
How Can I Secure A VPS Installation?

@Berumen354

Posted in: #Security #Server #Vps

What are the basic steps to securing a VPS installation that I plan to install Webmin on to host my blogs and personal projects?


6 Comments


@Steve110

Just some points.
- Change your SSH port.
- Disable directory listing of files.
- Remove server signature, tokens.
- Install some firewall.

There are many more things... I just told the things which came to my mind now.


@Cooney921

Securing any machine, VPS included, isn't an exact recipe, but you can start out with the tutorials of 2 major VPS providers: Linode Library and Slicehost Articles.


@Reiling115

- Remove unwanted services (netstat is your friend).
- Disable service advertisement (revealing your version numbers is great for script kiddies).
- Change administrative (not public) port numbers to something obscure (SSH on 22 will just be continually scanned).
- Work out your quotas and limits: cgroups, limits.conf, qos, etc. - and actively monitor them - if a web developer's code or a DDoS attack knocks down your site and makes your box unreachable it will be too late to fix.
- Some distros have SELinux/AppArmor/etc. profiles for network-based apps, use them.

The first three can be performed through Webmin (in a fashion). You may want to look through ServerFault for this though.


@YK1175434

danlefree's answer to this similar question is quite relevant here: How difficult is an unmanaged VPS?

Securing a server is more than just a one-off task.

Initial one-off tasks include:


- Hardening SSHd (there are a number of tips and tutorials out there for this, this was the first good looking one that came up from a search).
- Making sure unneeded services are turned off (or better, uninstalled).
- Make sure that services that do not need to be publicly available are not. For instance, configure your database server to only listen on local interfaces and/or add firewall rules to block external connection attempts.
- Making sure that whatever user(s) your web server processes (and other services) are running as have no read access to files/directories not relevant for them and no write access to anything else unless they need write access to selected files/directories (to accept uploaded images for instance).
- Set up a good automated backup routine to keep online backups (preferably on another server or at home) so your content is copied elsewhere and you can recover it should the worst happen to the server (complete unrecoverable crash, or being hacked).
- Learn about all the tools that you have installed on your server (read documentation, perhaps install them on a test environment, say a local VM under VirtualBox, to try out different configurations and break+fix them) so you have a chance of being able to fix issues if they occur (or at least properly diagnose such issues so you can help someone else fix the problem). You will thank yourself for the time spent on this at some point in the future!


Ongoing tasks include:


- Making sure security updates for your base OS are applied in a timely manner. Tools like apticron can be used to keep you informed of updates that need to be applied. I would avoid setups that automatically apply updates - you want to review what is about to change before you run (in the case of Debian/Ubuntu) aptitude safe-upgrade, so you know what is about to be done to your server.
- Make sure that updates to any libraries/apps/scripts you install manually (i.e. not from your distribution's standard repositories using the built-in package management) are also installed in a timely manner. Such libs/apps/scripts may have their own mailing lists for announcement of updates, or you might just have to monitor their web sites regularly to keep yourself informed.
- Keeping informed about security issues that need to be fixed by configuration changes rather than patched packages or that need to be worked around until a patched package is created+tested+released. Subscribe to any security-related mailing lists run by the people who maintain your distribution, and keep an eye on technology sites that may also report such issues.
- Managing some form of offline backup for extra paranoia. If you back up your server to a home machine, write a copy to CD/DVD/USB-stick on a regular basis.
- Testing your backups occasionally, so you know they are working correctly. An untested backup is not a good backup. You don't want to have your server die and then find out that your data has not been properly backed up for some months.


All good Linux distros install into a reasonably secure state out-of-the-box (at least after the first set of updates when you pull in the security patches that have been released since the install CD/image was pressed/released) so the job is not difficult, but it will take more time to do well than you might expect.

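An added example, not part of YK1175434's or Reiling115's answers: both advise finding services that should not be reachable from outside ("netstat is your friend", database listening only on local interfaces). This shell function classifies `ss -tln` output against an allowlist of intentionally public ports; the sample listing is constructed, and the allowlist, the SSH port 2222 and the function names are assumptions (10000 is Webmin's default port).

```shell
#!/bin/sh
# Classify listening TCP sockets from `ss -tln` output read on stdin.
# $1 = space-separated ports that are meant to be reachable from outside.
audit_listeners() {
    awk -v allowed=" $1 " '
        $1 != "LISTEN" { next }                  # skip header and other states
        {
            addr = $4                            # "Local Address:Port" column
            if (!match(addr, /:[0-9]+$/)) next   # port follows the last colon
            port = substr(addr, RSTART + 1)
            host = substr(addr, 1, RSTART - 1)
            gsub(/\[/, "", host); gsub(/\]/, "", host)   # [::1] -> ::1
            sub(/%.*/, "", host)                 # 127.0.0.53%lo -> 127.0.0.53
            if (host ~ /^127\./ || host == "::1") verdict = "LOCAL"
            else if (index(allowed, " " port " ")) verdict = "PUBLIC-EXPECTED"
            else verdict = "REVIEW"              # public, not on the allowlist
            print verdict, host, port
        }'
}

# Constructed sample in the layout `ss -tln` prints (not from a real host).
sample_ss_output() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128          0.0.0.0:2222       0.0.0.0:*
LISTEN 0      511                *:80               *:*
LISTEN 0      80         127.0.0.1:3306       0.0.0.0:*
LISTEN 0      128          0.0.0.0:10000      0.0.0.0:*
LISTEN 0      100          0.0.0.0:25         0.0.0.0:*
LISTEN 0      128            [::1]:6379          [::]:*
EOF
}

# On a live host: ss -tln | audit_listeners "2222 80 443"
sample_ss_output | audit_listeners "2222 80 443"
```

Each REVIEW line is a service to uninstall, rebind to a loopback address, or block at the firewall.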
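An added example (not from the answer above) for the advice to test backups: it records a SHA-256 manifest when the archive is made, then restores into a scratch directory and checks every file against that manifest. The function names, paths and sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Create a tar.gz of a directory plus a SHA-256 manifest stored beside it.
make_backup() {    # $1 = directory to back up, $2 = absolute archive path
    ( cd "$1" && find . -type f -exec sha256sum {} + ) > "$2.sha256" &&
    tar -czf "$2" -C "$1" .
}

# Restore into a scratch directory and verify each file listed in the manifest.
# Prints OK or FAIL; fails on a missing manifest, unreadable archive,
# missing file or changed content.
verify_backup() {  # $1 = archive path; expects "$1.sha256" beside it
    scratch=$(mktemp -d) || return 2
    result=FAIL
    if [ -s "$1.sha256" ] && tar -xzf "$1" -C "$scratch" 2>/dev/null &&
       ( cd "$scratch" && sha256sum -c - ) < "$1.sha256" >/dev/null 2>&1
    then
        result=OK
    fi
    rm -rf "$scratch"
    echo "$result"
    [ "$result" = OK ]
}

# Demo on constructed data: an intact archive, then the same archive truncated.
demo() {
    work=$(mktemp -d) || return 2
    mkdir -p "$work/site/uploads"
    echo '<?php // constructed sample' > "$work/site/index.php"
    echo 'image bytes' > "$work/site/uploads/a.jpg"
    make_backup "$work/site" "$work/site.tar.gz"
    good=$(verify_backup "$work/site.tar.gz")
    head -c 64 "$work/site.tar.gz" > "$work/cut" && mv "$work/cut" "$work/site.tar.gz"
    bad=$(verify_backup "$work/site.tar.gz") || true
    rm -rf "$work"
    echo "intact=$good truncated=$bad"
}
demo
```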


 

@Nickens628

The great thing about a Linux VPS is they are pretty secure out of the box. My first recommendation, though, is to talk to your host and see if they will harden or optimize the security for you. Most VPS with a control panel (Webmin, cPanel, etc.) are "managed" and they will do a lot for you. Especially if you aren't quite sure what you are doing, this is the best choice, in my opinion.

If you are on your own, first look at a firewall like APF (Advanced Policy Firewall?) or CSF (ConfigServer Firewall). CSF has the option of login failure detection, and if you attempt to log in and fail one too many times it auto-bans your IP address. I'm not sure that these are "necessary" since Linux doesn't respond on ports it isn't listening to for traffic anyway, but they certainly offer some peace of mind. And if you have a lot of ports open for a variety of traffic, then maybe yes, you want a firewall.

Probably more important is making sure the applications you install are up to date. More sites get hacked through a WordPress exploit (for example) than they do through some exploit in the server OS. If you are custom coding scripts, make sure you keep an eye on security as well, since you don't want to inadvertently leave an open door through something silly like your contact form.


@Gonzalez347

I see that you mention Webmin, so it will be a Linux box. Please check the documentation of the particular Linux distro that you'll install on that server.

For CentOS, see wiki.centos.org/HowTos/OS_Protection
