Most developers are no strangers to security. But if you’re a business owner setting up your own Linux-based dedicated server or VPS, these tips will get you started on the right foot. By no means is this guide a complete, 100% foolproof way to protect your server from attackers. But if you take the time to put these tips into action, you’ll be able to increase your server’s security. Also, it’s assumed that you have a basic understanding of Linux (you don’t get stumped the moment you need to use the command line).
Most of this pertains to both dedicated servers and virtual private servers. However, a few tips apply mainly to dedicated servers. If you’re looking for help with a VPS, you can also see our knowledge base for VPS here.
Find out what ports are open on your server. Investigate each one to see what (if anything) is using it.
You can do this by using Nmap. It’ll show you exactly what ports are open and what’s using them. If needed, you can check this list of commonly used ports and the services that use them. You can also see which ports are open by using the following command:
# netstat -tulpn
Then close the ones that don’t need to be open. Multiple open ports just increase the odds of a hacker being able to get in and access services on your server, especially if there are services with vulnerabilities that aren’t patched. All they have to do is scan for open ports, which is easy to do (Nmap!).
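As an added example (not part of the original guide), the function below filters `netstat -tulpn` output down to listeners that are reachable from outside the server and are not on a list of ports you expect to be open. The sample output and the allowlist (tcp/2222, tcp/80, tcp/443) are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `netstat -tulpn` output (not from the original page).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address    Foreign Address  State    PID/Program name
tcp        0      0 0.0.0.0:2222     0.0.0.0:*        LISTEN   1023/sshd
tcp        0      0 127.0.0.1:25     0.0.0.0:*        LISTEN   1342/master
tcp        0      0 0.0.0.0:3306     0.0.0.0:*        LISTEN   1501/mysqld
tcp6       0      0 :::80            :::*             LISTEN   1620/httpd
udp        0      0 0.0.0.0:68       0.0.0.0:*                 988/dhclient
udp        0      0 127.0.0.1:323    0.0.0.0:*                 870/chronyd
EOF
}

# Print every listener reachable from outside the host whose proto/port is
# not in the allowlist ($1, space-separated, e.g. "tcp/2222 tcp/80").
unexpected_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^(tcp|udp)6?$/ {
            proto = $1; sub(/6$/, "", proto)   # treat tcp6/udp6 like tcp/udp
            addr = $4; port = $4
            sub(/.*:/, "", port)               # port = text after the last colon
            sub(/:[^:]*$/, "", addr)           # address = text before it
            if (addr ~ /^127\./ || addr == "::1") next   # loopback-only service
            key = proto "/" port
            if (key in ok) next                          # expected service
            print key, addr, $NF                         # $NF = PID/program
        }'
}

# Live use (as root, so program names are shown):
#   netstat -tulpn | unexpected_listeners "tcp/2222 tcp/80 tcp/443"
sample_netstat | unexpected_listeners "tcp/2222 tcp/80 tcp/443"
```

On the sample, the database port and the DHCP client are reported, while the mail and time services bound to 127.0.0.1 are skipped because they cannot be reached from the network.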
Change the default port
The second thing you should do immediately, if you haven’t already, is secure your SSH connections. The default port is 22 and every hacker in the world knows this. Leaving it set to 22 is just an invitation for trouble. Open your config file (on CentOS, you’ll find it at /etc/ssh/sshd_config), change the port to a different one and restart SSH.
Another good way of restricting SSH access is to use RSA keys and completely disable password authentication. Instructions are below…
Important! Warning: If you do this and then you lose your private key, there’ll be no way you can access your server. You’ll have to contact us and we’ll have to work with you to get back in. So please be very careful if you decide to do this, as with anything inside the config file.
Look for the following lines in the config file. If they’re present, add no to the end of the line so they look like the lines below. If they aren’t present, add them:
Once you’ve successfully added these lines or put no on the end of the lines, restart SSH:
Change the root user
And yet another way to protect your SSH is by not using the default root user.
Note: Before you do this, please make sure you have correctly generated and set up a key pair. If you aren’t sure how to do this, please see this guide.
To do this, first don’t allow the root user to log in via SSH by adding this to the config file:
This will only allow root logins if they have the correct SSH key (the public counterpart needs to be set in /root/.ssh/authorized_keys).
Now create a new user. Then, in the config file, give that new user permission to log in as root by adding the following line, and save the file:
Only the users you assign with AllowUsers will be able to do so (you can add more than one, just add the same line again using the username you want to add).
You can even take it a step further by making it so that the users you’ve given permission to must log in from a certain IP. You can see the additional variables you can use here.
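As an added example (not part of the original guide), this script audits an sshd_config for the SSH steps above: a non-default port, disabled password logins, restricted root login and an AllowUsers list. The keywords Port, PasswordAuthentication and PermitRootLogin are standard OpenSSH directives assumed here to be the ones those steps refer to; the sample files, port 2222 and the user name "deploy" are constructed placeholders.

```shell
#!/bin/sh
# Audit the global section of an sshd_config. sshd keeps the first value it
# reads for a keyword; Match-block overrides are not evaluated here
# (`sshd -T` prints the effective settings on a live host).
audit_sshd_config() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        { sub(/=/, " "); k = tolower($1); if (!(k in v)) v[k] = tolower($2) }
        END {
            if (!("port" in v) || v["port"] == "22")
                bad[++n] = "Port: still the default, 22"
            if (v["passwordauthentication"] != "no")
                bad[++n] = "PasswordAuthentication: password logins not disabled"
            if (v["permitrootlogin"] !~ /^(no|without-password|prohibit-password)$/)
                bad[++n] = "PermitRootLogin: not set to no or key-only"
            if (!("allowusers" in v))
                bad[++n] = "AllowUsers: no list of permitted users"
            for (i = 1; i <= n; i++) print "FINDING " bad[i]
            exit (n > 0)    # non-zero exit status when anything was found
        }' "$1"
}

# Constructed samples; port 2222 and user "deploy" are placeholders.
write_samples() {
    cat > "$1/weak" <<'EOF'
#Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF
    cat > "$1/hardened" <<'EOF'
Port 2222
PermitRootLogin without-password
PasswordAuthentication no
AllowUsers deploy
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
for f in weak hardened; do
    echo "== $f"
    audit_sshd_config "$tmp/$f" || true
done
rm -rf "$tmp"
```

Before restarting SSH after any change, run `sshd -t` to check the file for syntax errors, and keep your current session open until a new login succeeds.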
Use a firewall
Though a firewall may seem simple and old-school, it’s still something you shouldn’t overlook. Both iptables and csf are common choices. They can help you automatically block IPs that come from areas known for originating hack attempts.
Cut the clutter
The more packages you have installed, the greater the odds that something has a vulnerability. Remove anything you don’t need. Of course, this means you need to know what’s what. You have to know which packages should be there.
Don’t forget updates
Staying up to date is one of the easiest things you can do to help prevent an attack. Fixes for security flaws and vulnerabilities are often pushed out in the form of updates to software, server packages and pretty much anything you have installed on your server. This includes any CMS like Joomla, WordPress, Magento or Drupal… as well as any themes or plugins that are used with them.
If you’re on a dedicated server (not VPS)
Another thing you can do if you’re on a dedicated server is to set up multiple partitions. In the event that someone does get into the server, all of your data won’t be sitting pretty in one convenient location for them. It’ll also mean quicker recovery and less data loss in the case of a severe disaster.
Note: Whatever you do, no matter what type of server or hosting plan you’re on, do regular backups. Keep multiple copies of these backups, with at least one stored somewhere remotely.
These are just some basic steps you can take to make your server more secure. However, there are many things not covered here and many things that depend on your situation. If your server will be handling lots of information or sensitive data, it’s a good idea to talk to a security specialist or a company that specializes in security to set up your server to the specifications you need.