I have several virtual private servers (VPS) under "my command", all of them publicly available and open to the internet. Of course, I want to protect them from unwanted access, so I'm writing this as a reminder for future setups/installations. I use mostly CentOS 7 installed with minimal packages, but your OS and configuration may be different.
The assumption is that the root password is known. All passwords should be complex, as we will see later :)
First of all, create your own user and give it ssh access:
useradd malipero
passwd malipero
Needless to say, you should avoid common usernames like "apache", "oracle", "postgres", ... since those are exactly the names automated break-in attempts try first.
Add the newly created user to sudoers (on CentOS 7, membership in the wheel group is enough) so you can run privileged commands with sudo later.
Assuming you already have an RSA key pair, copy the public key (id_rsa.pub) to the server for key-based (passwordless) ssh login:
# from your local machine:
ssh-copy-id malipero@<servername>
Disable root access through ssh, disable password authentication and allow ssh only for the new user. Before restarting sshd, verify in a second session that key login for the new user works, otherwise you will lock yourself out:
sudo vi /etc/ssh/sshd_config
PermitRootLogin no
AllowUsers malipero
PasswordAuthentication no
sudo systemctl restart sshd.service
Now is a good time to update all installed packages:
sudo yum update
Install firewalld and check that ssh access is allowed (it should be by default):
sudo yum install firewalld
On the public network interface the only allowed incoming ports should be ssh and, if the server does something specific (like serving web pages), the corresponding ports. From my experience, the ssh port should be changed to something other than 22 to avoid 50-500 daily break-in attempts :) If you move the port, open the new one in firewalld and, with SELinux enforcing, label it as an ssh port, otherwise sshd will not be allowed to bind to it. Keep in mind that a different port only cuts down the log noise; it is the key-only login that actually keeps attackers out.
To ban break-in attempts you can install fail2ban, which uses the firewall to ban IP addresses from which abusive behaviour is noticed.
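The sshd_config, port and firewall steps above, as an added example written for this post (not the author's own script). It assumes the CentOS 7 layout used here (/etc/ssh/sshd_config, firewalld, SELinux enforcing, systemd) and the user name malipero; the demo at the bottom only touches a constructed sample file, while apply_sshd_hardening is the function you would run as root on the real host.

```shell
#!/bin/bash
# Added example, not from the original post. Assumes the CentOS 7 layout used
# in the post: /etc/ssh/sshd_config, firewalld, SELinux enforcing, systemd.
set -u

# set_sshd_option FILE KEY VALUE
# Remove any active (uncommented, canonical-case) line for KEY and insert
# "KEY VALUE" at the top of the file. sshd uses the first value it reads for a
# keyword, so the inserted line wins over leftover global duplicates; the
# commented defaults are left untouched for reference. Safe to run repeatedly.
set_sshd_option() {
    local file="$1" key="$2" value="$3"
    sed -i -E "/^[[:space:]]*${key}([[:space:]]|$)/d" "$file"
    if [ -s "$file" ]; then
        sed -i "1i ${key} ${value}" "$file"
    else
        printf '%s %s\n' "$key" "$value" > "$file"
    fi
}

# active_value FILE KEY -> value of the first active directive for KEY,
# i.e. the one sshd would use. Comment lines never match because $1 starts with '#'.
active_value() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# harden_sshd FILE USER [PORT]: the settings from the post, plus the port move.
harden_sshd() {
    local file="$1" user="$2" port="${3:-22}"
    set_sshd_option "$file" Port "$port"
    set_sshd_option "$file" PermitRootLogin no
    set_sshd_option "$file" PasswordAuthentication no
    set_sshd_option "$file" AllowUsers "$user"
}

# apply_sshd_hardening USER [PORT]: what to run on the real host (needs root;
# not executed by the demo below). Keep a second ssh session open and confirm
# key login works before this restarts sshd. semanage comes from the
# policycoreutils-python package on CentOS 7.
apply_sshd_hardening() {
    local user="$1" port="${2:-22}" cfg=/etc/ssh/sshd_config bak
    bak="$cfg.bak.$(date +%s)"
    cp -a "$cfg" "$bak"
    harden_sshd "$cfg" "$user" "$port"
    # Never restart on a config sshd rejects: that is a guaranteed lock-out.
    if ! /usr/sbin/sshd -t; then
        echo "sshd_config failed validation, restoring $bak" >&2
        cp -a "$bak" "$cfg"
        return 1
    fi
    if [ "$port" != 22 ]; then
        semanage port -a -t ssh_port_t -p tcp "$port"   # use -m if the port is already labelled
        firewall-cmd --permanent --add-port="${port}/tcp"
        firewall-cmd --reload
        # Only after the new port is confirmed reachable from outside:
        #   firewall-cmd --permanent --remove-service=ssh && firewall-cmd --reload
    fi
    systemctl restart sshd.service
}

# make_demo_config -> path of a constructed excerpt resembling the CentOS 7
# defaults (sample data for the demo, not a real sshd_config).
make_demo_config() {
    local f
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, not a real sshd_config
#Port 22
#PermitRootLogin yes
#PasswordAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
EOF
    echo "$f"
}

# Demo on the sample file only; nothing on the host is changed.
demo=$(make_demo_config)
harden_sshd "$demo" malipero 2222
cat "$demo"
rm -f "$demo"
```

Inserting at the top rather than editing in place is deliberate: the CentOS 7 default file carries both a commented and an active PasswordAuthentication line, and a naive sed over all occurrences ends up with duplicate directives, whereas the first-value rule of sshd makes the prepended line authoritative.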
# enable epel repository
sudo rpm -Uvh http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-8.noarch.rpm
sudo yum install fail2ban
sudo fail2ban-client start
Configure fail2ban by adding your e-mail address and the services to be watched:
cd /etc/fail2ban/
sudo cp jail.conf jail.local
sudo vi /etc/fail2ban/jail.local
[DEFAULT]
destemail = mymail@dot.com
sender = fail2ban@<servername>
action = %(action_mwl)s
[sshd]
enabled = true
banaction = firewallcmd-new
# etc...
sudo fail2ban-client reload
# finally enable the fail2ban service:
sudo systemctl enable fail2ban.service
Be careful not to ban yourself (put your own address in ignoreip under [DEFAULT]) :)
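What the sshd jail above counts, done by hand over /var/log/secure-style lines: an added example, not part of the original post or of fail2ban, that shows which sources have reached maxretry and honours an ignoreip-style exclusion list. The log lines are constructed sample data (documentation addresses), not a capture from a real server.

```shell
#!/bin/bash
# Added example, not from the original post: a manual version of the counting
# fail2ban's sshd jail does, useful to see who is hammering the server and to
# check an ignoreip list before (or without) fail2ban is in place.
set -u

# failed_ssh_sources LOGFILE MAXRETRY [IGNOREIP...]
# Prints "COUNT IP", highest first, for every source with at least MAXRETRY
# "Failed password" attempts, skipping addresses given as IGNOREIP.
# Only "Failed password" lines are counted so that the accompanying
# "Invalid user" line for the same attempt is not counted twice.
failed_ssh_sources() {
    local log="$1" maxretry="$2"
    shift 2
    awk -v max="$maxretry" -v ignore="$*" '
        BEGIN { n = split(ignore, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        /sshd\[[0-9]+\]: Failed password for / {
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (ip != "" && !(ip in skip)) fails[ip]++
        }
        END { for (ip in fails) if (fails[ip] >= max) print fails[ip], ip }
    ' "$log" | sort -rn
}

# make_sample_log -> path of a constructed /var/log/secure excerpt (sample data).
make_sample_log() {
    local f
    f=$(mktemp)
    cat > "$f" <<'EOF'
Mar  1 10:00:01 vps sshd[2101]: Failed password for root from 203.0.113.10 port 41022 ssh2
Mar  1 10:00:03 vps sshd[2101]: Failed password for root from 203.0.113.10 port 41022 ssh2
Mar  1 10:00:05 vps sshd[2105]: Invalid user admin from 203.0.113.10
Mar  1 10:00:05 vps sshd[2105]: Failed password for invalid user admin from 203.0.113.10 port 41030 ssh2
Mar  1 10:00:06 vps sshd[2105]: Failed password for invalid user admin from 203.0.113.10 port 41030 ssh2
Mar  1 10:00:09 vps sshd[2110]: Failed password for invalid user oracle from 203.0.113.10 port 41044 ssh2
Mar  1 10:01:12 vps sshd[2130]: Failed password for malipero from 198.51.100.7 port 50123 ssh2
Mar  1 10:01:20 vps sshd[2130]: Accepted publickey for malipero from 198.51.100.7 port 50123 ssh2
Mar  1 10:02:00 vps sshd[2140]: Failed password for root from 192.0.2.44 port 33001 ssh2
Mar  1 10:02:01 vps sshd[2140]: Failed password for root from 192.0.2.44 port 33001 ssh2
Mar  1 10:02:02 vps sshd[2140]: Failed password for root from 192.0.2.44 port 33001 ssh2
Mar  1 10:02:03 vps sshd[2141]: Failed password for root from 192.0.2.44 port 33002 ssh2
Mar  1 10:02:04 vps sshd[2141]: Failed password for root from 192.0.2.44 port 33002 ssh2
Mar  1 10:02:05 vps sshd[2142]: Failed password for root from 192.0.2.44 port 33003 ssh2
EOF
    echo "$f"
}

# Demo: maxretry 5, then the same with the first attacker on the ignore list
# (your own address would go there, like ignoreip in jail.local).
log=$(make_sample_log)
echo "== sources at or over 5 failures =="
failed_ssh_sources "$log" 5
echo "== same, ignoring 203.0.113.10 =="
failed_ssh_sources "$log" 5 203.0.113.10
rm -f "$log"
```

To check the real filter instead of this approximation, fail2ban ships fail2ban-regex; running it as "fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf" shows how many lines the sshd filter matches and which ones it misses. This script has no findtime window, so it over-counts slow attackers compared to fail2ban.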
To be sure, and to be alerted when someone connects to your server, I made a simple script that alerts me through e-mail:
sudo vi /etc/profile.d/cust_login.sh
#!/bin/bash
# Sourced from /etc/profile for every interactive login shell, so it would also
# fire for console and su logins; only report sessions that came in over ssh.
if [ -n "$SSH_CONNECTION" ]; then
    {
        date
        echo "user: $USER  from: ${SSH_CONNECTION%% *}"
        # established ssh sessions; ss replaces the deprecated netstat (adjust :ssh if you moved the port)
        ss -tn state established '( sport = :ssh )'
    } | mailx -s "$USER - ssh login to $HOSTNAME" mymail@dot.com
fi
# Piping straight into mailx avoids the fixed /tmp/cust_login.txt, which any local
# user could pre-create or symlink. Note this runs in the user's own shell, so it is a
# convenience, not a control: sshd's entries in /var/log/secure are the authoritative record.
With logwatch you can also be alerted about what has happened on your server:
sudo yum install logwatch
Logwatch will by default send a daily report to the root user; forward root's mail to an external address (for example via /etc/aliases) if you don't want to log in every day to check root's mailbox.
For checking for unwanted rootkits or tools I usually install rkhunter, but as it seems a bit outdated to me, I'm planning to install lynis.
That's it from my notes. I'm open to any suggestions that may improve the security of any server, so please feel free to comment.