vps

WebTech#3 - Server Security and Hardening

cartab — Fri, 05 Dec 2008 22:52:18 +0000

Hello everyone, thanks for tuning in to my 3rd article in this series. Well, at this point we have MySQL and a Web server installed - but before we start serving anything on this server, we MUST secure it, let me repeat, this tuff is not optional if you're serious about your server, so lets take care of it!

This article will cover basic security in CentOS, from securing SSH to installing and configuring a basic firewall. Since your server/VPS is pretty bare when we activate it, it is important to implement security as soon as you can to avoid being compromised. You will learn how to restrict access to your VPS to a small number of selected individuals (or PCs) and design a very simple but effective firewall solution.

Once of the fundamentals of linux security is to never work with a root account to avoid having your password sniffed or keylogged while working from a remote location. For that reason, we will create a new user account that will be used to administrate your VPS. Lets start by creating such an account and calling it vpsadmin.

# adduser vpsadmin

After creating the user we have to give it a password and add some basic permissions to the account. By adding the user to the wheel group we are giving it some administrative rights.

# passwd vpsadmin

# usermod -a -G wheel vpsadmin

You can now log in to your new account, but lets stay in root throughout the length of the article. Note that if you cant get a command to run for some reason (most likely because environmental variables haven't been set up for new user), you can always switch to root by giving the command

# su -

We will not disable the root account, even though you should if you are really concerned about your security. Disabling the root account will require installing sudo and setting up some environmental variables, which will not be covered in this article. Now that we created the new account lets take a look at SSH and firewall security.

SSH

Let’s take a look at the default SSH configuration:

# nano /etc/ssh/sshd_config

We want to change the port SSH uses to an ambiguous, indistinct number. Look for the line that says ‘#Port 22’ and change it. Don't forget to take out the # symbol in front of the line. For example,

Port 12345

The next level of security to apply to SSH is to disallowing login by the root user. This way you will only be able to log in with your new user we just created. You’ll want to search for the “#PermitRootLogin yes” line and change it to deny root login attempts, as such:

PermitRootLogin no

Save the configuration file and restart the SSH service. Don't forget to change the port in your SSH client when you reconnect

# service ssh restart

You should now have a pretty tightened down machine when it comes to SSH, stopping most brute force crack attempts in their tracks. Let’s move on to the next topic.

Firewall (APF)

If you run a website, blog, or any other type of service that opens your VPS to the internet it's a good idea to close off any services that may leave your VPS vulnerable. We'll be installing a free, lightweight firewall solution to address these issues. Download the latest version of APF:

# wget http://www.r-fx.ca/downloads/apf-current.tar.gz

Next, unzip and install it:

# tar -xvf apf-current.tar.gz

# cd apf-current.tar.gz

# ./install.sh

APF will now be installed to /etc/apf on CentOS. You can find the configuration file the firewall in /etc/apf/conf.apf. Now lets open and make some changes to match our SSH config.

# nano /etc/apf/conf.apf

First look for the line that says

DEVEL_MODE="1"

Leaving this option as "1" will disable your firewall after 5 minutes, so make sure to change it to "0". Next, take a look at the allowed inbound ports. You should see something like

IG_TCP_CPORTS="22,80,443"

Notice that port 22, the default SSH port is open. We want to change this to the port we gave SSH earlier. You can leave port 80 (HTTP) and 443 (HTTPS) open if you plan on running a website. Next, take a look out outbound filtering. By default, APF will not filter outbound traffic but if would like to change that look for the following line

EGF="0"

And change this value to "1". On the line directly below it you should see the allowed outbound ports

EG_TCP_CPORTS="21,25,80,443"

Change these if you have enabled outbound filtering and save the firewall config. Now we should add the firewall to start when we reboot our VPS and enable it

# chkconfig --add apf

# chkconfig --level 345 apf on

# service apf start

You might get kicked out of your VPS if you haven't relogged after changing the SSH config. Just log back in if you need to do any post-install stuff. Remember to use 'su -' if some of these commands aren't registering with the server. You should not have a pretty secure box ready face the dangers of the internet.

We'll look at installing some Authoring software on the next post!

About the author

Carlos Taborda, is Founder and CEO of Webbynode a Hosting Provider for Developers, and StackFu a Social Hub for Server Stacks.

You can follow me on Twitter @cartab.

WebTech #1 Introduction to servers

cartab — Thu, 20 Nov 2008 17:37:14 +0000

Hello everyone, this post will be a very basic introduction, as a lot of designers are new to the world of servers. In my tutorials, I will use a VPS as my platform, however you can use the same commands for a dedicated server. Also, we assume you know what Linux, Apache, PHP, MySQL, and such names are.

Whats a VPS anyways?

def: A VPS a method of partitioning a physical server computer into multiple servers such that each has the appearance and capabilities of running on its own dedicated machine. (wikipedia)

So basically, a VPS is a ‘division’ of a bigger server, and it fits as a great solution for designers and developers because of the cost involved in such a service. However, a VPS is the next step from entry level-’shared’ hosting and expensive dedicated servers.

Accessing your VPS

From Windows:

Once you have ordered a VPS and your OS is installed, you need to connect to your server. You will have at least 1 IP address for your server, and SSH is enabled by default. SSH is a secure connection system that basically gives you a command line on your server.

Firstly, we need to download PuTTY from their website - Once done, double click on the downloaded putty.exe:

In the Host Name enter the IP address of your VPS, port 22 is the default port, unless you change it for security - we’ll talk about security later.

From Mac or Linux

From Mac you need to open your terminal (also in linux). In mac you can find it under Finder -> Application -> Utilities -> Terminal. Once you’re running it is should look like this:

Then type at the prompt

ssh root@10.10.x.x (replace the 10.10.x.x with you IP & use your password on the prompt)

Account Management

Ok, you're now connected to your VPS. Let’s begin by setting up a few basics. Once you’re logged in, immediately change your root password.

# passwd

As you may know, for security reasons it’s not recommended to log in to your VPS using the root account. We only logged in with root this one time to do the initial setup. With that in mind, let’s create a user we will be using instead of root from now on. Choose your own name instead of poweruser.

# adduser poweruser

Now we must give the poweruser account some administrative rights. Before we can do that though, it may be necessary to install sudo onto your VPS.

# apt-get install sudo

Sudo stands for super user do and it enables a regular user such as poweruser to run administrative tasks that would typically be available only to root. To enable sudo for the new user, let’s look at the /etc/sudoers file and give our new user super user privileges.

# nano /etc/sudoers

Add to the end of file:

poweruser ALL=(ALL) ALL

You should now be able to log in with your new account and use sudo to perform administrative tasks. When you run a command using sudo, you will be asked for the root password.

Updating the base system

We are now ready to update our VPS. Let’s start by updating the list of packages available to us.

# sudo apt-get update

Updating works by looking at a list of repositories located in /etc/apt/sources.list. If you plan to install 3^rd-party or non-standard software, you may wish to edit your sources.list with your favorite editor (I use nano).

# sudo nano /etc/apt/sources.list

To install the latest security updates and bug fixes, type the full upgrade commands:

# sudo apt-get upgrade

# sudo apt-get dist-upgrade

After the first command you may be asked to set your timezone. If you are not you may now set it manually for your home location.

# sudo ln -sf /usr/share/zoneinfo/America/New_York /etc/localtime

This creates a symbolic link from /etc/localtime to a file in /usr/share/zoneinfo corresponding with what zone you are in. Have a look in the directories under /usr/share/zoneinfo to see what timezones are available.

Resource Checks

Before we finish, we’ll run several system utilities to verify the resources on your VPS. Start by looking at the memory usage.

# free –m

You should see a table reporting your memory usage. Focus your attention on the second line, starting with -/+ buffers/cache. Under the used column, you will see how much memory applications on your VPS use. Above that you might see a higher number, but this is because it reports memory already used for buffers and cached. A more powerful command, top, shows how much processing power and memory is being used and for which running processes.

# top –bn 1

This will run top in batch mode with one iteration, so that you get a nice and clean output of everything running. Keep in mind that running top with the -bn switches is like taking a snapshot, while running it without them would provide you an ongoing look at processor activity in real-time.

Next, let’s take a look at disk usage:

# df

Df simply shows the amount of total and available disk space on a file system.

Well, now your system is up to date, you have a new user account that can perform administrative tasks, and you are aware of the resources in your working environment. Whatever your choose to use it for, you should now be aware of how to take your VPS from a barebones system to something with a little more meat on it.

At this point, we have covered alot of ground for your first server exploration day! Make sure to keep an eye on Abduzeedo, as we will be releasing the next Article on How to Setup Apache (webserver), PHP and MySQL! so you can start serving your websites.

About the author

Carlos Taborda, is Founder and CEO of Webbynode a Hosting Provider for Developers, and StackFu a Social Hub for Server Stacks.

You can follow me on Twitter @cartab.

vps

WebTech#3 - Server Security and Hardening

About the author

Sponsored Links:

WebTech #1 Introduction to servers

Whats a VPS anyways?

Accessing your VPS

From Windows:

From Mac or Linux

Account Management

Updating the base system

Resource Checks

About the author

Sponsored Links: