29 Sep 2009
Essential security tips for servers
In this tutorial you will find some of the necessary steps to secure your VPS or dedicated server.
1. The first thing to do is change your root password. Connect to the server with SSH and type:
passwd
Then type in your new password, press enter, and retype it to confirm.
2. It's not safe to allow the root user to log in through SSH, so create a new user:
useradd user_name
Then set the password for this user with:
passwd user_name
3. Now let's go to the SSH settings. Open the config file by typing:
nano /etc/ssh/sshd_config
And find/change the following lines:
PermitRootLogin no
X11Forwarding no
AllowUsers user_name
Port 10000
It's important to change your SSH port to a higher, non-default number (for example 10000).
4. Configure iptables:
iptables-save > /etc/iptables.rules
nano /etc/iptables.rules
Example rules:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 ! -i lo -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# Change the port below to your SSH server's port (iptables-restore only accepts comments on their own line)
-A INPUT -p tcp -m state --state NEW -m tcp --dport 10000 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j ACCEPT
COMMIT
Be careful to set the SSH port in that rule to the one you configured in sshd_config, otherwise you won't be able to log in to the SSH server.
Import the rules into iptables:
iptables-restore < /etc/iptables.rules
5. Make the new iptables rules load again after a reboot:
sudo nano /etc/network/interfaces
...
auto lo
iface lo inet loopback
pre-up iptables-restore < /etc/iptables.rules
...
6. Finally, reload the SSH server so the new sshd_config takes effect. Keep your current session open and confirm that a new login on the new port works before closing it:
sudo /etc/init.d/ssh reload
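As an added example (not part of the original post), here is a small POSIX shell check to run before the iptables-restore in step 4: it reads the Port from sshd_config (step 3) and confirms the rules file has a matching tcp ACCEPT rule, so the two files cannot silently disagree and lock you out. The function names and the demo files are assumptions; the demo writes constructed files into a temp directory rather than touching /etc.

```shell
#!/bin/sh
# Example check (not from the original post): does the rules file allow the
# SSH port that sshd_config actually uses?

# Print the effective SSH port from an sshd_config file.
# sshd uses the first "Port" directive it finds; 22 if none is set.
# Commented-out lines such as "#Port 22" are ignored.
sshd_port() {
  port=$(grep -iE '^[[:space:]]*Port[[:space:]]+[0-9]+' "$1" | head -n 1 | awk '{print $2}')
  echo "${port:-22}"
}

# Exit 0 if RULES_FILE has an INPUT rule for tcp --dport <ssh port> that
# jumps to ACCEPT, exit 1 otherwise.
# Usage: ssh_port_allowed SSHD_CONFIG RULES_FILE
ssh_port_allowed() {
  port=$(sshd_port "$1")
  grep -E '^-A INPUT .*-p tcp .*--dport '"$port"'( |$).*-j ACCEPT' "$2" >/dev/null
}

# Demo with constructed files (hypothetical content, written to a temp dir)
tmp=$(mktemp -d)
printf '%s\n' 'PermitRootLogin no' 'Port 10000' > "$tmp/sshd_config"
printf '%s\n' '-A INPUT -p tcp -m state --state NEW -m tcp --dport 10000 -j ACCEPT' > "$tmp/iptables.rules"
if ssh_port_allowed "$tmp/sshd_config" "$tmp/iptables.rules"; then
  echo "ok: SSH port $(sshd_port "$tmp/sshd_config") is accepted by the rules"
else
  echo "WARNING: SSH port $(sshd_port "$tmp/sshd_config") is not accepted; fix the rules first"
fi
rm -rf "$tmp"
```

Pairing this with `iptables-restore --test /etc/iptables.rules` also catches syntax errors in the rules file before anything is committed.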
These are only the essential steps to secure your server. Your server should now be a little more secure, but there is no such thing as 100% security.