You can spend time on firewall security, cloud security, and more, but leaving the OS unprotected can be dangerous.
Sites are moving from shared hosting to the cloud, with many benefits:
- Faster response times as resources are not being used by other users
- Full control over the technology stack
- Full control over the operating system
- Budget
You gain more control over hosting your site in a cloud virtual machine, but it takes some sysadmin skills to manage your virtual machine.
Let's move on to a practical guide to securing an Ubuntu or CentOS VM.
1. Changing the standard SSH port
By default, SSH listens on port 22. This means that if someone finds your IP address, they can attempt to connect to your server.
They may not be able to get into your server if it is protected by a strong password. However, they can still launch brute-force attacks that disrupt the server.
Your best bet is to change the SSH port to something else, so even if someone knows the IP address, they will not be able to connect using the default SSH port.
Changing the SSH port on Ubuntu / CentOS is very easy.
- Log in to your virtual machine as superuser (sudo)
- Make a backup copy of sshd_config (/etc/ssh/sshd_config)
- Open the file with the VI editor (editor of your choice)
vi /etc/ssh/sshd_config
- Look for the line that has the value Port 22 (usually at the beginning of the file)
# What ports, IPs and protocols we listen for
Port 22
- Replace 22 with another number (remember it, as you will need it to connect). Let's say 5000
Port 5000
- Save the file and restart SSH.
service sshd restart
Now neither you nor anyone else will be able to connect to your server through the default SSH port (22). Instead, use the new port to connect.
If you are using an SSH client or Terminal on a Mac, you can pass -p to specify the custom port.
ssh -p 5000 username@128.199.100.xxx
2. Protection against brute-force attacks
One of the common mechanisms a hacker uses to gain control of your server is launching brute-force attacks against the server and web platforms like WordPress, Joomla, etc.
This can be dangerous if not taken seriously. There are two popular programs you can use to protect Linux against brute-force attacks.
SSHGuard
SSHGuard monitors the log files of running services and blocks repeated failed login attempts.
It was originally intended to protect SSH logins, but it now supports many more services:
- Pure FTP, PRO FTP, VS FTP, FreeBSD FTP
- Exim
- Sendmail
- Dovecot
- Cucipop
- Uwimap
You can install SSHGuard using the following commands.
Ubuntu:
apt-get install sshguard
CentOS:
wget ftp://ftp.pbone.net/mirror/ftp5.gwdg.de/pub/opensuse/repositories/home:/hornos:/centos/CentOS_CentOS-6/x86_64/sshguard-1.5-7.1.x86_64.rpm
rpm -ivh sshguard-1.5-7.1.x86_64.rpm
fail2ban
Fail2Ban is another popular SSH security program. It automatically updates the iptables rules when failed login attempts reach a certain threshold.
Install fail2ban:
Ubuntu:
apt-get install fail2ban
CentOS:
yum install epel-release
yum install fail2ban
SSH Guard and Fail2Ban should be enough to secure SSH login. However, if you need to know more, you can refer to the following services.
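As an added example (not from the original article), the following shell snippet writes a fail2ban jail.local whose sshd jail uses the custom SSH port from section 1, and cross-checks it against sshd_config, since the ban rule only covers the port the jail is told about. It assumes fail2ban's configuration directory is /etc/fail2ban (the default on Ubuntu and CentOS) and that the port is passed as an argument.

```shell
#!/bin/sh
# Added example (not from the article): write a fail2ban jail.local whose sshd jail
# matches the custom SSH port from section 1, then cross-check it against sshd_config.
# Assumes fail2ban's config lives in /etc/fail2ban (the default on Ubuntu and CentOS).

write_fail2ban_jail() {  # $1 = fail2ban config dir, $2 = SSH port
    dir="$1"; port="$2"
    case "$port" in ''|*[!0-9]*) echo "port must be numeric: $port" >&2; return 1;; esac
    mkdir -p "$dir" || return 1
    # jail.conf is overwritten on package upgrades; local overrides belong in jail.local
    cat > "$dir/jail.local" <<EOF
[DEFAULT]
# block an offending IP for an hour after 5 failures within 10 minutes
bantime  = 3600
findtime = 600
maxretry = 5
# never ban loopback; add your own admin IP here so you cannot lock yourself out
ignoreip = 127.0.0.1/8 ::1

[sshd]
enabled = true
# must equal the Port directive in sshd_config: the ban action blocks exactly this port
port    = $port
EOF
}

# Return 0 when the [sshd] jail port equals sshd's Port (22 when sshd_config sets none).
check_ports_match() {  # $1 = sshd_config, $2 = jail.local
    sshd_port=$(awk '$1 == "Port" { print $2; exit }' "$1")
    jail_port=$(awk -F= '/^\[/ { s = ($0 == "[sshd]") }
                         s && $1 ~ /^port[ \t]*$/ { gsub(/[ \t]/, "", $2); print $2; exit }' "$2")
    [ "${sshd_port:-22}" = "$jail_port" ]
}
# After writing the file: service fail2ban restart, then fail2ban-client status sshd
```

Run check_ports_match after every SSH port change; a mismatch means bans are being applied to a port nobody is attacking.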
3. Disable password based authentication
If you log in to the server from only one or two computers, you can use SSH key-based authentication.
However, if you have multiple users who often log in from multiple shared computers, exchanging keys every time can be a problem.
So, depending on your situation, if you decide to disable password-based authentication, you can do it as follows.
Note: it is assumed that you have already set up SSH key exchange.
- Modify the /etc/ssh/sshd_config file using the vi editor (or an editor of your choice)
- Add the following line or uncomment it if it exists
PasswordAuthentication no
- Reload SSH
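The edits from section 1 (new port) and section 3 (PasswordAuthentication no) touch the same file, so here is one added shell example (not from the article) that applies both to a given sshd_config: it takes the backup the article asks for, refuses to disable passwords unless an authorized_keys file is already populated, and syntax-checks the result before you restart sshd. It assumes GNU sed (as on Ubuntu/CentOS) and that the config path, port and authorized_keys path are passed as arguments.

```shell
#!/bin/sh
# Added example (not from the article): apply the sshd_config edits from sections 1 and 3
# to a given file, with the backup the article asks for and a lock-out guard. Assumes
# GNU sed. Usage: harden_sshd_config /etc/ssh/sshd_config 5000 ~/.ssh/authorized_keys

# Set one "Key value" directive at column 0, replacing a commented default such as "#Port 22".
set_directive() {  # $1 = config file, $2 = key, $3 = value
    if grep -qE "^#?$2[[:space:]]" "$1"; then
        sed -i -E "s|^#?$2[[:space:]].*|$2 $3|" "$1"
    else
        printf '%s %s\n' "$2" "$3" >> "$1"
    fi
}

harden_sshd_config() {  # $1 = sshd_config path, $2 = new port, $3 = authorized_keys path
    cfg="$1"; port="$2"; keys="$3"
    # refuse non-numeric, privileged or out-of-range ports
    case "$port" in ''|*[!0-9]*) echo "port must be numeric: $port" >&2; return 1;; esac
    if [ "$port" -lt 1024 ] || [ "$port" -gt 65535 ]; then
        echo "port must be 1024-65535: $port" >&2; return 1
    fi
    # lock-out guard (section 3): a public key must already be installed before
    # PasswordAuthentication is switched off, or the next login is impossible
    if [ ! -s "$keys" ]; then
        echo "no keys in $keys; refusing to disable passwords" >&2; return 1
    fi
    cp -p "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)" || return 1   # section 1, step 2: backup
    set_directive "$cfg" Port "$port"                             # section 1
    set_directive "$cfg" PasswordAuthentication no                # section 3
    # syntax-check before restarting; a bad config would leave sshd down
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$cfg" || return 1
    fi
    # Before "service sshd restart": open $port in the firewall, and on CentOS with SELinux
    # enforcing, register it:  semanage port -a -t ssh_port_t -p tcp "$port"
}
```

Keep your current SSH session open while testing the new port from a second terminal; the backup file lets you revert if the new login fails.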
4. Protection against DDoS attacks
DDoS (Distributed Denial of Service) can happen at any level and this is the last thing you want as a business owner.
Discovering your origin IP address is possible, and as a best practice you should not expose your server's IP address to the public internet. There are several ways to hide the origin IP and protect your server from DDoS attacks.
Use a load balancer (LB)
Implement an internet-facing load balancer so that the server’s IP address is not exposed to the network. There are many load balancers out there: Google Cloud LB, AWS ELB, Linode Nodebalancer, DO LB, etc.
Use CDN
CDN (Content Delivery Network) is one of the best ways to improve website performance and security.
When implementing a CDN, you point your DNS record at an IP address provided by the CDN provider. By doing this, you advertise the CDN provider's IP address for your domain, and the origin is not disclosed.
There are many CDN providers that speed up your site and offer DDoS protection, a WAF, and more.
So choose a CDN provider that delivers both performance and security.
Configure iptables settings
You can use iptables to block suspicious requests, SYN floods, bogus TCP flag combinations, traffic from private subnets, and more.
Use a firewall
If you have a hardware firewall, great; otherwise you can use a software firewall that builds on iptables to secure incoming network connections to the VM.
There are many, but the most popular are UFW (Uncomplicated Firewall) for Ubuntu and FirewallD for CentOS.
5. Regular backups
Backup is your friend! When nothing else works, a backup will save you.
Things may never go that far, but what if they do and you do not have a backup to restore from? Most cloud or VPS providers offer backups for a small additional cost, and this should always be kept in mind.
Check with your VPS provider on how to enable the backup service. If you are using Google Compute Engine or AWS, schedule a daily snapshot.
A backup will allow you to quickly restore an entire virtual machine and get you back in business.
6. Regular updates
Keeping your virtual machine's operating system up to date is one of the most important things you can do to keep your server free of the latest security vulnerabilities.
On Ubuntu you can run apt-get update followed by apt-get upgrade to make sure the latest packages are installed.
On CentOS, you can use yum update.
7. Don’t leave open ports
In other words, only allow the necessary ports.
Keeping unneeded ports open is an open invitation to an attacker. If you are just hosting your site on your virtual machine, you most likely only need port 80 (HTTP) or 443 (HTTPS).
If you are using AWS, you can create a security group that allows only the ports you need and attach it to the VM.
If you are using Google Cloud, allow the required ports using "Firewall rules".
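For a VM without a cloud security group, sections 4 and 7 translate into one iptables ruleset: drop invalid packets and impossible TCP flag combinations, drop private-range sources arriving on the public interface, damp SYN floods, and accept only web traffic and the custom SSH port. The script below is an added example (not the article's own); it assumes SSH_PORT=5000 from section 1 and eth0 as the public interface, covers IPv4 only (mirror it with ip6tables if the VM has a public IPv6 address), and with DRY_RUN=1 prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example (not from the article): an iptables ruleset for sections 4 and 7.
# Assumes SSH_PORT=5000 (section 1) and eth0 as the public interface; DRY_RUN=1 prints
# the rules instead of applying them. Persist on a real host with iptables-save.
SSH_PORT="${SSH_PORT:-5000}"
WAN_IF="${WAN_IF:-eth0}"
DRY_RUN="${DRY_RUN:-0}"

ipt() {  # apply one rule, or just echo it in dry-run mode
    if [ "$DRY_RUN" = "1" ]; then echo "iptables $*"; else iptables "$@"; fi
}

apply_firewall() {
    ipt -F INPUT    # clean INPUT chain; the DROP policy is set last so the current session survives
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
    # "fake TCP flag" packets: flag combinations no real client sends, only scanners
    ipt -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    ipt -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
    ipt -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    ipt -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    ipt -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP   # new flows must start with SYN
    # private and link-local source ranges cannot legitimately arrive on the public interface
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 169.254.0.0/16; do
        ipt -A INPUT -i "$WAN_IF" -s "$net" -j DROP
    done
    # SYN flood damping: cap the rate of new connections per source address
    ipt -A INPUT -p tcp --syn -m hashlimit --hashlimit-name syn --hashlimit-mode srcip \
        --hashlimit-above 50/second --hashlimit-burst 100 -j DROP
    # section 7: the only services this VM offers are the web ports and the custom SSH port
    ipt -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
    # SSH: more than 5 new connections from one source within 60 s are dropped (brute-force damping)
    ipt -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -m recent --set --name ssh
    ipt -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 6 --name ssh -j DROP
    ipt -A INPUT -p tcp --dport "$SSH_PORT" -j ACCEPT
    # default deny, applied only after the allow rules are in place
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -P INPUT DROP
}
```

Review the dry-run output before applying it from a console or cloud serial port, not over the SSH session the rules could cut off.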
Conclusion
The above should help you harden and secure your server for better protection against online threats.