Securing your public Linux server

I have a several virtual private servers (VPS) under "my command", all of them publicly available and open to the internet. Of course, I want to protect them from unwanted access, so I'm writing this as a reminder for future setups/installations. I use mostly CentOS 7 installed with minimal packages, but your OS and configuration may be different.

Assumption is are that root password is known. All passwords should be complex, as we will see later :)

First of all, create your own user and enable him ssh access:

useradd malipero
passwd malipero

Needlees to say is that you should try to avoid common usernames like "apache", "oracle", "postgres",...

Add newly created user to sudoers for easier later running privileged commands.

Assuming that you already have your RSA key, copy the public id_rsa.pub key to the server for passwordless ssh connect:

# from your local machine:
ssh-copy-id malipero@<servername>

Disable root access through ssh, disable password authentication and enable ssh for the new user:

sudo vi /etc/ssh/sshd_config
    PermitRootLogin no
    AllowUsers malipero
    PasswordAuthentication no
sudo systemctl restart sshd.service

Now is the good time to update all packages you have installed:

sudo yum update

Install firewall and check that the ssh access is enabled (should be by default).

sudo yum install firewalld

On public net interface the only allowed incoming ports should be ssh and of course if you're using server for something specific (like serving web pages) then corresponding ports. From my experience, ssh port should be changed to something else than 22 to avoid 50-500 of daily break-in attempts :)

To ban break-in attempts you can install fail2ban, which will use firewall to ban IP addresses from which abusive behavior is noticed.

# enable epel repository
sudo rpm -Uvh http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-8.noarch.rpm
sudo yum install fail2ban
sudo fail2ban-client start

Configure fail2ban by adding e-mail address and services to be watched:

cd /etc/fail2ban/
sudo cp jail.conf jail.local
sudo vi /etc/fail2ban/jail.local
    [DEFAULT]
    destemail = mymail@dot.com
    sender = fail2ban@<servername>
    action = %(action_mwl)s

    [sshd]
    enabled = true
    banaction = firewallcmd-new

    # etc...

sudo fail2ban-client reload
# eventually enable fail2ban service:
sudo systemctl enable fail2ban.service

Be careful to not ban yourself :)

To be sure and eventually be alerted when someone connects to your server, I made a simple script that alerts me through e-mail:

sudo vi /etc/profile.d/cust_login.sh
    #!/bin/bash
    date > /tmp/cust_login.txt
    netstat -a | grep ':ssh' | grep ESTABLISHED >> /tmp/cust_login.txt
    echo >> /tmp/cust_login.txt
    netstat -an | grep ':22' | grep ESTABLISHED >> /tmp/cust_login.txt
    mailx -s "$USER - login to $HOSTNAME" mymail@dot.com < /tmp/cust_login.txt
    rm /tmp/cust_login.txt

With logwatch you can also be alerted to what's happened to your server:

sudo yum install logwatch

Logwatch will by default send daily report to root user and the email can be forwarded to some external mail if you don't want to connect everyday and check root's mailbox.

For checking at unwanted rootkits or tools I usually install rkhunter, but as it seems a little bit outdated to me I'm planning to install lynis.

That's it from my notes, I'm opened to any suggestions that may improve security of any server, so please feel free to comment.