Archive

Posts Tagged ‘security’

Some quick steps to secure your VPS

August 10th, 2011 1 comment

This article describes standard Security Best Practices for Linux servers and provides basic instructions for securing a virtual private server against most common attacks.

User Accounts

  • Observe the Password Security recommendations for your root account
  • Create a user account for any trusted users who should have access to the VPS – do not share your root login
  • Eliminate unnecessary user accounts and disable shell access for daemons
    1. Run cat /etc/passwd and identify unnecessary user accounts
    2. Remove unnecessary users with userdel <username>
    3. Disable interactive logins for daemon accounts by specifying /bin/false for the user’s shell

SSH Configuration

  • Change the SSH port
    1. Open your sshd_config file for editing
    2. Locate the Port directive
    3. Change the default SSH port – any port above the 1-1024 range is preferable (check theInternet Assigned Numbers Authority site for unassigned port numbers if you want to ensure no conflicts are encountered)
    4. Restart SSH and connect to your VPS using the new port
  • Restrict SSH users and hosts in sshd_config
    • Use the PermitRootLogin no directive to disable root logins over SSH (if you have created a user account for yourself and plan to use su to administer your VPS)
    • Use the AllowUsers directive to specify which user accounts may be used to log in
  • Additional Recommendations
    • Limit SSH access to trusted IPs only (iptables example):
      1. -A INPUT -p tcp -m tcp --dport XXXX --source x.x.x.x -j ACCEPT (where XXXX is the port SSH is listening on and x.x.x.x is the trusted source IP)
      2. Prior to closing the established SSH session, test the SSH access rule: Create an additional SSH session from the trusted source IP. Test a non-trusted IP as well. If the non-trusted IP is unable to connect and the trusted IP is allowed, the rule is working as intended.
    • Use the DenyHosts script to block malicious users (if restricting access to a single trusted IP is not practical)
    • Configure your VPS to use public key authentication instead of password authentication

Additional Linux Security Resources

See the Security category for security guides on the VPSLink Wiki.

Linux Distribution Security

If you have an active interest in securing your VPS, you should follow up with recommendations specific to your distribution and recommendations for any daemons or applications which you use.

Security Applications

Applications geared toward security are an invaluable asset – consider installing an auditing tool and an intrusion detection system to automate monitoring and test your system’s configuration.

  • Bastille – Security auditing and configuration tool
  • Samhain – File integrity checker and intrusion detection system
  • SentryTools – A host-level security suite used to protect against port scans, automate log file auditing, and detect suspicious login activity

(Source: http://wiki.vpslink.com/Security_Best_Practices)

Categories: Máy tính Tags: , , , ,