Cloud and VPS Servers Security guidelines
From: StackFault@700:100/33 to All on Sat Jan 12 20:20:45 2019
Hi!
I wanted to start a thread on hardening practices and security best practices for VPS and smaller cloud-based servers.
I would like anyone to contribute steps and/or configurations based on their own experience, to enhance this and hopefully make it better.
Here are the basic steps I follow when I set up a VPS hosted directly on the Internet, with no other network security devices in place. Since the specifics of each requirement can change, this only covers the basic server setup.
1. Install a recent, proven and supported distro.
2. Disable any unneeded services and verify which ports are open using the usual commands (netstat, ss, etc.).
3. Create a regular user and add it to sudoers. Do not use root for your daily work; use sudo for privileged commands.
4. Generate an SSH keypair, add the public key to ~/.ssh/authorized_keys and set its permissions to 400 (r--------).
5. Test that you can connect using your SSH key.
6. Harden your SSH configuration by increasing the server key size and disabling weak ciphers, weak hashing algorithms and password authentication.
7. You may also want to change the SSH port to reduce the amount of never-ending port-scanning log entries. Changing the port won't increase security.
8. Install and configure fail2ban to blacklist hosts with too many bad password attempts (won't affect you, you use an SSH key, remember?!).
9. Install and configure ufw. You can then open only the services you want accessible and define authorized sources. No complex iptables knowledge required. Don't forget to enable it after configuring it.
10. Bind as many services as possible to the loopback interface; if a service isn't needed externally, don't open it.
11. Use SSH tunnelling for administration tasks like managing a database or accessing a service running locally on the server that the public doesn't need to reach. Don't expose services that aren't required to be publicly accessible.
12. Install and configure logrotate to make sure your logs are rotated, compressed and removed after a defined period, avoiding high storage usage.
13. If you install a web service, secure it with Let's Encrypt using certbot and test your configuration against SSL Labs' testing service. Get the highest score you can while keeping device compatibility.
14. Validate your network exposure remotely on a frequent basis.
15. Ensure proper security banners, proper audit configuration and logging are in place.
16. Set up email so your server can send you its notifications. Most distros send emails to root for issues; make an alias to your email address so you get them in a central place. You will most likely have to replace the mailer with something capable of sending Internet mail, like postfix.
17. Get an outsider you trust to test your configuration to make sure you didn't forget anything.
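As an added example (not code from the original post), here is a small POSIX sh audit that checks an sshd_config for what step 6 asks: password authentication off, public-key authentication on, and pinned cipher/MAC lists free of CBC, arcfour/RC4, 3DES, MD5 and SHA-1. The sample configs it writes are constructed, and its parsing assumptions (first global occurrence wins, Match blocks and the Keyword=value form are ignored) are mine.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config for step 6.
# Reads the first global occurrence of each keyword, as sshd does; Match
# blocks and the "Keyword=value" form are ignored (simplifying assumptions).

# Print the effective value of keyword $2 in file $1 (empty if unset).
sshd_opt() {
  awk -v k="$2" '
    tolower($1) == "match" { exit }               # stop at the first Match block
    tolower($1) == tolower(k) { print $2; exit }  # first occurrence wins
  ' "$1"
}

# Audit file $1: print one PASS/FAIL line per check, return the failure count.
audit_sshd_config() {
  f="$1"; fails=0
  v=$(sshd_opt "$f" PasswordAuthentication)       # sshd default is "yes"
  if [ "$v" = "no" ]; then echo "PASS: PasswordAuthentication no"
  else echo "FAIL: PasswordAuthentication is '${v:-unset (default yes)}'"; fails=$((fails+1)); fi

  v=$(sshd_opt "$f" PubkeyAuthentication)         # sshd default is "yes"
  if [ -z "$v" ] || [ "$v" = "yes" ]; then echo "PASS: PubkeyAuthentication enabled"
  else echo "FAIL: PubkeyAuthentication is '$v'"; fails=$((fails+1)); fi

  v=$(sshd_opt "$f" Ciphers)                      # must be pinned, no CBC/RC4/3DES
  if [ -n "$v" ] && ! printf '%s' "$v" | grep -Eiq 'cbc|arcfour|3des'; then echo "PASS: Ciphers $v"
  else echo "FAIL: Ciphers '${v:-unset}' not pinned or contain a weak cipher"; fails=$((fails+1)); fi

  v=$(sshd_opt "$f" MACs)                         # must be pinned, no MD5/SHA-1
  if [ -n "$v" ] && ! printf '%s' "$v" | grep -Eiq 'md5|sha1'; then echo "PASS: MACs $v"
  else echo "FAIL: MACs '${v:-unset}' not pinned or contain a weak MAC"; fails=$((fails+1)); fi
  return "$fails"
}

# Write a CONSTRUCTED sample config to file $1: "weak" (password auth on, a
# CBC cipher and an HMAC-SHA1 MAC) or "hardened" (what step 6 aims for).
make_sample_config() {
  if [ "$2" = "hardened" ]; then
    printf 'Port 2222\nPasswordAuthentication no\nPubkeyAuthentication yes\nCiphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com\nMACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com\n' > "$1"
  else
    printf '#PasswordAuthentication no\nPasswordAuthentication yes\nCiphers aes256-ctr,aes256-cbc\nMACs hmac-sha1,hmac-sha2-256\n' > "$1"
  fi
}

# Stand-alone demo on the weak sample; a real run would pass /etc/ssh/sshd_config.
t=$(mktemp); make_sample_config "$t" weak
audit_sshd_config "$t" || echo "weak sample: $? failure(s)"
rm -f "$t"
```

Run it against a live server with `audit_sshd_config /etc/ssh/sshd_config` (root needed to read the file) and fix every FAIL line before moving on to step 7.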
These few steps will make your system much more secure.
Cheers!
StackFault
The Bottomless Abyss BBS
ssh.2222 / telnet.2023 / https
bbs.bottomlessabyss.net
--- Mystic BBS v1.12 A39 2018/04/21 (Linux/64)
* Origin: The Bottomless Abyss BBS þ bbs.bottomlessabyss.net (700:100/33)