Securing a fresh V-Server

Whenever you buy a new V-Server the first thing you want to do is to make it secure, to avoid being hacked immediately. Good hosters will already provide you with quite good standard configuration, but still there might be some room for improvement.

User

If the server does come only with a root account, i.e. without a dedicated user, you should first add a standard user account. Options for the useradd command might vary depending on your needs.

useradd -m -s /bin/bash username

You do not have to specify a password, if you only want to login with SSH keys as we will configure in the following section. The user will still be able to login with SSH keys.

SSH

As for SSH, you should enable key based login and disable root login. For the key based login, you first have to upload your public ssh key to your server.

scp .ssh/id_rsa.pub user@host:

When you have uploaded the key, login to your host with ssh and append the key to the authorized_keys file. Then you can delete the public key file again.

echo id_rsa.pub >> .ssh/authorized_keys
rm id_rsa.pub

Next, settings in the ssh config have to be adjusted. This is often found under /etc/ssh/sshd_config. Change this file and make sure that the following settings are set to no.

PermitRootLogin no

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no

Finally, you need to restart ssh for the changes to have effect.

iptables

Next, you probably want to setup a firewall to disable internet traffic when it is not required. This ensures that services running on your server cannot be reached even if you accidentally configured them wrongly to listen to the whole web. Such misconfiguration can easily happen and might publish your database to the whole world.

I like the program iptables-persistent on my Debian server. It will reload your iptables automatically on each reboot from the files /etc/iptables/rules.v4 and /etc/iptables/rules.v6 for IPv4 and IPv6 respectively.

So, install iptables-persistent and enable the service:

apt-get install iptables-persistent
update-rc.d netfilter-persistent enable

I personally like to go with these standard settings and add more ACCEPT rules like SSH as required.

*filter

# Allow all loopback (lo0) traffic and reject traffic
# to localhost that does not originate from lo0.
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s 127.0.0.0/8 -j REJECT

# Allow ping.
-A INPUT -p icmp -m state --state NEW --icmp-type 8 -j ACCEPT

# Allow SSH connections.
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

# Allow inbound traffic from established connections.
# This includes ICMP error returns.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Reject all other inbound.
-A INPUT -j REJECT

# Reject all traffic forwarding.
-A FORWARD -j REJECT

COMMIT

And for IPv6 respectively:

*filter

# Allow all loopback (lo0) traffic and reject traffic
# to localhost that does not originate from lo0.
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s ::1/128 -j REJECT

# Allow ICMP
-A INPUT -p icmpv6 -j ACCEPT

# Allow SSH connections.
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

# Allow inbound traffic from established connections.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Reject all other inbound.
-A INPUT -j REJECT

# Reject all traffic forwarding.
-A FORWARD -j REJECT

COMMIT

With these settings, your server should already be a bit more secure. Of course, there are a lot more options available if you want to harden your server.