Checklist to secure your VPS
#1
Let's start making a security checklist. Post a reply to this thread and I will add it to the list. This list aims to provide easy access without reading all the subsequent posts. Things that are not essential but recommended will have 'optional' in parentheses. Lists are grouped by category. You may suggest a new category.


Category: Global (Includes SSH)
1. Disable Root Access and Use SSH Keys.
2. Use Sudo instead of Su.
3. Install and Use a Firewall.
4. Disable Unnecessary Services and Daemons.
5. Set automatic password expiration (optional).
6. Use IDS (optional).
7. Set up a cron job to update system.
8. Change default SSH Port.
9. Use One-time Passwords (optional).
10. Use Fail2ban or similar brute-force detection tools.

Category: FTP
1. Switch to sFTP (ssh ftp) unless you have a good reason not to.
2. Disable Anonymous Access unless needed.
3. Disable Root Login.
4. Chroot users to their home directory.
5. Change default FTP port.

Category: Network
1. Allow access to SSH and critical management services like Webmin from trusted IPs only.
2. Make a strict Firewall policy.
3. Drop packets instead of rejecting (optional).
4. Enable syn cookies.
5. Rate limit network services like SSH.
6. Use public IP block list.

Category: Web services
1. Password-protect web-based login directory like 'wp-login'.
2. Avoid using nulled scripts.
3. Avoid unnecessary applications like phpMyAdmin which are detected by exploit scanners and a prominent target.
4. Use Suhosin Patch for PHP.

Category: Gameservers
1.

#2
Disable Root Logins:
Code:
Open /etc/ssh/sshd_config
Make sure you have
# Prevent root logins:
PermitRootLogin no
then restart sshd.

Limit Login (same file; only the listed users may log in over SSH):
Code:
AllowUsers test testing
then restart sshd.

CSF Firewall:
Code:
Make sure you have perl.
yum install -y perl-libwww-perl

Download the source

cd /usr/local/src
wget http://www.configserver.com/free/csf.tgz
tar -zxvf csf.tgz
cd csf
./install.sh

cleanup the files
rm -Rf /usr/local/src/csf* && cd

backup the original settings
cp /etc/csf/csf.conf /etc/csf/csf.conf.bak

edit the current configuration
nano -w /etc/csf/csf.conf


Password Aging
Code:
These are options of the chage command (chage [options] username):

-m [days] Minimum number of days between password changes. 0 means the user may change the password at any time.

-M [days] Maximum number of days for which the password is valid.

-d [days] Date of the last password change, as YYYY-MM-DD or as the number of days since January 1, 1970.

-I [days]
Number of inactive days after the password expires before the account is locked.

-E [date]
Date on which the account is locked, in the format YYYY-MM-DD. Instead of the date, the number of days since January 1, 1970 can also be used.

-W [days]
Number of days before the password expiration date to warn the user.

Disable anonymous access
Code:
Go to /etc/vsftpd/vsftpd.conf
Make sure you have
anonymous_enable=NO

This page is also helpful
http://wiki.centos.org/HowTos/OS_Protection
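As an added example (my own script, not code from any post in this thread), here are the steps from the post above put into a small shell script with an idempotent config editor, so re-running it never leaves a second, conflicting PermitRootLogin line behind. It assumes POSIX sh with awk and grep, chage from shadow-utils, and an init system that understands "service sshd restart"; the user list "test testing", the 90/14/7-day aging values and the sample config contents are all made up for the demonstration. Functions take file paths, so you can try them on copies before touching /etc.

```shell
#!/bin/sh
# Added example for this thread (not from any post): the sshd, vsftpd and
# password-aging steps from post #2 as re-runnable functions.
# Assumptions: POSIX sh, awk, grep; chage (shadow-utils); "service sshd restart".

# get_directive FILE KEY -> value of the first active (uncommented) KEY line.
# Handles "Key value" (sshd_config) and "key=value" (vsftpd.conf).
get_directive() {
    awk -v k="$2" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        line ~ /^#/ || line == "" { next }            # skip comments and blanks
        {
            sub(/=/, " ", line)                       # key=value -> key value
            n = split(line, f, /[ \t]+/)
            if (!found && tolower(f[1]) == tolower(k)) {   # sshd: first wins
                found = 1; v = f[2]
                for (i = 3; i <= n; i++) v = v " " f[i]
            }
        }
        END { print v }' "$1"
}

# set_directive FILE KEY VALUE [SEP] -> remove every active *or commented*
# line for KEY, then append exactly one "KEY<SEP>VALUE".  SEP defaults to a
# space; pass "=" for vsftpd.conf.  Dropping the commented copies too means a
# later "uncomment #PermitRootLogin yes" cannot silently take precedence.
set_directive() {
    sd_file=$1; sd_key=$2; sd_value=$3; sd_sep=${4:- }
    [ -f "$sd_file" ] || : > "$sd_file"
    { grep -iv "^[[:space:]]*#*[[:space:]]*${sd_key}[[:space:]=]" "$sd_file" || true; } \
        > "$sd_file.tmp"
    printf '%s%s%s\n' "$sd_key" "$sd_sep" "$sd_value" >> "$sd_file.tmp"
    mv "$sd_file.tmp" "$sd_file"
}

# "Disable Root Logins" + "Limit Login".  USERS is the space-separated
# AllowUsers list: put your own account in it and confirm its key login works
# from a second session before applying this to /etc/ssh/sshd_config.
harden_sshd() {
    set_directive "$1" PermitRootLogin no
    set_directive "$1" AllowUsers "$2"
}

# "Disable anonymous access" plus the chroot item from the FTP checklist,
# for /etc/vsftpd/vsftpd.conf.
harden_vsftpd() {
    set_directive "$1" anonymous_enable NO "="
    set_directive "$1" chroot_local_user YES "="
}

# "Password Aging": the chage options from the post, with example values
# (90-day maximum, 1-day minimum, 14 days' warning, lock 7 days after expiry).
# Must run as root; never run in the demo below.
password_aging() {
    chage -M 90 -m 1 -W 14 -I 7 "$1"
}

# Validate before restarting: a syntax error would leave sshd down and you
# locked out with only the provider console to recover from.
apply_sshd() {
    sshd -t -f "$1" && service sshd restart
}

# --- Demonstration on constructed sample files (not real server configs) ---
demo_dir=$(mktemp -d)
printf '#PermitRootLogin yes\nPort 22\nAllowUsers olduser\n' > "$demo_dir/sshd_config"
printf 'anonymous_enable=YES\nlisten=YES\n' > "$demo_dir/vsftpd.conf"
harden_sshd "$demo_dir/sshd_config" "test testing"
harden_vsftpd "$demo_dir/vsftpd.conf"
echo "PermitRootLogin  = $(get_directive "$demo_dir/sshd_config" PermitRootLogin)"
echo "AllowUsers       = $(get_directive "$demo_dir/sshd_config" AllowUsers)"
echo "anonymous_enable = $(get_directive "$demo_dir/vsftpd.conf" anonymous_enable)"
rm -rf "$demo_dir"
```

The first-active-line-wins rule in get_directive mirrors how sshd reads its config, which is why set_directive deletes every earlier copy of the key instead of merely appending: an appended "PermitRootLogin no" below an existing "PermitRootLogin yes" would change nothing.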
#3
Please don't post links. Post list items directly.
#4
Change the default SSH port to a different one:

CentOS/RHEL/Fedora/SL:

  1. Open the sshd_config file with an editor like Nano or Vim:

    Terminal

    nano /etc/ssh/sshd_config

  2. Edit the following line and change the port to whatever you like:

    Terminal

    Port 22

  3. Save the file (CTRL + X, y and enter for Nano) and restart the sshd service to apply changes with the following command:

    Terminal

    service sshd restart

  4. You are done; sshd now listens on a port other than 22, and hackers will fail to break into your VPS until they find out what port you use.


Debian/Ubuntu:

  1. Open the sshd_config file with an editor like Nano or Vim:

    Terminal

    sudo nano /etc/ssh/sshd_config

  2. Edit the following line and change the port to whatever you like:

    Terminal

    Port 22

  3. Save the file (CTRL + X, y and enter for Nano) and restart the sshd service to apply changes with the following command:

    Terminal

    sudo /etc/init.d/ssh restart

  4. You are done; sshd now listens on a port other than 22, and hackers will fail to break into your VPS until they find out what port you use.

It is the same on both. I think on Debian/Ubuntu the line with "Port 22" is commented out, so remove the "#" in front of it to make sshd listen on the port you set.
#5
Don't forget that if you change the port of SSH away from 22, you have to open the port with iptables or else you'll be locked out, and you'll have to use the console that comes with SolusVM to open it.
#6
Indeed but so far on all the VPSs I had it always worked and I never had to touch iptables but it was running.
#7
(2012-05-28, 4:49:25 am)Nevil Wrote:  Indeed but so far on all the VPSs I had it always worked and I never had to touch iptables but it was running.
Because, it has been set to 'ACCEPT' as default policy.

Also, help me expand this list to include securing game-servers.
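As an added example (my own script, not code from posts #4 to #7), here is the port change from post #4 done the way posts #5 and #7 recommend: read back which port sshd will actually use (including the commented-out "#Port 22" case), rewrite it with a validated edit, check the iptables INPUT policy, and open the new port before restarting so the current session is never the only way in. It assumes POSIX sh with awk, iptables, and "service sshd restart"; port 2222 and the sample sshd_config lines are made up for the demonstration, and the cutover function must run as root.

```shell
#!/bin/sh
# Added example for posts #4-#7 (not from those posts): safe sshd port change.
# Assumptions: POSIX sh, awk, iptables, "service sshd restart"; root for cutover.

# active_ssh_port FILE -> the port sshd will listen on: the first uncommented
# Port line, or 22 when every Port line is commented out (Debian ships "#Port 22").
active_ssh_port() {
    awk 'BEGIN { p = 22 }
         /^[ \t]*#/ { next }
         tolower($1) == "port" && !found { p = $2; found = 1 }
         END { print p }' "$1"
}

# set_ssh_port FILE PORT -> rewrite the first "Port" or "#Port" line as
# "Port PORT", drop any later Port lines, append one if none existed.
set_ssh_port() {
    sp_file=$1; sp_port=$2
    case $sp_port in
        ''|*[!0-9]*) echo "set_ssh_port: port must be numeric" >&2; return 1 ;;
    esac
    if [ "$sp_port" -lt 1 ] || [ "$sp_port" -gt 65535 ]; then
        echo "set_ssh_port: port out of range" >&2; return 1
    fi
    awk -v n="$sp_port" '
        /^[ \t]*#?[Pp]ort[ \t]/ {          # matches "Port 22" and "#Port 22"
            if (!done) { print "Port " n; done = 1 }
            next
        }
        { print }
        END { if (!done) print "Port " n }' "$sp_file" > "$sp_file.tmp" \
        && mv "$sp_file.tmp" "$sp_file"
}

# input_policy -> ACCEPT or DROP.  This is post #7's point: with ACCEPT the
# port change "just works"; with DROP it locks you out unless the port is
# opened first.
input_policy() {
    iptables -S INPUT | awk '$1 == "-P" && $2 == "INPUT" { print $3 }'
}

# ssh_port_cutover PORT: the safe order.  Keep the existing session open, open
# the port (idempotently), validate the config, restart, and only remove the
# rule for 22 after a second login on the new port has succeeded.
ssh_port_cutover() {
    sc_port=$1
    iptables -C INPUT -p tcp --dport "$sc_port" -j ACCEPT 2>/dev/null \
        || iptables -I INPUT -p tcp --dport "$sc_port" -j ACCEPT
    sshd -t -f /etc/ssh/sshd_config || return 1   # bad config: do not restart
    service sshd restart
    echo "INPUT policy is $(input_policy); now test from a NEW terminal:"
    echo "  ssh -p $sc_port user@host"
}

# --- Demonstration on a constructed sshd_config (not a real one) ------------
demo=$(mktemp)
printf '#Port 22\nProtocol 2\nPort 22\n' > "$demo"
echo "before: sshd would use port $(active_ssh_port "$demo")"
set_ssh_port "$demo" 2222
echo "after:  sshd would use port $(active_ssh_port "$demo")"
cat "$demo"
rm -f "$demo"
```

Two caveats for the real thing: on CentOS with SELinux enforcing, sshd will refuse to bind the new port until it is labelled (semanage port -a -t ssh_port_t -p tcp 2222), and an iptables rule added with -I is lost on reboot unless it is saved (service iptables save on CentOS, or whatever persistence your distribution uses), which is exactly the lock-out case post #5 warns about.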
#8
What the FTP category should say:
(2012-05-27, 9:50:15 pm)aatish910 Wrote:  Category: FTP
1. Switch to sFTP (ssh ftp) unless you have a good reason not to.
2. Disable Anonymous Access unless needed.
3. Disable Root Login.
4. Chroot users to their home directory.
5. Change default FTP port.
#9
I just FTP to update WordPress, so I only turn it on when I need to update.
#10
I use Wine on my VPS. May it be a less secure step, but that's how I work.