Securing a fresh V-Server
Whenever you buy a new V-Server, the first thing you want to do is to make it secure, to avoid being hacked immediately. Good hosters will already provide you with a quite good standard configuration, but there might still be some room for improvement.
If the server comes with only a root account, i.e. without a dedicated user, you should first add a standard user account. Options for the useradd command might vary depending on your needs.
useradd -m -s /bin/bash username
You do not have to specify a password if you only want to log in with SSH keys, as we will configure in the following section. The user will still be able to log in with SSH keys.
As for SSH, you should enable key-based login and disable root login. For the key-based login, you first have to upload your public SSH key to your server.
scp .ssh/id_rsa.pub user@host:
When you have uploaded the key, log in to your host with ssh and append the key to the authorized_keys file. Then you can delete the public key file again.
mkdir -p .ssh && chmod 700 .ssh
cat id_rsa.pub >> .ssh/authorized_keys
rm id_rsa.pub
Next, settings in the SSH daemon config have to be adjusted. This is often found at /etc/ssh/sshd_config. Change this file and make sure that the following settings are set to no:
PermitRootLogin no
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no
Finally, you need to restart ssh for the changes to take effect.
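A check worth running before that restart, as an added example that is not part of the original post: sshd uses the first value it reads for each keyword, so a `PasswordAuthentication no` appended to the end of the file has no effect if an earlier line still says `yes`. The function names and sample configs below are constructed for illustration; the script assumes plain `Keyword value` lines, does not follow Include files, and only looks at the global section before the first Match block.

```shell
#!/bin/sh
# Added example: report the value sshd would use for a keyword, honouring
# "first value wins", and check the two settings this post sets to "no".

# effective_value FILE KEYWORD DEFAULT -> first global value, lowercased
effective_value() {
    awk -v key="$2" -v def="$3" '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        tolower($1) == "match" { exit }         # global section ends here
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print def }           # keyword absent: use the default
    ' "$1"
}

# audit_sshd FILE -> prints findings, returns 0 only if both settings are "no"
# (the defaults passed in are the OpenSSH built-in defaults)
audit_sshd() {
    rc=0
    root=$(effective_value "$1" PermitRootLogin prohibit-password)
    pass=$(effective_value "$1" PasswordAuthentication yes)
    [ "$root" = no ] || { echo "PermitRootLogin is '$root', want 'no'"; rc=1; }
    [ "$pass" = no ] || { echo "PasswordAuthentication is '$pass', want 'no'"; rc=1; }
    return "$rc"
}

# Constructed sample: the hardening was appended at the end of the file, but
# an earlier line still enables passwords, so that line wins.
sample_shadowed() {
    printf '%s\n' 'Port 22' 'PasswordAuthentication yes' \
        '# hardening added below' 'PermitRootLogin no' 'PasswordAuthentication no'
}

# Constructed sample: each setting appears exactly once.
sample_hardened() {
    printf '%s\n' 'Port 22' 'PermitRootLogin no' 'PasswordAuthentication no'
}

tmp=$(mktemp)
sample_shadowed > "$tmp"; audit_sshd "$tmp" || echo "=> shadowed config fails"
sample_hardened > "$tmp"; audit_sshd "$tmp" && echo "=> hardened config passes"
rm -f "$tmp"
```

On the server itself, `sshd -t` checks the file for syntax errors and `sshd -T` prints the effective configuration with Include files resolved. Keep your current SSH session open and confirm a key-based login from a second terminal after the restart.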
Next, you probably want to set up a firewall to block internet traffic where it is not required. This ensures that services running on your server cannot be reached even if you accidentally configured them to listen on every interface, reachable from the whole web. Such a misconfiguration can easily happen and might publish your database to the whole world.
I like the program iptables-persistent on my Debian server. It will reload your iptables automatically on each reboot from the files /etc/iptables/rules.v4 and /etc/iptables/rules.v6 for IPv4 and IPv6. Install iptables-persistent and enable the service:
apt-get install iptables-persistent
update-rc.d netfilter-persistent enable
I personally like to go with these standard settings and add more
rules like SSH as required.
*filter
# Allow all loopback (lo0) traffic and reject traffic
# to localhost that does not originate from lo0.
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s 127.0.0.0/8 -j REJECT
# Allow ping.
-A INPUT -p icmp -m state --state NEW --icmp-type 8 -j ACCEPT
# Allow SSH connections.
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
# Allow inbound traffic from established connections.
# This includes ICMP error returns.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Reject all other inbound.
-A INPUT -j REJECT
# Reject all traffic forwarding.
-A FORWARD -j REJECT
COMMIT
And for IPv6 respectively:
*filter
# Allow all loopback (lo0) traffic and reject traffic
# to localhost that does not originate from lo0.
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s ::1/128 -j REJECT
# Allow ICMP
-A INPUT -p icmpv6 -j ACCEPT
# Allow SSH connections.
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
# Allow inbound traffic from established connections.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Reject all other inbound.
-A INPUT -j REJECT
# Reject all traffic forwarding.
-A FORWARD -j REJECT
COMMIT
With these settings, your server should already be a bit more secure. Of course, there are a lot more options available if you want to harden your server.