First Things First: Harden Security On Your New Linux VPS
Information security isn’t rocket science: the basics can be understood and easily followed by everyone. If you embark on using your own VPS for whatever goals you wish to achieve, making your server secure is the primary task.
The best solution is to contact experts in this area. However, cost-efficient first steps can be performed by everyone. In the list below, I assume you are using CentOS (major version 6 or later), my OS of choice for many hosting tasks. However, if you prefer other distributions, the difference will be only in the package manager command lines and, in certain cases, in the package names themselves.
I assume you can harness the command line. VPSes are mostly chosen when an inexpensive yet fully controlled environment is required. In such an environment, using graphical user interfaces is quite resource-consuming. If you chose the path of a VPS user, you should know the basics. That includes mastering text editors such as vi or nano, or shells like Midnight Commander (mc).
If you use Linux on your home/work computer, you already have most tools at hand. If you use Windows, I recommend downloading the PuTTY set of utilities, reliable and free tools for connecting and passing data securely.
All set? Let us start.
Name Ye Password
Passwords, passphrases and whatever else they are called are the primary tool of most security approaches. The first thing you should do after receiving your first root password in the welcome email is to change that password.
Important: when changing such passwords, make sure you keep at least one root ssh session active, otherwise you could run into problems if you make a mistake.
Commands like pwgen or mkpasswd are usually available in all major Linux distributions. Type
yum install pwgen -y
to have it available. After that, type something like
to have a good list of strong enough passwords 12 characters long. The advantage of pwgen is that its passwords are in most cases not too hard to memorize. Whatever means of storing passwords you choose, make sure you don’t lose them. So, type
to change your root password. As advised, keep another terminal with a root ssh connection active while doing that. Open another ssh connection and make sure you can log in with the new password.
Use Keys to Authenticate
Key file authentication is a further step in improving security. It makes it even harder to gain unauthorized access to your VPS.
Unless you have done that already, start by generating an RSA key. Under Linux, it looks like this:
ssh-keygen -b 2048 -t rsa
The program will ask for a password (yes, another password) to guard your keys. My advice is to use a password if you will use the key to log in to your VPS. Only if you need the key to authenticate unattended operations (such as access from a batch file – and great care should be taken in that case!) should you just press Enter twice when asked for the password.
The above command will generate id_rsa and id_rsa.pub files in your .ssh directory. Important: this command should be run on the computer you use to connect to your VPS! Keep id_rsa well hidden from third parties.
Run the same command on your target VPS to create the ~/.ssh folder with proper access permissions. After that, copy your own public RSA key; it becomes the authorized_keys file on the VPS, replacing any file of that name already there (the below is run from your computer):
scp ~/.ssh/id_rsa.pub root@your-VPS-IP:~/.ssh/authorized_keys
and apply proper permissions (the below is run on VPS):
chmod 600 ~/.ssh/authorized_keys
Open another ssh connection. Key authentication is tried by default; you can explicitly require it (the below is run from your computer):
ssh -i ~/.ssh/id_rsa root@your-VPS-IP
Make sure the above authentication method works. When it works, it is time to change the sshd configuration a bit. In the /etc/ssh/sshd_config file, find the lines containing the parameters named below and set them to the proposed values using your preferred text editor:
The above will only allow key authentication (strictly speaking, it will disallow password authentication). That alone would save you from most security woes.
After you have corrected the lines, make sure you made no mistakes. Run
and if the above reports no errors, restart sshd service:
service sshd restart
The same precaution applies: always keep another active ssh session to your VPS when you change vital configuration such as the above! Otherwise, you could lose access to your VPS, and if its control panel can’t change the root password, you’ll have to re-install it entirely.
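The parameter list referred to above is not reproduced on this page, so the following added example (not the author's code) assumes the standard OpenSSH directives PasswordAuthentication and PubkeyAuthentication. It audits a config file the way sshd reads it: the first value found for a keyword wins, and lines after a Match line are conditional. The function names and the sample file are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit the global section of an sshd_config-style file.
# Assumed directives (not listed on the page): PasswordAuthentication,
# PubkeyAuthentication. Include directives are not followed.

# effective_value FILE KEYWORD -> first global value, lowercased (empty if unset)
effective_value() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        # Keyword and value may be separated by blanks or by a single "=".
        { sub(/^[ \t]+/, ""); split($0, f, /[ \t=]+/); k = tolower(f[1]) }
        k == "" || k ~ /^#/ { next }      # blank lines and comments
        k == "match"        { exit }      # conditional blocks start here
        k == key            { print tolower(f[2]); exit }   # first value wins
    ' "$1"
}

# audit_sshd_config FILE -> 0 if password logins are off and key logins are on
audit_sshd_config() {
    rc=0
    pw=$(effective_value "$1" PasswordAuthentication)
    pk=$(effective_value "$1" PubkeyAuthentication)
    # OpenSSH defaults to "yes" for both when the keyword is absent.
    [ "${pw:-yes}" = "no" ]  || { echo "FAIL: PasswordAuthentication is ${pw:-yes}"; rc=1; }
    [ "${pk:-yes}" = "yes" ] || { echo "FAIL: PubkeyAuthentication is $pk"; rc=1; }
    return "$rc"
}

# Constructed sample: the commented line is ignored and the "yes" comes first,
# so the later "no" has no effect; the Match block is not in the global section.
sample=$(mktemp)
printf '%s\n' \
    '#PasswordAuthentication no' \
    'passwordauthentication yes' \
    'PasswordAuthentication no' \
    'Match User backup' \
    '    PubkeyAuthentication no' > "$sample"
audit_sshd_config "$sample" || echo "sample config still allows password logins"
rm -f "$sample"
```

On the server itself, running sshd -T as root prints the effective configuration the daemon would use, which is the authoritative check.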
Build the Wall
Now that we have secured ssh connections, let’s block all unnecessary communication to your VPS. Install the firewall configuration utility:
yum install system-config-firewall-tui -y
and run it.
You can safely accept the defaults at the moment. When you are given the list of standard ports to keep open, I recommend leaving only the ssh port (TCP 22) open. When you need something else later, you can re-configure iptables with the same utility, or, if you prefer it that way, change the /etc/sysconfig/iptables (and/or ip6tables) file. Important: if you edit the above file manually, keep a backup copy of it before running the above configuration utility, as it will overwrite the files.
Configuring the firewall is also a crucial step. If you followed the advice above, just restart the iptables service:
service iptables restart
Now you have blocked all unnecessary communication to your VPS. Note: it will be probed and scanned from many locations, constantly, starting several minutes after it’s created. The sooner you harden your security, the better for you. The Internet can be a dangerous place.
If I were to list every step needed to harden security on your newly created Linux VPS in full detail, it would be a book. Assuming you are not banned by Google and/or other search engines, and not afraid of the man and info commands, the following is an additional list of tasks to perform immediately and take care of after you have performed the steps above. The numbers below do not reflect priority; just make sure you do not leave any of the steps unattended.
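To confirm the result after the restart, the added example below (not part of the original article) reads a rules file in the format of /etc/sysconfig/iptables and reports every TCP accept rule in the INPUT chain. The function names and the sample ruleset are constructed; custom chains, multiport matches and rules without a protocol are outside its scope.

```sh
#!/bin/sh
# Added example: list TCP traffic accepted by INPUT rules in an
# iptables-save style file such as /etc/sysconfig/iptables.
# Only "-A INPUT ... -p tcp ... -j ACCEPT" rules are examined.

# accepted_tcp FILE -> one "port source" line per accepting TCP rule
accepted_tcp() {
    awk '
        $1 == "-A" && $2 == "INPUT" {
            port = ""; src = "any"; tcp = 0; accept = 0
            for (i = 3; i < NF; i++) {
                if ($i == "--dport")                    port = $(i + 1)
                if ($i == "-s" || $i == "--source")     src = $(i + 1)
                if ($i == "-p" && $(i + 1) == "tcp")    tcp = 1
                if ($i == "-j" && $(i + 1) == "ACCEPT") accept = 1
            }
            if (port == "") port = "all"    # no --dport means every port
            if (tcp && accept) print port, src
        }
    ' "$1"
}

# audit_iptables_file FILE -> 0 if tcp/22 is the only accepted TCP port
audit_iptables_file() {
    accepted_tcp "$1" | awk '
        $1 != "22"                { print "unexpected: tcp/" $1 " open to " $2; bad = 1 }
        $1 == "22" && $2 == "any" { print "note: ssh accepted from any source" }
        END { exit bad }
    '
}

# Constructed sample ruleset: ssh from one documentation-range address only.
rules=$(mktemp)
cat > "$rules" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 203.0.113.10/32 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
audit_iptables_file "$rules" && echo "only ssh is reachable over TCP"
rm -f "$rules"
```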
1. Configure your firewall to restrict access to ssh only to trusted IPs of yours. Be careful! If you use dynamic IPs, avoid this step.
2. Install and configure malware and intrusion detection software, such as rkhunter, snort and aide. Install and configure logwatch. Set up a local mail server (such as Postfix or Exim) to allow it to send you daily security digests from your VPS – believe me, this should not be avoided. Pay attention to those security digests: five minutes of browsing that daily email could save you from terrible troubles.
3. Study SELinux (if on CentOS/other Red Hat derivative) or AppArmor (if using a Debian-type OS), or whatever built-in security enforcement system your distro has. Do not turn it off if you can avoid it; use at least permissive (or similar) mode so that it gives you all notices about potentially dangerous activity on your server.
4. Install security updates for your VPS when necessary; especially if those relate to kernel and/or crucial OS components. To begin with, visit LinuxSecurity.com and look for its advisories. Stay informed and warned about possible security problems!
5. Do not log in as root. Create another account, create key authentication for it and make that account a sudoer. After that, use the su command to perform root-level operations. Avoid using root itself wherever possible.
6. Install only the software you really need and avoid using software from untrusted sources. My advice is to install the EPEL repository and take all required packages from repositories only. That way, you will avoid most dependency problems and keep your VPS up-to-date and in working order.
7. Back up your data! If your provider allows creating entire VPS backups/snapshots, make use of that frequently – at least on a weekly basis. If not, install software like backuppc and set it up to make sure configuration files and your data are always backed up. Keep several copies of the backed-up data in several locations, for better peace of mind.
8. Remain watchful. Whatever measures are taken, always be on guard, study security reports from your VPS software and pay attention to security advisories’ newsletters. Take action quickly if warned about critical vulnerabilities. That could save you quite some time, let alone your data, Web site or whatever you use your VPS for.
To Sum Up…
The above will not make you an information security expert by itself. However, if you wish to become one, the above utilities and links are good enough to begin with: you will find more relevant security-related resources and possibilities to learn while studying corresponding documentation.
Note that VPSes are an excellent means to learn Linux and study many aspects of its usage, including providing good enough security. If you can, create several VPSes and experiment on them (you would only need to re-install that “sandbox” VPS if something goes wrong).
Studying security can be fun, as well. Let it be both interesting and useful!