WebTech#3 - Server Security and Hardening
- Dec 05, 2008
Hello everyone, thanks for tuning in to my 3rd article in this series. Well, at this point we have MySQL and a Web server installed - but before we start serving anything on this server, we MUST secure it, let me repeat, this tuff is not optional if you're serious about your server, so lets take care of it!
This article will cover basic security in CentOS, from securing SSH to installing and configuring a basic firewall. Since your server/VPS is pretty bare when we activate it, it is important to implement security as soon as you can to avoid being compromised. You will learn how to restrict access to your VPS to a small number of selected individuals (or PCs) and design a very simple but effective firewall solution.
Once of the fundamentals of linux security is to never work with a root account to avoid having your password sniffed or keylogged while working from a remote location. For that reason, we will create a new user account that will be used to administrate your VPS. Lets start by creating such an account and calling it vpsadmin.
# adduser vpsadminAfter creating the user we have to give it a password and add some basic permissions to the account. By adding the user to the wheel group we are giving it some administrative rights.
# passwd vpsadmin
# usermod -a -G wheel vpsadminYou can now log in to your new account, but lets stay in root throughout the length of the article. Note that if you cant get a command to run for some reason (most likely because environmental variables haven't been set up for new user), you can always switch to root by giving the command
# su -We will not disable the root account, even though you should if you are really concerned about your security. Disabling the root account will require installing sudo and setting up some environmental variables, which will not be covered in this article. Now that we created the new account lets take a look at SSH and firewall security.
Let’s take a look at the default SSH configuration:
# nano /etc/ssh/sshd_config
We want to change the port SSH uses to an ambiguous, indistinct number. Look for the line that says ‘#Port 22’ and change it. Don't forget to take out the # symbol in front of the line. For example,
The next level of security to apply to SSH is to disallowing login by the root user. This way you will only be able to log in with your new user we just created. You’ll want to search for the “#PermitRootLogin yes” line and change it to deny root login attempts, as such:
Save the configuration file and restart the SSH service. Don't forget to change the port in your SSH client when you reconnect
# service ssh restart
You should now have a pretty tightened down machine when it comes to SSH, stopping most brute force crack attempts in their tracks. Let’s move on to the next topic.
If you run a website, blog, or any other type of service that opens your VPS to the internet it's a good idea to close off any services that may leave your VPS vulnerable. We'll be installing a free, lightweight firewall solution to address these issues. Download the latest version of APF:
Next, unzip and install it:
# tar -xvf apf-current.tar.gz
# cd apf-current.tar.gz
APF will now be installed to /etc/apf on CentOS. You can find the configuration file the firewall in /etc/apf/conf.apf. Now lets open and make some changes to match our SSH config.
# nano /etc/apf/conf.apf
First look for the line that says
Leaving this option as "1" will disable your firewall after 5 minutes, so make sure to change it to "0". Next, take a look at the allowed inbound ports. You should see something like
Notice that port 22, the default SSH port is open. We want to change this to the port we gave SSH earlier. You can leave port 80 (HTTP) and 443 (HTTPS) open if you plan on running a website. Next, take a look out outbound filtering. By default, APF will not filter outbound traffic but if would like to change that look for the following line
And change this value to "1". On the line directly below it you should see the allowed outbound ports
Change these if you have enabled outbound filtering and save the firewall config. Now we should add the firewall to start when we reboot our VPS and enable it
# chkconfig --add apf
# chkconfig --level 345 apf on
# service apf start
You might get kicked out of your VPS if you haven't relogged after changing the SSH config. Just log back in if you need to do any post-install stuff. Remember to use 'su -' if some of these commands aren't registering with the server. You should not have a pretty secure box ready face the dangers of the internet.We'll look at installing some Authoring software on the next post!