

29 Sep 2009

Essential security tips for servers

In this tutorial you will find some of the necessary steps to secure your VPS or dedicated server.

1. The first thing you need to do is change your root password. Connect to the server over SSH and type:
passwd

Then type in your new password, press enter, and retype it again.

2. It's not safe to allow the root user to log in through SSH, so you need to create a new user:
useradd user_name

Then set the password for this user with:
passwd user_name

3. Now let's go to SSH settings.

Open file by typing:
nano /etc/ssh/sshd_config

And find/change the following:
PermitRootLogin no
X11Forwarding no
AllowUsers user_name
Port 10000

It's important to change your SSH port to a higher number (for example 10000).

4. Configure iptables:
iptables-save > /etc/iptables.rules
nano /etc/iptables.rules

Example rules:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# Change this port to the SSH server's port
-A INPUT -p tcp -m state --state NEW -m tcp --dport 10000 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j ACCEPT
COMMIT

Be careful to change the SSH port here to the one you set in sshd_config; otherwise you won't be able to log in to the SSH server.

Import rules to iptables:
iptables-restore < /etc/iptables.rules

5. Set the new iptables rules to be restored on reboot:
sudo nano /etc/network/interfaces

...
auto lo
iface lo inet loopback
pre-up iptables-restore < /etc/iptables.rules
...

6. And now reload the SSH server:
sudo /etc/init.d/ssh reload
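The lockout warned about in step 4 (firewall allowing a different port than sshd listens on) can be caught before reloading anything. The following POSIX shell script is an added example, not part of the original post: it reads the effective Port from an sshd_config file and checks that the iptables rules file has an INPUT ACCEPT rule for that TCP port; the sample files it creates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the port sshd
# listens on is actually opened in the iptables rules file, so a mismatch
# is caught before the firewall is loaded and sshd reloaded.

# Print the effective sshd port: first uncommented "Port" directive,
# or 22 when the directive is absent (sshd's default).
sshd_port() {
    port=$(awk 'tolower($1) == "port" { print $2; exit }' "$1")
    echo "${port:-22}"
}

# Succeed when the rules file has an INPUT rule that ACCEPTs TCP traffic
# to destination port $2 (matches the iptables-save syntax used above).
fw_allows_port() {
    grep -E "^-A INPUT .*-p tcp .*--dport $2( |$).*-j ACCEPT" "$1" >/dev/null
}

# Return 0 when the firewall admits the sshd port, 1 otherwise.
check_ssh_reachable() {
    p=$(sshd_port "$1")
    if fw_allows_port "$2" "$p"; then
        echo "OK: sshd port $p is allowed in $2"
        return 0
    fi
    echo "MISMATCH: sshd listens on $p but $2 has no ACCEPT rule for it" >&2
    return 1
}

# Constructed sample files for demonstration (not real system files).
WORK=$(mktemp -d)
cat > "$WORK/sshd_config" <<'EOF'
PermitRootLogin no
AllowUsers user_name
Port 10000
EOF
cat > "$WORK/rules.ok" <<'EOF'
-A INPUT -p tcp -m state --state NEW -m tcp --dport 10000 -j ACCEPT
EOF
cat > "$WORK/rules.bad" <<'EOF'
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
EOF

check_ssh_reachable "$WORK/sshd_config" "$WORK/rules.ok"          # OK
check_ssh_reachable "$WORK/sshd_config" "$WORK/rules.bad" || true # MISMATCH
```

Run it against the real /etc/ssh/sshd_config and /etc/iptables.rules before step 6; a non-zero exit means the two files disagree about the SSH port.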

These are only the essential steps to secure your server. It should now be a little more secure, but there is no such thing as 100% security.