Wednesday, July 23, 2014

Security Tips for Administering a VPS



The internet is kind of like the wild west. Everything is fair game, there are seldom consequences to anything, and when it comes to sever security it's every man for himself (unless you pay someone to manage your server). Recently it seems that a lot of people are starting to buy their own vps (virtual private server), so there are going to be a lot of people looking for security solutions. Here is some advice I've gathered from my experience as a system administrator.

The golden rule of internet security is to keep a low profile. For example, don't leave port 22 open to the whole internet, even if you have ssh secured with a 4096 bit RSA key. In fact, don't use port 22 at all. Ever. It's like putting a sign on your server that says "hack me". When attackers scan the internet for targets, they use tools like nmap. Nmap by default scans the 1000 most commonly used ports. By avoiding using and filtering those ports you will save yourself a lot of trouble. Notice I said "filter" and not "close". When a port is closed, it sends a reply saying so when someone tries to access it. A filtered port does not acknowledge the request, so you can't be sure whether it's open or closed. It's a good idea to keep the default incoming policy to filtered, as is the standard setting on Linux UFW.

If you are running a web server you are probably going to want to use the default port 80 or 443 (https), so you want to make sure Apache, or whatever you are using is as secure as possible. One thing that I think is really important is to disable CGI if you are not using it. If you are running Debian/Ubuntu than that's as easy as commenting out the cgi bin alias in your main configuration.

#ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
#<Directory "/usr/lib/cgi-bin">
# AllowOverride None
# Options +ExecCGI -MultiViews
# Order allow,deny
# Allow from all
# </directory>

Doing this will prevent people from trying to execute arbitary code on your server. Another things that is cool and very secure is Openvpn. Set up an openvpn server and run it on a random high port like 61500. Use TLS authenification and strong key bit strengths. Then configure your firewall so that ssh or any other administrative/personal services are only accessible from the vpn netmask. This way in order to hack your server you would have to crack the vpn AND the ssh keys, quite a task even for a resourceful, seasoned hacker. Another bennifit here is that if you use UDP for your vpn and close all outside ports than chances are that nobody will ever find that one UDP port because UDP scanning is rare and takes forever. 99 out of 100 times it's TCP ports that they're looking for. Lastly, openvpn is really, really secure!
Of course this is just the tip of the iceberg, but these are some good tips. The good thing about linux is that it rarely will allow anything bad to happen without your consent. So, don't allow root login via ssh, for example. Log into another account, then log in to root if you need to. Close off every port that is not totally necessary for your server to operate. Think blackout zone over London... if they don't see us, they won't bomb us.

No comments:

Post a Comment