New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
How do you secure your server?
I'm pretty new to this topic. I have used a remote server for a long time, but it was just for development, and I didn't care about security. Now the server may go to production, and I want to secure it.
What do you suggest? What do you do when you secure your server?
I changed the SSH port to a different one and added an SSH key with a passphrase. What are the next steps I should take?
Comments
Firewall? Maybe disable root and create a new user with sudo?
There are many things to do, so no specific answer.
Or hire an Admin?
Yeah, disabling the root user and creating a new one sounds like a good idea. I will check the firewall.
Securing a server is not just about installing a firewall, disabling root, etc. You think it is OK, but in the background hackers are now trying to get into some of your sites, doing this and that, which for sure you are not aware of. It takes a lot of effort, not just installing something and letting it run/do the work.
Yes, that's why I'm asking. What can I do beyond enabling a firewall or installing programs?
With a password.
Those are a few things off the top of my head atm.
Backups are mandatory!!
Is a password like $(#(3fjA33399$PRPaapP44_=3941_$&%&!#$*$kff worse than using SSH keys?
@RedSox If root login is disabled it should be fine, as an attacker would also have to guess the user. Don't use 'user' or 'admin', and enable fail2ban!
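The posts above keep coming back to the same two sshd_config settings: root login and password authentication. The script below is an added example (not from anyone in this thread) that audits the global section of an sshd_config for those settings and writes a hardened copy. The sample config text is constructed, the target values are this example's own choice of a key-only, no-root baseline, and the assumed defaults are the documented sshd_config(5) defaults for OpenSSH 7.0 and later.

```python
"""Audit an sshd_config for root login / password auth and emit a hardened copy.

Added example. WEAK_CONFIG is a constructed sample, not a real server's file.
"""
import re

# Target values for a key-only, no-root-login server (this example's choice).
HARDENED = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "PubkeyAuthentication": "yes",
    "PermitEmptyPasswords": "no",
    "MaxAuthTries": "3",
}
# Effective value when the directive is absent (sshd_config(5) defaults).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitemptypasswords": "no",
    "maxauthtries": "6",
}
CANONICAL = {k.lower(): k for k in HARDENED}
DIRECTIVE = re.compile(r"\s*([A-Za-z]+)[\s=]+(.*)")


def parse_global_section(text):
    """Map lowercase directive -> value for the part before any Match block.

    As in sshd, the first occurrence of a directive wins; directives inside
    Match blocks are conditional and are not evaluated here.
    """
    settings = {}
    for raw in text.splitlines():
        m = DIRECTIVE.match(raw.split("#", 1)[0])
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def is_weak(key, value):
    """True if the effective value for lowercase `key` is weaker than HARDENED."""
    want = HARDENED[CANONICAL[key]]
    if key == "maxauthtries":
        try:
            return int(value) > int(want)
        except ValueError:
            return True
    return value.lower() != want


def audit_sshd_config(text):
    """Return [(Directive, effective_value, hardened_value)] for each weak setting."""
    settings = parse_global_section(text)
    return [
        (name, settings.get(key, DEFAULTS[key]), HARDENED[name])
        for key, name in CANONICAL.items()
        if is_weak(key, settings.get(key, DEFAULTS[key]))
    ]


def harden_sshd_config(text):
    """Return a copy with every HARDENED directive set in the global section.

    The first existing occurrence is rewritten in place, later duplicates
    (which sshd ignores anyway) are dropped, missing directives are added
    before the first Match block, and Match blocks are left untouched.
    """
    out, seen, in_match = [], set(), False

    def missing():
        return [f"{CANONICAL[k]} {HARDENED[CANONICAL[k]]}" for k in CANONICAL if k not in seen]

    for raw in text.splitlines():
        m = DIRECTIVE.match(raw.split("#", 1)[0])
        key = m.group(1).lower() if m else None
        if key == "match" and not in_match:
            out.extend(missing())
            in_match = True
        if not in_match and key in CANONICAL:
            if key not in seen:
                seen.add(key)
                out.append(f"{CANONICAL[key]} {HARDENED[CANONICAL[key]]}")
            continue  # drop duplicate occurrences
        out.append(raw)
    if not in_match:
        out.extend(missing())
    return "\n".join(out) + "\n"


# Constructed sample of a default-ish install with root + password login on.
WEAK_CONFIG = """\
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, have, want in audit_sshd_config(WEAK_CONFIG):
        print(f"WEAK: {name} is {have!r}, want {want!r}")
    print(harden_sshd_config(WEAK_CONFIG), end="")
```

Two caveats when applying this to a real file: the Match block in the sample still allows passwords for one user, and the audit deliberately does not evaluate Match blocks, so read those by hand; and after editing the real sshd_config run `sshd -t` and keep your existing session open until a fresh key-based login succeeds, or a typo locks you out.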
What services is the server running?
Changing your SSH port is useless, if you ask me.
As said, make backups and also test them! There is nothing worse than a backup that you can't use.
This would be important to know as well..
Just added a new user and disabled the root user, but Chinese IPs are still knocking on my cozy VPS. Just changing the SSH port from 22 to 5444 seems the best way to make them stop, because they're looking for easy ways, not difficult ones. But if a serious person wants to hack you, he'll find out your SSH port and will be knocking all day long. In that case fail2ban will be more effective, I suppose.
It's not, but only if that's the SSH key password.
auth.log should be much cleaner after using this.
MongoDB, Parse Server, Minio Storage and possibly NGinx. They are on the same server now, but in production I will separate them.
Just follow the advice of Plesk, they show brand new and previously unknown ways to secure servers. Linux Server Security – Best Practices For 2020
To save you reading through the whole article, here are the most important headlines from the Plesk advisory:
Ah, you should have included that info in your original post.
Thanks I will check it out.
Actually I was asking about general system security. But you are right, security may change based on the application.
If you turn off IPv4 too, you will boost Linux server security even more!
LOL, what a bullsh*t...
By powering it off 😎
Don't forget a good fail2ban, as listed in the link provided by @kmmm
I made a tutorial about this quite a while ago where I listed fail2ban: https://hostup.org/blog/how-to-secure-a-ubuntu-linux-server-in-3-simple-steps/
But really instead of using fail2ban, I would actually just use iptables.
https://www.thatsgeeky.com/2011/02/escalating-consequences-with-iptables/
It works great against repeated brute-force attempts:
Offence #1 30 min
Offence #2 2 hrs
..
Offence #5+ 1 mo
If you are a hosting provider, or simply running many VPSes via OpenVZ 7 / SolusVM for example, you can simply replace INPUT with FORWARD in the following rules and it will apply to all forwarded IPs, so you don't need to add them in each VPS:
https://pastebin.com/6tDcpPiv
Pretty handy!
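To make the escalation schedule above concrete, here is an added example (not code from the thread, the linked article, or fail2ban) that reads sshd "Failed password" lines from auth.log and computes fail2ban-style bans with escalating lengths. The log lines are constructed. The post only gives the lengths for offences 1, 2 and 5+, so the 12-hour and 7-day steps for offences 3 and 4 are assumptions, as are the trigger of 3 failures within 10 minutes and the syslog year.

```python
"""Escalating SSH brute-force bans computed from auth.log lines.

Added example. LOG is constructed; MAXRETRY, FINDTIME, the year, and the
offence-3/4 ban lengths are assumptions (the post gives offences 1, 2 and 5+).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# sshd failure lines in the classic syslog layout: "Mon DD HH:MM:SS host sshd[pid]: ..."
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

MAXRETRY = 3                    # failures within FINDTIME that trigger a ban (assumed)
FINDTIME = timedelta(minutes=10)  # assumed window
# Ban length per offence number; entries 3 and 4 are assumed, the rest follow the post.
SCHEDULE = [
    timedelta(minutes=30),  # offence 1
    timedelta(hours=2),     # offence 2
    timedelta(hours=12),    # offence 3 (assumed)
    timedelta(days=7),      # offence 4 (assumed)
    timedelta(days=30),     # offence 5+ ("1 mo")
]


def parse_failures(log_text, year=2020):
    """Yield (timestamp, ip, user) for each failed-password line, in log order."""
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{m['ts']} {year}", "%b %d %H:%M:%S %Y")
            yield ts, m["ip"], m["user"]


def ban_length(offence):
    """Escalating ban length; offences past the end of SCHEDULE keep the last entry."""
    return SCHEDULE[min(offence, len(SCHEDULE)) - 1]


def compute_bans(log_text, maxretry=MAXRETRY, findtime=FINDTIME):
    """Replay the log and return one record per ban that would have been issued."""
    recent = defaultdict(list)   # ip -> timestamps of failures still inside findtime
    offences = defaultdict(int)  # ip -> how many bans so far
    banned_until = {}
    bans = []
    for ts, ip, _user in parse_failures(log_text):
        if ip in banned_until and ts < banned_until[ip]:
            continue  # still banned: the firewall rule would have dropped this packet
        window = [t for t in recent[ip] if ts - t <= findtime] + [ts]
        if len(window) >= maxretry:
            offences[ip] += 1
            until = ts + ban_length(offences[ip])
            banned_until[ip] = until
            bans.append({"ip": ip, "offence": offences[ip], "at": ts, "until": until})
            window = []  # start counting afresh after the ban expires
        recent[ip] = window
    return bans


def ban_command(ip, port=22):
    """The iptables rule a ban would install (insert at top so it wins over ACCEPTs)."""
    return f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP"


# Constructed auth.log excerpt: one scanner (203.0.113.45) that earns two bans,
# one IP that stops short of the threshold, and an unrelated successful key login.
LOG = """\
Jan 10 03:12:01 vps sshd[1201]: Failed password for invalid user admin from 203.0.113.45 port 40122 ssh2
Jan 10 03:12:04 vps sshd[1203]: Failed password for invalid user user from 203.0.113.45 port 40130 ssh2
Jan 10 03:12:09 vps sshd[1205]: Failed password for root from 203.0.113.45 port 40141 ssh2
Jan 10 03:15:00 vps sshd[1210]: Failed password for root from 203.0.113.45 port 40150 ssh2
Jan 10 03:20:33 vps sshd[1230]: Failed password for invalid user admin from 198.51.100.7 port 51000 ssh2
Jan 10 03:21:02 vps sshd[1232]: Failed password for invalid user admin from 198.51.100.7 port 51004 ssh2
Jan 10 03:45:10 vps sshd[1300]: Accepted publickey for deploy from 192.0.2.10 port 2200 ssh2
Jan 10 03:50:01 vps sshd[1310]: Failed password for root from 203.0.113.45 port 40201 ssh2
Jan 10 03:50:05 vps sshd[1312]: Failed password for root from 203.0.113.45 port 40203 ssh2
Jan 10 03:50:11 vps sshd[1314]: Failed password for root from 203.0.113.45 port 40207 ssh2
"""

if __name__ == "__main__":
    for b in compute_bans(LOG):
        print(f"{b['at']:%b %d %H:%M:%S} offence #{b['offence']} {b['ip']} "
              f"banned until {b['until']:%b %d %H:%M:%S}  ->  {ban_command(b['ip'])}")
```

Note what the replay shows: the failure at 03:15:00 falls inside the first ban and is ignored, the second burst after the ban expires is counted from zero and earns the longer second-offence ban, and the Accepted line never matches. That last point is worth keeping in mind for the "key with passphrase" setup from the original post: a wrong passphrase is a local failure and never appears in auth.log, so only password attempts feed this counter.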
Yeah, that's right. Disabling IPv4, IPv6 and of course the upcoming IPv4+ protocol will be the best security measure (for him).
However, depending on how he disables the protocols, there could still be dangerous traffic, such as ARP. For the ultimate security boost I recommend simply disabling the whole interface.
Still, you're vulnerable to attacks like side channels. Bury it in a thirty-foot concrete structure.
Since you wanted a general approach, read your official OS docs; you'll discover a lot about their recommendations on security. The Unix SysAdmin book is also a good resource. Once you have the essentials down, go to each one of your software vendors' docs and do the same, especially with network-facing ones. E.g. DB security can go a long way if you disable network access: sockets and peer auth with Postgres, for instance.
It's easy to secure your server with only one command:
shutdown -h now
Absolutely irresponsible. The lizard people down there will hack the sh*t out of you. The NSA is also a fan of hardware mods, so better think about where you get your hardware from. Your own wafer fab is the minimum.
Seriously: it depends on what this server is used for and its value to you or your project/company. Protecting Joe Plumber's website and setting up the latest crypto coin app or the new WikiLeaks server are vastly different things. When it doesn't need to be public, don't make it public. Among the other things already mentioned here, and considering something which is worth more than $5: use AppArmor or SELinux to harden your app. Seccomp filters. Hide services which don't need to be public to everyone in a tunnel. This includes SSH (it gives away info on your OS). Choose WireGuard for tunneling. Only run software on the server which the app requires to run. If you run any kind of web-facing app, make it hard for someone to figure out what program and which version is used. Customize the programs on the server to only include the functionality you need; maybe compile them yourself.
Try to pentest your server and see where it leaks. Document all the stuff you just set up. Backups!