Is there anything I can improve on my vps security?

Hailz Member

Hello, I'm not the best at Linux but I have my own little way of setting up my VPS and would like to know if anyone might have any improvements over my setup. I only run a webserver on port 80. So what I do is turn off the SSH root login and set the max SSH failed passwords to 2 tries. But then I also have a port knocking system in iptables, so let's say you have to knock port 6000 then 2222 within 3 seconds, and then port 22 opens for the SSH connection to whichever IP knocked it open (for 5 seconds). I don't really want to use SSH keys, but I think my way is more than enough, right? If someone does try to brute force it (after they find the port knocking) they only have 2 password attempts, then get banned for 300 seconds.

Anyways, this is how I set up my Debian 7 VPS if anyone is curious. It's a vanilla security setup. I'd rather not use other programs like fail2ban.

Debian 7.0 64-bit

$ apt-get update

$ apt-get upgrade

$ apt-get install nano

$ adduser @@@@@@@@@@@
userpassword:@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

$ nano /etc/ssh/sshd_config
change PermitRootLogin to no
add this to the bottom: "MaxAuthTries 2"

$ /etc/init.d/ssh reload


######################### setting up the firewall #########################

$ nano /etc/iptables.temp.rules

"
*filter

-P INPUT DROP
-P OUTPUT ACCEPT
-P FORWARD DROP

-A INPUT -i lo -j ACCEPT

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP

-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
-A INPUT -p tcp --dport 22 -m state --state NEW -m recent  --update --seconds 300 --hitcount 3 -j DROP

-N INTO-PHASE2
-A INTO-PHASE2 -m recent --name PHASE1 --remove
-A INTO-PHASE2 -m recent --name PHASE2 --set
-A INPUT -m recent --update --name PHASE1
-A INPUT -p tcp --dport @@@@ -m recent --set --name PHASE1
-A INPUT -p tcp --dport @@@@ -m recent --rcheck --name PHASE1 -j INTO-PHASE2
-A INPUT -p tcp --dport 22 -m recent --rcheck --seconds 5 --name PHASE2 -j ACCEPT

-A INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

COMMIT
"

$ iptables-restore < /etc/iptables.temp.rules

$ nano /etc/rc.local
iptables-restore < /etc/iptables.temp.rules    # this line must come before the final "exit 0" in rc.local

###################################### NOW the firewall is setup and done

Any criticism is welcome.
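To see what the rate-limit and knock rules above actually decide, here is a small Python model of the iptables recent match (the --set / --rcheck / --update / --seconds / --hitcount semantics) applied to the port-22 rules of the post. This is an added example, not code from the original post: it assumes the knock ports are 6000 and 2222 as described in the text (the rule file redacts them), models only new TCP SYNs, and leaves out the TCP-flag sanity rules and connection tracking.

```python
from collections import defaultdict


class RecentList:
    """One xt_recent list: source address -> timestamps (seconds) of its hits.

    --set always records a hit; --rcheck only tests; --update tests first and
    records a hit only when the test matches; --seconds ignores hits older than
    the window; --hitcount requires that many hits inside the window.
    """

    def __init__(self):
        self.stamps = defaultdict(list)

    def set(self, src, now):
        self.stamps[src].append(now)
        return True

    def remove(self, src):
        return self.stamps.pop(src, None) is not None

    def _match(self, src, now, seconds, hitcount):
        if src not in self.stamps:
            return False
        hits = 0
        for stamp in self.stamps[src]:
            if seconds and now - stamp > seconds:
                continue  # older than --seconds, not counted
            hits += 1
            if not hitcount or hits >= hitcount:
                return True
        return False

    def rcheck(self, src, now, seconds=0, hitcount=0):
        return self._match(src, now, seconds, hitcount)

    def update(self, src, now, seconds=0, hitcount=0):
        if self._match(src, now, seconds, hitcount):
            self.stamps[src].append(now)
            return True
        return False


class Firewall:
    """The INPUT chain from the post, reduced to the rules that decide port-22 access.
    Knock ports default to the 6000 / 2222 mentioned in the post (assumed)."""

    def __init__(self, knock1=6000, knock2=2222):
        self.knock1, self.knock2 = knock1, knock2
        self.default = RecentList()  # unnamed list used by the two rate-limit rules
        self.phase1 = RecentList()
        self.phase2 = RecentList()

    def new_connection(self, src, dport, now):
        """Verdict ('ACCEPT' or 'DROP') for a new TCP SYN from src to dport at time now."""
        if dport == 22:
            self.default.set(src, now)
            # third SYN to port 22 within 300 s from one source is dropped,
            # and this rule sits before the knock check
            if self.default.update(src, now, seconds=300, hitcount=3):
                return "DROP"
        self.phase1.update(src, now)  # match-only rule: refreshes a half-done knock
        if dport == self.knock1:
            self.phase1.set(src, now)
        if dport == self.knock2 and self.phase1.rcheck(src, now):
            self.phase1.remove(src)  # the INTO-PHASE2 chain
            self.phase2.set(src, now)
        if dport == 22 and self.phase2.rcheck(src, now, seconds=5):
            return "ACCEPT"
        if dport in (80, 443):
            return "ACCEPT"
        return "DROP"  # -P INPUT DROP


def knock_then_connect():
    """Correct knock, three SSH SYNs in quick succession, then a late SYN.
    The knock packets themselves are dropped on the wire but still recorded."""
    fw, ip = Firewall(), "203.0.113.7"  # constructed client address
    return [fw.new_connection(ip, 6000, 0),
            fw.new_connection(ip, 2222, 1),
            fw.new_connection(ip, 22, 2),
            fw.new_connection(ip, 22, 3),
            fw.new_connection(ip, 22, 4),    # third SYN inside 300 s: rate rule fires
            fw.new_connection(ip, 22, 500)]  # knock window long gone


def wrong_order_then_connect():
    fw, ip = Firewall(), "198.51.100.23"  # constructed
    fw.new_connection(ip, 2222, 0)
    fw.new_connection(ip, 6000, 1)
    return fw.new_connection(ip, 22, 2)


def connect_after_window():
    fw, ip = Firewall(), "198.51.100.23"  # constructed
    fw.new_connection(ip, 6000, 0)
    fw.new_connection(ip, 2222, 1)
    return fw.new_connection(ip, 22, 7)  # more than 5 s after the second knock
```

One thing the model makes visible: the rate-limit rule counts every SYN to port 22, including ones that arrive while the port is "closed", so a user's own pre-knock attempt counts toward the three-hit lockout, and the knock itself is never an open port (the knock packets are dropped, only recorded).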

Comments

  • matthewvz Member, Host Rep

    You can always turn off password auth and use private keys.

  • Silvenga Member

    Could protect key SSH users with dual factor authentication. I enforce this on my critical servers when not logging in with public keys. Breaks brute force attacks.

    https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-two-factor-authentication (dual factor is an open standard. I personally use KeePass to generate the one-use keys, then my phone as a backup)

  • drserver Member, Host Rep

    Change ssh port

    Close all unused ports.

  • Hailz Member

    @Silvenga said:
    Could protect key SSH users with dual factor authentication. I enforce this on my critical servers when not logging in with public keys. Breaks brute force attacks.

    https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-two-factor-authentication (dual factor is an open standard. I personally use KeePass to generate the one-use keys, then my phone as a backup)

    I'm for sure going to look at the 2-factor auth. I didn't know you could use that for SSH.

  • vdnet Member

    Mount your /tmp directory with noexec,nosuid. Disable PHP system functions: system, shell_exec, exec, passthru, proc_*, posix_*

  • Keith Member
    edited June 2014

    Upgrade your SSH host keys to 4096-bit with

    ssh-keygen -t rsa -N '' -f /etc/ssh/ssh_host_rsa_key -b 4096

    Delete the DSA (too weak) & ECDSA keys (assume NSA compromised).

    If the VPS has IPv6, use ip6tables as well as iptables.

    Get a static IP (or IPs) from your ISP, then you can restrict SSH to your IP(s).

  • My default security setup is pretty basic, but essentially:

    New user & add to sudo group. Change SSH port, disallow root login, turn off password auth (I prefer to use keys). SCP my public key to the new user account and login.

    Install UFW. Disallow all incoming, Allow all outgoing. Allow SSH/80/443/etc (anything else I'll need open). Enable the rules and check status.

    Install Fail2Ban (there are other resource-friendly ways to do this, but I'm just used to it). Edit the jail.conf and set bantime to permanent.

    On some more critical stuff I only allow SSH login from my home IP & VPN.

    Everyone has a different level of security/paranoia, just pick what works for you and monitor your auth.log for any weird stuff popping up.

  • Personally, I use Duo Security on all of my machines.
    https://www.duosecurity.com/

    It's extremely easy to implement and works on Unix and Windows, multiple users and methods. One of the best features is the push notifications when I'm logging in.

  • Hailz Member

    I hear a lot of people say to change the SSH port; I used to do that. But since my port 22 is closed by default and only opens when 2 special ports are knocked, you would think bots would just give up since 22 is closed. I doubt they would guess the two ports and then try port 22.

    @vdnet said:
    Mount your /tmp directory with noexec,nosuid. Disable PHP system functions: system, shell_exec, exec, passthru, proc_*, posix_*

    Going to look into this too (the PHP part).

  • Keith said: Upgrade your ssh host keys to 4096 bit

    Not really needed... Okay, not needed within the next 20 years.

    1024-bit keys are just barely becoming crackable. Only wealthy governments with supercomputers have this capability. 2048-bit is exponentially more difficult. No one has cracked a 2048-bit key, and no one will in the next 20 years at least.

    A 1024-bit key has approximately 80 bits of strength, while a 2048-bit key has approximately 112 bits. Thus, it takes approximately 2^112 / 2^80 = 2^32 times as long to factor a 2048-bit key. In other words, it takes around four billion times longer to factor a 2048-bit key.

    That said, SSH keys are extremely easy to update (each should be used on one system at a time). Just update the keys if you still have the VPS in 20 years.

    PGP/GPG keys, on the other hand, could see an advantage from using 4096-bit keys.

    Hailz said: you would think bots would just give up since 22 is closed.

    No one said the bots were made intelligently. :P

  • StellaEV Member
    edited June 2014

    a) Set up an OpenVPN server

    b) Close all ports except port 80

    c) Connect to SSH through OpenVPN

    Much less of a hassle than port knocking, and you can use a ta.key for increased security.

  • ValdikSS Member
    edited June 2014

    I second Duo. It's easy and convenient. You can even remove password and/or key authentication and use only Duo to accept/decline login attempts.
    I use sshguard because, well, you can install a mail or FTP server and forget about it as a brute-force vector. sshguard/fail2ban can handle it.

    If you want more system security, you should definitely configure SELinux/TOMOYO/grsecurity. Take a look at sysdig; it's a great tool to analyze how the attacker got access in case your system is hacked.

    Be aware of rootkits. Some of them (like azazel) can hide connections, processes, files and so on. They can't be detected with the usual tools like chkrootkit or rkhunter, but they are easy to detect with simple hand-made utilities like this:
    http://www.chokepoint.net/2014/02/detecting-userland-preload-rootkits.html

  • Hailz Member

    I don't see the point of fail2ban or sshguard over just using iptables? My firewall rules would block anyone after 3 connections. You'd only connect 3 times if you don't know the password, because I set MaxAuthTries to drop anyone after 2 tries (forcing you to reconnect to trigger iptables). From what I understand, sshguard/fail2ban check the logs for what tries to log in over SSH, and my iptables rules just check the port. I know if I connect 3 times to my SSH within 300 seconds I get blocked for a bit. So is that the only difference for the SSH part of those programs?

    @StellaEV said:
    a) Set up an OpenVPN server

    b) Close all ports except port 80

    c) Connect to SSH through OpenVPN

    Much less of a hassle than port knocking, and you can use a ta.key for increased security.

    I will check it out.

  • Fail2ban lets you whitelist certain IPs (e.g. your home IP or your VPN IP), so you'll never get blocked. Also f2b offers permabanning IPs, and you can even share the banlist between servers (requires some customization).
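The difference Hailz asks about above (log-based banning versus counting SYNs in iptables) and the whitelist behaviour mentioned in the reply can both be shown with a small log scanner. This is an added example, not fail2ban's or sshguard's own code: it applies one regex per "jail" to constructed auth.log lines in Debian syslog format, keeps a sliding findtime window of failures per (jail, source), skips an ignoreip whitelist, and emits the iptables rule a ban action would run. The addresses, hostnames and the 203.0.113.0/24 "home network" are constructed sample values.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# One regex per jail, like fail2ban's filter.d files (assumed patterns for the
# sshd "Failed password" line and the pam_unix line vsftpd writes).
FILTERS = {
    "sshd": re.compile(r"sshd\[\d+\]: Failed password for .+ from (?P<ip>\S+) port \d+"),
    "vsftpd": re.compile(r"pam_unix\(vsftpd:auth\): authentication failure; .*rhost=(?P<ip>\S+)"),
}

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = """\
Jun 14 10:22:01 vps sshd[2201]: Failed password for invalid user admin from 198.51.100.23 port 51122 ssh2
Jun 14 10:22:03 vps sshd[2201]: Failed password for invalid user admin from 198.51.100.23 port 51122 ssh2
Jun 14 10:22:09 vps sshd[2205]: Failed password for root from 198.51.100.23 port 51130 ssh2
Jun 14 10:22:10 vps sshd[2207]: Failed password for root from 203.0.113.7 port 40012 ssh2
Jun 14 10:22:12 vps sshd[2207]: Failed password for root from 203.0.113.7 port 40012 ssh2
Jun 14 10:22:15 vps sshd[2207]: Failed password for root from 203.0.113.7 port 40012 ssh2
Jun 14 10:30:40 vps vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=bob rhost=192.0.2.9
Jun 14 10:30:41 vps vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=bob rhost=192.0.2.9
Jun 14 10:45:50 vps vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=bob rhost=192.0.2.9
Jun 14 11:00:00 vps sshd[2300]: Failed password for alice from 192.0.2.9 port 33333 ssh2
"""


def parse_time(line):
    """Syslog timestamps ("Jun 14 10:22:01", day space-padded) carry no year;
    strptime fills a default one, which is fine for window arithmetic."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S")


def scan(log, maxretry=3, findtime=600, ignoreip=("203.0.113.0/24",)):
    """Return {(jail, ip): time_of_ban} for sources with at least maxretry
    failures inside a findtime-second sliding window, per jail, skipping
    whitelisted networks. Like fail2ban, each jail counts separately."""
    whitelist = [ip_network(net) for net in ignoreip]
    recent = defaultdict(list)
    bans = {}
    for line in log.splitlines():
        for jail, pattern in FILTERS.items():
            match = pattern.search(line)
            if not match:
                continue
            ip = match.group("ip")
            if any(ip_address(ip) in net for net in whitelist):
                break  # home / VPN address: never counted, never banned
            key = (jail, ip)
            if key in bans:
                break  # already banned, nothing more to decide
            now = parse_time(line)
            window = [t for t in recent[key] if (now - t).total_seconds() <= findtime]
            window.append(now)
            recent[key] = window
            if len(window) >= maxretry:
                bans[key] = now
            break
    return bans


def ban_rules(bans):
    """The iptables command a ban action would run, one DROP rule per source."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for (_jail, ip) in sorted(bans)]


if __name__ == "__main__":
    for rule in ban_rules(scan(SAMPLE_LOG)):
        print(rule)
```

With the defaults, only 198.51.100.23 is banned: 203.0.113.7 also fails three times but sits in the whitelist, and 192.0.2.9's FTP failures are spread over more than ten minutes, so they never reach maxretry inside one window (raising findtime to an hour changes that). Note that sshd and pam_unix can each log the same attempt, so a real jail's filter should match exactly one line per failure or the counts double.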

  • howardsl2 Member
    edited June 2014

    A method to protect your server's SSH login:

    1. Move SSH from port 22 to another port between 1 and 65535 (or, for better security, choose a port < 1024).
    2. Add iptables rules to temporarily drop all traffic from hosts that connect to port 22 (or other "sensitive" ports like 23, 1433, 3306 and 3389).
    3. Set up port scan detection to block any attempt to find your new SSH port by port scanning.

    For 2 and 3 above, refer to my example iptables rules (disregard the Asterisk section) as well as my tutorial on setting up port scan detection.
