The 6 Critical Steps To Secure Your Servers - SSD Nodes


The 6 Critical Steps to Secure Your Servers

Security is a lie.

Well, that's an exaggeration. Let's try again.

Security gives back exactly what you put into it.

Let's put the threat in perspective. If you're a developer working on a side project, hosting a blog, or even running your small business from a virtual private server (VPS), you're unlikely to be targeted by the sophisticated attacks that cause the massive data breaches you might have heard about on the news.

Unsurprisingly, the more popular you or your services are, the higher the risk. If you're running a SaaS app with a hundred thousand users, your database is much more valuable to hackers.

But no matter how big you are, or how valuable your data, you need to be vigilant. Attackers are continually probing the entire internet for servers that they can easily commandeer, whether that's through misconfigured SSH, weak passwords, or security bugs in server-side software. Once an attacker has access to your server, they might use it to send spam, attack other services, mine cryptocurrencies, or spread malware with the computing power you pay for.

Attackers look for easy targets, move quickly, and leave a lot of damage in their wake. Aside from being an incredible inconvenience to you, having a compromised server puts everything you've built at risk.

The goal of this guide is to give you easy-to-follow, high-value strategies for protecting your server. You should follow these steps when you first create an account with your VPS hosting provider and whenever you provision a new server. These tips will work on most VPS-hosted servers running one of the popular variants of Linux, such as Debian, Ubuntu, Fedora, or CentOS.

This guide isn't the destination on server security—it's the beginning. There is much more you can do to protect your server from attack. But, by following these steps, you'll become anything but an easy target. And, when it comes to security, there is no better first step than that.

And that's the truth.

Contents

Implement strong, unique passwords
    What is a strong password?
    Why does uniqueness matter?
    How do I create strong, unique passwords?
    Dashboard/administration area
    Server user accounts
    Databases
    Two-factor authentication
Use SSH key authentication
Enable software firewalls
    iptables basics
    Firewall strategies
        Explicit allow
        Explicit deny
    Basic setup for an explicit allow strategy
    Protip: Don't get locked out!
    iptables persistence
    Additional resources
Limit server-side application access to the internet
    Other applications
Update, update, update
    Ubuntu/Debian
    Avoiding installations with deb/rpm
    Other software
Block intruders with fail2ban
    Configuring fail2ban
    Additional resources
Beyond the 6 steps to secure servers
    Guides/tutorials
    Other areas of interest

Implement strong, unique passwords

Before we dive into VPS-specific strategies, we need to talk about cybersecurity at its most fundamental: passwords.

There are three ways for attackers to successfully acquire your password to any service: they can make educated guesses based on what they learn about you as a person (your birthday, your favorite hobby, the name of your child), they can use computer programs that use brute force by trying millions of passwords until one actually works, or they can download lists of common passwords in the hope that you're the kind of person who uses "password" on every website.

It should come as no surprise, then, that the more complex your password is, the more difficult it will be to guess using any of those strategies. You want your passwords to be both strong and unique.

What is a strong password?

Here at SSD Nodes, we have some general guidelines:

- A minimum number of characters
- No words you can find in a dictionary (cat, password, tree)
- No words or numbers that reference personal information, such as a birthday or the name of a child
- Both upper and lowercase letters
- At least one symbol (#, !, %, &)

Generally speaking, the more characters you use, and the more

Why does uniqueness matter?

You want to use a different password for every website. That way, if an attacker manages to figure out one of your passwords, they can't then use that same password to access all your other accounts.

The same policy goes for your virtual private servers. If you use the same password to access multiple servers, an attacker who discovers your password has access to not just one server, but your entire infrastructure. And that's really bad news.

How do I create strong, unique passwords?

Fortunately, creating strong, unique passwords is relatively easy these days.

The best solution for most people is a password manager, such as BitWarden, LastPass, or 1Password, among others. These programs store all of your passwords in an encrypted database that can be unlocked with a master password. Of course, this master password should be incredibly strong and unique, and one that you can remember. Once you have a password manager set up, it can generate entirely random passwords for each of your services, and will automatically fill them into login forms on sites you visit. With a password manager, you only need to memorize your master password, and all the others will also be both strong and unique.

Many people also create their own pattern or mnemonic device to create unique passwords on-the-fly that don't need to be memorized. But how you do that is entirely up to you.
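The guidelines above, as an added shell example that is not part of the SSD Nodes guide: check_password tests a candidate against each rule (the minimum length of 12 and the short word list are assumed values standing in for the guide's figure and a real dictionary file such as /usr/share/dict/words), gen_password draws random characters until a candidate passes every check, and check_unique flags any password reused across services in a service:password list.

```shell
#!/usr/bin/env bash
# Added example: password guideline checker and generator. MIN_LEN and DICT_WORDS are
# assumptions; a real deployment would read a full word list instead of DICT_WORDS.
MIN_LEN=12
DICT_WORDS="password cat tree admin server summer winter"   # constructed stand-in list

check_password() {   # check_password PASSWORD -> exit 0 only if every guideline is met
  local pw="$1" problems=0 w
  if [ "${#pw}" -lt "$MIN_LEN" ]; then
    echo "shorter than $MIN_LEN characters"; problems=$((problems + 1))
  fi
  case "$pw" in *[[:upper:]]*) ;; *) echo "no uppercase letter"; problems=$((problems + 1)) ;; esac
  case "$pw" in *[[:lower:]]*) ;; *) echo "no lowercase letter"; problems=$((problems + 1)) ;; esac
  case "$pw" in *[[:punct:]]*) ;; *) echo "no symbol";           problems=$((problems + 1)) ;; esac
  # Dictionary words are rejected even as a substring, case-insensitively
  for w in $DICT_WORDS; do
    if printf '%s' "$pw" | grep -qiF -- "$w"; then
      echo "contains dictionary word: $w"; problems=$((problems + 1))
    fi
  done
  [ "$problems" -eq 0 ]
}

random_chars() {   # random_chars LENGTH -> LENGTH characters from a mixed alphabet
  LC_ALL=C tr -dc 'A-Za-z0-9!#%&@' </dev/urandom | head -c "$1"
}

gen_password() {   # gen_password [LENGTH] -> a random password that passes check_password
  local len="${1:-20}" pw
  [ "$len" -ge "$MIN_LEN" ] || len="$MIN_LEN"
  while :; do
    pw=$(random_chars "$len")
    if check_password "$pw" >/dev/null; then printf '%s\n' "$pw"; return 0; fi
  done
}

# Uniqueness across services: read "service:password" lines from stdin and succeed only
# when no password appears twice (the reuse the guide warns about).
check_unique() {
  local dupes
  dupes=$(cut -d: -f2- | sort | uniq -d)
  [ -z "$dupes" ]
}
```

Typical use is `check_password "$candidate"` to see which rule a password fails, and `gen_password 20` when you need a throwaway password for an account that is not yet in your manager.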

Now that you can create new, secure passwords regularly, where do you need to implement them?

Dashboard/administration area

When provisioning a server for the first time, you want to make sure you start by securing your dashboard. This area likely contains billing and other personal information, and allows you to provision new servers or destroy existing ones, so you want to ensure your account is protected from intruders.

To change your password on the SSD Nodes dashboard, visit ssdnodes.com/manage. Once logged in, click on the user icon in the upper right-hand corner, and then click on the Change password link in the dropdown that appears.

Once the page loads, you can enter your existing password (for security), followed by your new, strong, and unique password. We try to encourage the use of a good dashboard password with a progress bar that gives you a rough estimate of how effective your password will be at keeping attackers out.

Once finished, you can click on Save changes. Awesome—your dashboard will now be far more secure! Just remember to save this new password in your manager.

Server user accounts

Just like a website, you connect to your VPS using usernames and passwords. Okay, not always, but more on that in a minute.

You want to ensure that any user account that you'll use to connect to your server is protected with a strong password. Every time you create a new user, we strongly recommend using strong passwords.

The first time you connect to a newly-provisioned VPS, we recommend changing the root password. This can be done easily with the passwd command—simply enter your current password followed by your new root password.

    passwd

Databases

Hackers will often probe for easy access to databases such as MySQL, which they can use as an access point for the entire server. The root password to the entire database should be strong and unique to that server. Later on, we'll talk about limiting access to the port that MySQL runs on entirely for an additional layer of security. However, a strong database password might prevent someone who has already hacked into your server from quickly gaining access to your database.

Two-factor authentication

Two-factor authentication (2FA) is becoming increasingly common among services that retain sensitive personal information, such as bank accounts. When two-factor authentication is enabled for an account, you need to not only input your password, but also another piece of information that proves you're the real account owner.

You might have experienced 2FA on a service like Facebook. If you're logging in from a new laptop, for example, they may ask you to look at your phone—voilà!—they've sent you a text message with a numeric code. Once you enter that code, Facebook will let you into your account. This is 2FA in action—by supplying both your password and proving you're able to receive messages on a device you own, Facebook now has more reason to believe you are who you say you are.

With 2FA enabled, an attacker needs to not only figure out your password, but also take control of your physical device. And that's a much bigger problem.

SSD Nodes supports 2FA, and strongly recommends you enable 2FA for your dashboard account. You can begin the setup process by clicking on your user icon in the upper right-hand corner, and then clicking on Security settings.

To learn more, visit our blog post on this very topic: Tutorial: Enabling Two-Factor Authentication with SSD Nodes.

Use SSH key authentication

Secure Shell (SSH) is the primary way people connect to their servers. SSH is a secure, encrypted protocol on its own, but there is a way to make it even stronger: SSH authentication keys.

Using authentication keys is similar to using 2FA on your SSD Nodes dashboard—instead of relying solely on passwords to log into your server, you're using a secret key that only you have. You can even password-protect these keys for maximum security.

On your Linux or OS X machine, you can create an SSH key pair using the ssh-keygen tool. Follow the prompts to create your public/private key pair.

    ssh-keygen

On Windows machines, you can use PuTTY, our recommended tool for Windows users who want to connect to their VPS.

For SSH keys that you'll use to log into your VPS and make administrative changes, install programs, or edit files, we highly recommend password-protecting this file. You can also opt to leave the key unprotected, which is more useful for tasks that need to be completed without your intervention, such as automated backups.

Once you create the key, you can copy the public key to your server. This will allow you to log into your server using the SSH key rather than your user password. It's a far more secure method of connecting to your VPS, as someone would have to steal your SSH key to get in.

After you have SSH-based logins working, you can disable password-based logins for an additional layer of security against brute-force attacks. Before you do this, you want to be sure your SSH-based authentication is working, and that the user has sudo access. You will then want to edit /etc/ssh/sshd_config on your server so that both the PermitRootLogin and PasswordAuthentication lines are followed by no, as in the following:

    PermitRootLogin no
    PasswordAuthentication no

You'll then want to restart the SSH server with the following command:

    sudo systemctl restart ssh

For a more comprehensive look into SSH keys, how to set them up, and step-by-step directions of the entire process, visit our tutorial on the topic—Tutorial: SSH authentication setup and improved security.

Once these steps are complete, your server will be significantly more resilient to intrusion by brute-force attackers.
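The sequence above (prove that key login and sudo work, then edit sshd_config, then restart) as an added shell example; this is not code from the SSD Nodes guide or its tutorial. The functions take the config path as a parameter so they can be tried on a copy first; the pre-flight function and the restart commands in the comments apply to a live server, and the user@host value and the systemd unit name ssh are assumptions about your setup.

```shell
#!/usr/bin/env bash
# Added example: pre-flight check, idempotent sshd_config edit, and verification, so
# password logins are only switched off once key logins are proven to work.
# FILE is a parameter; on a live server it is /etc/ssh/sshd_config.

# Confirm key-based login and passwordless sudo work, using key auth only
# (BatchMode disables interactive password prompts). Run this BEFORE hardening.
preflight_key_login() {   # preflight_key_login USER@HOST   (assumed values)
  ssh -o BatchMode=yes -o PasswordAuthentication=no "$1" 'sudo -n true' \
    && echo "key login and sudo OK for $1"
}

# sshd uses the FIRST uncommented occurrence of a keyword, so an earlier line would
# override ours. Rewrite every occurrence (commented or not) instead of appending.
set_sshd_option() {   # set_sshd_option FILE KEYWORD VALUE
  local file="$1" key="$2" value="$3"
  if grep -Eq '^[[:space:]]*#?[[:space:]]*'"$key"'([[:space:]]|$)' "$file"; then
    sed -i -E 's/^[[:space:]]*#?[[:space:]]*'"$key"'([[:space:]].*)?$/'"$key $value"'/' "$file"
  else
    printf '%s %s\n' "$key" "$value" >>"$file"
  fi
}

get_sshd_option() {   # get_sshd_option FILE KEYWORD -> effective value (first match wins)
  awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

verify_sshd_hardening() {   # verify_sshd_hardening FILE -> exit 0 when both options are off
  [ "$(get_sshd_option "$1" PermitRootLogin)" = no ] &&
  [ "$(get_sshd_option "$1" PasswordAuthentication)" = no ]
}

harden_sshd_config() {   # harden_sshd_config FILE -> applies the guide's two settings
  set_sshd_option "$1" PubkeyAuthentication yes
  set_sshd_option "$1" PermitRootLogin no
  set_sshd_option "$1" PasswordAuthentication no
  verify_sshd_hardening "$1"
}

# On a live server, after harden_sshd_config /etc/ssh/sshd_config:
#   sudo sshd -t && sudo systemctl restart ssh    # -t checks the syntax before restarting
# Keep your current session open until a NEW key-based login in a second terminal succeeds.
```

Note that a `Match` block lower in the file can contain its own `PasswordAuthentication` line; set_sshd_option rewrites those too, which is what you want when the goal is no password logins anywhere.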

Enable software firewalls

The core of the Linux firewall system is a suite of tools called iptables—it's highly configurable, flexible, and remains the go-to solution for people wanting to protect their Linux servers from intrusion. iptables uses rules, which instruct the firewall on how to respond to different incoming and outgoing traffic. Rules are highly configurable, so covering all their options is beyond this guide, but we'll cover the basics.

iptables can be difficult for those new to Linux administration, so many distributions come with a tool that helps make configuration easier—these are called wrappers. For example, Ubuntu comes with ufw, which offers a more user-friendly method of creating firewall rules. In CentOS, the default wrapper is firewalld.

You can choose to ignore the wrapper and use iptables directly, or use the wrapper used by your particular distribution, but it's not recommended to do both.

iptables basics

iptables should be installed on your VPS by default. In order to see what rules might be applied already, type sudo iptables -L into your terminal to print out the list of current rules, if any.

    sudo iptables -L

The word list is essential, because rule order matters. The first rules you create will take precedence over the following ones, so the order in which you create rules is critical. For example, let's say your first rule denies all traffic, and your second rule opens port 22 for SSH traffic. When you try connecting to your VPS via SSH, you'll be denied due to the first rule. If you reverse the order, first allowing SSH traffic on port 22 and then denying all traffic, you will be able to connect via SSH while also restricting other ports.

Firewall strategies

Unfortunately, there is no one firewall configuration that works for all needs. Instead, you should investigate what strategy might work best for you, and then reconfigure as needed.

There are two common strategies: explicit allow and explicit deny.

Explicit allow

This is the most common strategy, and likely the most secure. With this strategy, the default rule is to deny all traffic to your VPS, and then explicitly allow access for certain programs/services.

The negative of this strategy is that, if you're new to firewalls, you're much more likely to lock yourself out of your VPS due to incorrect rules, or incorrect ordering of rules. For a good strategy to prevent lock-outs, check out our protip below.

Explicit deny

Whereas the explicit allow strategy denies all traffic by default, the explicit deny strategy allows all traffic by default, and then locks down certain ports that are vulnerable to attack.

Explicit deny prevents the risk of lock-outs, and can be easier for those who need practice creating rules for the first time, but is inherently less secure.

Basic setup for an explicit allow strategy

We won't go into too many details about the syntax behind the following commands, but let's set up a basic explicit allow firewall to allow SSH, HTTP, and HTTPS traffic—this will work for a majority of VPS uses.

First, flush any existing rules:

    sudo iptables -F

Then, allow traffic on ports 22 (SSH), 80 (HTTP), and 443 (HTTPS):

    sudo iptables -I INPUT -p tcp --dport 22 -j ACCEPT
    sudo iptables -I INPUT -p tcp --dport 80 -j ACCEPT
    sudo iptables -I INPUT -p tcp --dport 443 -j ACCEPT

We now have three rules at the beginning of our order. We can now create the final rule to block all other traffic:

    sudo iptables -P INPUT DROP

Protip: Don't get locked out!

Unfortunately, it's common for firewall beginners to lock themselves out of their VPS when creating new rules. In the worst-case scenario, you would need to reinstall your operating system from the dashboard and begin again.

To prevent a lockout, you can set up your VPS to restart iptables in a few minutes' time before setting any rules. This way, if you lock yourself out, you can wait a few minutes for iptables to restart, thereby giving you a clean slate to try again. The delay below is an example value; pick one that gives you enough time to test.

    echo "sudo service iptables restart" | at now + 5 minutes

iptables persistence

By default, iptables rules are temporary. If you restart your VPS, for example, any rules you set up will disappear. In order to make rules stick around, you need to save them.

In CentOS, this is as simple as running the following command:

    sudo /etc/init.d/iptables save

In Ubuntu/Debian, you need to install the iptables-persistent package:

    sudo apt-get install iptables-persistent

Additional resources

- iptables: Linux firewall rules for a basic Web Server
- A secure, standard iptables rule-set for a basic HTTP(s) webserver
- iptables rules to help secure your Linux box
- Linux Server Hardening Security Tips [edition]
- Basic Guide on IPTables (Linux Firewall) Tips / Commands
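The explicit-allow setup and the persistence step above, as one added shell example that is not code from the SSD Nodes guide. It writes the ruleset in the iptables-restore format (the same format iptables-persistent and the CentOS iptables service load at boot), applies it with a rollback timer, and copies it to the persistence path. Two rules the guide's three-command setup leaves out are included: with the INPUT policy set to DROP, replies to connections the server itself opens (apt-get, DNS lookups) and traffic on the loopback device would otherwise be dropped too. The port list 22/80/443 and the five-minute rollback delay are assumptions.

```shell
#!/usr/bin/env bash
# Added example: explicit-allow ruleset generator, rollback-protected apply, persistence.
# Assumptions: ports 22/80/443, a 5-minute rollback, the at(1) daemon installed.

# Print a complete ruleset in evaluation order. Lines starting with '#' are comments
# to iptables-restore; the ':INPUT DROP' header is the policy for unmatched traffic.
explicit_allow_ruleset() {   # explicit_allow_ruleset TCP_PORT...
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback traffic (e.g. MySQL bound to 127.0.0.1) stays allowed
-A INPUT -i lo -j ACCEPT
# Replies to connections this server opened (apt-get, DNS) would otherwise be dropped
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
EOF
  local port
  for port in "$@"; do
    printf -- '-A INPUT -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$port"
  done
  printf 'COMMIT\n'
}

# Apply RULES_FILE after a syntax check, with the current rules scheduled to return in
# MINUTES minutes. If the new rules lock you out, wait; if they work, cancel the timer:
#   sudo atrm "$(cat /tmp/iptables.rollback.job)"
apply_with_rollback() {   # apply_with_rollback RULES_FILE [MINUTES]
  local rules="$1" minutes="${2:-5}"
  iptables-restore --test <"$rules" || return 1      # parse only, applies nothing
  iptables-save >/tmp/iptables.rollback
  echo "iptables-restore </tmp/iptables.rollback" | at now + "$minutes" minutes 2>&1 \
    | awk '/^job/ { print $2 }' >/tmp/iptables.rollback.job
  iptables-restore <"$rules"
}

# Persist: these are the files read at boot by iptables-persistent (Debian/Ubuntu) and by
# the iptables service (CentOS, iptables-services package).
persist_ruleset() {   # persist_ruleset RULES_FILE
  if [ -d /etc/iptables ]; then cp "$1" /etc/iptables/rules.v4
  elif [ -d /etc/sysconfig ]; then cp "$1" /etc/sysconfig/iptables
  else echo "no known persistence location on this system" >&2; return 1
  fi
}

# Typical use on the server, as root:
#   explicit_allow_ruleset 22 80 443 >/tmp/rules.v4
#   apply_with_rollback /tmp/rules.v4 5 && persist_ruleset /tmp/rules.v4
```

Because the allow rules are written before COMMIT and the DROP policy lives in the chain header, the ordering problem described under iptables basics cannot arise: the whole table is loaded atomically in the listed order.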

Limit server-side application access to the internet

If an application you're running on your VPS doesn't need to access the internet, you shouldn't let it—that's just smart security.

Let's use a MySQL database as an example. Let's say you have a MySQL database connected to your Wordpress blog. When someone visits your website and scopes out a few posts, they're not accessing your MySQL database directly—the Wordpress application running on your VPS is actually doing the work to pull information from the database and display it on the user interface.

In this setup, the MySQL database does not need to connect to the entire internet, only to Wordpress. You should ensure the database refuses connections coming from outside the VPS itself.

A simple way to do this is to edit the MySQL configuration file, which is located in either the /etc/mysql/ directory or the /etc/ directory. The file itself is called my.cnf. You'll want to ensure that the bind-address setting points to what's called the loopback network device—essentially, the server itself:

    bind-address = 127.0.0.1

Other users might want to take this a step further by uncommenting the option that reads skip-networking.

    Commented:    # skip-networking
    Uncommented:  skip-networking

This change will prevent MySQL from listening for any TCP/IP connections, meaning all interaction with the database will have to be done via Unix sockets. Unless you are using multiple servers that connect to each other (a far more advanced configuration), this is the recommended option.

Firewalls are also an effective method of preventing access to a MySQL installation via the port that it listens on for connections (3306 by default). It's possible to restrict the port directly, or restrict access based on groups. If you use the recommended explicit allow firewall setup, port 3306 will be blocked by default—and you should keep it that way!

Protip: Another excellent method of ensuring the overall security of your MySQL database is to use a program included in your installation called mysql_secure_installation. This program will help improve your database's security by ensuring that root accounts have passwords (secure ones, hopefully), removing root accounts that are accessible from outside the server itself, removing anonymous users, and more.

    sudo mysql_secure_installation

The example above is just a quick look into the philosophy behind limiting server-side applications from accessing the internet. There are too many other examples to possibly cover them here.

But keep in mind this rule of thumb: if an application or service doesn't need to directly access traffic from the internet, it shouldn't be allowed to.
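An added shell example (not the guide's own code) for checking the MySQL exposure described above: mysqld_option reads the value MySQL will actually use from the [mysqld] section of a my.cnf (the last occurrence wins when an option is repeated, and bind_address and bind-address are the same option), and mysql_network_exposure decides whether the server can be reached over TCP from outside the VPS. The config path and the sample file in the test are constructed; on a real server also check any files pulled in with !include.

```shell
#!/usr/bin/env bash
# Added example: audit my.cnf for bind-address / skip-networking. Paths are assumptions.

# Print the effective value of KEY in the [mysqld] section of FILE. MySQL takes the LAST
# occurrence when an option is repeated; a flag option written without "=" prints "on".
mysqld_option() {   # mysqld_option FILE KEY   (KEY with hyphens, e.g. bind-address)
  awk -v key="$2" '
    /^[ \t]*\[/ { in_mysqld = ($0 ~ /^[ \t]*\[mysqld\][ \t]*$/); next }
    !in_mysqld || /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
    {
      line = $0
      sub(/[ \t]+[#;].*$/, "", line)                      # drop a trailing comment
      n = split(line, kv, "=")
      k = kv[1]; gsub(/[ \t]/, "", k); gsub(/_/, "-", k)  # bind_address == bind-address
      v = (n > 1) ? kv[2] : "on"
      gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (k == key) last = v
    }
    END { print last }' "$1"
}

# Exit 0 when MySQL cannot be reached over TCP from outside the VPS, 1 otherwise.
# An unset bind-address means "listen on every interface" on current MySQL/MariaDB.
mysql_network_exposure() {   # mysql_network_exposure FILE
  local file="$1" skip bind
  skip=$(mysqld_option "$file" skip-networking)
  bind=$(mysqld_option "$file" bind-address)
  case "$skip" in
    on|1|ON|true|TRUE) echo "OK: skip-networking set; Unix-socket connections only"; return 0 ;;
  esac
  case "$bind" in
    127.0.0.1|::1|localhost) echo "OK: bound to loopback only ($bind)"; return 0 ;;
    ""|0.0.0.0|::|\*) echo "WARNING: MySQL listens on every interface (bind-address=${bind:-unset})"; return 1 ;;
    *) echo "CHECK: bound to $bind; make sure the firewall blocks 3306 from the internet"; return 1 ;;
  esac
}

# Runtime confirmation of what the running server listens on (assumes iproute2's ss).
mysql_listeners() {
  ss -tln '( sport = :3306 )'
}

# Typical use: mysql_network_exposure /etc/mysql/my.cnf && mysql_listeners
```

The config check and the socket check complement each other: the file tells you what will happen after the next restart, `ss` tells you what is true right now.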

Update, update, update

No matter what OS, software, and services you're using on your new server, you want to ensure that they're always up-to-date. The developers behind Linux distributions (Ubuntu, Debian, CentOS, and so on) are constantly updating software to patch and mitigate security issues. Not upgrading regularly can leave your server vulnerable to known, exploitable flaws. Luckily, most Linux distributions (and all those available through SSD Nodes) come with a package manager that makes updates incredibly easy.

Ubuntu/Debian

For Ubuntu/Debian, the updating process uses a tool called apt.

    sudo apt-get update
    sudo apt-get upgrade

The first command updates the list of available software, and the second downloads and installs any new updates for software you currently have installed.

CentOS

On recent versions of CentOS, you can use the yum tool instead.

    sudo yum update

After executing the command, you will need to agree to update the listed software packages.

Avoiding installations with deb/rpm

It can be tempting to use the tools behind these package management systems—deb and rpm, respectively—to install packages that might not be found within the system itself. At SSD Nodes, we recommend against this practice, namely because packages installed this way won't be tracked or automatically updated. In addition, you can create dependency issues if you aren't fully aware of the consequences of installing a certain package.

As a rule of thumb, only install software with the appropriate package manager for your system (apt or yum).

If you're in critical need of a certain piece of software that isn't available in the package management system, but want to avoid using deb/rpm directly, you might be able to use a repository created by a developer. In Ubuntu, for example, these are called Personal Package Archives (PPAs). Installing software from a PPA will ensure that it's tracked in the package management system and updated when new versions become available, but Ubuntu developers warn that PPAs are a low-security alternative to the main repositories.

Other software

If you're using your server to host a web application built on a platform that has its own package manager—Node JS and npm, for example—you'll want to make sure that you're also keeping those packages up-to-date whenever possible. Each tool will have its own method of updating packages, whether individually or globally. For example, with npm, you can globally update all installed packages with one command.

    npm update -g

A general rule is that the larger and more popular a platform is, the more critical it is tobe timely with security updates. Wordpress, for example, has both a large codebasewith lots of dependencies and is extremely popular, leading to frequent securitypatches that hackers can take advantage of if you don’t update regularly.

Block intruders with fail2ban

As we've said before, hackers are regularly probing servers—even those that rely on SSH keys rather than passwords—in search of ways to get access. Obviously, strong passwords and SSH key-based logins (while also disabling password-based logins) can help mitigate those issues, but it's also possible to prevent hackers from even trying a brute force attack to begin with.

Enter fail2ban, which blocks would-be intruders from gaining access to your server via a firewall. After a certain number of unsuccessful login attempts, that IP will automatically be added to a blocklist in the firewall, preventing any further access attempts.

On Ubuntu or Debian, installing fail2ban is quite easy.

    sudo apt-get install fail2ban

On CentOS, you need to install the EPEL repository before installing fail2ban.

    sudo yum install epel-release
    sudo yum install fail2ban

Once installation completes, fail2ban will be running, and your VPS will immediately be more secure from automated tools that are trying to sneak their way in.

Configuring fail2ban

You might want to edit the configuration file, which allows you to specify how many failed attempts will lead to a ban, how long the ban should last, and so on. To do that, copy the default configuration file to a new version that's unique to your server, and then open it with your favorite editor, like nano.

    sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
    sudo nano /etc/fail2ban/jail.local

Once you've dialed in your configuration, just restart the fail2ban service.

    Ubuntu/Debian:  sudo service fail2ban restart
    CentOS:         sudo systemctl restart fail2ban

Additional resources

- http://www.fail2ban.org/wiki/index.php/HOWTOs
- https://fedoraproject.org/wiki/Fail2ban_with_FirewallD
- https://help.ubuntu.com/community/Fail2ban
- https://www.howtoforge.com/tutorial/how-to-install-fail2ban-on-centos/
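A jail.local that sets the three values the paragraph above mentions (attempts, ban length, observation window) plus an allow-list for your own address, as an added example that is not from the SSD Nodes guide. The numbers are illustrative choices, the 203.0.113.0/24 range is a documentation-range placeholder for your own network, and the settings override jail.conf only for the keys they name.

```ini
# /etc/fail2ban/jail.local (added example; values are illustrative, not the guide's)
[DEFAULT]
# Ban for one hour once 5 failed attempts occur within 10 minutes (seconds)
bantime  = 3600
findtime = 600
maxretry = 5
# Never ban localhost or your own network (203.0.113.0/24 is a placeholder)
ignoreip = 127.0.0.1/8 ::1 203.0.113.0/24
# Firewall action; on CentOS with firewalld use firewallcmd-ipset instead
banaction = iptables-multiport

[sshd]
enabled = true
# If you moved SSH off port 22, name the new port here so the ban covers it
port    = ssh
```

After restarting the service, `sudo fail2ban-client status sshd` shows the jail's current ban list and counters, which is the quickest way to confirm the jail is reading the right log.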

Beyond the 6 steps to secure servers

This guide only covers six key steps for securing your new VPS—there are dozens, if not hundreds, more. Once you're finished with this guide, your VPS will be far more resilient to attack, but you can still take your security to the next level with additional resources.

Thanks so much for reading, and congratulations on your new VPS!

Of course, if you haven't invested in SSD Nodes yet,

Guides/tutorials

- My First 5 Minutes On A Server; Or, Essential Security for Linux Servers
- How To Make Your Linux Server More Secure
- Basic sshd hardening
- Linux Server Hardening Security Tips
- Hardening Security Tips for Linux Servers

For the very brave, Red Hat has a comprehensive guide to security that can be adopted for other Linux variants.

Other areas of interest

- Turn off or uninstall unneeded services.
- Create unique user accounts for web server processes that have read access to only the relevant files/directories.
- Restrict write access for web server users to all directories except when explicitly needed, such as for image uploads in Wordpress.
- Change your SSH port to something other than 22, and then block port 22 with your firewall.
- Enable automatic updates.
- Set up automated backups, and then test that they work!

What are you hosting for?

SSD Nodes creates high-value cloud computing for developers who want to make the web amazing.

Why you'll love us

Get way more for way less. Speed, price, quality — pick all three. Save at least 600/year by switching to SSD Nodes from high-priced competition, and extend your savings with new three-year plans. Run e-commerce, web apps, high-traffic blogs, and so much more on a platform built on Intel Gold processors, SSD drives, and 10Gbps networks.

An innovative dashboard. Forget inane, half-functional experiences—our newly-refreshed dashboard gives you power and puts it in a pretty package to boot.

A real human touch. We're a small bunch and we love what we do, which is why we offer industry-leading guarantees, a 100% SLA, and customer service that works for you.

ssdnodes.com

