Secure your Server like a Pro

Properly securing your server can go a long way in saving you a lot of time, money and headaches. Global statistics clearly suggest that cyber criminality is a fact of life now, creating billions of dollars in losses worldwide.

We at DataPacket do not take security lightly. In this article, we provide 9 useful tips for securing your server and fighting off the most common threats. No matter what business you’re in, we promise that following our advice is going to be worth it in the long run. 

Table of contents

  1. Keep your system up-to-date and back up your data
  2. Manage users and permissions
  3. Change your Default SSH Port
  4. Use SSH Keys for Authentication
  5. Configure the Fail2ban package
  6. Configure a Firewall
  7. Choose a provider with sophisticated DDoS protection
  8. Use a combination of measures
  9. Consider non-security risks as well

#1 Keep your system up-to-date and back up your data

Starting with the obvious, keeping your system up-to-date and backing up your data is the very least you can do in terms of securing your server. While this may seem like a no-brainer, you’d be surprised how many people neglect these simple precautions.

#2 Manage users and permissions

The root user is the first user created by default with most Linux installations. Root has unlimited privileges over the entire system and can run any command – including those capable of causing irreversible damage.

Using root for your day-to-day tasks poses a long-term risk. Since root is the default user on most Linux distributions, you’re already giving bots – or people, for that matter – half the information they need to hack into your system by brute-forcing your password.

There are two steps to reducing these risks. First, you need to create a new user with limited privileges. Second, you must disable root access via SSH.

Create a new user:

  1. Connect to your server as root via SSH.
  2. Create a new user by running the following command:
    adduser YourUserName
  3. The system will prompt you to enter a password and other credentials.
  4. Give the user you created privileges to use sudo. That way, you’ll be able to perform administrative tasks.
    usermod -aG sudo YourUserName
  5. Switch to the new user you’ve created.
    su YourUserName
  6. As the new user, make sure that you really have sudo privileges. You may be prompted to enter the password you previously created for the new user.
    sudo -l

    The output should be something like this:
    User YourUserName may run the following commands:
    (ALL : ALL) ALL

From now on, only log into your server using the new account. Remember that you’ll still be able to execute all critical administrative tasks using sudo, but without compromising on security.

Disable Root Access via SSH:
After you’ve created your own account with root privileges, go ahead and disable root access via SSH.

  1. Make sure you’re logged in as the new user you’ve created.
  2. To disable root login, you’ll need to edit the SSH configuration file. First, open it in an editor:
    sudo nano /etc/ssh/sshd_config
  3. Look for the following line:
    #PermitRootLogin prohibit-password

    And change it to:
    PermitRootLogin no

    Don’t forget to remove the hash symbol!
  4. Save the file and exit the editor.
  5. Restart the SSH service:
    sudo service ssh restart

And you’re done! That wasn’t so bad, was it? Preventing brute-force attacks is an essential part of securing your server. While hardening SSH access is a good place to start, there are other techniques worth considering as well, such as installing the Fail2ban package.

#3 Change your Default SSH Port

A simple SSH hardening tip is to change the default SSH port from 22 to something random, like 2946. Attackers often launch brute-force attacks against port 22 because that’s where SSH usually listens. By moving SSH to a different port, most of these automated attempts simply stop reaching it.

  1. Connect to your server via SSH. If you haven’t created a new user already, log in as root.
  2. Execute the following command:
    sudo nano /etc/ssh/sshd_config
  3. In the file that opens, find the following line:
    #Port 22
  4. Remove the # and change 22 to the port number you wish to use.
  5. Save the file and run the following command to restart the SSH service:
    sudo service sshd restart

Warning: Make sure the new port isn’t blocked or already in use. Also, please keep in mind that certain services may stop working if the default port is changed.

If you detect suspicious activity on a randomly chosen port, chances are that you’re being targeted by a more sophisticated attack. In case that happens, take additional measures as soon as possible.

#4 Use SSH Keys for Authentication

By default, SSH uses password authentication. Not only does that make your server vulnerable to brute-force or dictionary attacks, but passwords have other drawbacks as well:

  • They’re often easy to guess. Did you know that passwords like 123456 or 111111 are still among the most widely used worldwide? Seriously, if 123456 is your password, go change it right now.
  • On the other hand, if you choose a password that is strong enough (think 4dCZ?dn%q@n&), you may not be able to remember it.
  • During the authentication process, the password needs to be transferred to the server, creating yet another vulnerability to potential eavesdroppers.

To limit your exposure, we recommend that you configure your server to use key authentication. As an added measure, you can also disable password-based logins.

Generate a key pair:

  1. Generate your key-pair by running the following command on your local machine:
    ssh-keygen -t rsa
  2. You’ll be prompted to enter a file in which you wish to store your private key. You can press enter here, saving the key into a default location.
  3. Choose a passphrase. You’ll need to enter it each time you use the key-pair. If you don’t wish to use a passphrase, just press enter again.

    If the output ends with the key’s fingerprint and randomart image, you did everything right.
  4. Upload the public key on your server. After running the following command, you’ll be prompted to enter your password.
    ssh-copy-id username@remote_host
  5. Log into your server with the following command. You’ll no longer need to enter your password.
    ssh username@remote_host

Disable password authentication (optional)

While keys are virtually impossible to crack by brute force, strong passwords provide a similar level of security. That being said, you might find yourself in a situation where disabling password authentication altogether is the best way to go.

  1. Connect to your server via SSH. If you haven’t created a new user already, log in as root.
  2. Open the SSH configuration file in an editor:
    sudo nano /etc/ssh/sshd_config
  3. Find the following line:
    #PasswordAuthentication yes

    And change it to:
    PasswordAuthentication no

    Don’t forget to remove the hash symbol!
  4. Save the file and run the following command to restart the SSH service:
    sudo service sshd restart
  5. Close the current SSH connection and try to log in again using a password:
    ssh -o PreferredAuthentications=password username@remote_host

    The output should be something like this:
    Permission denied (publickey).

Warning: Do not lose your public key. If you lose it, you’ll lock yourself out of your server.
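The three sshd_config edits above (disabling root login in #2, changing the port in #3 and disabling password authentication in #4) all follow the same pattern: find a commented default, uncomment it and set the new value. The script below is an added example, not DataPacket’s code, that performs those edits with a small helper instead of a manual nano session. The helper names (set_sshd_option, get_sshd_option, harden_sshd) are assumptions, and the demo works on a temporary copy of the commented defaults so it never touches the real /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example: scripted sshd_config hardening (helper names are assumptions).

# set_sshd_option FILE KEY VALUE
# Replaces every line that sets KEY, whether commented out ("#Port 22")
# or active ("Port 22"), with "KEY VALUE"; appends the directive if KEY
# does not occur at all. sshd honours only the first occurrence of a
# keyword, so an existing active line must be changed, not just appended to.
# Note: a KEY inside a "Match" block would be rewritten as well.
set_sshd_option() {
  if grep -Eq "^[[:space:]]*#?[[:space:]]*$2([[:space:]]|\$)" "$1"; then
    sed -E -i "s|^[[:space:]]*#?[[:space:]]*$2([[:space:]].*)?\$|$2 $3|" "$1"
  else
    printf '%s %s\n' "$2" "$3" >> "$1"
  fi
}

# get_sshd_option FILE KEY
# Prints the value of the first active (uncommented) KEY line, which is
# the one sshd would use.
get_sshd_option() {
  awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# harden_sshd FILE PORT
# Applies the three changes from the article: new port, no root login,
# no password authentication.
harden_sshd() {
  set_sshd_option "$1" Port "$2"
  set_sshd_option "$1" PermitRootLogin no
  set_sshd_option "$1" PasswordAuthentication no
}

# Demo on a constructed copy of the commented defaults, so running this
# file is safe on any machine.
demo=$(mktemp)
printf '#Port 22\n#PermitRootLogin prohibit-password\n#PasswordAuthentication yes\nUsePAM yes\n' > "$demo"
harden_sshd "$demo" 2946
cat "$demo"
rm -f "$demo"
```

On a real server, back up the file first, run harden_sshd against /etc/ssh/sshd_config with sudo, then validate with `sudo sshd -t` before restarting the service, and keep your current SSH session open until a second login on the new port succeeds. On distributions whose sshd_config contains an `Include /etc/ssh/sshd_config.d/*.conf` line, a drop-in file there can set PasswordAuthentication yes ahead of your edit; `sudo sshd -T | grep -i passwordauthentication` shows the value sshd actually uses.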

#5 Configure the Fail2ban package

As suggested above, most bots trying to brute-force your password can be fought off by hardening your SSH access. That being said, thousands of unsuccessful attempts (sometimes per day) still increase server load, clutter up your logs, and are a nuisance in general.

Fail2ban monitors authentication logs for suspicious activities such as failed login attempts. After a pre-defined number of failures, the detected IP is blocked for a given duration. While this is an effective way of dealing with brute-force or dictionary attacks, it does not eliminate all security threats. Our recommendation is to use Fail2ban in combination with other lines of defense.

For more information on how to use this tool, please refer to the official documentation.
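To make the behaviour described above concrete, here is an added example (not fail2ban’s own code) of the counting logic behind a fail2ban sshd jail, run over a handful of constructed auth.log lines using documentation-range IP addresses. The function names sample_auth_log and ban_candidates are assumptions; real fail2ban additionally limits the count to a sliding time window (findtime) and lifts the block after bantime, which this simplified counter leaves out.

```shell
#!/bin/sh
# Added example: what a fail2ban sshd jail counts (helper names are assumptions).

# Constructed sample of /var/log/auth.log lines: one attacker (198.51.100.7)
# guessing root and an invalid user, a legitimate user with one typo
# (203.0.113.5) and a second attacker (192.0.2.66).
sample_auth_log() {
  cat <<'EOF'
Jun  1 10:00:01 srv sshd[2231]: Failed password for root from 198.51.100.7 port 51234 ssh2
Jun  1 10:00:03 srv sshd[2231]: Failed password for root from 198.51.100.7 port 51236 ssh2
Jun  1 10:00:05 srv sshd[2233]: Failed password for invalid user admin from 198.51.100.7 port 51240 ssh2
Jun  1 10:00:09 srv sshd[2240]: Failed password for alice from 203.0.113.5 port 40022 ssh2
Jun  1 10:00:12 srv sshd[2240]: Accepted publickey for alice from 203.0.113.5 port 40022 ssh2
Jun  1 10:01:00 srv sshd[2251]: Failed password for root from 192.0.2.66 port 60001 ssh2
Jun  1 10:01:02 srv sshd[2251]: Failed password for root from 192.0.2.66 port 60003 ssh2
Jun  1 10:01:04 srv sshd[2251]: Failed password for root from 192.0.2.66 port 60005 ssh2
EOF
}

# ban_candidates MAXRETRY
# Reads auth.log lines on stdin and prints, sorted, every source IP with
# MAXRETRY or more "Failed password" events: the addresses fail2ban's sshd
# jail would hand to its firewall action.
ban_candidates() {
  awk -v maxretry="$1" '
    /sshd\[[0-9]+\]: Failed password for/ {
      for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
    }
    END { for (ip in fails) if (fails[ip] >= maxretry) print ip }
  ' | sort
}

# The equivalent jail.local settings (constructed example). "port" must be
# the port SSH actually listens on, otherwise the ban rule protects the
# wrong port if you changed it as in tip #3.
#   [sshd]
#   enabled  = true
#   port     = 2946
#   maxretry = 3
#   findtime = 600
#   bantime  = 3600
sample_auth_log | ban_candidates 3
```

With maxretry set to 3, the two attackers are reported and the legitimate user with a single failed attempt is not.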

#6 Configure a Firewall

While there are several firewall utilities available out there, we strongly recommend that you spare a moment to configure iptables – a free command-line firewall tool pre-installed by default in most Linux distributions. Iptables works by matching network traffic against a set of user-defined rules and deciding what to do next.

To give you a clear idea of what iptables can do, let’s list a few everyday scenarios:

  • Block a specific IP address
  • Filter out traffic from suspicious domains
  • Deny traffic entering through a certain port

Being a complex and powerful tool, iptables also allows you to get a bit more creative with the rules you create:

  • Block all outgoing SMTP mail
  • Only allow MySQL connections from a specific network interface
  • Block all SSH connections from a specific subnet

There are two approaches you can take when configuring a firewall:

  • Blacklisting – blocks packets that match your criteria
  • Whitelisting – blocks packets that don’t match your criteria

To learn more about iptables, please refer to the official documentation. 

Warning: If you’re new to iptables, we recommend that you first test your rules on a computer you have physical access to. If you’re not absolutely sure about what you’re doing, you risk locking yourself out of your server.
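The scenarios listed above fit naturally into one whitelisting ruleset: a default DROP policy on INPUT, then explicit ACCEPT rules for what you do want. The following is an added example, not DataPacket’s configuration, that builds such a ruleset in iptables-restore format from a few parameters (the SSH port 2946 from tip #3, a blocked address, a blocked subnet and the interface MySQL may be reached on; the addresses and the interface name eth1 are constructed placeholders, and build_rules is an assumed function name).

```shell
#!/bin/sh
# Added example: a whitelisting iptables ruleset generator (name and values are assumptions).

# build_rules SSH_PORT BLOCKED_IP BLOCKED_SUBNET DB_IFACE
# Writes a complete filter table in iptables-restore format to stdout.
# Rule order matters: iptables stops at the first matching rule, so the
# subnet DROP for SSH is placed before the general SSH ACCEPT.
build_rules() {
  cat <<EOF
*filter
# Whitelisting: everything inbound is dropped unless a rule below accepts it.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback, then a blocked address (before the conntrack rule, so even its
# established connections are cut), then replies to connections we opened.
-A INPUT -i lo -j ACCEPT
-A INPUT -s $2 -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Block all SSH connections from a specific subnet, allow SSH from elsewhere.
-A INPUT -s $3 -p tcp --dport $1 -j DROP
-A INPUT -p tcp --dport $1 -j ACCEPT
# Only allow MySQL connections arriving on one network interface.
-A INPUT -i $4 -p tcp --dport 3306 -j ACCEPT
# Public web traffic.
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# Block all outgoing SMTP mail.
-A OUTPUT -p tcp --dport 25 -j REJECT
COMMIT
EOF
}

# Demo with constructed values: print the ruleset instead of loading it.
build_rules 2946 198.51.100.7 203.0.113.0/24 eth1
```

To use it, check the syntax first with `build_rules 2946 198.51.100.7 203.0.113.0/24 eth1 | sudo iptables-restore --test`, and only then load it without `--test`. Make sure the SSH port you pass is the one sshd really listens on, or the ruleset itself will lock you out. Rules loaded this way do not survive a reboot unless you save them (for example with the iptables-persistent package on Debian-based systems).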

#7 Choose a provider with sophisticated DDoS protection

If your server suddenly becomes flooded with large amounts of fake traffic, you’ve fallen victim to a DDoS attack. The purpose of a DDoS attack is to exhaust your hardware resources, which usually results in slowing your server down or, worse, making it completely inaccessible to your customers, potentially costing you a lot of business.

DDoS protection quality varies by provider. We at DataPacket have been continuously building our own DDoS protection environment. Thanks to real-time toxic traffic detection and filtering, our customers have one less thing to worry about.

If you have any reason to think that you are likely to become a target of a DDoS attack, or if you simply adopt the “protection is the best medicine” approach, do not hesitate to contact our sales team.

#8 Use a combination of measures

Tempting as it might sound, there is no one-size-fits-all security strategy. If your goal is to reduce the attack surface to a bare minimum, make sure to use several lines of defence.

#9 Consider non-security risks as well

In terms of increasing the maximum potential uptime and reliability of your server, mitigation of security threats goes hand in hand with eliminating single points of failure (SPOFs). Be it a power supply, a hard drive or a network device, no component is perfect and failures do occur. That’s where high availability (HA) comes in.

If your business depends on 100% uptime, a high availability setup should be mandatory, not optional. While individual solutions vary, each HA setup takes the following 3 components into consideration:

  1. Redundancy
    When a component fails, another one takes its place.
  2. Failure detection
    Regular monitoring needs to be in place to detect failures.
  3. Failover
    The actual process of switching to a back-up component upon failure.

Interested in a sophisticated HA solution? Let us know the specifics and we’ll deliver. Not our customer yet? No worries! You can order a trial server and we can take it from there.


Ondra Matousek
Account Manager

My role at DataPacket involves keeping our customers happy, engaged and educated. Having a lot to say, I often achieve that by writing tech blog posts, tutorials, newsletters and sundries. Did you know that the world’s first website is still alive and kicking?