Dejan Levec

Essential security tips for servers

In this tutorial you will find some of the necessary steps to secure your VPS or dedicated server. The order matters: the firewall is opened for the new SSH port before the SSH server is moved to it, so you do not lock yourself out.

1. The first thing to do is change your root password. Connect to the server with SSH as root and type:
[quote]passwd[/quote]
Then type in your new password, press Enter, and retype it to confirm.

2. It's not safe to allow the root user to log in through SSH, so create a new user to log in as:
[quote]useradd -m user_name[/quote]
(-m creates the home directory; some distributions do not do that by default.) Then set the password for this user with:
[quote]passwd user_name[/quote]
Once root logins are disabled in the next step you will log in as this user and switch to root with su, using the root password from step 1, so make sure that works before you continue.

3. Now let's go to the SSH settings.

Open the file by typing:

[quote]nano /etc/ssh/sshd_config[/quote]
And find/change the following:
[quote]PermitRootLogin no
X11Forwarding no
AllowUsers user_name
Port 10000[/quote]
AllowUsers must name the user you created in step 2 (several names can be listed, separated by spaces); once it is set, anyone not on the list, including root, is refused at login. Keep the SSH session you are working in open until the whole procedure is done and you have confirmed that a fresh login works.

Changing the SSH port to a higher number (for example 10000) mostly cuts down the noise from automated scanners that only try port 22; it is not a substitute for the settings above. Pick a port that no other service on the box is using.

4. Configure iptables:
[quote]iptables-save > /etc/iptables.rules
nano /etc/iptables.rules[/quote]
Example rules:
[quote]*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Allow everything on the loopback interface, and drop packets that
# claim a 127.x destination but did not arrive on it
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 ! -i lo -j DROP
# Let replies to connections we opened (and related traffic) in;
# this is also what keeps your current SSH session alive
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Public services: HTTP and HTTPS
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# Change this port to the one you set in sshd_config
-A INPUT -p tcp -m state --state NEW -m tcp --dport 10000 -j ACCEPT
# Drop ping (ICMP echo request); remove this line if the host should answer ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP

# Log what is about to be rejected, at most 5 entries per minute
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Everything else is refused
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j ACCEPT
COMMIT[/quote]
Be careful to change your SSH port to the one you set in sshd_config, otherwise you won’t be able to log in to SSH server.

Import rules to iptables:
[quote]iptables-restore < /etc/iptables.rules[/quote]
5. Make the rules come back after a reboot (iptables rules live only in memory). On Debian and Ubuntu with ifupdown, restore them before the interfaces come up:
[quote]sudo nano /etc/network/interfaces[/quote]
[quote]…
auto lo
iface lo inet loopback
pre-up iptables-restore < /etc/iptables.rules
…[/quote]
On systems that do not use /etc/network/interfaces, the iptables-persistent package does the same job.
6. And now reload the SSH server. Check the configuration for syntax errors first, because a reload with a broken sshd_config can take the daemon down:
[quote]sudo sshd -t
sudo /etc/init.d/ssh reload[/quote]
Leave your current session open, and from a second terminal confirm that you can log in as user_name on the new port (ssh -p 10000 user_name@your_server) and that root is refused. Only then close the old session. (On systemd-based systems the reload command is sudo systemctl reload ssh.)
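The one mistake this procedure punishes hardest is a mismatch between the Port in sshd_config (step 3) and the --dport the firewall allows (step 4). The script below is an added example, not part of the original post: it rewrites an sshd_config the way step 3 describes, reads the port back, and refuses to go on unless the saved rules file allows it, and apply_hardening then performs steps 4 and 6 in the lock-out-safe order. All function names are mine, paths are parameters so you can try it on copies first, and the sample files in the usage note are constructed, not taken from a real server.

```shell
#!/bin/sh
# Added example: pre-flight check for the SSH port vs. the iptables rules.
# Not code from the original post; function names and file layout are
# this example's own assumptions.

# harden_sshd_config SRC DST USER PORT
# Write DST from SRC with the four directives of step 3 applied.
harden_sshd_config() {
    src=$1; dst=$2; user=$3; port=$4
    {
        # sshd uses the first value it finds for a keyword, and directives
        # placed before any "Match" block stay global, so ours go on top
        printf 'PermitRootLogin no\nX11Forwarding no\nAllowUsers %s\nPort %s\n' "$user" "$port"
        # keep the rest of the file, minus old (also commented-out) copies of
        # those directives, so the result has exactly one of each
        awk '!/^[ \t]*#?[ \t]*(PermitRootLogin|X11Forwarding|AllowUsers|Port)[ \t]/' "$src"
    } > "$dst"
}

# sshd_port CONFIG: print the port sshd will listen on (22 when unset)
sshd_port() {
    p=$(awk '$1 == "Port" { print $2; exit }' "$1")
    printf '%s\n' "${p:-22}"
}

# firewall_allows_tcp RULES PORT: true if an INPUT ACCEPT rule in the saved
# rules file (the "Change this port" line of step 4) opens PORT/tcp
firewall_allows_tcp() {
    grep -Eq -- "^-A INPUT .*-p tcp .*--dport $2( |\$).*-j ACCEPT" "$1"
}

# check_ssh_port CONFIG RULES: succeed only if CONFIG's port is allowed in RULES
check_ssh_port() {
    port=$(sshd_port "$1")
    if firewall_allows_tcp "$2" "$port"; then
        echo "ok: sshd port $port is allowed in $2"
        return 0
    fi
    echo "refusing: sshd port $port is not allowed in $2, fix one of them first" >&2
    return 1
}

# apply_hardening CONFIG RULES: steps 4 and 6 in the order that cannot lock
# you out. Run as root, keep your current session open, and log in as the new
# user on the new port from a second terminal before you close it.
apply_hardening() {
    check_ssh_port "$1" "$2" || return 1
    sshd -t -f "$1" || return 1          # syntax-check the config first
    iptables-restore < "$2" || return 1  # open the new port in the firewall
    /etc/init.d/ssh reload               # only then move sshd to it
}
```

Try it on copies before touching the live files: `harden_sshd_config /etc/ssh/sshd_config /tmp/sshd_config.new user_name 10000`, then `check_ssh_port /tmp/sshd_config.new /etc/iptables.rules`. With a rules file that still allows only port 22 the check fails and prints which side to fix; once it passes, `apply_hardening /tmp/sshd_config.new /etc/iptables.rules` (after copying the new config into place) does the rest.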
These are only the essential steps to secure your server. It should now be a little more secure than it was, but there is no such thing as 100% security.
