New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
Comments
My script basically does this, and a lot more to secure servers, but only CentOS-based at the moment. Considering making it for Ubuntu/Debian.
http://lowendtalk.com/discussion/20033/script-autosecure-for-cpanel-auto-harden-cpanel
I do the same on my home server (white list a few IP addresses or a range), but my VPS runs CSF with SSH open to everyone.
One thing I would recommend is using the AllowUsers directive when configuring sshd. It stops logging in as root dead in its tracks, even if you have PermitRootLogin set to yes and root isn't listed in AllowUsers.
Why no CSF ? CSF is one of the best firewalls I have ever used...
I use it, love the country blocking, directory watch and the connection tracking.
I have selected DenyHosts as this app can share random attack data. You will automatically block all known botnets, etc.
I have no preference in deny hosts or fail2ban
Both are doing the job great.
As for a higher port, it is enough to move SSH to anything other than port 22.
It will harden things up.
Remember that this is only a basic tutorial, and I am inviting everyone to extend it.
I use some additional measures:
1st: Allow access only to your country (can be changed to GeoIP city): http://ts1-en.blogspot.com/2009/06/ssh-access-control-with-geoip.html
2nd: Email when someone logs in through SSH: http://askubuntu.com/questions/179889/how-do-i-set-up-an-email-alert-when-a-ssh-login-is-successful
3rd: Email when the VPS starts/reboots: http://thepoch.com/tumblr/be-emailed-when-your-linux-server-starts-up-or-shuts.html
Note: for Debian you must change the headers to:
TIL there's a $SSH_CONNECTION variable in bash.
https://library.linode.com/securing-your-server
I just disable password login & enforce fail2ban most of the time
CSF can do #1 and #2. You'd need to do #3 manually, or set up uptime monitoring if you want real metrics on the server.
Not everyone uses CSF ...
1. I think CSF blocks all ports. With hosts.deny/hosts.allow you can block by service.
2. I think LFD is the one that sends email. I don't use LFD.
100% ssh security
/etc/init.d/dropbear stop
how to start ssh
reboot server
also
chmod 000 /usr/bin/cc
chmod 000 /usr/bin/gcc
Drop incoming connections if an IP makes more than 10 connection attempts to port 80 within 100 seconds (add the rules to your iptables shell script):
IPT=/sbin/iptables
# Time window in seconds (renamed from SECONDS, which bash reserves as a running counter)
SECS=100
# Max connections per IP within the window
BLOCKCOUNT=10
# Default action can be DROP or REJECT
DACTION="DROP"
# Record each new connection to port 80 in the "recent" list
$IPT -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set
# Inserted above the previous rule: if the source hit the list BLOCKCOUNT times within SECS seconds, apply DACTION
$IPT -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --seconds ${SECS} --hitcount ${BLOCKCOUNT} -j ${DACTION}
---------- Lighttpd: limit all connections
server.kbytes-per-second = 1024
---------- Set limit to 64 kbyte/s for each single connection per IP:
connection.kbytes-per-second = 64
I can understand dropping traffic after a certain number of hits, but what purpose does it serve to remove all permissions from cc and gcc?
to disable compiler
For what? Why not generate keys & allow only your country?
AFAIK - If someone has access to a user, they can generally bring along their own packaged compiler and use the existing libraries on the system
It's kinda pointless.
you need port knocking http://www.portknocking.org/
and fail2ban
Agree It's kinda pointless.
Fail2ban uses like 3MB on my VPS. It's worth it.
I imagine sshguard uses <1MB of RAM since it is coded in C. But it does not allow you to specify custom "attack signatures" i.e. custom regex patterns. You can do that with fail2ban.
Install apticron and unattended-upgrades. The former tells you when new updates are available and the latter does the upgrades automatically:
apt-get install apticron unattended-upgrades
Well, I will put all those together and make a tutorial on how to build a bulletproof, unbreakable fortress of your LEB.
Just want to add my $.02. I posted this in an older thread.
I wrote a script to check that IPTables is running with the correct rules every 5 minutes. It has the following components:
1. Somewhere in your IPTables rules, add this:
-A INPUT -m comment --comment "CHECKME"
OR
-A INPUT -m recent --set --name CHECKME
2. Create a script /root/check_iptables.sh
3. Create a cron job /etc/cron.d/check_iptables
4. Create a script /root/iptablesload.sh
5. Install Monit (e.g. apt-get install monit, yum install monit), and modify its config file. Here's part of my /etc/monit/monitrc for your reference. This is for Ubuntu. More Monit examples are here: http://mmonit.com/wiki/Monit/ConfigurationExamples
And you are done.
For more IPTables security tips, check out my tech blog article. You can ignore the Asterisk section.
https://blog.ls20.com/securing-your-asterisk-voip-server-with-iptables/
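An added example of what step 2 of the post above could look like (this is not the poster's own /root/check_iptables.sh): it scans iptables-save output for the CHECKME marker rule from step 1 and, from cron, calls the assumed /root/iptablesload.sh from step 4 when the marker is gone. The sample rulesets are constructed so the check can be exercised without root.

```shell
#!/bin/sh
# Added example, not the poster's script: detect a flushed ruleset by the
# absence of the CHECKME marker rule and reload the rules when it is missing.
MARKER="CHECKME"
RELOAD_SCRIPT="/root/iptablesload.sh"   # assumed path of the step-4 script

# check_ruleset RULESET: RULESET is iptables-save style text. Prints "ok" and
# returns 0 when the marker rule (either form from step 1) is present; prints
# "reload" and returns 1 otherwise.
check_ruleset() {
    if printf '%s\n' "$1" | grep -E -q -e "--comment \"$MARKER\"|--name $MARKER"; then
        echo ok
        return 0
    fi
    echo reload
    return 1
}

# Constructed sample dumps: one intact ruleset, one after `iptables -F`.
SAMPLE_WITH_MARKER='*filter
:INPUT DROP [0:0]
-A INPUT -m comment --comment "CHECKME"
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT'
SAMPLE_FLUSHED='*filter
:INPUT ACCEPT [0:0]
COMMIT'

# Cron entry point: read the live ruleset and reload if the marker is missing.
# A failure to read the ruleset is treated as "missing", so a reload is attempted.
main() {
    live=$(iptables-save 2>/dev/null) || live=""
    if ! check_ruleset "$live" >/dev/null; then
        logger -t check_iptables "marker $MARKER missing, running $RELOAD_SCRIPT"
        sh "$RELOAD_SCRIPT"
    fi
}

# Run main only when invoked under the script name the cron job uses.
case "$0" in *check_iptables.sh) main ;; esac
```

Because the marker is matched in the saved text rather than by counting rules, it also catches a ruleset that was replaced by an unrelated one (for example by a provider's default rules) and not just an empty chain.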
The best is, the SSH login message also works when a provider enters your container, which would look like this:
So you can tell them to get the fuck out of my container.
Some hosts do this (I would go away if I were you).
BTW I used: http://www.crucialp.com/resources/tutorials/secure-server-securing/email-alert-root-ssh-login-e-mail.php with postfix and mailutils.