June
06

Tips to Strengthen the Backbone of your Server’s Security

Featured image for tips on securing your dedicated server or VPS

 


 

Most developers are no strangers to security. But if you’re a business owner setting up your own Linux-based dedicated server or VPS, these tips will get you started on the right foot. By no means is this guide a complete, 100% foolproof way to protect your server from attackers. But if you take the time to put these tips into action, you’ll be able to increase your server’s security. Also, it’s assumed that you have a basic understanding of Linux (you don’t get stumped the moment you need to use the command line).

Most of this pertains to both dedicated servers and virtual private servers. However, a few tips apply mainly to dedicated servers. If you’re looking for help with a VPS, you can also see our knowledgebase for VPS here.

 

Ports

Find out what ports are open on your server. Investigate each one to see what (if anything) is using it.

You can do this by using Nmap. It’ll show you exactly what ports are open and what’s using them. If needed, you can check this list of commonly used ports and the services that use them. You can also see which ports are open by using the following command:

# netstat -tulpn

Then close the ones that don’t need to be open. Every extra open port increases the odds of a hacker being able to get in and access services on the server, especially if those services have vulnerabilities that aren’t patched. All they have to do is scan for open ports, which is easy to do (Nmap!).
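To make that review repeatable, the following added example (not part of the original guide) filters `netstat -tulpn` output down to listeners that are reachable from the network and are not on a list of ports you expect. The allowlist and the sample output are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): list listeners that are
# reachable from the network and are not on your allowlist of ports.
# The allowlist and the sample netstat output are constructed for illustration.

# unexpected_listeners PORTS   (reads `netstat -tulpn` output on stdin)
# PORTS is a comma-separated allowlist. Prints "proto port pid/program".
unexpected_listeners() {
  awk -v allowed="$1" '
    BEGIN { n = split(allowed, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 ~ /^(tcp|udp)/ {
      port = $4; sub(/.*:/, "", port)        # text after the last colon
      host = $4; sub(/:[^:]*$/, "", host)    # text before the last colon
      if (host ~ /^127\./ || host == "::1") next   # loopback only
      if (port in ok) next                         # expected service
      print $1, port, $NF                    # last column is PID/Program name
    }' | sort -u
}

SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address     Foreign Address   State    PID/Program name
tcp        0      0 0.0.0.0:22        0.0.0.0:*         LISTEN   1023/sshd
tcp        0      0 127.0.0.1:25      0.0.0.0:*         LISTEN   1290/master
tcp        0      0 0.0.0.0:3306      0.0.0.0:*         LISTEN   1411/mysqld
tcp6       0      0 :::80             :::*              LISTEN   1502/httpd
udp        0      0 0.0.0.0:111       0.0.0.0:*                  987/rpcbind'

# On a live server: netstat -tulpn | unexpected_listeners "22,80,443"
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners "22,80,443"
```

Run netstat as root so the PID/Program name column is filled in for every socket.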

 

SSH connections

Change the default port

The second thing you should do immediately, if you haven’t already, is secure your SSH connections. The default port is 22 and every hacker in the world knows this. Leaving it set to 22 is just an invitation for trouble. Access your config file (on CentOS, you’ll find it in /etc/ssh/sshd_config). Change the port setting to a different port and restart SSH.
 
Use RSA keys

Another good way of restricting SSH access is to use RSA keys and completely disable password authentication. Instructions are below…

 

Important! Warning: If you do this and then you lose your private key, there’ll be no way you can access your server. You’ll have to contact us and we’ll have to work with you to get back in. So please be very careful if you decide to do this, as with anything inside the config file.

 

Be very careful to not lose your SSH private key

 

Look for the following lines in the config file. If they’re present, add no to the end of the line so they look like the lines below. If they aren’t present, add them:
 

ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no

 

Once you’ve successfully added these lines or put no on the end of the lines, restart SSH:

/etc/init.d/sshd restart

 

Change the root user

And yet another way to protect your SSH is by not using the default root user.

 

Note: Before you do this, please make sure you have correctly generated and set up a key pair. If you aren’t sure how to do this, please see this guide.

To do this, first stop the root user from logging in via SSH with a password by adding this to the config file:
 

PermitRootLogin without-password

 

This will only allow root logins if they have the correct SSH key (the public counterpart needs to be set in /root/.ssh/authorized_keys).

Now create a new user. Then, in the config file, give that new user permission to log in via SSH by adding the following line, and save the file:
 

AllowUsers username

 

Only the users you assign with AllowUsers will be able to do so (you can add more than one, just add the same line again using the username you want to add).

You can even take it a step further by requiring that the users you’ve allowed log in from a certain IP. You can see the additional variables you can use here.
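The SSH settings from this section can be checked before you restart the service. The script below is an added example, not part of the original guide: it reads an sshd_config file the way sshd does (first uncommented value wins) and reports settings that differ from the ones recommended above. The sample file and the user name deploy are constructed, and the defaults it falls back to are assumed.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): audit an sshd_config file.
# sshd keeps the first value it reads for most keywords, keyword names are
# case-insensitive, and a commented-out line leaves the default in force.
# The defaults passed below are assumed (older upstream OpenSSH defaults).

# effective_value FILE KEYWORD DEFAULT: first uncommented global value
effective_value() {
  awk -v key="$2" -v def="$3" '
    tolower($1) == "match" { exit }        # skip conditional Match blocks
    tolower($1) == tolower(key) { val = $2; found = 1; exit }
    END { print (found ? val : def) }' "$1"
}

audit_sshd_config() {
  f="$1"; rc=0
  [ "$(effective_value "$f" Port 22)" = "22" ] &&
    { echo "WARN Port is still the default 22"; rc=1; }
  for key in PasswordAuthentication ChallengeResponseAuthentication; do
    v=$(effective_value "$f" "$key" yes)
    [ "$v" = "no" ] || { echo "WARN $key is '$v', expected 'no'"; rc=1; }
  done
  root=$(effective_value "$f" PermitRootLogin yes)
  case "$root" in
    no|without-password|prohibit-password|forced-commands-only) ;;
    *) echo "WARN PermitRootLogin is '$root': root password login allowed"; rc=1 ;;
  esac
  # AllowUsers lines accumulate, so collect the names from all of them
  users=$(awk 'tolower($1) == "match" { exit }
               tolower($1) == "allowusers" { for (i = 2; i <= NF; i++) print $i }' "$f")
  if [ -z "$users" ]; then
    echo "WARN no AllowUsers line: SSH logins are not limited to named accounts"; rc=1
  elif [ "$root" != "no" ] && ! printf '%s\n' "$users" | grep -qE '^root(@|$)'; then
    echo "NOTE root is not listed in AllowUsers, so root key logins are refused"
  fi
  return "$rc"
}

# Constructed sample: the PasswordAuthentication line was left commented out.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 2222
#PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin without-password
AllowUsers deploy
EOF
audit_sshd_config "$sample" || echo "audit found problems"
```

Before restarting, `sshd -t` checks the file for syntax errors; keep your current session open until a new key-based login has succeeded.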

 

Use a firewall

Though a firewall may seem simple and old-school, it’s still something you shouldn’t overlook. Both iptables and csf are common choices. They can help you automatically block IPs from areas known for originating hack attempts.

 

Cut the clutter

 

Clean up server clutter for better security

 

The more packages you have installed, the greater the odds that something has a vulnerability. Remove anything you don’t need. Of course, this means you need to know what’s what. You have to know which packages should be there.

 

Don’t forget updates

Staying up to date is one of the easiest things you can do to help prevent an attack. Fixes for security flaws and vulnerabilities are often pushed out in the form of updates to software, server packages and pretty much anything you have installed on your server. This includes any CMS like Joomla, WordPress, Magento or Drupal… as well as any themes or plugins that are used with them.

 

If you’re on a dedicated server (not VPS)

Multiple partitions

Another thing you can do if you’re on a dedicated server is to set up multiple partitions. In the event that someone does get into the server, all of your data won’t be sitting pretty in one convenient location for them. It’ll also mean quicker recovery and less data loss in the case of a severe disaster.

 

Note: Whatever you do, no matter what type of server or hosting plan you’re on, do regular backups. Keep multiple copies of these backups, with at least one stored somewhere remotely.

 

Conclusion

These are just some basic steps you can take to make your server more secure. However, there are many things not covered here and many things that depend on your situation. If your server will be handling lots of information or sensitive data, it’s a good idea to talk to a security specialist or a company that specializes in security to set up your server to the specifications needed.

As always, if you’ve found this helpful, please share.
