
Increase server security

This article has been written and tested on a server installed on Debian 9 & Ubuntu 18.04. This content should easily be applicable to other Linux-based OSes, but some settings may need to be changed.

The vast majority of our Linux servers (VPS or Dedicated Servers) are delivered "naked", that is, with a configuration very similar to what you would have had if you had installed the OS by yourself.

This basic configuration does not include any elements to ensure the security of the server. It is therefore strongly recommended to follow these few small rules to reinforce the security of your VPS.

You are the sole administrator of your VPS, and are therefore responsible for the actions performed on it. If your VPS is used by a third party without your knowledge (hack, password leakage, etc.) you may be held responsible for the actions performed by them. It is therefore essential to ensure the security of your VPS to avoid any abnormal use of it.

This article deliberately focuses on protecting the root access of your VPS (the most exposed part at delivery time, and the one most often attacked). Other aspects of the security of your VPS can also be explored (setting up a firewall, regular OS updates, regular log analysis, backups, etc.).

1/ Strengthen your root password

During delivery, if you did not define it yourself, your VPS is created with a random 6-character root password, to make it easier for you to access your VPS for the first time. This password, although random, is very weak (less than one hour of brute force is required to access your VPS). It is therefore imperative that you change it to a much longer password.

Under the vast majority of Linux OSes, only one command (as root) is needed: "passwd root".

root@HelpDesk:~# passwd root
Enter new UNIX password:
Retype new UNIX password:

The utility will ask you to enter the new root password twice. Nothing appears on the screen while you type: this is normal. Linux, unlike Windows, does not display stars or other characters when a password is entered in the terminal.

2/ Preventing brute-force attacks

Server IP addresses are very regularly the target of brute-force attacks. Even though a strong password is usually unbreakable by brute force (it would take centuries), setting up protection against brute-force attempts is very simple, only takes a few minutes, and will further protect your VPS.

The basic protection against these attacks is provided by the "fail2ban" package, which is able to monitor the logs of many services on your VPS and temporarily block IPs that appear repeatedly in these logs.

This package is simply installed with the command "apt install fail2ban".

root@HelpDesk:~# apt install fail2ban
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
fail2ban python3-pyinotify python3-systemd whois
0 upgraded, 4 newly installed, 0 to remove and 64 not upgraded.
Need to get 424 kB of archives.
After this operation, 1967 kB of additional disk space will be used.
Do you want to continue? [Y/n]


Once fail2ban is installed, all you have to do is configure it using the following command:

root@HelpDesk:~# printf "[ssh]\nenabled = true\nport = ssh\nfilter = sshd\naction = iptables[name=SSH, port=ssh, protocol=tcp]\nlogpath = /var/log/auth.log\nmaxretry = 3\nbantime = 900\n" > /etc/fail2ban/jail.d/ssh.conf


This will create the file "/etc/fail2ban/jail.d/ssh.conf" with the following content:

[ssh]
enabled = true
port = ssh
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
logpath = /var/log/auth.log
maxretry = 3
bantime = 900


This file specifies where the SSH service writes its logs (/var/log/auth.log by default), the number of attempts (maxretry = 3) an IP is allowed within the detection window (findtime, 10 minutes by default), and how long that IP is then banned from the server (bantime = 900, i.e. 15 minutes).
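To make the three parameters above concrete, here is an added example (not code from the article or from fail2ban) that re-implements the jail's counting logic in Python and runs it over constructed auth.log lines: the names scan, parse_ts and SAMPLE are this example's own, and findtime is set to fail2ban's default of 600 seconds.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Same values as the jail.d/ssh.conf above; findtime is fail2ban's default (600 s).
MAXRETRY = 3
FINDTIME = 600
BANTIME = 900

# Matches the sshd failure lines the 'sshd' filter picks out of /var/log/auth.log.
FAILED = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

def parse_ts(text, year=2022):
    # auth.log timestamps carry no year; one is assumed for the example.
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def scan(lines, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Return {ip: ban_expiry} for each IP with maxretry failures inside findtime."""
    attempts = defaultdict(list)
    bans = {}
    for line in lines:
        m = FAILED.search(line)
        if not m:
            continue
        ts, ip = parse_ts(m["ts"]), m["ip"]
        if ip in bans and ts < bans[ip]:
            continue  # still banned: the iptables rule drops its packets
        # keep only the failures inside the sliding findtime window
        recent = [t for t in attempts[ip] if ts - t < timedelta(seconds=findtime)]
        recent.append(ts)
        attempts[ip] = recent
        if len(recent) >= maxretry:
            bans[ip] = ts + timedelta(seconds=bantime)
            attempts[ip] = []
    return bans

# Constructed sample log lines (not taken from a real server).
SAMPLE = """\
Oct 17 10:00:01 vps sshd[1201]: Failed password for root from 203.0.113.5 port 41022 ssh2
Oct 17 10:00:04 vps sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 41030 ssh2
Oct 17 10:00:07 vps sshd[1205]: Failed password for root from 203.0.113.5 port 41041 ssh2
Oct 17 10:01:00 vps sshd[1210]: Failed password for root from 198.51.100.9 port 50001 ssh2
Oct 17 10:20:00 vps sshd[1290]: Failed password for root from 198.51.100.9 port 50002 ssh2
Oct 17 10:25:00 vps sshd[1299]: Accepted publickey for deploy from 192.0.2.10 port 60000 ssh2
""".splitlines()
```

Running scan(SAMPLE) bans only 203.0.113.5 (three failures in six seconds, banned until 10:15:07); 198.51.100.9 is never banned because its two failures are 19 minutes apart, outside the 10-minute findtime window.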

All you have to do is restart the fail2ban service with the following command, and your brute-force protection will be active.

root@HelpDesk:~# service fail2ban restart


If you accidentally get blocked from your own server and do not want to wait out the 15-minute ban, you can clear the banned IPs by flushing the iptables rules with the command "iptables -F" (note that this removes every rule in the filter table, not only fail2ban's bans). To do so, you will need to access the shell of your VPS via the console available on your control panel, then enter the root password of your VPS.

3/ Change the default SSH port

Changing the listening port of your SSH server will not protect you from targeted attacks (it is very easy for someone to find out on which port your SSH server is actually listening), but it will spare you the attacks from bots that scan server IP ranges looking for easy targets.

To make this change, edit the file /etc/ssh/sshd_config and replace the line "Port 22" with "Port 8822". You can of course replace 8822 with any other port number that is not used on your server. Also check that there is no "#" in front of this line: if a # is present, remove it, otherwise the line is ignored and sshd keeps listening on port 22.
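As an added example (not from the article), the edit described above automated in Python, including the commented-out "#Port 22" case that Debian ships by default and the case where no Port line exists at all; set_ssh_port and active_ports are this example's own names, and SAMPLE_CONFIG is a constructed fragment.

```python
import re

# A Port directive, active or commented out with '#', as found in sshd_config.
PORT_LINE = re.compile(r"^\s*(#\s*)?Port\s+\d+\s*$", re.IGNORECASE)

def set_ssh_port(config_text, port=8822):
    """Return config_text with exactly one active 'Port <port>' directive."""
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    out, replaced = [], False
    for line in config_text.splitlines():
        if PORT_LINE.match(line):
            if not replaced:
                out.append(f"Port {port}")  # first Port line, commented or not
                replaced = True
            continue  # drop any further Port lines so 22 does not stay open alongside
        out.append(line)
    if not replaced:
        out.insert(0, f"Port {port}")  # no Port line at all: add one at the top
    return "\n".join(out) + "\n"

def active_ports(config_text):
    """Ports sshd would listen on: uncommented Port lines, or 22 if there are none."""
    ports = [int(line.split()[1]) for line in config_text.splitlines()
             if re.match(r"^\s*Port\s+\d+\s*$", line, re.IGNORECASE)]
    return ports or [22]

# Constructed sshd_config fragment; Debian ships the default port commented out.
SAMPLE_CONFIG = """\
# This is the sshd server system-wide configuration file.
#Port 22
#AddressFamily any
PermitRootLogin prohibit-password
"""
```

After writing the rewritten text back to /etc/ssh/sshd_config, validate it with "sshd -t" before restarting the service, and make sure the new port is allowed through any firewall in front of the VPS.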

Then you just have to restart your SSH service via the command:

root@HelpDesk:~# service ssh restart


After any change to SSH, test the new configuration from a new console while keeping the old one open. If the configuration is incorrect for any reason and you cannot connect, the session that is still open in the first console lets you fix the error. Changing the SSH configuration does not affect sessions that are already open; even if you stop the SSH service, current sessions remain open.

Updated on: 17/10/2022
