Here are some very simple steps you can take to beef up security on your
VPS, in order to decrease your chances of getting hacked.
Part 1: SSH
There are two very critical things we need to do to SSH. SSH is like the drawbridge to your castle. You can make everything else as strong as you like, but if SSH is wide open, anyone can get in.
We're going to edit the SSHd config file, which is located at /etc/ssh/sshd_config
The two simplest things we can do to tighten security here are to change the port and the protocol version.
Change the lines:
Code:
Port 22
Protocol 2, 1
To:
Code:
Port 222
Protocol 2
Please note that you can change the port to just about anything you like; just avoid staying on port 22.
Now save the file, and restart sshd.
For RedHat/CentOS VEs:
Code:
service sshd restart
Everyone else:
Making this one simple change will really throw a monkey wrench in the hackbot brute-force tactic.
Part 2 (Optional): The scanscript!
I use this one on my personal servers.
Code:
#!/bin/bash
# Scan /var/log/secure for attackers and block every address found with iptables.
# Cleaned up: work in a private temp dir instead of the current directory,
# de-duplicate with sort -u (the original sed loop matched substrings, so
# 10.0.0.1 also wiped 10.0.0.10), and only feed well-formed IPv4 addresses
# to iptables.
secure=/var/log/secure
saved=/etc/sysconfig/iptables
work=$(mktemp -d /tmp/scan.XXXXXX) || exit 1
trap 'rm -rf "$work"' EXIT
tmp=$work/tmp
ttt=$work/ttt
touch "$tmp"
# disabled IPs can be obtained from /etc/sysconfig/iptables:
# take the address that follows "-s" on every DROP rule (strip a /32 mask),
# so this does not depend on the exact column layout of the saved file.
# Bans survive a log rotation only if they were persisted there first
# (service iptables save).
if [ -r "$saved" ]; then
    awk '/-j DROP/ { for (i = 1; i < NF; i++) if ($i == "-s") print $(i+1) }' "$saved" \
        | sed 's#/32$##' >> "$tmp"
fi
# ------------------------ DoS attacks rule -------------------------
# identity mismatch in secure
grep "Did not receive identification string" "$secure" | awk '{print $12}' >> "$tmp"
# Invalid user
grep "Invalid user" "$secure" | awk '{print $10}' >> "$tmp"
# Maximum login
grep "Maximum login" "$secure" | awk '{print $7}' | sed 's/.*\[\(.*\)\])/\1/g' >> "$tmp"
#
# ------------------ reduce redundant IPs from tmp file -------------
# keep only lines that look like a dotted-quad IPv4 address, one copy each
grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' "$tmp" | sort -u > "$ttt"
#
# ------------------ activate detected IPs --------------------------
# NOTE: -F flushes every rule in the filter table, not just the DROPs this
# script added; any other firewall rules you rely on must be re-added after it.
/sbin/iptables -F
while read -r ip
do
    /sbin/iptables -A INPUT -s "$ip" -j DROP
done < "$ttt"
# -----------------end of shell script-------------------------
This script goes into a file, let's call it scan.sh. Make this file executable:
Now we'll cron it to run every five minutes:
At the bottom, add a line like:
Code:
0-59/5 * * * * /root/scan.sh
(make this point at your actual script)
What this does is scan your /var/log/secure log file every five minutes for failed logins, dictionary attacks, and some DoS attempts. If it finds any, it adds the offending IPs to your iptables rules, effectively locking them out for good.
Part 3: /etc/passwd
Your /etc/passwd file tells your machine what users exist on your server, what groups they are in, and what shell they are to have access to when logging in.
In order to seal up another security hole, we're going to make sure only the user accounts YOU select can login via SSH at all. Open up your /etc/passwd in your favourite text editor.
Every line is going to look something like this:
Code:
root:x:0:0:root:/root:/bin/bash
This tells the machine which account it is, the user ID, the group ID, and most importantly, the shell.
In this case, root gets /bin/bash.
Any user account that you want to be able to log in should end with /bin/bash.
Any other account should get /sbin/nologin.
This will give any potential hackers even less of a chance of breaking into your server.
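As an added example (not part of the original post), a small script that audits a passwd file and lists every account that still gets an interactive shell, so you can confirm Part 3 took effect. It assumes /sbin/nologin, /usr/sbin/nologin and /bin/false are the only non-login shells in use; anything else in field 7 is treated as a real shell.

```shell
#!/bin/bash
# Added example: list login-capable accounts in a passwd-format file.
# Prints one "user:uid:shell" line per account whose 7th field is a real
# shell. Returns 0 when root (UID 0) is the only such account, 1 otherwise,
# so it can be used as a check in a script or cron job.
audit_login_shells() {
    local file=${1:-/etc/passwd}
    awk -F: -v rc=0 '
        # skip blank lines, comments and malformed lines
        NF < 7 || /^#/ { next }
        # non-login shells (assumed list); everything else counts as a shell
        $7 == "/sbin/nologin" || $7 == "/usr/sbin/nologin" || $7 == "/bin/false" { next }
        {
            print $1 ":" $3 ":" $7
            if (!($1 == "root" && $3 == 0)) rc = 1
        }
        END { exit rc }' "$file"
}

# run against a file given on the command line, e.g. ./audit.sh /etc/passwd
if [ $# -gt 0 ]; then
    audit_login_shells "$1"
fi
```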