• Cloud and VPS Servers Security guidelines

    From StackFault@700:100/33 to All on Sat Jan 12 20:20:45 2019
    Hi!

    I wanted to start a thread regarding VPS and smaller cloud-based server hardening practices and security best practices.

    I would like anyone to contribute steps and/or configuration based on
    their own experience to enhance this and hopefully make it better.

    Here are the basic steps I do when I set up a VPS hosted directly on the Internet, with no other network security devices in place. Since the
    specifics of each requirement can change, this will only cover the basic server setup.

    1. Install a recent, proven and supported distro.
    2. Disable any unneeded services and verify which ports are open using the
    various commands (netstat, ss, etc).
    3. Create a regular user and add it to sudoers, do not use root for your daily
    use and use sudo for privileged commands.
    4. Generate an SSH keypair and add the public key in
    ~/.ssh/authorized_keys and set permissions to 400 (r--------)
    5. Test you can connect using your SSH key.
    6. Harden your SSH configuration by increasing the server key size, disabling
    weak ciphers, weak hashing algorithms and password authentication.
    7. You may also want to change the SSH port to reduce the amount of
    neverending port scanning log entries. Changing the port won't increase
    security.
    8. Install and configure fail2ban to blacklist users with too many bad
    passwords (won't affect you, you use an SSH key remember?!).
    9. Install and configure ufw. You can then only open the services you want
    accessible and define authorized sources. No complex iptables knowledge
    required. Don't forget to enable it after its configuration.
    10. Bind as many services as possible to the loopback interface; if not needed, don't open
    it.
    11. Use SSH tunnelling for your administration tasks like managing a database
    or accessing a service running locally on the server that the public doesn't need
    to access. Don't expose services not required to be publicly accessible.
    12. Install and configure logrotate to make sure your logs are rotated,
    compressed and removed after a defined period, avoiding high storage usage.
    13. If you install a web service, secure it with Let's Encrypt using certbot
    and test your configuration against SSL Labs' testing service. Get the
    highest score you can get while keeping device compatibility.
    14. Validate your network exposure remotely on a frequent basis.
    15. Ensure proper security banners, proper audit configuration and logging are
    in place.
    16. Set up proper email so your server can email you its notifications. Most
    distros will send emails to root for issues; make an alias to your email so
    you get them in a central place. You will most likely have to replace the
    mailer with something capable of sending Internet mail like postfix.
    17. Get an outsider you trust to test your configuration to make sure you didn't
    forget anything.

    These few steps will make your system much more secure.

    Cheers!

    StackFault <..PhENoM..>
    The Bottomless Abyss BBS
    ssh.2222 / telnet.2023 / https
    bbs.bottomlessabyss.net

    --- Mystic BBS v1.12 A39 2018/04/21 (Linux/64)
    * Origin: The Bottomless Abyss BBS þ bbs.bottomlessabyss.net (700:100/33)
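Added example, not code from the post above: a small offline audit script that checks an sshd_config file and an authorized_keys file against steps 4, 6 and 7 of the list (owner-only key file permissions, password authentication and root login disabled, an explicit cipher and MAC list without legacy algorithms, and whether a non-default port is in use). The file paths, the two constructed sample configs and the legacy cipher/MAC patterns it flags are assumptions of this example; sshd_config keyword=value syntax and per-user Match blocks are deliberately not evaluated.

```shell
#!/bin/sh
# Added example (not from the original post): offline audit of an sshd_config
# and an authorized_keys file. Sample inputs are constructed below.

# Effective value of KEY in FILE. sshd uses the FIRST uncommented occurrence
# of a keyword (keywords are case-insensitive); settings after a "Match" line
# are conditional, so the scan stops there (assumption: no keyword=value form).
sshd_get() {
    awk -v k="$2" '
        tolower($1) == "match"    { exit }
        tolower($1) == tolower(k) { print $2; exit }
    ' "$1"
}

# Audit FILE against steps 6 and 7; print one line per finding and return the
# number of findings (0 means every check passed).
sshd_audit() {
    f=$1; n=0
    [ "$(sshd_get "$f" PasswordAuthentication)" = "no" ] \
        || { echo "FAIL: PasswordAuthentication is not 'no'"; n=$((n+1)); }
    [ "$(sshd_get "$f" PermitRootLogin)" = "no" ] \
        || { echo "FAIL: PermitRootLogin is not 'no'"; n=$((n+1)); }
    # PubkeyAuthentication defaults to yes; only an explicit "no" is a finding.
    [ "$(sshd_get "$f" PubkeyAuthentication)" != "no" ] \
        || { echo "FAIL: PubkeyAuthentication is 'no'"; n=$((n+1)); }
    c=$(sshd_get "$f" Ciphers)
    case "$c" in
        "") echo "FAIL: Ciphers not set, server default list applies"; n=$((n+1)) ;;
        *cbc*|*arcfour*|*3des*)
            echo "FAIL: Ciphers list contains a legacy cipher: $c"; n=$((n+1)) ;;
    esac
    m=$(sshd_get "$f" MACs)
    case "$m" in
        "") echo "FAIL: MACs not set, server default list applies"; n=$((n+1)) ;;
        *md5*|*sha1*|*-96*)
            echo "FAIL: MACs list contains a legacy MAC: $m"; n=$((n+1)) ;;
    esac
    # Step 7: a non-default port only reduces scanner noise, so it is informational.
    p=$(sshd_get "$f" Port)
    [ -n "$p" ] && [ "$p" != "22" ] && echo "INFO: sshd listens on port $p (noise reduction only)"
    return "$n"
}

# Step 4: authorized_keys must carry no group/other permission bits. Columns
# 5-10 of the ls -l mode string are exactly those bits.
authorized_keys_audit() {
    mode=$(ls -ld "$1")
    if [ "$(printf '%s' "$mode" | cut -c5-10)" = "------" ]; then
        echo "OK: $1 is owner-only ($(printf '%s' "$mode" | cut -c1-10))"
    else
        echo "FAIL: $1 is readable/writable by group or others ($(printf '%s' "$mode" | cut -c1-10))"
        return 1
    fi
}

# Constructed sample inputs so the script runs stand-alone.
WORK=$(mktemp -d)
WEAK_CONF=$WORK/sshd_config.weak
HARD_CONF=$WORK/sshd_config.hard
cat > "$WEAK_CONF" <<'EOF'
# stock-looking config: the hardening line is still commented out
#PasswordAuthentication no
Port 22
PermitRootLogin yes
Ciphers aes256-ctr,aes256-cbc
MACs hmac-sha2-256,hmac-md5
EOF
cat > "$HARD_CONF" <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
Match User backup
    PasswordAuthentication yes
EOF
KEYS_OK=$WORK/authorized_keys.ok
KEYS_BAD=$WORK/authorized_keys.bad
echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyDataForThisDemo admin@example" > "$KEYS_OK"
cp "$KEYS_OK" "$KEYS_BAD"
chmod 400 "$KEYS_OK"
chmod 644 "$KEYS_BAD"

# Demonstration run: the weak config yields four findings, the hardened one none.
echo "== $WEAK_CONF"; sshd_audit "$WEAK_CONF" || true
echo "== $HARD_CONF"; sshd_audit "$HARD_CONF" || true
authorized_keys_audit "$KEYS_OK" || true
authorized_keys_audit "$KEYS_BAD" || true
```

Run it against a real server with `sshd_audit /etc/ssh/sshd_config` and `authorized_keys_audit ~/.ssh/authorized_keys`; the return value of `sshd_audit` is the finding count, so it drops into a cron job or CI step as-is. `sshd -T` prints the fully resolved configuration (including defaults) and is the better input when you want to audit what the daemon actually applies rather than what the file says.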