're looking for help with a VPS, please reach out to us via Live Chat.

Ports

Find out what ports are open on your server. Investigate each one to see what (if anything) is using it.

You can do this by using Nmap. It'll show you exactly what ports are open and what's using them. If needed, you can check this list of commonly used ports and the services that use them. You can also see which ports are open by using the following command:

# netstat -tulpn

Then close the ones that don't need to be open. Every open port is another way for a hacker to get in and reach services on the server, especially services with vulnerabilities that aren't patched. All an attacker has to do is scan for open ports, which is easy to do (Nmap!).
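To make the "investigate each one" step repeatable, the output of netstat -tulpn can be compared against the ports you expect to be open. This is an added example, not part of the original post: the function name unexpected_listeners, the sample output and the list of expected ports are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Reads `netstat -tulpn` output on
# stdin and prints every listener that is reachable from outside (not bound
# to loopback) and whose port is not in the space-separated list given as $1.
unexpected_listeners() {
    awk -v allowed="$1" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 !~ /^(tcp|udp)/ { next }                # skip the two header lines
    {
        addr = $4
        port = addr; sub(/^.*:/, "", port)     # text after the last colon
        host = substr(addr, 1, length(addr) - length(port) - 1)
        if (host ~ /^127\./ || host == "::1") next   # loopback only
        if (port in ok) next                   # expected service
        prog = ($1 ~ /^tcp/) ? $7 : $6         # UDP rows have no State column
        print $1, addr, prog
    }'
}

# Constructed sample output (not captured from a real server).
NETSTAT_SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1021/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1243/master
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      1377/mysqld
tcp6       0      0 :::80                   :::*                    LISTEN      1502/httpd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           987/rpcbind'

# Expect SSH and HTTP only; everything else exposed gets listed for review.
printf '%s\n' "$NETSTAT_SAMPLE" | unexpected_listeners "22 80"
```

On the server, run netstat -tulpn as root and pipe it into the function with your own list of expected ports. Anything it prints is a service to either close or add to the list on purpose.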

SSH connections

Change the default port

The second thing you should do immediately, if you haven't already, is secure your SSH connections. The default port is 22, and every hacker in the world knows this. Leaving it set to 22 is just an invitation for trouble. Open your SSH config file (on CentOS, you'll find it at /etc/ssh/sshd_config), change the Port line to a different port, and restart SSH.

Use RSA keys

Another good way of restricting SSH access is to use RSA keys and disable password authentication completely. Instructions are below…

Important! Warning: If you do this and lose your private key, there'll be no way you can access your server. You'll have to contact us, and we'll have to work with you to get back in. So please be very careful if you decide to do this, as with anything inside the config file.

Look for the following lines in the config file. If they're present, add no to the end of the line, so they look like the lines below. If they aren't present, add them:

ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no

Once you've successfully added these lines or put no on the end of the lines, restart SSH:

/etc/init.d/sshd restart

Change the root user

And yet another way to protect your SSH is by not using the default root user.

Note: Before you do this, please make sure you have correctly generated and set up a key pair. If you aren't sure how to do this, please see this guide.

To do this, first stop the root user from logging in with a password over SSH by adding this to the config file:

PermitRootLogin without-password

This will only allow root logins if they have the correct SSH key (the public counterpart needs to be set in /root/.ssh/authorized_keys).

Now create a new user. Then, in the config file, give that new user permission to log in as root by adding the following line, and save the file:

AllowUsers username

Only the users you assign with AllowUsers will be able to do so. You can add more than one: add the same line again with the username you want to add.

You can even take it a step further by requiring the users you've permitted to log in from a certain IP. You can see the additional variables you can use here.
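The SSH changes in this section (new port, password logins off, root restricted to keys, an AllowUsers list) can be checked in one pass before you restart SSH. This is an added example, not part of the original post: the function name audit_sshd_config, the two sample configs and port 2222 are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Reads sshd_config text on stdin,
# prints one FAIL line per setting that differs from this guide, and returns
# non-zero if anything failed. Assumes "Keyword value" lines; Match blocks
# are not evaluated (the audit stops at the first one).
audit_sshd_config() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
    { key = tolower($1) }                      # keywords are case-insensitive
    key == "match"      { exit }               # jump to END; global section only
    key == "port"       { nport++; if ($2 == 22) p22 = 1; next }
    key == "allowusers" { allow = 1; next }    # allow-list of who may log in
    !(key in val)       { val[key] = tolower($2) }   # sshd keeps the first value
    function want_no(k) {
        if (val[k] != "no") { print "FAIL " k " is not \"no\""; bad++ }
    }
    END {
        # No Port line at all means sshd falls back to its default, 22.
        if (!nport || p22) { print "FAIL port 22 is still in use"; bad++ }
        want_no("passwordauthentication")
        want_no("challengeresponseauthentication")
        want_no("usepam")
        r = val["permitrootlogin"]
        # prohibit-password is the newer spelling of without-password
        if (r != "without-password" && r != "prohibit-password" && r != "no") {
            print "FAIL permitrootlogin allows password login for root"; bad++
        }
        if (!allow) { print "FAIL no AllowUsers list"; bad++ }
        exit (bad > 0)
    }'
}

# Constructed samples: an unedited-looking config and one edited as described.
WEAK_CONF='#Port 22
PasswordAuthentication yes
PasswordAuthentication no
UsePAM yes'
HARDENED_CONF='Port 2222
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no
PermitRootLogin without-password
AllowUsers username'

printf '%s\n' "$WEAK_CONF" | audit_sshd_config || true
printf '%s\n' "$HARDENED_CONF" | audit_sshd_config && echo "hardened sample: OK"
```

Note that the weak sample fails on PasswordAuthentication even though a later line says no, because the first value in the file is the one that counts. Run the function against /etc/ssh/sshd_config, and keep your current session open until a second login with the new settings succeeds.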

Use a firewall

Though a firewall may seem simple and old-school, it's still something you shouldn't overlook. Both iptables and csf are common choices. They can help you automatically block IPs from areas that are known sources of hacking attempts.

Cut the clutter

The more packages you have installed, the greater the odds that something has a vulnerability. Remove anything you don't need. Of course, this means you need to know what's what. You have to know which packages should be there.

Don't forget updates

Staying up to date is one of the easiest things you can do to help prevent an attack. Fixes for security flaws and vulnerabilities are often pushed out in the form of updates to software, server packages, and pretty much anything you have installed on your server. This includes any CMS like Joomla, WordPress, Magento, or Drupal… as well as any themes or plugins used with them.

If you're on a dedicated server (not VPS)

Multiple partitions

Another thing you can do if you're on a dedicated server is to set up multiple partitions. If someone does get into the server, all of your data won't be sitting pretty in one convenient location for them. It'll also mean quicker recovery and less data loss in the case of a severe disaster.

Note: Whatever you do, no matter what type of server or hosting plan you're on, do regular backups. Keep multiple copies of these backups, with at least one stored somewhere remotely.

Conclusion

These are just some basic steps you can take to make your server more secure. However, there are many things not covered here and many things that depend on your situation. If your server will be handling lots of information or sensitive data, it's a good idea to talk to a security specialist or company that specializes in security to set up your server to the specifications needed.

As always, if you've found this helpful, please share.
