How do you secure your server?
I'm pretty new to this topic. I have used a remote server for a long time, but it was just for development, and I didn't care about security. But now the server may go to production. I want to secure my server.
What do you suggest? What do you do when you secure your server?
I changed the SSH port to a different one. Added an SSH key with a passphrase. What are the next steps I should take?
Comments
Firewall? Maybe disable root and create a new user with sudo?
There are many things to do. So specific answer
Or hire an Admin?
Yeah. Disabling the root user and creating a new one sounds like a good idea. I will check for a firewall.
Securing a server is not just about installing a firewall, disabling root, etc... You think it is ok but in the background, hackers are now trying to get into some of your sites, doing something this and that which for sure, you are not aware of. It takes a lot of effort and not just by installing something and letting it run/do the work.
Yes that's why I'm asking. What can I do beyond enabling firewall or installing programs?
With a password.
Those are few things on top of my head atm.
Backup is mandatory !!
Is the password like this $(#(3fjA33399$PRPaapP44_=3941_$&%&!#$*$kff worse than using ssh keys?
@RedSox if root login is disabled it should be fine as an attacker would also have to guess the user. Don't use 'user' or 'admin' & enable fail2ban!
What services is the server running?
Changing your ssh port is useless if you ask me.
As said, make backups and also test them! There is nothing worse than a backup that you can't use.
This would be important to know as well..
Just added a new user, disabled the root user, but Chinese IPs are still knocking on my cozy VPS. When I just change the ssh port from 22 to 5444 it seems the best way to make them stop, because they're looking for easy ways, not difficult ones
but if a serious person wants to hack you, he'll find out your ssh port and will be knocking all day long. In that case fail2ban will be more effective, I suppose.
It's not but only if that's the ssh key password.
So Say We All
auth.log should be much cleaner after using this
MongoDB, Parse Server, Minio Storage and possibly NGinx. They are on the same server now but in production I will separate them
Just follow the advice of Plesk, they show brand new and previously unknown ways to secure servers. Linux Server Security – Best Practices For 2020
To save you reading through the whole article, here are the most important headlines from the Plesk advisory:
Ah you should have included that info in your original post.
Thanks I will check it out.
Actually I was asking for general system security. But you are right. Security may change based on the application
If you turn off IPv4 too, you will boost linux server security even more!
LOL, what a bullsh*t...
By powering it off 😎
Don't forget a good fail2ban, as listed in the link provided by @kmmm
I made a tutorial about this quite a while ago where I listed fail2ban, https://hostup.org/blog/how-to-secure-a-ubuntu-linux-server-in-3-simple-steps/
But really instead of using fail2ban, I would actually just use iptables.
https://www.thatsgeeky.com/2011/02/escalating-consequences-with-iptables/
It works great with repeating brute force attempts:
Offence #1 30 min
Offence #2 2 hrs
..
Offence #5+ 1 mo
If you are a hosting provider or simply running many vpses via OpenVZ 7 solusvm, for example, you can simply replace the INPUT with FORWARD like the following rules and it will apply for all forwarding ips so you don't need to add them in each VPS:
https://pastebin.com/6tDcpPiv
Pretty handy!
David B. from HostUp, LLC | Web & VPS Hosting in Netherlands | DDoS protection | $3,50/mo
Also writes awesome tutorials for ubuntu on blog
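The escalating-ban idea from the post above, as an added example (not code from the post, the linked article or the pastebin): it counts failed SSH logins per source IP in constructed auth.log lines and maps each repeat offence to a ban length. Only the 30 min, 2 hrs and 1 mo tiers come from the post; the failure threshold, the window, the log year, the 30-day month and the handling of the elided tiers 3 and 4 are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Tiers quoted in the post: offence 1 -> 30 min, 2 -> 2 hrs, 5+ -> 1 mo (taken as
# 30 days). Tiers 3 and 4 are elided there; they fall back to tier 2 (assumption).
BAN_TIERS = {1: timedelta(minutes=30), 2: timedelta(hours=2), 5: timedelta(days=30)}
MAX_FAILS = 3                     # failures that make one offence (assumed)
WINDOW = timedelta(minutes=10)    # ...when they fall within this window (assumed)

# Greedy ".*" plus the "port N" tail pins the IP to the last " from " on the
# line, so a crafted username containing " from 1.2.3.4" cannot spoof the source.
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password .* from (\S+) port \d+"
)

# Constructed sample lines (documentation-range IPs), not real log data.
SAMPLE = [
    f"Mar  3 10:{m:02d}:{s:02d} vps sshd[811]: Failed password for root "
    f"from {ip} port 40022 ssh2"
    for m, s, ip in [(0, 1, "203.0.113.7"), (0, 5, "203.0.113.7"),
                     (0, 9, "203.0.113.7"), (2, 0, "198.51.100.9"),
                     (5, 0, "203.0.113.7"), (31, 0, "203.0.113.7"),
                     (31, 5, "203.0.113.7"), (31, 10, "203.0.113.7")]
]

def ban_length(offence):
    """Ban for the n-th offence: the highest listed tier not above n."""
    return BAN_TIERS[max(t for t in BAN_TIERS if t <= offence)]

def scan(lines, year=2020):
    """Return [(ip, offence_number, ban_start, ban_length), ...] in log order."""
    recent = defaultdict(list)    # ip -> timestamps of failures inside WINDOW
    offences, banned_until, bans = defaultdict(int), {}, []
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        if ip in banned_until and ts < banned_until[ip]:
            continue              # the firewall would already be dropping this
        recent[ip] = [t for t in recent[ip] if ts - t <= WINDOW] + [ts]
        if len(recent[ip]) >= MAX_FAILS:
            offences[ip] += 1
            length = ban_length(offences[ip])
            banned_until[ip] = ts + length
            bans.append((ip, offences[ip], ts, length))
            recent[ip].clear()
    return bans
```

Running `scan(SAMPLE)` shows the same address earning a 30-minute ban and then a 2-hour ban on its second burst, while the single failure from the other address triggers nothing.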
Yeah, that's right. Disabling IPv4, IPv6 and of course the upcoming IPv4+ protocol will be the best security measure (for him).
However, depending on how he disables the protocols, there could still be dangerous traffic, such as ARP. For the ultimate security boost I recommend simply disabling the whole interface.
Still, you’re vulnerable to attacks like side channel. Bury it in a thirty feet concrete structure
Since you wanted a general approach, read your official OS docs, you'll discover a lot about their recommendations on security. The Unix SysAdmin book is also a good resource. Once you've got the essentials down, go to each one of your software vendors' docs and do the same, especially with network-facing ones. I.e. DB security can go a long way if you disable network access. Sockets and peer with postgres, for instance.
It's easy to secure your server with only one command
shutdown -h now
Absolutely irresponsible. The lizard people down there will hack the sh*t out of you. NSA is also a fan of hardware mods, so better think about where you get your hardware from. An own wafer fab is the minimum.
Seriously: It depends on what this server is used for and its value to you or your project/company. Protecting Joe Plumber's website and setting up the latest crypto coin app or the new Wikileaks server are vastly different things. When it doesn't need to be public then don't make it public. Among the other things already mentioned here and considering something which is not just a 5$ worth of value. Use apparmor or selinux to harden your app. Seccomp filters. Hide services which don't need to be public to everyone in a tunnel. This includes ssh (gives away info on your OS). Choose wireguard for tunneling. Only run software on the server which the app requires to run. If you run any kind of web facing app make it hard for someone to figure out what program and which version is used. Customize the programs on the server to only include the functionality you need, maybe compile them yourself.
Try to pentest your server and see where it leaks. Document all the stuff you just set up. Backups!
Entertaining read ...
The problem with democracy is that by definition > 85% of the voters are not particularly intelligent.
You also have to use LiteSpeed service for better server performance and uptime of your VPS.
I use pandas armed with bamboo.....
If you turn off your server, hackers will not be able to access it.
On a serious note, it looks like you're not too familiar so if you are planning to host client accounts then hire an admin. Ask them to do an initial server hardening and optimisation.
i don't know 😁
Firewall + Disable Root, it's all I can think of as of now.
Rest is your script's security.
About SSH -22 Port, I would suggest you to restrict / close that port to only your IP with iptables
If you have dynamic IP, even more ranges you can do that also simply by adding /16 on the end, of course 1 static IP is best. Can't get Static IP at least not for free from your ISP?
I set password to "12345" and waiting for someone to lock my server. Enjoy.
Your vanilla, updated system is "secure" by default. Inexperienced sysadmins seem to forget that.
We then could talk about hardening specific services, but that is very specific and ample, not many generalizations can be made.
And then have your server suspended, no refund.
Yeah, this happens from time to time, I don't understand why
I changed my password to Password, opened all ports, and waited for another person to manage it for me, so that even I couldn't login,
Free managed dedicated, noice!
hm. I've lost a machine.. literally lost. it responds to ping, it works completely, I just can't figure out where in my apartment it is.
The problem is that you don't choose your sysadmin: you will likely be lucky and find somebody taking good care of your server, but in some cases you can end up with an asshole doing nasty shit with it.
Maybe try using a longer password? I use 1234567890 and never had any VPS suspended. Sometimes bandwidth consumption is a bit too high for my taste, but what can I say? Those people secure my server for free, I'm not gonna complain!
Bamboo of course. Makes it nice and strong....