Securing your Linux VPS server
As a system administrator you must keep your Linux VPS secure so that your data stays protected and the server keeps running smoothly, especially when the server is used by more than one person and is reachable from the public Internet.
There are many ways to secure a Linux server, and many choices of software and settings; the right strategy mostly depends on the software and services running on your server. This tutorial walks you through the basics of hardening a Linux-based server.
The first thing to do is keep your server up to date. Check for updates regularly and install the latest security fixes and patches.
The operating system can be updated with your distribution's package manager:
Telnet and rlogin send passwords in plain text rather than encrypted. When communicating with your server, use the Secure Shell (SSH) protocol, which encrypts the whole session.
You can use the PuTTY SSH and Telnet client for SSH connections to your server. It can be downloaded here.
Secure your shell and use SSH key authentication
Generate an SSH key pair and use it to authenticate to your server. The key pair can be generated with PuTTYgen, which can be downloaded from the same website as PuTTY.
A more detailed tutorial on setting up SSH key authentication can be found here.
Do not forget to make the necessary changes in the SSH daemon configuration file, /etc/ssh/sshd_config:
Make sure that login by root is disabled:
It is recommended to disable login with a password. To do that you must change the following line in the SSH configuration file:
# Change to no to disable tunneled clear text passwords
It is also recommended to change the port used for SSH connections:
# What ports, IPs and protocols we listen for
Save the file and restart the SSH daemon for the changes to take effect:
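Since the configuration snippets themselves are not reproduced on this page, the following added example (not part of the tutorial) makes the same three changes to a copy of sshd_config with a small POSIX shell helper. The port value 2222 is an arbitrary assumption. On a real server, validate the file with `sshd -t` before restarting, and keep your current SSH session open while you restart the daemon, so that a typo cannot lock you out.

```shell
#!/bin/sh
# Added example, not from the original tutorial.
# set_sshd_option FILE Directive value
#   Replaces every active or commented-out occurrence of Directive in FILE
#   with "Directive value"; appends the line if the directive is absent.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key[[:space:]]" "$file"; then
        sed -E "s|^[[:space:]]*#?[[:space:]]*$key[[:space:]].*|$key $value|" "$file" > "$tmp"
    else
        cat "$file" > "$tmp"
        printf '%s %s\n' "$key" "$value" >> "$tmp"
    fi
    cat "$tmp" > "$file"   # rewrite in place, keeping the file's owner and mode
    rm -f "$tmp"
}

# get_sshd_option FILE Directive
#   Prints the value of the first active (uncommented) occurrence.
get_sshd_option() {
    grep -E "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | awk '{print $2}'
}

# harden_sshd_config FILE [PORT]
#   Applies the changes the text describes: no root login, no password
#   authentication (keys only) and a non-default port (assumed 2222).
harden_sshd_config() {
    cfg=$1; port=${2:-22}
    set_sshd_option "$cfg" PermitRootLogin no
    set_sshd_option "$cfg" PasswordAuthentication no
    set_sshd_option "$cfg" PubkeyAuthentication yes
    set_sshd_option "$cfg" Port "$port"
}

# Demonstration on a constructed sample file (never touches /etc/ssh).
demo=$(mktemp)
cat > "$demo" <<'EOF'
# What ports, IPs and protocols we listen for
Port 22
PermitRootLogin yes
# Change to no to disable tunneled clear text passwords
#PasswordAuthentication yes
EOF
harden_sshd_config "$demo" 2222
cat "$demo"
rm -f "$demo"
# On the server (root): harden_sshd_config /etc/ssh/sshd_config 2222 && sshd -t
```

The helper rewrites commented-out defaults such as `#PasswordAuthentication yes` rather than appending a second line, because sshd uses the first active occurrence of a directive and a duplicate further down would silently be ignored.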
Force users to use strong passwords
If you still allow users to connect to your server over SSH with passwords, force them to use strong passwords, because weak ones can be broken by dictionary or brute-force attacks.
To do this, edit the Pluggable Authentication Modules (PAM) configuration file that is responsible for the password policy.
Add the following line:
This line means:
retry – the number of times the user is prompted again after a rejected password.
ucredit – value 1 means that the password must contain at least one upper case letter.
lcredit – value 1 means that the password must contain at least one lower case letter.
dcredit – value 1 means that the password must contain at least one number.
ocredit – value 2 means that the password must contain at least two symbols.
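The PAM line itself is not reproduced on this page. As an added example (not from the tutorial), the following POSIX shell function applies the same character-class rule the list above describes to a candidate password: at least one upper-case letter, one lower-case letter, one digit and two other characters. In pam_cracklib and pam_pwquality an "at least N of this class" requirement is written as a negative credit value (for example ucredit=-1), whereas a positive value only grants credit toward minlen; the thresholds below are assumptions matching the text.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Thresholds mirror the
# ucredit/lcredit/dcredit/ocredit minimums the text describes (assumed).
MIN_UPPER=1; MIN_LOWER=1; MIN_DIGIT=1; MIN_OTHER=2

# count_class PASSWORD CLASS
#   Prints how many characters of PASSWORD belong to the tr character
#   class CLASS, e.g. '[:upper:]'.
count_class() {
    printf '%s' "$1" | tr -cd "$2" | wc -c | tr -d ' '
}

# check_password_classes PASSWORD
#   Returns 0 when PASSWORD meets every minimum, 1 otherwise, printing the
#   first unmet requirement to stderr (as passwd would).
check_password_classes() {
    cand=$1
    upper=$(count_class "$cand" '[:upper:]')
    lower=$(count_class "$cand" '[:lower:]')
    digit=$(count_class "$cand" '[:digit:]')
    other=$(( ${#cand} - upper - lower - digit ))   # everything else counts as a symbol
    if [ "$upper" -lt "$MIN_UPPER" ]; then echo "need $MIN_UPPER upper-case letter(s)" >&2; return 1; fi
    if [ "$lower" -lt "$MIN_LOWER" ]; then echo "need $MIN_LOWER lower-case letter(s)" >&2; return 1; fi
    if [ "$digit" -lt "$MIN_DIGIT" ]; then echo "need $MIN_DIGIT digit(s)" >&2; return 1; fi
    if [ "$other" -lt "$MIN_OTHER" ]; then echo "need $MIN_OTHER symbol(s)" >&2; return 1; fi
    return 0
}

# Demonstration with constructed sample passwords.
for pw in 'password' 'Passw0rd!' 'Passw0rd!?'; do
    if check_password_classes "$pw" 2>/dev/null; then
        echo "accepted: $pw"
    else
        echo "rejected: $pw"
    fi
done
```

Of the three samples only the last is accepted: the first has no upper-case letter, digit or symbol, and the second has only one symbol where the policy asks for two.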
Restrict users from using old passwords
You can further improve security by preventing users from reusing old passwords. To do so, edit the same PAM file:
Add the following line to the auth section:
Also add the following line to the password section to stop users from reusing their last 5 passwords:
Now if a user tries to set a password that is among their previous 5 passwords, they will get the following message:
Password has been already used. Choose another.
Set password expiration date
Users on your server should not use the same password for long. As a system administrator, you can force users to change their passwords regularly.
The password aging settings of a particular user can be shown with the chage command:
Last password change : Sep 14, 2015
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
To change password aging settings of any user, you must use the following command:
This sets the user's password to expire every 30 days; it can be changed again only after 7 days, and the user is warned 7 days before it expires.
M – Maximum number of days between password change.
m – Minimum number of days between password change.
W – Number of days of warning before the password expires.
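To confirm that the policy actually took effect across accounts, an administrator usually parses `chage -l` output rather than reading it by eye. The following added example (not part of the tutorial) does that for the listing shown above, embedded here as a constructed sample, and compares it with the 30/7/7 policy the text sets; apply_aging_policy shows the corresponding chage invocation and needs root.

```shell
#!/bin/sh
# Added example, not from the original tutorial.
POLICY_MAX=30   # -M: maximum days between password changes
POLICY_MIN=7    # -m: minimum days between password changes
POLICY_WARN=7   # -W: days of warning before expiry

# chage_value "OUTPUT" "LABEL PREFIX"
#   Prints the value after ':' on the line of chage -l output that starts
#   with LABEL PREFIX (real chage output pads the label with tabs; the
#   prefix match copes with that).
chage_value() {
    printf '%s\n' "$1" | awk -F': *' -v label="$2" \
        'index($0, label) == 1 { sub(/[[:space:]]+$/, "", $2); print $2 }'
}

# aging_compliant "OUTPUT"
#   Returns 0 when the listing satisfies the policy, 1 otherwise.
aging_compliant() {
    max=$(chage_value "$1" 'Maximum number of days')
    min=$(chage_value "$1" 'Minimum number of days')
    warn=$(chage_value "$1" 'Number of days of warning')
    [ "$max" -le "$POLICY_MAX" ] && [ "$min" -ge "$POLICY_MIN" ] && [ "$warn" -ge "$POLICY_WARN" ]
}

# apply_aging_policy USER  (requires root; not run in the demonstration)
apply_aging_policy() {
    chage -M "$POLICY_MAX" -m "$POLICY_MIN" -W "$POLICY_WARN" "$1"
}

# Constructed sample: the listing shown in the text, before the change.
SAMPLE_BEFORE='Last password change : Sep 14, 2015
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7'

if aging_compliant "$SAMPLE_BEFORE"; then
    echo "compliant"
else
    echo "not compliant: max=$(chage_value "$SAMPLE_BEFORE" 'Maximum number of days') days"
fi
# On the server (root), for every login account:
#   for u in $(awk -F: '$7 !~ /nologin|false/ {print $1}' /etc/passwd); do
#       aging_compliant "$(chage -l "$u")" || echo "$u needs attention"
#   done
```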
Many attacks begin with an ICMP sweep, widely known as a ping scan. Disabling your system's response to ICMP echo requests stops it from being discovered by a simple ping.
To ignore ICMP echo and broadcast requests, add the following lines to /etc/sysctl.conf:
Ignore ICMP echo requests:
net.ipv4.icmp_echo_ignore_all = 1
Ignore broadcast echo requests:
net.ipv4.icmp_echo_ignore_broadcasts = 1
The sysctl configuration must then be reloaded:
Try to ping your server: it will no longer respond to ICMP echo requests.
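The two sysctl lines above are easy to add twice by hand. This added example (not from the tutorial) sets a key in a sysctl file idempotently, rewriting an existing active or commented entry and appending otherwise, and works on a constructed temporary file so it runs anywhere; on the server you would point it at /etc/sysctl.conf and then run `sysctl -p` as root. Two caveats a practitioner should keep in mind: icmp_echo_ignore_broadcasts is already 1 by default on current Linux kernels, and ignoring echo requests only hides the host from ping sweeps, not from TCP port scans, while also breaking ping-based monitoring of your own server.

```shell
#!/bin/sh
# Added example, not from the original tutorial.
# set_sysctl_key FILE key value
#   Rewrites any active or commented "key = ..." line in FILE; appends the
#   setting if the key is not present. Dots in the key are escaped so the
#   pattern matches them literally.
set_sysctl_key() {
    file=$1; key=$2; value=$3
    esc=$(printf '%s' "$key" | sed 's/\./\\./g')
    tmp=$(mktemp)
    touch "$file"
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$esc[[:space:]]*=" "$file"; then
        sed -E "s|^[[:space:]]*#?[[:space:]]*$esc[[:space:]]*=.*|$key = $value|" "$file" > "$tmp"
    else
        cat "$file" > "$tmp"
        printf '%s = %s\n' "$key" "$value" >> "$tmp"
    fi
    cat "$tmp" > "$file"   # rewrite in place, keeping owner and mode
    rm -f "$tmp"
}

# get_sysctl_key FILE key
#   Prints the configured value of key (first active line), if any.
get_sysctl_key() {
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -E "^[[:space:]]*$esc[[:space:]]*=" "$1" | head -n 1 | sed 's/^[^=]*=[[:space:]]*//'
}

# disable_icmp_echo FILE
#   Applies the two settings the text describes to FILE.
disable_icmp_echo() {
    set_sysctl_key "$1" net.ipv4.icmp_echo_ignore_all 1
    set_sysctl_key "$1" net.ipv4.icmp_echo_ignore_broadcasts 1
}

# Demonstration on a constructed sample file (not /etc/sysctl.conf).
demo=$(mktemp)
printf '%s\n' 'net.ipv4.icmp_echo_ignore_all = 0' \
              '#net.ipv4.icmp_echo_ignore_broadcasts = 1' > "$demo"
disable_icmp_echo "$demo"
cat "$demo"
rm -f "$demo"
# On the server (root): disable_icmp_echo /etc/sysctl.conf && sysctl -p
```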
iptables is the tool used to set up, maintain and inspect the tables of IP packet filter rules in the Linux kernel. It lets you define rules for filtering incoming, outgoing and forwarded packets.
There are four built-in targets, ACCEPT, DROP, QUEUE and RETURN, and two extended targets, REJECT and LOG:
ACCEPT – let the packet through.
DROP – drop the packet on the floor.
QUEUE – pass the packet to userspace.
RETURN – stop traversing this chain and resume at the next rule in the previous (calling) chain.
REJECT – drop the packet and send back an error response so the sender knows it was rejected.
LOG – log information about matching packets.
The current iptables rules can be listed by typing:
It is recommended to allow SSH connections only from trusted IP addresses. An exception for a trusted IP address is added with the following command:
Then you have to block connections to port 22 from all other IP addresses:
NOTE: If you are using a different port for SSH connections, do not forget to change the port in your rules.
The rules are lost when you reboot the server; to keep them permanently, save them with the iptables-save command:
The tutorial on how to setup and configure iptables can be found here [link].
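The rule commands themselves are not shown on this page. The following added example (not the tutorial's own code) generates the rule set the text describes from a trusted address and an SSH port, so you can review it before applying it with sh as root. 203.0.113.10 and port 2222 are constructed placeholders. Two details matter for not locking yourself out: the ACCEPT rule must precede the DROP rule, because the INPUT chain is evaluated top to bottom, and an ESTABLISHED,RELATED rule keeps the session you are working from alive.

```shell
#!/bin/sh
# Added example, not from the original tutorial.
# valid_ipv4_cidr ADDR  -> 0 if ADDR looks like a.b.c.d or a.b.c.d/nn
valid_ipv4_cidr() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# ssh_allowlist_rules TRUSTED [PORT]
#   Prints the iptables commands in the order they must be applied:
#   keep existing sessions, allow SSH from TRUSTED, drop SSH from anyone else.
ssh_allowlist_rules() {
    trusted=$1; port=${2:-22}
    valid_ipv4_cidr "$trusted" || { echo "invalid address: $trusted" >&2; return 1; }
    case $port in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    cat <<EOF
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport $port -s $trusted -j ACCEPT
iptables -A INPUT -p tcp --dport $port -j DROP
EOF
}

# show_rules  (root) -> numbered view of the INPUT chain for review
show_rules() {
    iptables -L INPUT -n -v --line-numbers
}

# persist_rules [FILE]  (root). Debian/Ubuntu with iptables-persistent load
#   /etc/iptables/rules.v4 at boot; RHEL/CentOS use /etc/sysconfig/iptables.
persist_rules() {
    iptables-save > "${1:-/etc/iptables/rules.v4}"
}

# Demonstration: print the rules for a constructed trusted address.
ssh_allowlist_rules 203.0.113.10 2222
# To apply on the server (root): ssh_allowlist_rules 203.0.113.10 2222 | sh
```

The generator refuses malformed addresses and ports rather than emitting a rule that would match nothing (leaving SSH open) or everything (locking you out).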
File Transfer Protocol (FTP) is an insecure way of accessing your server because, by default, all credentials are sent in plain text. This means that anyone who can monitor the connection between you and your server can capture your password.
FTP is acceptable only for read-only, anonymous or public FTP services, or for transfers between two servers that are not reachable from the public network.
To secure your file transfers, use SFTP (file transfer over SSH) or FTPS (FTP with SSL/TLS encryption) instead.
Protecting your server from brute-force attacks is one of the most important things you can do. There is a lot of software for this; here we cover two of the most popular tools, Fail2Ban and Config Server Firewall (CSF).
Fail2Ban is a daemon that scans log files and identifies IP addresses showing malicious signs, for example too many password failures or probing for exploits. Fail2Ban bans such IP addresses from accessing your server by creating iptables rules.
Fail2Ban reduces the rate of incorrect authentication attempts, but it cannot eliminate the risk that weak authentication presents. If you really want to protect a service, configure it to accept only two-factor or public/private key authentication.
Fail2Ban can be installed by running the following command:
The configuration files of Fail2Ban are located in /etc/fail2ban/ directory.
The detailed tutorial on how to configure Fail2Ban can be found here [link].
Config Server Firewall
Config Server Firewall (CSF) is an advanced firewall package that can be installed and configured easily on almost any Linux distribution. It offers a large number of features and settings and has a graphical user interface (GUI) for the most popular web hosting control panels: WHM/cPanel, Webmin and DirectAdmin. CSF also includes a Login Failure Daemon (LFD), which scans for login failures and bans malicious IP addresses much as Fail2Ban does.
LFD periodically scans for authentication failures in Courier IMAP, Dovecot, uw-imap, Kerio, OpenSSH, Pure-FTPd, vsftpd, ProFTPD, mod_security, password-protected web pages (htpasswd), Suhosin and Exim, as well as in custom services given their own log file and a regular expression, and blocks the offending IP addresses.
It also tracks IMAP/POP3 logins and limits them to a set number of connections per hour per account or IP address.
CSF can be installed on almost any Linux-based operating system by running the following commands:
rm -fv csf.tgz
tar -xzf csf.tgz
Once CSF is installed, you should not run any other iptables-based firewall. If you previously used Advanced Policy Firewall (APF) or Brute Force Detection (BFD), a script is provided for removing these two:
Now you can test CSF's compatibility with your operating system by running csftest:
It does not matter if not every feature is available, as long as the script does not report any FATAL errors.
The detailed tutorial on how to install and configure CSF can be found here [link].
Scan for vulnerabilities and viruses
Infected files can cause you a lot of problems. Exploits, Trojans and other malware typically send malicious e-mail from your server, probe for further vulnerabilities and end up damaging the server. Keeping your server free of malware is therefore an important task: install antivirus software on the server and scan your files regularly.
ClamAV is an open source antivirus engine used in a variety of situations, including e-mail scanning, web scanning and endpoint security. It provides a number of utilities, including a flexible and scalable multi-threaded daemon, a command-line scanner and a tool for automatic signature database updates.
ClamAV is compatible with the most popular Linux distributions and can be easily installed from repositories:
yum install -y epel-release
yum install -y clamav
NOTE: Installing ClamAV on RHEL/CentOS requires the Extra Packages for Enterprise Linux (EPEL) repository, which is why it is installed first.
Before you can scan your server, you must download the latest virus signature database. It is downloaded and updated with the freshclam command. Type:
Now you can start scanning your server with the clamscan command. Let's scan the whole server for the first time:
r – scan directories recursively.
i – print only infected files.
Type clamscan --help to see all available options.
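For regular scanning you normally wrap clamscan in a script that cron can run, and that script has to act on the result rather than just print it. This added example (not from the tutorial) does that: clamscan exits 0 when nothing was found, 1 when infected files were found and 2 on error, and the wrapper maps that status to an outcome and also reads the "Infected files" line from the scan summary. The log path, the script path in the cron comment and the sample summary are constructed; the sample lets the parsing run without ClamAV installed.

```shell
#!/bin/sh
# Added example, not from the original tutorial.
CLAM_LOG=${CLAM_LOG:-/var/log/clamscan.log}   # assumed log location

# clamscan_outcome STATUS  -> maps clamscan's exit status to a word
clamscan_outcome() {
    case $1 in
        0) echo clean ;;
        1) echo infected ;;
        2) echo error ;;
        *) echo "unknown($1)" ;;
    esac
}

# infected_count "SUMMARY"  -> the number from the "Infected files:" line
infected_count() {
    printf '%s\n' "$1" | awk -F': *' '/^Infected files:/ { print $2 }'
}

# scan_path DIR  (root; runs the real scanner, not used in the demonstration)
#   Recursive scan printing only infected files, with pseudo-filesystems
#   excluded; returns clamscan's own status so cron can mail on failure.
scan_path() {
    freshclam --quiet
    clamscan -r -i --exclude-dir='^/(proc|sys|dev)' --log="$CLAM_LOG" "$1"
    status=$?
    echo "scan of $1: $(clamscan_outcome "$status")"
    return "$status"
}

# Constructed sample of a clamscan summary, for demonstration only.
SAMPLE_SUMMARY='----------- SCAN SUMMARY -----------
Scanned directories: 12
Scanned files: 340
Infected files: 1'

echo "sample summary reports $(infected_count "$SAMPLE_SUMMARY") infected file(s)"
echo "exit status 1 means: $(clamscan_outcome 1)"
# Nightly run from root's crontab (assumed script path):
#   0 3 * * * /usr/local/sbin/clamscan-daily.sh /
```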
Rkhunter (Rootkit Hunter) is a tool that scans for rootkits, backdoors and possible local exploits. It compares SHA-1 hashes of important files with known-good online databases and checks for default rootkit directories, wrong permissions, hidden files, suspicious strings in kernel modules, and so on.
Rkhunter can be installed from default repository on Ubuntu/Debian and RHEL 6/CentOS distributions:
You should update your Rkhunter databases after the installation:
Scan your server for exploits:
The results of every scan are logged in /var/log/rkhunter.log. Review this file and fix the problems it reports. To catch problems before they disrupt the server's daily work, scan your server regularly.
Although there are many programs and security features for Linux-based servers, serious vulnerabilities can arise when the system administrator grants access by mistake, that is, when incorrect permissions are set on files and directories. As a system administrator you must strike a balance between the permissions users need and those that are unnecessary and would make the system vulnerable.
Permissions have three classes, owner, group and all other users, and three types, read, write and execute. File and directory permissions can be reviewed with the ls -la command from the SSH command line. As a system administrator you can set permissions for files and directories, controlling access for the owner, the group and everyone else, with a single command: chmod (change file mode).
You should never set 777 permissions on any file or directory, as such permissions definitely leave your server or account vulnerable, especially if the system is connected to the Internet. Also, never set the SUID or SGID bits unless you are absolutely sure what you are doing.
File and directory permission settings vary with your needs and your users' needs, but to keep the system secure, always grant as few permissions as possible.
As you can see, securing your server is not an easy task. Nor is it a one-time task: it is a continuous process that has to be carried out almost every day. By now you should know the basics of Linux server security; how you implement them on your system is up to you. Good luck!
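As an added example (not from the tutorial), the following shell functions find the two conditions the text warns against, world-writable files and directories and files with the SUID or SGID bit set, so you can review them before deciding what to fix with chmod. The demonstration builds a constructed temporary tree; on a server you would run audit_permissions on / as root and compare the SUID list against what your distribution ships.

```shell
#!/bin/sh
# Added example, not from the original tutorial.
# find_world_writable DIR  -> files and directories anyone may write to
#   (-xdev stays on one filesystem so /proc and mounts are not walked)
find_world_writable() {
    find "$1" -xdev \( -type f -o -type d \) -perm -0002 2>/dev/null
}

# find_setuid_setgid DIR  -> regular files with the SUID or SGID bit set
find_setuid_setgid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# audit_permissions DIR  -> prints both lists with headings
audit_permissions() {
    echo "== world-writable under $1 =="
    find_world_writable "$1"
    echo "== SUID/SGID files under $1 =="
    find_setuid_setgid "$1"
}

# Demonstration on a constructed temporary tree.
demo=$(mktemp -d)
mkdir "$demo/uploads";   chmod 777 "$demo/uploads"   # what the text says never to do
touch "$demo/app.conf";  chmod 644 "$demo/app.conf"  # a normal file, not reported
touch "$demo/helper";    chmod 4755 "$demo/helper"   # SUID bit set
audit_permissions "$demo"
rm -rf "$demo"
# Typical fix for a directory that only its owner and group should write to:
#   chmod 775 /path/to/uploads
# To clear an unintended SUID bit:  chmod u-s /path/to/helper
```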