How do you secure your server?

uzaysanuzaysan Member

I'm pretty new to this topic. I have used a remote server for a long time, but it was just for development, and I didn't care about security. But now the server may go to production. I want to secure my server.

What do you suggest? What do you do when you secure your server?

I changed the SSH port to a different one and added an SSH key with a passphrase. What are the next steps I should take?


Comments

  • ViridWebViridWeb Member, Provider

    Firewall? Maybe disable root and create a new user with sudo?

    There are many things to do. So specific answer

    Or hire an Admin?

    Thanked by 1uzaysan

    ViridWeb.com - cPanel Web Hosting | Litespeed + SSH Access + Free Backups + Free Transfers.
    CIN: U72900WB2018OPC226882 | GST: 19AAGCV4976R1Z4

  • uzaysanuzaysan Member

    @ViridWeb said:
    Firewall? Maybe disable root and create a new user with sudo?

    There are many things to do. So specific answer

    Or hire an Admin?

    Yeah. Disabling the root user and creating a new one sounds like a good idea. I will check for a firewall.

  • uzaysan said: But now server may go to production.

    Securing a server is not just about installing firewall, disable root, etc... You think it is ok but in the background, hackers are now trying to get in to some of your sites, doing something this and that which for sure, you are not aware of. It takes a lot of effort and not just by installing something and let it run/do the work.

    Specially 4 U | Not Throttled
    JoneSolutions.Com is on the net 24/7 providing stable and reliable web hosting solutions and services since 2001.

  • uzaysanuzaysan Member

    jonesolutions said: It takes a lot of effort and not just by installing something and let it run/do the work.

    Yes that's why I'm asking. What can I do beyond enabling firewall or installing programs?

  • emmd19emmd19 Member

    With a password.

  • sdglhmsdglhm Member
    1. Update your system
    2. block unwanted ports, if you've a static IP. lock down login to that IP
    3. Use SSH-key based access. Disable password access if you can
    4. Enable firewall, always try to keep SELINUX active
    5. ModSecurity, ClamAV, rkhunter are a few good to have tools
    6. Disable root user
    7. Backup, Backup, Backup
    8. Backup
    9. Backup

    Those are few things on top of my head atm.

    Thanked by 3uzaysan pbx Ouji

    time wasters please dont comment as we are a serious buyer
    Programmer trying to do Logo Designs
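Added example, not part of any post in this thread: a check of an `sshd_config` for the SSH items that recur in the checklists here (key login on, password login off, root login off). It applies sshd's rule that the first value seen for a keyword wins, so a hardening line appended below an earlier conflicting line has no effect; the sample configs are constructed, and `Include` files are not followed.

```python
# Values sshd falls back to when a keyword is absent (OpenSSH 7.0 and later).
DEFAULTS = {"permitrootlogin": "prohibit-password",
            "passwordauthentication": "yes",
            "pubkeyauthentication": "yes"}

def effective_global(config_text):
    """Global settings as sshd resolves them: first occurrence of a keyword
    wins, and everything after the first Match line is conditional."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().strip('"')
        if key == "match":
            break                                      # rest is per-user/per-address
        if key == "port":
            seen.setdefault("port", []).append(value)  # Port may repeat
        else:
            seen.setdefault(key, value)                # later duplicates are ignored
    settings = {**DEFAULTS, **seen}
    settings.setdefault("port", ["22"])
    return settings

def audit(config_text):
    """Return findings for the thread's SSH advice; an empty list means pass."""
    s = effective_global(config_text)
    findings = []
    if s["permitrootlogin"].lower() != "no":
        findings.append("root can log in: PermitRootLogin " + s["permitrootlogin"])
    if s["passwordauthentication"].lower() != "no":
        findings.append("password login enabled: PasswordAuthentication "
                        + s["passwordauthentication"])
    if s["pubkeyauthentication"].lower() != "yes":
        findings.append("key login disabled: PubkeyAuthentication "
                        + s["pubkeyauthentication"])
    return findings

# Constructed sample: the "no" was appended below an existing "yes" line.
APPENDED = """Port 5444
PasswordAuthentication yes
PermitRootLogin no
# added later by the admin
PasswordAuthentication no
"""
# Constructed sample: hardened globally, with a conditional Match block below.
HARDENED = """Port 5444
PermitRootLogin no
PasswordAuthentication no
Match Address 192.0.2.0/24
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, text in (("APPENDED", APPENDED), ("HARDENED", HARDENED)):
        print(name, audit(text) or "ok")
```

On a live host, `sshd -T` (run as root) prints the configuration the daemon actually resolves, including `Include` files, and is the authoritative check.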

  • cazrzcazrz Member
    edited April 30
    1. Use ssh keys
    2. Iptables input drop all except your ips, open web port.
  • @sdglhm said:
    1. Update your system
    2. block unwanted ports, if you've a static IP. lock down login to that IP
    3. Use SSH-key based access. Disable password access if you can
    4. Enable firewall, always try to keep SELINUX active
    5. ModSecurity, ClamAV, rkhunter are a few good to have tools
    6. Disable root user
    7. Backup, Backup, Backup
    8. Backup
    9. Backup

    Those are few things on top of my head atm.

    Backup is mandatory !!

    Thanked by 1pbx
  • RedSoxRedSox Member

    Is the password like this $(#(3fjA33399$PRPaapP44_=3941_$&%&!#$*$kff worse than using ssh keys?

  • pbxpbx Member
    edited April 30

    @RedSox if root login is disabled it should be fine as an attacker would also have to guess the user. Don't use 'user' or 'admin' & enable fail2ban!

    Thanked by 1RedSox
  • rcy026rcy026 Member

    What services is the server running?

  • GromGrom Member

    Changing your ssh port is useless if you ask me.

    Thanked by 2rajprakash skorous
  • rubenruben Member, Provider

    As said, make backups and also test them! There is nothing worse than a backup that you can't use.

    rcy026 said: What services is the server running?

    This would be important to know as well..

    iFog GmbH - Webhosting, DNS Hosting, vServer, IP-Transit, IXP VMs, RIPE LIR, BGP VMs
    Tunnelbroker - Free BGP v6/v4 Tunnels

  • RedSoxRedSox Member
    edited April 30

    @pbx said:
    @RedSox if root login is disabled it should be fine as an attacker would also have to guess the user. Don't use 'user' or 'admin' & enable fail2ban!

    Just added a new user, disabled the root user, but Chinese IPs are still knocking on my cozy VPS. When I just change the ssh port from 22 to 5444 it seems the best way to make them stop, because they're looking for easy ways, not difficult ones :) but if a serious person wants to hack you, he'll find out your ssh port and will be knocking all day long. In that case fail2ban will be more effective, I suppose.
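Added example, not part of any post in this thread: the detection step behind the fail2ban advice above, counting failed SSH password attempts per source address inside a sliding window. The parameter names `maxretry` and `findtime` follow fail2ban's options; the log lines are constructed, use documentation addresses, and assume the traditional syslog timestamp, which carries no year.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH "Failed password" line as written to auth.log by syslog.
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")

def find_offenders(lines, maxretry=5, findtime=timedelta(minutes=10), year=2020):
    """Return {ip: time of the failure that reached maxretry within findtime}."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    offenders = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue              # successful logins and other daemons
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(3)
        window = recent[ip]
        window.append(when)
        while when - window[0] > findtime:
            window.popleft()      # forget failures older than findtime
        if len(window) >= maxretry and ip not in offenders:
            offenders[ip] = when
    return offenders

# Constructed sample: one address guessing fast, one slowly, one real login.
SAMPLE = [
    f"Apr 30 10:00:{s:02d} vps sshd[811]: Failed password for invalid user "
    f"admin from 203.0.113.7 port 40022 ssh2" for s in range(0, 50, 10)
] + [
    f"Apr 30 {h:02d}:15:00 vps sshd[812]: Failed password for root "
    f"from 198.51.100.9 port 51000 ssh2" for h in range(11, 16)
] + ["Apr 30 16:00:00 vps sshd[813]: Accepted publickey for deploy "
     "from 192.0.2.10 port 50222 ssh2"]

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE).items():
        print(f"{ip} reached the threshold at {when}")
```

The slow guesser at one attempt per hour never trips the window, which is why the thread pairs this kind of banning with key-only login rather than relying on it alone.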

  • xaocxaoc Member

    @RedSox said:
    Is the password like this $(#(3fjA33399$PRPaapP44_=3941_$&%&!#$*$kff worse than using ssh keys?

    It's not but only if that's the ssh key password. :D

    So Say We All

  • kmmmkmmm Member
    • I think you have done all of this but still: https://www.linode.com/docs/security/securing-your-server/
    • Let's ban blacklisted IPs: https://github.com/trick77/ipset-blacklist. The included list is about 80k IPs. Your auth.log should be much cleaner after using this :)
    • Monitor your server: https://hetrixtools.com. Many included: resource stats, uptime,... I suggest creating a supported method like a Discord server (free in case you don't know) or Slack ... and let Hetrix notify you.
    • Hetrix may not make you feel secure enough? Set up email notification on SSH login. You can search Google for it.
    • Learn how crontab works so you can automatically install security updates.
    • ...
  • uzaysanuzaysan Member
    edited April 30

    @rcy026 said:
    What services is the server running?

    MongoDB, Parse Server, Minio Storage and possibly Nginx. They are on the same server now, but in production I will separate them.

  • Tr33nTr33n Member
    edited April 30

    Just follow the advice of Plesk, they show brand new and previously unknown ways to secure servers. Linux Server Security – Best Practices For 2020

    To save you reading through the whole article, here are the most important headlines from the Plesk advisory:

    • Change /boot to read-only
    • Turn off IPv6 to boost Linux server security
    • GnuPG encryption for web host security
    Thanked by 1uzaysan
  • cazrzcazrz Member

    @uzaysan said:

    @rcy026 said:
    What services is the server running?

    MongoDB, Parse Server, Minio Storage and possibly Nginx. They are on the same server now, but in production I will separate them.

    Ah you should have included that info in your original post.

  • uzaysanuzaysan Member

    @Tr33n said:
    Just follow the advice of Plesk, they show brand new and previously unknown ways to secure servers. Linux Server Security – Best Practices For 2020

    To save you reading through the whole article, here are the most important headlines from the Plesk advisory:

    • Change /boot to read-only
    • Turn off IPv6 to boost Linux server security
    • GnuPG encryption for web host security

    Thanks I will check it out.

    @cazrz said:

    @uzaysan said:

    @rcy026 said:
    What services is the server running?

    MongoDB, Parse Server, Minio Storage and possibly Nginx. They are on the same server now, but in production I will separate them.

    Ah you should have included that info in your original post.

    Actually I was asking about general system security. But you are right. Security may change based on the application.

  • JarryJarry Member

    @Tr33n said:
    To save you reading through the whole article, here are the most important headlines from the Plesk advisory:

    • Turn off IPv6 to boost Linux server security

    If you turn off IPv4 too, you will boost linux server security even more!
    LOL, what a bullsh*t...

  • thedpthedp Member

    By powering it off 😎

    Thanked by 1desperand

    DomainPeon
    Ongoing Auctions: LowEndTalk | HostedTalk

  • matlagmatlag Member

    Don't forget a good fail2ban, as listed in the link provided by @kmmm

  • HostUpHostUp Member, Provider
    edited April 30

    I made a tutorial about this quite a while ago where I listed fail2ban, https://hostup.org/blog/how-to-secure-a-ubuntu-linux-server-in-3-simple-steps/

    But really instead of using fail2ban, I would actually just use iptables.

    https://www.thatsgeeky.com/2011/02/escalating-consequences-with-iptables/

    It works great with repeating brute force attempts:

    Offence #1 30 min
    Offence #2 2 hrs
    ..
    Offence #5+ 1 mo

    If you are a hosting provider or simply running many vpses via OpenVZ 7 solusvm, for example, you can simply replace the INPUT with FORWARD like the following rules and it will apply for all forwarding ips so you don't need to add them in each VPS:

    https://pastebin.com/6tDcpPiv

    Pretty handy!

    Thanked by 1uzaysan

    David B. from HostUp, LLC | Web & VPS Hosting in Netherlands | DDoS protection | $3,50/mo
    Also writes awesome tutorials for ubuntu on blog

  • Tr33nTr33n Member

    Jarry said: If you turn off IPv4 too, you will boost linux server security even more!

    Yeah, that's right. Disabling IPv4, IPv6 and of course the upcoming IPv4+ protocol will be the best security measure (for him).

    However, depending on how he disables the protocols, there could still be dangerous traffic, such as ARP. For the ultimate security boost I recommend simply disabling the whole interface.

    Thanked by 2jsg dedotatedwam
  • sdglhmsdglhm Member

    For the ultimate security boost I recommend to simply disable the whole interface.

    Still, you’re vulnerable to attacks like side channel. Bury it in a thirty feet concrete structure

    time wasters please dont comment as we are a serious buyer
    Programmer trying to do Logo Designs

  • Since you wanted a general approach, read your official OS docs; you'll discover a lot about their recommendations on security. The Unix SysAdmin book is also a good resource. Once you've got the essentials down, go to each one of your software vendors' docs and do the same, especially with network-facing ones. I.e. DB security can go a long way if you disable network access. Sockets and peer with postgres, for instance.

  • momkinmomkin Member

    It's easy to secure your server with only one command :smiley:
    shutdown -h now

  • @sdglhm said:

    Still, you’re vulnerable to attacks like side channel. Bury it in a thirty feet concrete structure

    Absolutely irresponsible. The lizard people down there will hack the sh*t out of you. NSA is also a fan of hardware mods, so better think about where you get your hardware from. An own wafer fab is the minimum.

    Seriously: It depends on what this server is used for and its value to you or your project/company. Protecting Joe Plumber's website and setting up the latest crypto coin app or the new Wikileaks server are vastly different things. When it doesn't need to be public then don't make it public. Among the other things already mentioned here and considering something which is not just a 5$ worth of value. Use apparmor or selinux to harden your app. Seccomp filters. Hide services which don't need to be public to everyone in a tunnel. This includes ssh (gives away info on your OS). Choose wireguard for tunneling. Only run software on the server which the app requires to run. If you run any kind of web facing app make it hard for someone to figure out what program and which version is used. Customize the programs on the server to only include the functionality you need, maybe compile them yourself.
    Try to pentest your server and see where it leaks. Document all the stuff you just set up. Backups!

    1. SSH key login
    2. Firewall
    3. Renew password every month
    4. Finally regular backups
  • jsgjsg Member

    Entertaining read ...

    Thanks no.

  • itfzeitfze Member

    You also have to use LiteSpeed service for better server performance and uptime of your VPS.

    99WEB.HOST
    cPanel Web Hosting | SSL | Softaculous Auto Installer in just $6/year

  • JordJord Moderator, Provider

    I use pandas armed with bamboo.....

    BillingServ - Easy, simple, and hassle-free online invoicing solution. Contact us today.
    BaseServ Certified to ISO/IEC 27001:2013

  • TimboJonesTimboJones Member

    @jonesolutions said:

    uzaysan said: But now server may go to production.

    Securing a server is not just about installing firewall, disable root, etc... You think it is ok but in the background, hackers are now trying to get in to some of your sites, doing something this and that which for sure, you are not aware of. It takes a lot of effort and not just by installing something and let it run/do the work.

  • DignusDataDignusData Member without signature
    • NCIS will help you but in real life better have good sysadmin (yes not cheap) but only human help can prevent and protect your server
    Thanked by 1webcraft
  • TheKillerTheKiller Member

    If you turn off your server, hackers will not be able to access it.

    Thanked by 2webcraft default
  • ABCVABCV Member, Provider

    On a serious note, it looks like you're not too familiar, so if you are planning to host client accounts then hire an admin. Ask them to do an initial server hardening and optimisation.

  • jeparamediajeparamedia Member
    edited May 3

    i don't know 😁

  • Ishu1998Ishu1998 Member

    Firewall + Disable Root, it's all I can think of as of now.
    Rest is your script's security.

  • cazrzcazrz Member
    1. plan an offsite backup
    2. use ssh keys
    3. use non-root user
    4. install persistent firewall then iptables input drop all except ..., iptables output drop all except ...
    5. use reverse proxy
    6. use kernel care or other rebootless kernel tools if possible
    7. make sure all your web files and directories are non-writable for world.
    8. if it is a web server, at least only install the web server or mysql/mariadb; put other services like email/DNS elsewhere.
    9. do not use FTP, use sftp, scp or better yet git.
  • HostkeyHostkey Member
    1. secure connection
    2. SSH keys authentication
    3. secure file transfer protocol
    4. secure sockets layer certificates
    5. private networks and VPNs
    6. monitor login attempts
    7. manage users
    8. password requirements
    9. password expiration policy
    10. passphrases for server passwords
    11. update and upgrade regularly
    12. remove or turn off all unnecessary services
    13. hide server information
    14. use intrusion detection systems
    15. file and service auditing
    16. firewall
    17. back up
    18. multi-server environments
    19. virtual isolated environments
  • martynsmartyns Member

    About SSH -22 Port, I would suggest you restrict / close that port to only your IP with iptables.
    If you have a dynamic IP, or even more ranges, you can do that also simply by adding /16 on the end; of course 1 static IP is best. Can't get a static IP, at least not for free, from your ISP?

    • Then just install a VPN on your VPS, and use that IP for SSH (Port 22) access.
  • ben47955ben47955 Member

    I set password to "12345" and waiting for someone to lock my server. Enjoy.

    Thanked by 1pbx
  • NyrNyr Member

    Your vanilla, updated system is "secure" by default. Inexperienced sysadmins seem to forget that.

    We then could talk about hardening specific services, but that is very specific and ample, not many generalizations can be made.

    Thanked by 2pbx lokuzard
  • @ben47955 said:
    I set password to "12345" and waiting for someone to lock my server. Enjoy.

    And then have your server suspended, no refund.

  • ben47955ben47955 Member

    @TimboJones said:

    @ben47955 said:
    I set password to "12345" and waiting for someone to lock my server. Enjoy.

    And then have your server suspended, no refund.

    Yeah, this happens from time to time, I don't understand why :(

    Thanked by 1pbx
  • I changed my password to Password, opened all ports, and waited for another person to manage it for me, so that even I couldn't log in.

    Thanked by 1pbx
  • serv_eeserv_ee Member

    @ErawanArifNugroho said:
    I changed my password to Password, opened all ports, and waited for another person to manage it for me, so that even I couldn't log in.

    Free managed dedicated, noice!

    I swear to drunk Im not god

  • pbxpbx Member
    edited May 20

    ben47955 said: Yeah, this happening time to time, I don't understand why

    The problem is that you don't choose your sysadmin: you will likely be lucky and find somebody taking good care of your server, but in some cases you can end up with an asshole doing nasty shit with it.

    Maybe try using a longer password? I use 1234567890 and never had any VPS suspended. Sometimes bandwidth consumption is a bit too high for my taste, but what can I say? Those people secure my server for free, I'm not gonna complain!

    Thanked by 1ErawanArifNugroho
  • JordJord Moderator, Provider

    Bamboo of course. Makes it nice and strong....

    BillingServ - Easy, simple, and hassle-free online invoicing solution. Contact us today.
    BaseServ Certified to ISO/IEC 27001:2013
