Increasing Server Security
The security of our servers is of paramount importance. We have a strict security policy that
encompasses many areas including a security-hardened operating system, functional isolation of each
VPS, and careful monitoring and updating of applications. However, our customers must also share in
the responsibility of keeping each of their VPS accounts secure by using good passwords, avoiding
insecure scripts and applications, and following other security best practices.
Some of you may have seen reports of distributed server scans that are initiated by potential hackers.
Essentially, these hackers scan Internet servers for vulnerable scripts and/or vulnerable users
(users with weak passwords). One of the most popular of these scans is trying to login into SSH as
common users like 'root', 'guest', 'admin', or 'test' and then attempting to crack weak passwords
(it's even easier if no password has been configured for one of these users). We think it is important
to make you aware of these scans and also provide you information that will keep you from becoming a
victim of one of these attacks.
One of the benefits of our FreeBSD VPS plans is root access. Every VPS account is provisioned with a
root user. Because the root user has significant flexibility and power, it is important that this
feature be used carefully.
First, you should set a strong password for all users, especially the root user. Choose a password
that uses a variety of characters on the keyboard. Specifically, choose a password that meets the
following criteria:
- Your password has both upper and lower case letters.
- Your password has digits, punctuation marks, or other symbols (do not use a word where some letters are simply replaced by digits such as bl0wf1sh).
- Your password is not based on your login.
- Your password is not a real word (e.g., something you'd find in a dictionary or a list of proper nouns).
- Your password is seven or eight characters long.
- Your password is something you can memorize; if you can't seem to memorize something with strange characters, make your password longer, preferably 12 characters or more; adding just one or two characters to your password length has a huge effect mathematically on the strength of your password.
- Change your password at least every six months and change it immediately if you've had to login over plain text for any reason.
For additional information on choosing a strong password, see:
Passwords
Second, you should always login to your VPS server as a user OTHER THAN 'root' (either as the admin user
created during account provisioning or some other user you've added) and then 'su' to root when you need to
do something as root. Additionally, never run a website as root (where the website files are owned by the
root user).
Lastly, it is important to secure access to applications that are frequently the subject of scans (like SSH).
Here are a few important tips for securing SSH:
- Set "PermitRootLogin no" in sshd_config: now *any* root login attempts will fail. You should
login to a user account (with a good password!) and then 'su' to root as needed. sshd_config is located in
the /etc/ssh/ directory.
- There are other settings in sshd_config that can be modified; refer to the ssh_config man page.
Specifically review MaxStartups, which specifies the maximum number of concurrent unauthenticated connections
to the ssh daemon, and PasswordAuthentication, which can be set to 'no', thus requiring SSH users to login
with a private key instead of a password. sshd_config is located in the /etc/ssh/ directory.
For details on the above recommendations and other tips for securing your VPS servers, please visit the
following URLs:
Increasing Server Security
The following steps should increase the level of security of your Servers.
Please keep in mind security is a way of life and a life style. It is a set of procedures and
policies that must be malleable, and yet followed consistently.
Never allow yourself to feel too safe or too secure; always check things out, always be open to
learning new ways, always be on the look out.
Never blindly follow security instructions -- read, review, compare, apply as it fits your system.
- Follow a Best Practices approach
- Install patches as necessary; do on a regular basis
- Change your passwords on a regular basis.
- Disable telnet
- Do an initial hardening of the operating system
- Remove regular user and world access from c compilers
- Secure host.conf
- Install chkrootkit, and set up in cron
- Install logcheck (similar to logwatch)
- Securing root
- Disable direct root login
- Only allow certain IP's access to SSH
- Secure the /tmp partition
- Install a firewall
- Set PHP up for safe mode on
- Turn off server signatures
- If you are going to grant shell access in a shared environment...
- Daily routine
Also see System Administrator Resources
IMPORTANT NOTE: This document is based on FreeBSD. The concepts
should be similar across operating systems, but the commands will very likely be different. Also, never
assume the directory structures exist in your system as written in the document. Never blindly follow
security instructions -- read, review, compare, apply as it fits your system.
|
