ruk·si

Server Security ABC

Updated at 2017-07-04 03:13

Bare minimum configuration to secure your own server. Nothing fancy here, just basic setup to do right after OS install.

Disable password login. Use SSH keys to manage your server, never a password.

# On your control machine.
ssh-keygen -t rsa
cat ~/.ssh/id_rsa.pub | pbcopy      # copy the public key to the clipboard (macOS)

# On the remote server.
mkdir -p ~/.ssh
chmod 0700 ~/.ssh                   # directory: owner only
touch ~/.ssh/authorized_keys
chmod 0600 ~/.ssh/authorized_keys   # key file: owner read/write only
cat >> ~/.ssh/authorized_keys       # paste the public key, then press Ctrl-D
vim /etc/ssh/sshd_config
# => ChallengeResponseAuthentication no
# => PasswordAuthentication no
# => UsePAM no

# Then restart SSH daemon.
service sshd restart
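
A check worth running before restarting the daemon, as an added example that is not part of the original notes: sshd uses the first value it finds for a keyword, so a `no` added below an existing `yes` has no effect. The function names and the sample file are constructed for illustration, and `Include` files are not followed.

```sh
# Added example. sshd uses the FIRST value it finds for a keyword, so a
# "PasswordAuthentication no" appended below an earlier "yes" changes nothing.
effective_value() {   # usage: effective_value FILE KEYWORD (global section only)
    awk -v want="$2" '
        BEGIN { want = tolower(want) }          # keywords are case-insensitive
        { sub(/^[ \t]+/, "") }                  # strip leading whitespace
        /^#/ || /^$/ { next }                   # skip comments and blank lines
        {
            key = $0; sub(/[ \t=].*/, "", key)  # keyword ends at space, tab or "="
            val = substr($0, length(key) + 1)
            sub(/^[ \t]*=?[ \t]*/, "", val)     # drop the separator
            sub(/[ \t].*/, "", val)             # keep the first word of the value
            key = tolower(key)
            if (key == "match") exit            # conditional blocks are not global
            if (key == want) { print tolower(val); exit }
        }
    ' "$1"
}

audit_sshd() {        # usage: audit_sshd FILE; returns 0 only if all three are an explicit "no"
    rc=0
    for kw in ChallengeResponseAuthentication PasswordAuthentication UsePAM; do
        val=$(effective_value "$1" "$kw")
        if [ "$val" = "no" ]; then
            echo "ok    $kw no"
        else
            echo "FAIL  $kw ${val:-unset}"
            rc=1
        fi
    done
    return $rc
}

constructed_config() {   # constructed sample, not taken from a real host
    cat <<'EOF'
Port 22
PasswordAuthentication yes
  usepam = no
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
EOF
}

tmp=$(mktemp); constructed_config > "$tmp"
audit_sshd "$tmp" || echo "=> hardening is not in effect"
rm -f "$tmp"
```

On a live host, `sshd -T` prints the effective configuration, including anything pulled in through `Include`.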

Restrict port access on the software level. You might also change the SSH port from 22 to something else, but that is not necessary.

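iptables -I INPUT 1 -p tcp --dport 22 -j ACCEPT
iptables -I INPUT 2 -p tcp --dport 80 -j ACCEPT
# allow loopback and replies to connections the server itself opened
iptables -I INPUT 3 -i lo -j ACCEPT
iptables -I INPUT 4 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# the last entry should be to deny everything else
iptables -A INPUT -j DROP

service iptables save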

Layer your web servers with reverse proxies for additional security. Use nginx to forward port 80 to other applications listening on higher port numbers. Then use Apache's htpasswd tool to generate the password file for the reverse proxy's auth_basic_user_file setting.

Sources

  • Linux Magazine, June 2017