Simple server security tips you can implement today!
December 23, 2015
These are simple server security tips I employ on every setup I do. I think it is safe to say that most system admins (at least experienced ones) have dealt at some point with a hacked or rooted server; after all, if you have never had to deal with that, you probably shouldn't consider yourself a sysadmin until you have. To that end I have learned to tighten up my security protocol for pretty much all the servers I manage, and I thought it would be worth writing up to share with you today.
WARNING: let me get this out of the way real quick, if you are just looking for copy / paste commands, please look elsewhere. You can (and likely will) LOCK yourself out of your own servers if you don’t properly implement the tips I am about to give you. You’ve been warned.
Here are 5 simple server security tips to get you started
Tip #1: Always change your default SSH port
Nowadays even non-sysadmins know that 22 is the default SSH port. Seriously, don't be lazy: change it to either a standardized port across your environment or a random one for each server. If you go for a random port per server, keep an up-to-date file with each server's configured port. Be clear about what this buys you, though: a non-default port is obscurity, not a security boundary. It cuts the log noise from mass scanners that only probe 22, but a targeted attacker finds the new port with a single port scan, so it complements tips #2 and #3 rather than replacing them. Two practical checks before you restart sshd: prefer a port below 1024, so that an unprivileged local user cannot bind it if sshd is ever stopped, and make sure the new port is open in your firewall (and, on SELinux systems, labelled as an ssh port with semanage) or your next login will be refused.
Tip #2: Disable root login
Again, and I can't stress this enough: just about everyone knows that "root" is the server's main account, so it is the first account every brute-force tool tries. Create a new user, add it to the wheel (or sudo) group, and disable direct root login over SSH (the PermitRootLogin directive in sshd_config); attempts against root then fail no matter what password they guess. The idea is that you always log in with that user, and when you need elevated access you use su to switch to root or sudo to run the single command as root. Check that the new user can actually escalate before you disable root login, or you will own a server nobody can administer.
Tip #3: Use SSH Key’s authentication and disable password logins
You are going to get a gazillion brute-force login attempts regardless. You can rate-limit them at the firewall (or with a tool such as fail2ban), but that is an ongoing fight. As a long-term measure you are better off disabling password logins altogether and setting up SSH key pairs for your users instead: a properly generated key cannot be guessed the way a password can, so the attempts keep hitting the logs but have nothing left to brute-force. Two caveats: protect the private key with a passphrase (it is now the one secret that gets into the server), and copy the public key in and confirm that a key-based login works before you turn password authentication off.
Tip #4: Restrict your login users and IPs
This one is a bit tricky and perhaps does not apply to everyone, but if you are paranoid like I am, you can limit the IP address that is allowed to log in using a given SSH key (the from="pattern" option in front of that key in authorized_keys) and/or limit the user@ip combination in sshd_config (AllowUsers user@address, or a Match Address block) so that only the desired users and keys can log in from an authorized IP address and everything else is rejected. Remember that the from= check is made against the client's source address as sshd sees it, so it only helps if that address is fixed; a NAT or dynamic address will lock you out the moment it changes.
Tip #5: Use a login server
Building on tip #4, something I have used quite successfully is an intermediate login server (what most people call a bastion or jump host). This is essentially a cheap VPS with a dedicated IP address where I have already set up all of my server login procedures. Because this VPS has a fixed IP address, I am able to restrict each of my servers to only allow logins from that IP and only for specific users. Two things follow from that design. First, the login server is now the single door into everything, so it must be hardened at least as strictly as the servers behind it (tips #1 to #4 apply to it too, and watch its logs). Second, it is always important to have a failsafe in case something breaks down. For instance, you might forget to pay for your VPS, or the node it is on crashes and upon recreation you are given a new IP address, etc. There are many scenarios in which you can find yourself locked out by a single point of failure, so as a safety net always have a second, independent point of entry to your server in case your main method fails for whatever reason. This could be a different VPS hosted elsewhere or perhaps your own ISP-assigned IP address (assuming it is fixed).
Do note that I am purposely not giving you commands above, to save your server from death by copy / paste. There is ample information on Google on each of the subjects above, so you should have no trouble at all implementing any of these as long as you understand what you are doing.
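Added example from the editor, not the author's commands and not part of the original post: a POSIX shell script that turns tips #1 to #5 into a reviewable sshd_config drop-in, pins a public key to the login server's address, and applies the change only after sshd -t accepts it, keeping the "don't lock yourself out" rule from the warning at the top. Port 2222, the user admin, and the addresses 203.0.113.10 (login server) and 198.51.100.7 (failsafe) are placeholders; the drop-in path assumes OpenSSH 8.2 or newer with an Include line in sshd_config, and the public key string used for the key pinning is constructed.

```shell
#!/bin/sh
# Editor's added example, not the author's code. Generates and safely applies
# an sshd hardening drop-in covering tips #1 to #5. All values are placeholders.
set -eu

# Tips #1 to #5 as an sshd_config drop-in, printed to stdout so it can be
# reviewed (and tested) before anything touches the live server.
#   $1 non-default port, $2 admin user (wheel/sudo member),
#   $3 fixed IP of the login server, $4 fixed IP of the failsafe entry point
hardening_config() {
    port=$1
    admin=$2
    bastion=$3
    failsafe=$4
    cat <<EOF
# Tip #1: non-default port. Obscurity only: it cuts scanner noise, nothing more.
Port $port
# Tip #2: root never logs in directly; use $admin plus su/sudo.
PermitRootLogin no
# Tip #3: keys only. ChallengeResponseAuthentication is the pre-8.7 name of
# KbdInteractiveAuthentication and is still accepted as an alias.
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
# Tips #4/#5: only $admin, and only from the login server or the failsafe.
AllowUsers $admin@$bastion $admin@$failsafe
EOF
}

# Tip #4 at the key level: pin one public key to the login server's address.
#   $1 fixed IP of the login server, $2 the public key line (contents of id_*.pub)
restrict_key() {
    printf 'from="%s" %s\n' "$1" "$2"
}

# Apply with the two-session safety net: run this in one terminal, keep it
# open, and only close it after a fresh login on the new port has succeeded
# from the login server.
apply_hardening() {
    # Needs OpenSSH >= 8.2 (Include); on older versions append to /etc/ssh/sshd_config.
    target=/etc/ssh/sshd_config.d/99-hardening.conf
    hardening_config "$1" "$2" "$3" "$4" > "$target"
    chmod 600 "$target"
    # Validate the merged configuration; a typo here would leave sshd unable to start.
    if ! /usr/sbin/sshd -t; then
        echo "sshd rejected the new config, removing it and not reloading" >&2
        rm -f "$target"
        return 1
    fi
    # Open the new port BEFORE reloading, e.g. with firewalld:
    #   firewall-cmd --permanent --add-port="$1"/tcp && firewall-cmd --reload
    # On SELinux hosts also label it: semanage port -a -t ssh_port_t -p tcp "$1"
    systemctl reload sshd
    echo "sshd reloaded. From ANOTHER terminal, on the login server, run:"
    echo "    ssh -p $1 $2@<this host>"
    echo "Do not close this session until that login works."
}

# Only apply when explicitly asked; sourcing or testing the file changes nothing.
# Usage: sh harden-ssh.sh --apply 2222 admin 203.0.113.10 198.51.100.7
if [ "${1:-}" = "--apply" ]; then
    apply_hardening "$2" "$3" "$4" "$5"
fi
```

Review the output of hardening_config first, then run the --apply form as root from a session you keep open; the restrict_key line goes in front of the matching key in the admin user's authorized_keys on each server, so that even a leaked key is useless from anywhere but the login server.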
BTW, if you are looking for a cheap VPS for a login server or perhaps to host a new project, I can wholeheartedly recommend the folks at Server Mania. I will admit I was a bit skeptical when I first heard about them but I have now migrated several of my servers over to them and I am quite happy.
How do you secure your servers? Do you use any proprietary methods? Let me know in the comments below.