[How To]: Protect Your Server
#1 Andreas (Haphost Staff, Moderators, 283 posts, Location: Germany)

Posted 19 December 2014 - 05:07 PM

Hello everyone,

in this little How To I want to show you how to protect your server against crackers and (D)DoS attacks.

Notice: Most of the methods shown require admin permissions, so make sure to run the commands as root or with sudo.

Using safe passwords

First of all you should consider using safe passwords. It's best to use a combination of lower-case letters, upper-case letters, numbers and symbols. In addition your password should be as long as possible. Make sure your password is not connected with you, any family members, friends, pets or things you like.

Here is a little trick on how to remember a password easily:

First, you devise a phrase like:

"Nice, thanks to this little tutorial I can easily remember my hard-to-guess password with a length of 26 characters!"

Now you can form a password out of this sentence by combining the first character of every word and every symbol into a new phrase. In this case it would look like this:

"N,tttltIcermh-t-gpwalo26c!"
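The trick above written out as a small shell function, so you can check that the phrase you picked really yields the password you think it does. This is an added example, not code from the post; the rules it applies are the ones visible in the post's own example (first letter of every word, each part of a hyphenated word counts separately with the hyphens kept, a number is kept whole, punctuation attached to a word stays in place), and the function name passphrase_initials is an assumption made here.

```shell
#!/bin/sh
# Added example, not part of the original post: derive the "first letter of
# every word" password from a passphrase, following the rules the post's own
# example shows. The function name is an assumption made for this example.
passphrase_initials() {
  printf '%s\n' "$1" | awk '
  {
    out = ""
    for (i = 1; i <= NF; i++) {
      n = split($i, parts, "-")          # hyphenated word: each part counts
      for (j = 1; j <= n; j++) {
        p = parts[j]
        if (match(p, /^[0-9]+/))         # number: keep it whole
          out = out substr(p, 1, RLENGTH)
        else if (match(p, /^[A-Za-z]/))  # word: keep its initial
          out = out substr(p, 1, 1)
        sub(/^[A-Za-z0-9]+/, "", p)      # attached symbols (",", "!") stay
        out = out p
        if (j < n) out = out "-"         # the hyphen itself stays too
      }
    }
    print out
  }'
}

# The phrase from the post, reproduced here to check the function against it
phrase="Nice, thanks to this little tutorial I can easily remember my hard-to-guess password with a length of 26 characters!"
pw=$(passphrase_initials "$phrase")
echo "$pw"              # N,tttltIcermh-t-gpwalo26c!
echo "length: ${#pw}"   # 26
```

Run it with your own phrase to see how long the resulting password is before you decide the phrase is long enough; the post's example phrase comes out at 26 characters, exactly as stated.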

If you want to change the password of a user on your VPS you can do this by typing this command into your console:

passwd NameOfUser

You are then prompted to type in your new password twice.

Keeping your server up-to-date

Before you start editing configuration files you should update every package on your server to close potential security gaps. You can update your whole server with one simple command:

Debian & Ubuntu:

apt-get update && apt-get upgrade

CentOS:

yum update

You should consider updating the packages on your server once a week.

Prerequisites

You don't have to do this if you already have a text editor you like, but I recommend that you install nano because I find it very easy to use. You can install this text editor by running the following command:

Debian & Ubuntu:

apt-get install nano

CentOS:

yum install nano

Creating separate users

You don't always need admin permissions to work with your server. That's why you should create new users to separate the services on your server. You can create a new user by running this command:

useradd -m NameOfNewUser -s /bin/bash

Don't forget to set a password for this user with

passwd NameOfNewUser

On Debian & Ubuntu there is a more user-friendly command you can run instead:

adduser NameOfNewUser

Deactivating direct root login via SSH

Don't worry! You will still be able to log in as root with the command su once you are logged in as another user.

To deactivate the direct root login via SSH you have to make some changes in the SSH configuration file. To do this, just type the following command into the console:

nano /etc/ssh/sshd_config

Now navigate with the arrow keys on your keyboard to the line that says

PermitRootLogin yes

and change it to

PermitRootLogin no

Now you just have to save the configuration file. In nano, press [CTRL] + [O] and then confirm with [ENTER]. To quit nano press [CTRL] + [X].

Finally you have to restart the SSH service in order to apply the changes:

/etc/init.d/ssh restart

Make sure that you have created a second user with which you can log in alternatively, otherwise you won't be able to access your server anymore!

Changing SSH port

To change the SSH port you have to make some changes in the SSH configuration file. To do this, just type the following command into the console:

nano /etc/ssh/sshd_config

Now navigate with the arrow keys on your keyboard to the line that says

Port 22

and change it to whatever port you want your SSH service to run on. Make sure the port you choose doesn't conflict with other services, otherwise you will have problems accessing your server via SSH.

Now you just have to save the configuration file. In nano, press [CTRL] + [O] and then confirm with [ENTER]. To quit nano press [CTRL] + [X].

Finally you have to restart the SSH service in order to apply the changes:

/etc/init.d/ssh restart

You can then log in to your server with this command:

ssh user@host.tld -p 1234

1234 represents the port in this example.

Reducing maximal login attempts

To reduce the maximal login attempts you have to make some changes in the SSH configuration file. To do this, just type the following command into the console:

nano /etc/ssh/sshd_config

Now navigate with the arrow keys on your keyboard to the line that says

# Authentication:

Below it, find a free line and add the following to the configuration file:

MaxAuthTries 2

In this example, the maximal number of login attempts is two.

Now you just have to save the configuration file. In nano, press [CTRL] + [O] and then confirm with [ENTER]. To quit nano press [CTRL] + [X].

Finally you have to restart the SSH service in order to apply the changes:

/etc/init.d/ssh restart
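The three sshd_config edits above (PermitRootLogin no, a new Port, MaxAuthTries 2) are the kind of change that is easy to get subtly wrong by hand: a second copy of the keyword further down, a setting placed after a Match block, or a typo that stops sshd from starting. The script below, an added example that is not part of the original post, makes the same three changes from a function and then asks sshd to check the file before you restart. It runs against a constructed sample file so it needs no root; the function names set_sshd_option and validate_sshd_config are assumptions made for this example, and on a real server you would pass /etc/ssh/sshd_config instead of the sample.

```shell
#!/bin/sh
# Added example, not part of the original post: apply sshd_config settings
# from a script and validate the file before restarting the SSH service.
# Function names are assumptions made for this example.
set -eu

# set_sshd_option FILE KEYWORD VALUE
# Rewrites the first line that starts with KEYWORD (an active line, or a
# commented-out default such as "#Port 22") to "KEYWORD VALUE" and drops any
# later duplicates in the global section, so exactly one value remains.
# sshd uses the first value it reads for a keyword, and anything written
# after a "Match" line only applies inside that block, so if the keyword is
# absent the new line is inserted before the first Match block (or appended
# when there is none). Lines inside Match blocks are left untouched.
set_sshd_option() {
  file=$1; key=$2; value=$3
  tmp=$(mktemp)
  awk -v key="$key" -v value="$value" '
    BEGIN { done = 0; inmatch = 0 }
    {
      stripped = $0
      sub(/^[ \t]*#?[ \t]*/, "", stripped)   # ignore leading "#" and blanks
      n = split(stripped, f, " ")
      iskey   = (n > 0 && tolower(f[1]) == tolower(key))
      ismatch = (n > 0 && tolower(f[1]) == "match")
      if (ismatch && !done) { print key " " value; done = 1 }
      if (ismatch) inmatch = 1
      if (iskey && !inmatch) {
        if (!done) { print key " " value; done = 1 }   # replace first hit
        next                                           # drop later duplicates
      }
      print
    }
    END { if (!done) print key " " value }
  ' "$file" > "$tmp"
  cat "$tmp" > "$file"     # write in place to keep the file mode and owner
  rm -f "$tmp"
}

# validate_sshd_config FILE
# Lets sshd parse FILE without starting it. Always do this before restarting:
# a typo in sshd_config stops sshd from coming back and locks you out.
validate_sshd_config() {
  sshd -t -f "$1"
}

# --- demo on a constructed sample in the shape of a stock sshd_config ---
demo=$(mktemp)
cat > "$demo" <<'EOF'
#Port 22
# Authentication:
PermitRootLogin yes
Match User backup
    PermitRootLogin no
EOF

set_sshd_option "$demo" Port 2222          # pick your own free port
set_sshd_option "$demo" PermitRootLogin no
set_sshd_option "$demo" MaxAuthTries 2

echo "--- resulting configuration ---"
cat "$demo"

if command -v sshd >/dev/null 2>&1; then
  if validate_sshd_config "$demo"; then
    echo "sshd accepted the file; now restart the service (/etc/init.d/ssh restart)"
  else
    echo "sshd rejected the file; fix it before restarting"
  fi
else
  echo "sshd is not installed here, skipping the syntax check"
fi
rm -f "$demo"
```

Two habits go with this: keep your current SSH session open while you restart and test a fresh login on the new port from a second terminal before closing it, and if the server runs a firewall, allow the new port there before the restart. On CentOS the service is named sshd rather than ssh.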

Installing basic DDoS protection

Finally I recommend that you follow the installation instructions on http://deflate.medialayer.com. A lightweight bash shell script will be installed which protects you against DoS and weak DDoS attacks.

After the installation, open the configuration file and edit the necessary settings (for example whether you want to use iptables or Advanced Policy Firewall to block IPs):

nano /usr/local/ddos/ddos.conf

That's it! I hope this How To helped you make your server a little bit more secure against crackers and (D)DoS attacks.
