VPS Security and Firewalls

admin

Administrator
Staff member
If you are new to using a VPS (Virtual Managed Server), would VPS security and hardening be of importance to you? Sure it would.

I have done a little digging around and found the following that are free of charge to beef up the security of a Linux VPS.

ConfigServer Security and Firewall
http://www.configserver.com/cp/csf.html


Advanced Policy Firewall (APF)
https://www.rfxn.com/projects/advanced-policy-firewall/


ModSecurity
ModSecurity is an open source, cross-platform web application firewall (WAF) module. Known as the "Swiss Army Knife" of WAFs, it enables web application defenders to gain visibility into HTTP(S) traffic and provides a powerful rules language and API to implement advanced protections.
https://www.modsecurity.org


Uncomplicated Firewall (ufw)
The Uncomplicated Firewall (ufw) is a frontend for iptables and is particularly well-suited for host-based firewalls. ufw provides a framework for managing netfilter, as well as a command-line interface for manipulating the firewall. ufw aims to provide an easy to use interface for people unfamiliar with firewall concepts, while at the same time simplifying complicated iptables commands to help an administrator who knows what he or she is doing. ufw is an upstream for other distributions and graphical frontends.
https://wiki.ubuntu.com/UncomplicatedFirewall
http://netfilter.org/


Lynis
Lynis is an open source security auditing tool. Used by system administrators, security professionals, and auditors, to evaluate the security defences of their Linux/Unix-based systems. It runs on the host itself, so it performs more extensive security scans than vulnerability scanners.
https://cisofy.com/lynis/



Please feel free to add to this thread on your personal recommendations on how to secure your VPS.
 

Genesis

Administrator
Staff member
Great thread and post @DJB! I've stickied it.

I'd say security is a million times more of a responsibility when one is managing a VPS than a shared hosting account. I had a very interesting recent experience. I was trying out DirectAdmin from an Admin point of view and for the heck of it got a VPS just for two months to see what the Admin Dashboard looks like. And here's the strange thing that happened. I got DDoSed even before I started to work on the VPS. The VPS came loaded with DirectAdmin, and the moment I opened the DirectAdmin messages, I received loads of DDoS notifications.

So here's maybe something to add: check out the IP that has been given to you. Because there is a shortage of IPv4 addresses, they're getting recycled, and there may be a history with the IPv4 address one doesn't know about. Also, get more up to date with IPv6, as one obviously stands a much greater chance, particularly in the foreseeable future, of getting clean IPv6 addresses vs. used IPv4 ones.

Also, one can beef up one's security in a million ways, but it will never compensate for being in the company of scammers and spammers. VPSs are viral out there on the Web. And there doesn't seem to be some authority who is checking out the thousands of scam links and offers. So I'd say security No. 1 would be to select your VPS host carefully. Gigarank would be tops in that department. The VPS I got here, even with its low specs, has been a GEM, and kudos to our Admin for setting it up as well!
 

FlamesRunner

New member
I'd like to add port knocking - it is very useful in preventing people from even finding your SSH port.
Many tools are within users' reach, and the best way to know what works is to try it.

My last suggestion is security auditing, as those are crucial to having a secure server. I'm currently using AIDE (Advanced Intrusion Detection Environment) and I currently receive daily emails on what in my filesystem has changed.

You can find AIDE here: http://aide.sourceforge.net/
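The mechanism AIDE automates, as an added illustration that is not part of the thread and not AIDE's own code: hash every file once (the baseline), hash again later, and report what was added, changed or removed. It assumes GNU coreutils (sha256sum, mktemp) and a directory tree; the tree and the tampering in the demo are constructed here. AIDE additionally records owner, mode, inode, mtime and more, and its database should be kept off-box or signed so an intruder cannot re-baseline for you.

```shell
#!/bin/sh
# Added illustration of what AIDE does under the hood (not AIDE's own code):
# snapshot a hash of every file, later re-hash and diff the two snapshots.
# This toy records only the SHA-256 of regular files. Assumes GNU coreutils.

# fim_baseline DIR DB -> write "sha256 ./relative/path" for every regular
# file under DIR into DB, sorted so two baselines of the same tree diff cleanly
fim_baseline() {
    (cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s %s\n' "$(sha256sum "$f" | cut -d' ' -f1)" "$f"
    done) >"$2"
}

# fim_check DIR DB -> print "added|changed|removed PATH", one line per
# difference between DB and the tree as it is now; return 1 if any, else 0
fim_check() {
    now=$(mktemp)
    fim_baseline "$1" "$now"
    report=$(awk '
        FILENAME == ARGV[1] { old[$2] = $1; next }      # baseline entries
        {
            if (!($2 in old))        print "added   " $2
            else if (old[$2] != $1)  print "changed " $2
            seen[$2] = 1
        }
        END { for (f in old) if (!(f in seen)) print "removed " f }
    ' "$2" "$now" | LC_ALL=C sort)
    rm -f "$now"
    [ -n "$report" ] && printf '%s\n' "$report" && return 1
    return 0
}

# Demo on a constructed tree: take a baseline, tamper, re-check.
demo_dir=$(mktemp -d); demo_db=$(mktemp)
printf 'server {}\n' >"$demo_dir/nginx.conf"
printf 'root:x:0:0\n' >"$demo_dir/passwd"
fim_baseline "$demo_dir" "$demo_db"      # run once after install, then daily from cron
printf 'root:x:0:0\nbackdoor:x:0:0\n' >"$demo_dir/passwd"   # tamper with a file
printf 'evil\n' >"$demo_dir/.hidden.sh"                     # drop a new file
if fim_check "$demo_dir" "$demo_db"; then
    echo "no changes"
else
    echo "=> integrity violations above; investigate before re-baselining"
fi
```

A cron job that runs fim_check and mails the output is the daily report described above; the important operational rule is the same as with AIDE: only refresh the baseline after you have explained every reported change.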
 

fitkoh

Member
Another good idea is to use RSA keys for login rather than old-fashioned passwords. In the end, it actually makes the login process much easier. You can disable password logins completely and make it very difficult for anyone to brute-force their way in.

Another utility I like is fail2ban - an intrusion prevention system that monitors your access logs for certain events and runs scripts accordingly.
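A check for the key-only policy described above, as an added example that is not part of the thread: it reads an sshd_config the way sshd does (first uncommented global directive wins, commented lines are ignored, a Match block ends the global section) and reports which settings still permit password logins. The two configs in the demo are constructed here; the compiled-in defaults used for missing directives are those of OpenSSH 7.x/8.x.

```shell
#!/bin/sh
# Added example (not from the thread): check whether an sshd_config actually
# enforces key-only login. Prints one OK/WEAK line per setting; exit status
# 0 = hardened, 1 = at least one weak setting.
#
# Client-side steps this audit assumes you have already done:
#   ssh-keygen -t ed25519 -a 64 -f ~/.ssh/vps_ed25519
#   ssh-copy-id -i ~/.ssh/vps_ed25519.pub user@vps
# Only after a key login works in a SECOND session should you set
# PasswordAuthentication no and reload sshd; otherwise you lock yourself out.

# effective_value FILE KEY DEFAULT -> the value sshd will use for KEY:
# the FIRST uncommented global occurrence wins (later duplicates are
# ignored), "#Key value" lines are only documentation, and a "Match"
# block ends the global section. Falls back to DEFAULT if absent.
effective_value() {
    v=$(awk -v k="$2" '
        tolower($1) == "match"     { exit }
        tolower($1) == tolower(k)  { print tolower($2); exit }
    ' "$1")
    printf '%s\n' "${v:-$3}"
}

# audit_sshd FILE -> compare each setting with its hardened value.
# Spec fields: directive : wanted value : compiled-in default (a config
# that never mentions PasswordAuthentication still allows passwords).
audit_sshd() {
    rc=0
    for spec in \
        "PasswordAuthentication:no:yes" \
        "ChallengeResponseAuthentication:no:yes" \
        "PubkeyAuthentication:yes:yes" \
        "PermitRootLogin:no:prohibit-password" \
        "PermitEmptyPasswords:no:no"
    do
        key=${spec%%:*}; rest=${spec#*:}; want=${rest%%:*}; def=${rest#*:}
        have=$(effective_value "$1" "$key" "$def")
        if [ "$have" = "$want" ]; then
            printf 'OK    %-32s %s\n' "$key" "$have"
        else
            printf 'WEAK  %-32s %s (want %s)\n' "$key" "$have" "$want"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample 1: looks hardened at a glance but is not. The commented
# line does nothing, and the "no" inside the Match block only covers "deploy".
weak=$(mktemp)
cat >"$weak" <<'EOF'
Port 22
#PasswordAuthentication no
PermitRootLogin yes
Match User deploy
    PasswordAuthentication no
EOF

# Constructed sample 2: what the global section should look like.
hardened=$(mktemp)
cat >"$hardened" <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
EOF

for f in "$weak" "$hardened"; do
    if audit_sshd "$f"; then echo "=> $f: key-only"; else echo "=> $f: still accepts passwords"; fi
done
# Against the live config: audit_sshd /etc/ssh/sshd_config
```

On OpenSSH 8.2 and later, an Include directive can pull in drop-in files that override what this script reads, so the authoritative answer on the server itself is `sshd -T | grep -i passwordauthentication`, which prints the effective value after all includes and defaults.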
 

MikeGao

New member
I believe changing the default SSH port and the VNC port will also be helpful. And yes, a stronger password is needed. There are many people scanning ports and brute-forcing passwords, which is very annoying.
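What fail2ban's sshd jail does with those brute-force attempts, reduced to its core as an added example that is not part of the thread and not fail2ban's code: count "Failed password" lines per source address in auth.log and ban any address that reaches maxretry. The log lines are constructed here, and the ban step only prints the iptables rule so the script runs safely anywhere.

```shell
#!/bin/sh
# Added example (not from the thread, not fail2ban's code): the logic behind
# fail2ban's sshd jail. Count "Failed password" lines per source address and
# ban every address at or over maxretry. The ban only prints the rule.

# Constructed sample of /var/log/auth.log (not a real capture): one scanner
# cycling through usernames, one legitimate user who mistyped once before
# logging in with a key, and one single probe.
AUTH_LOG=$(mktemp)
cat >"$AUTH_LOG" <<'EOF'
Mar  3 10:01:02 vps sshd[2201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar  3 10:01:05 vps sshd[2201]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar  3 10:01:09 vps sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Mar  3 10:01:11 vps sshd[2205]: Failed password for invalid user from from 203.0.113.7 port 51244 ssh2
Mar  3 10:01:15 vps sshd[2207]: Failed password for invalid user test from 203.0.113.7 port 51250 ssh2
Mar  3 10:02:30 vps sshd[2210]: Failed password for alice from 198.51.100.20 port 40022 ssh2
Mar  3 10:02:41 vps sshd[2210]: Accepted publickey for alice from 198.51.100.20 port 40022 ssh2
Mar  3 10:03:00 vps sshd[2215]: Invalid user admin from 192.0.2.99 port 33000
Mar  3 10:03:01 vps sshd[2215]: Failed password for invalid user admin from 192.0.2.99 port 33000 ssh2
EOF

# offenders LOG MAXRETRY -> "count ip" for every source with >= MAXRETRY
# failures, highest first. The address is taken from the fixed tail
# "from IP port N ssh2" instead of by searching for the word "from", because
# the username in between is attacker-chosen (see the user named "from"
# above) and must not be able to skew the parse.
offenders() {
    awk -v max="$2" '
        /sshd\[[0-9]+\]: Failed password for/ && NF >= 5 &&
        $(NF-4) == "from" && $(NF-2) == "port" { n[$(NF-3)]++ }
        END { for (ip in n) if (n[ip] >= max) print n[ip], ip }
    ' "$1" | sort -rn
}

# ban IP -> the rule fail2ban's iptables action would insert; printed, not run.
ban() {
    echo "iptables -I INPUT -s $1 -p tcp --dport 22 -j DROP"
}

# Demo with fail2ban's default maxretry of 5.
offenders "$AUTH_LOG" 5 | while read -r count ip; do
    echo "# $ip: $count failed logins"
    ban "$ip"
done
```

The real jail also limits the count to a sliding window (findtime), lifts the rule after bantime, and on modern systems reads the journal instead of a file; `fail2ban-client status sshd` shows what it has currently banned. Moving SSH to another port does not change any of this, it only thins out the noise from scanners that try port 22 alone.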
 

catcher

New member
Code:
apt-get update; apt-get upgrade
Code:
# the same, non-interactive and with all output discarded (for cron)
apt-get -y --force-yes update > /dev/null 2>&1 && apt-get -q -y --force-yes upgrade > /dev/null 2>&1

I am using this approach on Debian for a few years now and never had a problem with new updates - those always work fine.

Regards,
Tomas Tudja
 

catcher

New member
If you have a web application built on a Linux VPS, it's a good idea to run a vulnerability scan against it. This way you can see if there are any security related issues with your web application and act accordingly (fix the system and web application code if necessary).

There are two very good web security scanners out there in the open-source community:

Vega
Skipfish

Both are very configurable and provide a test results write-up at the end of the test.

Regards,
catcher
 

blunix

New member
To install automatic security upgrades (install normal ones by hand!):

apt-get install unattended-upgrades; dpkg-reconfigure unattended-upgrades (choose yes)

Please don't fiddle with stuff like this in your crontab. There are solutions for this ;)

Then understand and install shorewall, and then fail2ban. That should do for starters.
 

dtx0

New member
If you want more verbose tracking, an IDS can do wonders (e.g., Snort and Suricata). Whilst Snort has been around much longer, I made the switch to Suricata for a few of my test systems because of its multi-threaded design. If, however, you're limited to a single processor, then, Snort is a win-win. Note, though, that an IDS is not a panacea and can actually weaken one's system's security if improperly configured.
 

GigaGreg

Moderator
Staff member
I should have installed something on mine ages ago, but I'm not really worried; people could have DDoS'ed me, but they haven't done it yet.

However, when I do something, i.e. playing around and reinstalling the OS, everything gets deleted :( so installing this software when just playing around is optional and not needed, unless you settle down and make a project that must be secure.
 

Genesis

Administrator
Staff member
I personally like ConfigServer. It's user friendly. Fail2ban is also user friendly. ConfigServer is my preference though.
 

Genesis

Administrator
Staff member
Fat_Jay said:
    Will go look at ConfigServer

    Does it take out the fun of editing and reading the config files?

No. It just makes things much easier. And there's a free version as well.
 

ckonline

New member
Hi there,

It depends on the level of security you need and what the purpose of the VPS might be.
For example, if it is for webhosting the situation is different than it would be for a Terminal Server or Virtual Desktop / Private Cloud.
If it is for Private Cloud / Virtual Desktop, I would work with IP addresses. So, only from certain IP addresses would the login be accepted.
In regards to firewalls, I recommend pfSense. They have a free version which comes with everything you need. They even have a lot of additional tools from third parties that can be installed.
Using different providers might also be helpful. Setting up the pfSense for example with Amazon, and using the VPS with OVH or any other preferred supplier, already gives you more options to avoid attacks.
All the other above mentioned tools are definitely worth checking out as well. I personally don't like automatically installed updates except for security updates. The reason for that is that you never know how buggy some updates might be. In other words, you might get a problem on a system that was working without any issues before.

Best,
CK
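The "only from certain IP addresses" login policy described above, as an added example that is not part of the thread: a default-deny ufw ruleset that accepts SSH only from an admin allowlist. It assumes IPv4 sources, Ubuntu/Debian ufw syntax and the hypothetical addresses in the demo; the rules are validated and printed rather than applied, so you can review them before piping them into a root shell. The lockout check is the caveat every practitioner learns once: enabling a default-deny firewall over SSH from an address you forgot to allow ends the session and every session after it.

```shell
#!/bin/sh
# Added example (not from the thread): default-deny ufw policy with SSH
# allowed only from an admin allowlist. Rules are generated, validated and
# printed; pipe the output into sh as root to apply. IPv4 only.

# valid_cidr ADDR[/PREFIX] -> 0 if a well-formed IPv4 address or network
valid_cidr() {
    printf '%s\n' "$1" | awk -F'[./]' '
        NF != 4 && NF != 5 { exit 1 }
        {
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
            if (NF == 5 && ($5 !~ /^[0-9]+$/ || $5 > 32)) exit 1
        }
    '
}

# lockout_check CIDR... -> refuse if the session you are typing in comes
# from an address that is not in the list. Exact /32 match only; if you
# allow a wider network, verify it covers you before enabling.
lockout_check() {
    [ -n "${SSH_CONNECTION:-}" ] || return 0       # not over ssh: nothing to lose
    me=${SSH_CONNECTION%% *}                        # client address is the first field
    for src in "$@"; do
        [ "$src" = "$me" ] || [ "$src" = "$me/32" ] && return 0
    done
    echo "refusing: your own address $me is not in the allowlist" >&2
    return 1
}

# ssh_allow_rules PORT CIDR... -> print the ufw commands; non-zero and
# nothing printed if any source is malformed or would lock you out.
ssh_allow_rules() {
    port=$1; shift
    [ "$#" -gt 0 ] || { echo "no sources given" >&2; return 1; }
    for src in "$@"; do
        valid_cidr "$src" || { echo "malformed source: $src" >&2; return 1; }
    done
    lockout_check "$@" || return 1
    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"
    for src in "$@"; do
        echo "ufw allow from $src to any port $port proto tcp"
    done
    echo "ufw --force enable"                      # --force skips the confirmation prompt
}

# Demo: SSH on 22 from a hypothetical office /24 and one home address.
# To apply for real:  ssh_allow_rules 22 198.51.100.0/24 203.0.113.7 | sudo sh
ssh_allow_rules 22 198.51.100.0/24 203.0.113.7
```

Check the result with `ufw status numbered`. With the pfSense-in-front layout described above, the allowlist shrinks to the pfSense box's public address, which is the point of that design; anything that needs to reach the VPS goes through the firewall first.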