This article describes standard Security Best Practices for Linux servers and provides basic instructions for securing a virtual private server against the most common attacks.
- Observe the Password Security recommendations for your root account
- Create a user account for any trusted users who should have access to the VPS - do not share your root login
- Eliminate unnecessary user accounts and disable shell access for daemons
  - Run cat /etc/passwd and identify unnecessary user accounts
  - Remove unnecessary users with userdel <username>
  - Disable interactive logins for daemon accounts by specifying /bin/false for the user's shell
- Change the SSH port
  - Open your sshd_config file for editing
  - Locate the Port directive
  - Change the default SSH port - any port above the 1-1024 range is preferable (check the Internet Assigned Numbers Authority site for unassigned port numbers if you want to ensure no conflicts are encountered)
  - Restart SSH and connect to your VPS using the new port
- Restrict SSH users and hosts in sshd_config
  - Use the PermitRootLogin no directive to disable root logins over SSH (if you have created a user account for yourself and plan to use su to administer your VPS)
  - Use the AllowUsers directive to specify which user accounts may be used to log in
- Additional Recommendations
  - Limit SSH access to trusted IPs only (iptables example):
    - -A INPUT -p tcp -m tcp --dport XXXX --source x.x.x.x -j ACCEPT (where XXXX is the port SSH is listening on and x.x.x.x is the trusted source IP). This rule only restricts access if all other traffic to that port is dropped, for example by a default DROP policy on the INPUT chain.
    - Prior to closing the established SSH session, test the SSH access rule: Create an additional SSH session from the trusted source IP. Test a non-trusted IP as well. If the non-trusted IP is unable to connect and the trusted IP is allowed, the rule is working as intended.
  - Use the DenyHosts script to block malicious users (if restricting access to a single trusted IP is not practical)
  - Configure your VPS to use public key authentication instead of password authentication
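
The account and sshd_config steps above can be checked mechanically. The shell functions below are an added example, not part of the original article; the function names, the port 2222 and the user alice are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: checks an sshd_config and a passwd file against the list above.

# Print the global value of a keyword. sshd keywords are case-insensitive and
# the first occurrence wins; stop at the first Match block (conditional
# overrides). Include directives and "keyword=value" syntax are not handled.
sshd_value() {  # usage: sshd_value FILE KEYWORD DEFAULT
    awk -v key="$2" -v def="$3" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { $1 = ""; sub(/^ +/, ""); print; found = 1; exit }
        END { if (!found) print def }' "$1"
}

# Print one WARN line per recommendation the file does not meet; status 1 if any.
audit_sshd() {  # usage: audit_sshd FILE
    rc=0
    [ "$(sshd_value "$1" Port 22)" != 22 ] || { echo "WARN: default port 22"; rc=1; }
    [ "$(sshd_value "$1" PermitRootLogin unset)" = no ] || { echo "WARN: root login not disabled"; rc=1; }
    [ -n "$(sshd_value "$1" AllowUsers "")" ] || { echo "WARN: no AllowUsers list"; rc=1; }
    [ "$(sshd_value "$1" PasswordAuthentication yes)" = no ] || { echo "WARN: passwords accepted"; rc=1; }
    return $rc
}

# Accounts that can still log in interactively. The page names /bin/false;
# nologin is also treated as non-interactive here (an addition to the page).
# An empty shell field is reported because it means /bin/sh.
login_accounts() {  # usage: login_accounts PASSWD_FILE
    awk -F: 'NF == 7 && $7 !~ /\/(false|nologin)$/ { print $1 }' "$1"
}

# Constructed sample files (port 2222 and user alice are made up).
write_samples() {  # usage: write_samples DIR
    printf '%s\n' '#Port 22' 'PermitRootLogin yes' 'Match User bob' \
        '  PasswordAuthentication no' > "$1/weak"
    printf '%s\n' 'port 2222' 'PermitRootLogin no' 'AllowUsers alice' \
        'PasswordAuthentication no' 'PermitRootLogin yes' > "$1/hardened"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'daemon:x:1:1:daemon:/usr/sbin:/bin/false' \
        'alice:x:1000:1000::/home/alice:/bin/sh' \
        'ftp:x:14:50:FTP:/var/ftp:' > "$1/passwd"
}

d=$(mktemp -d) && write_samples "$d"
audit_sshd "$d/weak" || echo "weak: see warnings above"
audit_sshd "$d/hardened" && echo "hardened: no warnings"
login_accounts "$d/passwd"
rm -rf "$d"
```

On a live server, sshd -T prints the effective configuration, including values from Match blocks and included files, and sshd -t checks the syntax before you restart SSH.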
Additional Linux Security Resources
See the Security category for security guides on the VPSLink Wiki.
Linux Distribution Security
If you have an active interest in securing your VPS, you should follow up with recommendations specific to your distribution and recommendations for any daemons or applications which you use.
Applications geared toward security are an invaluable asset - consider installing an auditing tool and an intrusion detection system to automate monitoring and test your system's configuration.
- Bastille - Security auditing and configuration tool
- Samhain - File integrity checker and intrusion detection system
- SentryTools - A host-level security suite used to protect against port scans, automate log file auditing, and detect suspicious login activity