Do you Secure/Harden your Server?
Hey guys, just curious as to how many of you actually harden your server?
I have to admit I'm pretty lacking when it comes to securing my server. I used to install CSF with Webmin, but lately I just disable password-based logins to SSH and use private keys for authentication, that's about all..
In light of all the recent vulnerabilities, I'm interested in tightening up security for my server. It would be nice to know what most of you do to secure your server..
Comments
No, because I'm not a paranoid fuck.
I run all my servers with SSH open on port 22, root login enabled, and use the root account for everything on my VPS. I also transfer my SSL keys from a place to another by uploading them to Mediafire.
Come at me.
True spirit of Web 2.0!
@earl all "standard" (no root login, unstandard ssh port, whitelist, AllowUsers...)
Hmm.. Well if it works, more power to you!
But I on the other hand don't want to do that!! thanks..
This is one bad habit I can't get over..
-- just remembered that LEA used to mention he wrote his own script for securing his VPS.. wonder if anyone else does this?
Yes.
Depends on what you mean by hardening. I change the SSH port, disable password login, disable root login, remove all services I don't need and run the ones I need under different user accounts. I guess as long as there isn't some remote code execution vulnerability in OpenSSH I'm fine.
Care to share?
Yes, generally I do the same thing: change SSH port, disable password login, remove services.. I'm getting the impression that this is what most people do..
I seem to have lost all my bookmarks, but there used to be some great articles on WHT that went more in-depth on securing your server than the above I mentioned. There was also a site dedicated to hardening CentOS, but I can't seem to find it anymore..
This is most effective in keeping out the random scanners that have 0 concern about who their target is. This can also be achieved by blocking China Telecom's IP ranges. Little joke there, but obviously a degree of truth in it. Keeping out the automated scanner and brute force machines is easily done without doing those things as well. It's just most easily done by doing those things.
Now if you're being targeted by someone specifically with malicious intent toward you, this is where you need to consider your loose ends. You need to think about every potential point of failure and you need a plan for each one. You should know what to do as far as e-mail, passwords, facebook, etc. Don't get caught with your pants down. On the server side, set up trip wires everywhere. E-mail alerts for logins to any account. Fail2ban or LFD. Alerts for escalation. Do not have excessive drivers installed on the system. Just this last year we had an exploit in an nvidia driver. Don't assume you won't piss someone off either. The time to do this isn't after you learn that someone doesn't like you.
Above all else, have a backup plan for when everything fails and the worst happens. The worst failure for the hacker is when you see what they've done, take note of the devastation, then simply wipe the machine and be up and running again in a couple hours with new security measures to address their point of entry.
Yes, I'm paranoid.
Not if they're really out to get you
Yes, I tend to change ports and disable root logins and use something like fail2ban.
I harden it a little.
@jarland
Hey, thanks for the input.. yeah, changing the SSH port and disabling password login is probably one of the better things to do. It's really shocking when you look at your logs how many attempts there were; even when I had Kloxo installed I would change the FTP port and that drastically reduced the number of attempts..
I guess security is more on the boring side of having a VPS, but after recently being hacked it's really something to think about!
You may be paranoid, but it does not mean they're not out to get you!!
I have done some experiments in the past: create a VPS and leave it online with some really stupid password, like 1234, on the default SSH port. Then watch it and see how fast it gets hacked. Took less than a day the last time I tried this.
I think I will try this. I wish there was a firewall with a GUI of some sort; it would make it easier to use. I liked CSF, but I need to install Webmin for the GUI..
Ohh you do, do you!! Well let's keep our private lives private eh!
Which country took the prize?
@earl China
http://configserver.com/cp/csf.html
Use: https://ipaddress:8707
CSF has an often ignored standalone interface.
@earl fail2ban is REALLY easy to config, you should be okay with it, but yeah, it's done through a text editor.
Haha.. I would have thought Russia, but China is a very close second
Oh I did forget one more thing you can do for preventive measure.
http://rules.emergingthreats.net/
Don't underestimate their ability to keep up to date lists. This can easily be an "opt out" for the big exploit of the day when those come around.
Use: https://ipaddress:8707
Interesting.. I will definitely give that another try.
Found this on Linode it does seem easy enough to setup
I do the basic security settings that i learned from linode's library
Yeah I'm noticing that Linode is just a wealth of info.
Yes, fail2ban **is** important if you have public services like FTP/email running. I even use it to secure my password-protected web folders.
I do not have to care about any plugins to secure WordPress. If someone is using the wrong password for my htaccess-protected wp-admin subfolder, his IP is banned for 24 hours.
"login failed" in postfix, exim, lighttpd, ssh, etc. logs -> fail2ban rules -> iptables rule for the IP address.
And as @jarland says ... enable email notification. You never look into the logs at the time you should.
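The chain described in the post above ("login failed" lines -> threshold rule -> iptables rule for the IP) in plain sh, as an added example that is not fail2ban's own code. The log lines are constructed, the threshold is a fail2ban-style `maxretry`, and the iptables commands are only printed, not executed:

```shell
#!/bin/sh
# Constructed sample auth log (not real traffic): three failures from one IP,
# one failure and one success from another.
LOG_SAMPLE='Apr 10 10:01:02 vps sshd[1201]: Failed password for root from 198.51.100.7 port 40122 ssh2
Apr 10 10:01:05 vps sshd[1203]: Failed password for invalid user admin from 198.51.100.7 port 40130 ssh2
Apr 10 10:01:09 vps sshd[1207]: Failed password for root from 198.51.100.7 port 40140 ssh2
Apr 10 10:02:00 vps sshd[1220]: Accepted publickey for earl from 192.0.2.44 port 51000 ssh2
Apr 10 10:02:30 vps sshd[1225]: Failed password for earl from 192.0.2.44 port 51010 ssh2'

# offenders MAXRETRY: read log lines on stdin, print each source IP with at
# least MAXRETRY failed password attempts (one IP per line, sorted).
offenders() {
    maxretry="$1"
    grep 'Failed password' \
        | sed -n 's/.* from \([0-9.][0-9.]*\) port .*/\1/p' \
        | sort | uniq -c \
        | awk -v m="$maxretry" '$1 >= m {print $2}'
}

# ban_rules MAXRETRY: emit the DROP rule fail2ban would install per offender.
# Dry run: the rule is echoed, never applied.
ban_rules() {
    offenders "$1" | while read -r ip; do
        echo "iptables -I INPUT -s $ip -j DROP"
    done
}

printf '%s\n' "$LOG_SAMPLE" | ban_rules 3
```

The successful publickey login is ignored because only "Failed password" lines are counted; lowering the threshold to 1 would also list 192.0.2.44.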
Yeah, I think this is important. Had I got an email I would have found out earlier that my account was compromised..
I just got lucky when I typed in my domain in Google there was a warning that this site may contain malicious content!! boy was I shocked!
Just to add, the sneaky little bugger used a free HostPolar account to access my server.
I just disable password and root login, change ssh port and use ufw to configure the firewall.
If the server doesn't need to be serving web content, I disable apache, otherwise I just do the usual SSH disabled on public IPs, CSF, and other small tweaks. If the server runs essential content, then I'll spend more time checking through security on the server.
Disable root and password login, keep my versions up to date (PHP, lighttpd and such), run as little as needed (reduce the attack surface) and sometimes pentest myself or the apps I run.
Also iptables to only allow ssh from a few places, and ssh runs on another port. But that is just to reduce scanners in the log files.
And, central syslogging to a secure server.
Just want to add:
You can use iptables or hosts.deny/hosts.allow for all important ports/services. Always deny from all, except your own IP address or your ISP's subnet.
Surprisingly, not all VPS providers enable iptables by default.
Disallow root, change the port number, disable password login,
ListenAddress to-specific-ip-address, rather than to all IP
AllowUsers - your trusted users
you can also chroot your trusted user for more control.
Install fail2ban; it can watch not only SSH but other services as well.
Disable unneeded IPs. A few times I found my client got hacked over IPv6, as they followed a security tutorial for IPv4, but their VPS actually comes (by default) with a huge number of IPv6 addresses.
If you want to go into more detail, run a security scanner/pen test against your own server, and start from there.
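An added example (not from this thread) that audits an sshd_config against the settings the list above names: root login off, password login off, non-default port, a specific ListenAddress and an AllowUsers list. The file path, the function names and the sample config are assumptions; it reads the first uncommented occurrence of each keyword, which is how sshd resolves duplicates:

```shell
#!/bin/sh
# check_sshd_config FILE: print one FAIL line per weak setting, return 0 if
# every check passes and 1 otherwise. Hypothetical helper, not an OpenSSH tool.
check_sshd_config() {
    cfg="$1"
    fail=0
    # val KEYWORD: effective value (keywords are case-insensitive in sshd).
    val() {
        awk -v k="$1" 'tolower($1)==tolower(k) {print tolower($2); exit}' "$cfg"
    }
    [ "$(val PermitRootLogin)" = "no" ] \
        || { echo "FAIL: PermitRootLogin should be no"; fail=1; }
    [ "$(val PasswordAuthentication)" = "no" ] \
        || { echo "FAIL: PasswordAuthentication should be no"; fail=1; }
    port="$(val Port)"
    # An unset Port means sshd's default of 22.
    [ -n "$port" ] && [ "$port" != "22" ] \
        || { echo "FAIL: Port is 22 or unset"; fail=1; }
    # Unset, 0.0.0.0 or :: means listening on every address.
    case "$(val ListenAddress)" in
        ""|0.0.0.0|::) echo "FAIL: ListenAddress should be one specific IP"; fail=1 ;;
    esac
    [ -n "$(val AllowUsers)" ] \
        || { echo "FAIL: AllowUsers not set"; fail=1; }
    return "$fail"
}

# Constructed sample: a config that follows the list above (IP is a doc-range address).
SAMPLE="$(mktemp)"
cat > "$SAMPLE" <<'EOF'
Port 2222
ListenAddress 203.0.113.10
#PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication no
AllowUsers earl
EOF
if check_sshd_config "$SAMPLE"; then echo "hardened"; else echo "needs work"; fi
rm -f "$SAMPLE"
```

A commented-out line such as `#PermitRootLogin yes` is ignored, so the audit sees the real `no` below it.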
@rds100
In my experiments, I got various results, from just a few hours (Indochina) to 1 month, depending on location and ISP/provider. But in general, a fast connection is good for the user but also good for the attacker; well-known providers are usually targeted, and you will get scanners from day 1.
If you're interested, you can run a honeypot on a spare VPS/hardware (I used ...pi) to get the latest trends on this kind of stuff.
Never knew that existed.. then again, I never really use Ubuntu. Thanks for the info.
I generally disable this too on the VPS's that I don't use..
Yup I normally do this when I log in.
I noticed that Debian doesn't have iptables enabled by default, whereas CentOS does. I have locked myself out a couple of times on CentOS because I forgot about the iptables.