How do you secure your server?
uzaysan Member

I'm pretty new to this topic. I have used a remote server for a long time, but it was just for development, and I didn't care about security. But now the server may go to production. I want to secure my server.

What do you suggest? What do you do when you secure your server?

I changed the SSH port to a different one and added an SSH key with a passphrase. What are the next steps I should take?


Comments

  • ViridWeb Member, Host Rep

    Firewall? Maybe disable root and create a new user with sudo?

    There are many things to do, so no specific answer.

    Or hire an Admin?

    Thanked by 1: uzaysan
  • @ViridWeb said:
    Firewall? Maybe disable root and create a new user with sudo?

    There are many things to do, so no specific answer.

    Or hire an Admin?

    Yeah. Disabling the root user and creating a new one sounds like a good idea. I will check the firewall.

  • uzaysan said: But now the server may go to production.

    Securing a server is not just about installing a firewall, disabling root, etc. You think it is ok, but in the background hackers are trying to get into some of your sites, doing this and that, which for sure you are not aware of. It takes a lot of effort, not just installing something and letting it run/do the work.

  • jonesolutions said: It takes a lot of effort, not just installing something and letting it run/do the work.

    Yes, that's why I'm asking. What can I do beyond enabling a firewall or installing programs?

  • With a password.

    1. Update your system
    2. Block unwanted ports; if you have a static IP, lock down login to that IP
    3. Use SSH-key based access. Disable password access if you can
    4. Enable a firewall, and always try to keep SELinux active
    5. ModSecurity, ClamAV and rkhunter are a few good-to-have tools
    6. Disable the root user
    7. Backup, Backup, Backup
    8. Backup
    9. Backup

    Those are a few things off the top of my head atm.

    Thanked by 3: uzaysan, pbx, Ouji
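    A quick way to check whether a box actually has the key-only, no-root SSH settings from the list above, as an added example (not code from this thread or any linked tutorial). It assumes the upstream OpenSSH defaults noted in the comments and uses two constructed sshd_config snippets, a weak one and its fix:

```python
import re

# Effective value when a directive is absent (upstream OpenSSH defaults;
# PermitRootLogin has defaulted to prohibit-password since OpenSSH 7.0).
DEFAULTS = {"permitrootlogin": "prohibit-password",
            "passwordauthentication": "yes",
            "pubkeyauthentication": "yes"}
# Key-only access with root disabled, as recommended in the thread.
WANTED = {"permitrootlogin": "no",
          "passwordauthentication": "no",
          "pubkeyauthentication": "yes"}
# Constructed configs (not from the thread): a weak one and its fix.
# The weak one shows two common traps: a commented-out directive (so the
# default applies) and a duplicate keyword (sshd keeps the FIRST value).
WEAK_CONFIG = """\
Port 5444
PermitRootLogin yes
#PasswordAuthentication no
PermitRootLogin no
Match User deploy
    PasswordAuthentication no
"""
HARDENED_CONFIG = """\
Port 5444
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
"""

def parse_global(config_text):
    """Return {keyword: value} for the global section (first occurrence wins,
    keywords are case-insensitive, 'Key value' or 'Key=value' accepted).
    Directives after the first Match line are conditional and are skipped."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip().lower() if len(parts) > 1 else "")
    return settings

def audit(config_text):
    """List (keyword, effective_value, wanted_value) for every weak setting."""
    settings = parse_global(config_text)
    return [(key, settings.get(key, DEFAULTS[key]), good)
            for key, good in WANTED.items()
            if settings.get(key, DEFAULTS[key]) != good]
```

    Run `audit(open("/etc/ssh/sshd_config").read())` on a real host; an empty list means all three directives are effectively set the way the list above recommends.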
  • cazrz Member
    edited April 2020
    1. Use SSH keys
    2. iptables: INPUT drop all except your IPs, open the web port.
  • @sdglhm said:
    1. Update your system
    2. Block unwanted ports; if you have a static IP, lock down login to that IP
    3. Use SSH-key based access. Disable password access if you can
    4. Enable a firewall, and always try to keep SELinux active
    5. ModSecurity, ClamAV and rkhunter are a few good-to-have tools
    6. Disable the root user
    7. Backup, Backup, Backup
    8. Backup
    9. Backup

    Those are a few things off the top of my head atm.

    Backup is mandatory!!

    Thanked by 1: pbx
  • Is a password like this $(#(3fjA33399$PRPaapP44_=3941_$&%&!#$*$kff worse than using SSH keys?

  • pbx Member
    edited April 2020

    @RedSox if root login is disabled it should be fine, as an attacker would also have to guess the user. Don't use 'user' or 'admin' & enable fail2ban!

    Thanked by 1: RedSox
  • What services is the server running?

  • Grom Member

    Changing your SSH port is useless if you ask me.

  • ruben Member, Host Rep

    As said, make backups and also test them! There is nothing worse than a backup that you can't use.

    rcy026 said: What services is the server running?

    This would be important to know as well.

  • RedSox Member
    edited April 2020

    @pbx said:
    @RedSox if root login is disabled it should be fine, as an attacker would also have to guess the user. Don't use 'user' or 'admin' & enable fail2ban!

    Just added a new user and disabled the root user, but Chinese IPs are still knocking on my cozy VPS. When I just change the SSH port from 22 to 5444 it seems the best way to make them stop, because they're looking for easy ways, not difficult ones :) But if a serious person wants to hack you, he'll find out your SSH port and will be knocking all day long. In that case fail2ban will be more effective, I suppose.

  • xaoc Member

    @RedSox said:
    Is a password like this $(#(3fjA33399$PRPaapP44_=3941_$&%&!#$*$kff worse than using SSH keys?

    It's not, but only if that's the SSH key password. :D

  • kmmm Member
    • I think you have done all of this but still: https://www.linode.com/docs/security/securing-your-server/
    • Let's ban blacklisted IPs: https://github.com/trick77/ipset-blacklist. The included list is about 80k IPs. Your auth.log should be much cleaner after using this :)
    • Monitor your server: https://hetrixtools.com. Many things included: resource stats, uptime, ... I suggest creating a supported notification method like a Discord server (free, in case you don't know) or Slack ... and let Hetrix notify you.
    • Hetrix may not make you feel secure enough? Set up email notifications on SSH login. You can search Google for it.
    • Learn how crontab works so you can automatically install security updates.
    • ...
  • uzaysan Member
    edited April 2020

    @rcy026 said:
    What services is the server running?

    MongoDB, Parse Server, Minio Storage and possibly NGINX. They are on the same server now, but in production I will separate them.

  • Tr33n Member
    edited April 2020

    Just follow the advice of Plesk, they show brand new and previously unknown ways to secure servers. Linux Server Security – Best Practices For 2020

    To save you reading through the whole article, here are the most important headlines from the Plesk advisory:

    • Change /boot to read-only
    • Turn off IPv6 to boost Linux server security
    • GnuPG encryption for web host security
    Thanked by 1: uzaysan
  • cazrz Member

    @uzaysan said:

    @rcy026 said:
    What services is the server running?

    MongoDB, Parse Server, Minio Storage and possibly NGINX. They are on the same server now, but in production I will separate them.

    Ah, you should have included that info in your original post.

  • @Tr33n said:
    Just follow the advice of Plesk, they show brand new and previously unknown ways to secure servers. Linux Server Security – Best Practices For 2020

    To save you reading through the whole article, here are the most important headlines from the Plesk advisory:

    • Change /boot to read-only
    • Turn off IPv6 to boost Linux server security
    • GnuPG encryption for web host security

    Thanks I will check it out.

    @cazrz said:

    @uzaysan said:

    @rcy026 said:
    What services is the server running?

    MongoDB, Parse Server, Minio Storage and possibly NGINX. They are on the same server now, but in production I will separate them.

    Ah, you should have included that info in your original post.

    Actually I was asking about general system security. But you are right, security may change based on the application.

  • Jarry Member

    @Tr33n said:
    To save you reading through the whole article, here are the most important headlines from the Plesk advisory:

    • Turn off IPv6 to boost Linux server security

    If you turn off IPv4 too, you will boost linux server security even more!
    LOL, what a bullsh*t...

  • DP Administrator, The Domain Guy

    By powering it off 😎

    Thanked by 1: desperand
  • Don't forget a good fail2ban, as listed in the link provided by @kmmm

  • HostUp Member, Host Rep
    edited April 2020

    I made a tutorial about this quite a while ago where I listed fail2ban, https://hostup.org/blog/how-to-secure-a-ubuntu-linux-server-in-3-simple-steps/

    But really instead of using fail2ban, I would actually just use iptables.

    https://www.thatsgeeky.com/2011/02/escalating-consequences-with-iptables/

    It works great against repeated brute-force attempts:

    Offence #1 30 min
    Offence #2 2 hrs
    ..
    Offence #5+ 1 mo

    If you are a hosting provider or simply running many VPSes via OpenVZ 7 / SolusVM, for example, you can simply replace INPUT with FORWARD in the following rules and it will apply to all forwarded IPs, so you don't need to add them in each VPS:

    https://pastebin.com/6tDcpPiv

    Pretty handy!

    Thanked by 1: uzaysan
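    The escalating-ban policy described above, worked through over constructed auth.log lines as an added example (not HostUp's tutorial or the linked iptables rules). It assumes an "offence" is three failed passwords from one IP within ten minutes (fail2ban-style), and since the post elides offences #3 and #4, those two durations are assumptions as well:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth.log excerpt (not from the thread): 203.0.113.7 brute-forces twice.
SAMPLE_LOG = """\
Apr 12 10:00:01 vps sshd[1201]: Failed password for root from 203.0.113.7 port 50211 ssh2
Apr 12 10:00:05 vps sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 50214 ssh2
Apr 12 10:00:09 vps sshd[1205]: Failed password for invalid user user from 203.0.113.7 port 50218 ssh2
Apr 12 10:31:00 vps sshd[1300]: Accepted publickey for deploy from 198.51.100.9 port 40002 ssh2
Apr 12 11:00:00 vps sshd[1402]: Failed password for root from 203.0.113.7 port 50301 ssh2
Apr 12 11:00:03 vps sshd[1404]: Failed password for root from 203.0.113.7 port 50302 ssh2
Apr 12 11:00:06 vps sshd[1406]: Failed password for root from 203.0.113.7 port 50303 ssh2
Apr 12 11:00:10 vps sshd[1408]: Failed password for root from 192.0.2.55 port 61000 ssh2
"""

MAXRETRY = 3                      # failures that make one "offence" (assumed)
FINDTIME = timedelta(minutes=10)  # window those failures must fall in (assumed)
# Offence number -> ban length. #1, #2 and the one-month cap come from the post;
# the post elides #3 and #4, so those two values are assumptions.
BAN_LENGTH = {1: timedelta(minutes=30), 2: timedelta(hours=2),
              3: timedelta(hours=12), 4: timedelta(days=3)}
BAN_CAP = timedelta(days=30)      # "Offence #5+  1 mo"

FAILED = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?\S+ from (\S+) port")

def ban_length(offence):
    """Ban duration for the n-th offence; everything past #4 gets the cap."""
    return BAN_LENGTH.get(offence, BAN_CAP)

def escalate(log_lines, year=2020):
    """Return {ip: [(ban_start, ban_end), ...]}, one tuple per offence."""
    pending = defaultdict(list)   # ip -> failure times not yet part of an offence
    offences = defaultdict(int)
    bans = defaultdict(list)
    for line in log_lines:
        m = FAILED.match(line)
        if not m:
            continue                # successful logins and other noise
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        window = [t for t in pending[ip] if ts - t <= FINDTIME] + [ts]
        if len(window) >= MAXRETRY:
            offences[ip] += 1
            bans[ip].append((ts, ts + ban_length(offences[ip])))
            window = []             # these failures are consumed by the offence
        pending[ip] = window
    return dict(bans)
```

    `escalate(SAMPLE_LOG.splitlines())` yields two bans for 203.0.113.7 (30 minutes, then 2 hours) and none for 192.0.2.55, whose single failure never reaches the threshold.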
  • Tr33n Member

    Jarry said: If you turn off IPv4 too, you will boost linux server security even more!

    Yeah, that's right. Disabling IPv4, IPv6 and of course the upcoming IPv4+ protocol will be the best security measure (for him).

    However, depending on how he disables the protocols, there could still be dangerous traffic, such as ARP. For the ultimate security boost I recommend simply disabling the whole interface.

    Thanked by 2: jsg, dedotatedwam
  • For the ultimate security boost I recommend simply disabling the whole interface.

    Still, you're vulnerable to attacks like side channels. Bury it in a thirty-foot concrete structure.

  • Since you wanted a general approach, read your official OS docs; you'll discover a lot about their recommendations on security. The Unix SysAdmin book is also a good resource. Once you've got the essentials down, go to each of your software vendors' docs and do the same, especially for the network-facing ones. E.g. DB security can go a long way if you disable network access: Unix sockets and peer authentication with Postgres, for instance.

  • momkin Member

    It's easy to secure your server with only one command :smiley:
    shutdown -h now

  • @sdglhm said:

    Still, you're vulnerable to attacks like side channels. Bury it in a thirty-foot concrete structure.

    Absolutely irresponsible. The lizard people down there will hack the sh*t out of you. The NSA is also a fan of hardware mods, so better think about where you get your hardware from. Your own wafer fab is the minimum.

    Seriously: it depends on what this server is used for and its value to you or your project/company. Protecting Joe Plumber's website and setting up the latest crypto-coin app or the new Wikileaks server are vastly different things. When it doesn't need to be public, don't make it public. Beyond the other things already mentioned here, and assuming something worth more than $5: use AppArmor or SELinux to harden your app. Seccomp filters. Hide services which don't need to be public to everyone in a tunnel. This includes SSH (it gives away info on your OS). Choose WireGuard for tunneling. Only run software on the server which the app requires to run. If you run any kind of web-facing app, make it hard for someone to figure out what program and which version is used. Customize the programs on the server to only include the functionality you need, maybe compile them yourself.
    Try to pentest your server and see where it leaks. Document all the stuff you just set up. Backups!

    1. SSH key login
    2. Firewall
    3. Renew password every month
    4. Finally regular backups