Securing VPS?

Status
This thread has been locked.

StealWonders

Hey guys,
I was wondering if some people could give me some information about securing a VPS.
I know some basics like changing the SSH port and disabling the root account. (Maybe even SSH keys) But what else is there and how would I set it up?
Thank you in advance!
 

StealWonders

Due to some error I posted this 4 times... Please delete the other ones.
 

Zigenzag

Hi CookieST,

Probably want a decent Firewall setup.

I generally use the firewall CSF with Webmin to configure it.

Other things are like securing your MySQL. MySQL comes with a script to get started which you can use by typing a command. I believe the command is:
Code:
mysql_secure_installation
 

StealWonders

So basically blocking all ports and then whitelisting some?
 

Zigenzag

Well you could change the gameservers default ports and then point to the gameservers using a domain and SRV records to help prevent automated attacks.
 

StealWonders

Is there a guide on how to set up that firewall you talked about that blocks scans?
 

RedSquareWeb

Honestly, it's not really necessary to change the SSH port, but no harm in doing it either.

Some simple steps you can take:
  • Configure your firewall correctly (duh...but most people don't put in the time to actually do this)
  • SFTP, not FTP
  • Put all DNS records pointed to the server through CloudFlare (greatly reduce DDOS attacks)
  • Don't disable root...just do not grant anybody (including employees) root access.
  • Secure MySQL (the script it comes with is fine). Also, use MariaDB over MySQL.
  • CSF = good
  • NEVER expose your server's IP (this goes along with putting all of your DNS records through CloudFlare).
  • Use SSL for any web/data hosting

By no means is that a comprehensive, all-inclusive list.
 

Tripps

Actually it is better to disable root login and just do sub user accounts with SSH key access. With the SSH key access you would also do 2FA and go through the auth logs every week to start banning IPs that connect to SSH (had mass attacks on my box, so that would be why you would blacklist/ban IPs). Secondly, the firewall configuration is simple: depending on the operating system you would use "ufw" or "iptables"; on Ubuntu you can use ufw over iptables. With Cloudflare you are able to make a self-signed SSL key and use Cloudflare to verify it. Now for MySQL, if it is only local connections that need to be done, then just change the binding address so only the local server can access it (no need to use MariaDB imo).
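The weekly auth-log review described in the post above can be scripted. The following is an added example, not code from the thread: it counts failed SSH login lines per source address and prints those at or above a threshold. The function names, the threshold and the sample log lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Real use (log path varies by distro):
#   failed_ssh_sources 5 < /var/log/auth.log

# failed_ssh_sources THRESHOLD   (syslog-style sshd lines on stdin)
# Prints "COUNT IP" for each source with >= THRESHOLD failure lines,
# busiest first.
failed_ssh_sources() {
  awk -v min="${1:-5}" '
    /sshd\[/ && (/Failed password for/ || /Invalid user/) {
      # The user name is chosen by the client and may contain its own
      # "from <ip> port" text, so trust only the LAST such match on the line.
      ip = ""
      for (i = 1; i + 2 <= NF; i++)
        if ($i == "from" && $(i + 2) == "port") ip = $(i + 1)
      if (ip != "") hits[ip]++
    }
    END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
  ' | sort -k1,1nr -k2,2
}

# Constructed sample lines (documentation address ranges), not real traffic.
sample_auth_log() {
  cat <<'EOF'
Mar  3 02:11:01 vps sshd[811]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar  3 02:11:03 vps sshd[811]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar  3 02:11:09 vps sshd[815]: Invalid user admin from 203.0.113.7 port 51301
Mar  3 02:14:40 vps sshd[820]: Failed password for invalid user x from 192.0.2.10 port 1 from 198.51.100.9 port 40022 ssh2
Mar  3 08:00:12 vps sshd[902]: Accepted publickey for deploy from 192.0.2.10 port 50022 ssh2
Mar  3 08:30:45 vps sshd[910]: Failed password for deploy from 192.0.2.10 port 50150 ssh2
EOF
}

sample_auth_log | failed_ssh_sources 2
```

A password guess at a nonexistent account logs both an "Invalid user" and a "Failed password" line, so the counts are log lines rather than distinct attempts. Addresses that clear the threshold can then be blocked with the firewall already in use, for example "ufw deny from <address>".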
 

RedSquareWeb

Tripps Agreed. The SSH key route does make it easier to manage access. I usually like to keep root around though, in case it's ever needed (aka, something goes wrong).

The main reason I recommend MariaDB over MySQL is simply because it's better. Extremely similar to MySQL, and fully compatible, but still better overall. It's certainly not a game changer though.
 

Tripps

Well with the subusers you just give them all perms via "user ALL=NOPASSWD: ALL" (this will allow you to do sudo su, and log straight into root without confirmation). I mean I haven't used MariaDB very much, but that being said can you show the facts of how it is better (I haven't personally messed with it so I am curious what the actual facts of it being better are)? xD
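With sub-user accounts that can become root through sudo, the SSH settings discussed earlier in the thread (root login off, key-only login) decide how those accounts can be reached. The following is an added example, not code from the thread: it reads an sshd_config and reports whether both settings are actually in effect, including the case where a duplicate keyword later in the file is ignored. The function names and sample configurations are assumptions; Include files and Match blocks are not evaluated.

```shell
#!/bin/sh
# Added example, not from the thread: check the two sshd settings discussed.

# sshd_effective KEYWORD DEFAULT   (sshd_config text on stdin)
# sshd uses the FIRST occurrence of a keyword and matches keywords
# case-insensitively; later duplicates are silently ignored.
sshd_effective() {
  awk -v want="$1" -v dflt="$2" '
    BEGIN { want = tolower(want); val = dflt }
    /^[ \t]*#/ || NF == 0 { next }            # comments and blank lines
    tolower($1) == "match" { exit }           # conditional blocks: not evaluated
    tolower($1) == want { val = $2; exit }    # first occurrence wins
    END { print val }
  '
}

# audit_sshd: returns 0 only if root login and password login are both off.
audit_sshd() {
  cfg=$(cat)
  # Fallback values are upstream OpenSSH defaults when the keyword is absent.
  root=$(printf '%s\n' "$cfg" | sshd_effective PermitRootLogin prohibit-password)
  pass=$(printf '%s\n' "$cfg" | sshd_effective PasswordAuthentication yes)
  rc=0
  if [ "$root" != "no" ]; then echo "WARN PermitRootLogin=$root"; rc=1; fi
  if [ "$pass" != "no" ]; then echo "WARN PasswordAuthentication=$pass"; rc=1; fi
  if [ "$rc" -eq 0 ]; then echo "OK root and password logins are disabled"; fi
  return "$rc"
}

# Constructed sample: the later "no" never takes effect.
sample_weak() {
  printf '%s\n' '# constructed sample' 'Port 2222' 'PermitRootLogin no' \
    'PasswordAuthentication yes' 'passwordauthentication no'
}
# Constructed sample with both settings off.
sample_hardened() {
  printf '%s\n' 'permitrootlogin no' 'PasswordAuthentication no' \
    'PubkeyAuthentication yes'
}

sample_weak | audit_sshd || true
sample_hardened | audit_sshd
```

On a live host, "sshd -T" prints the effective configuration with Include files resolved, and its output can be piped into audit_sshd in place of the file.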
 

RedSquareWeb

MariaDB was made by many of the same developers as MySQL, and it pretty much runs the exact same engine and whatnot. There are however a couple of security and performance differences that make it favorable. Actually, I can't really say that so definitively; lots of benchmarks and anecdotes show its performance ranging from "exactly the same as MySQL" to over 80% faster.

But more concretely, MariaDB is much more actively developed, and update/security fix information is much more accessible.

Here's a decent article that briefly summarizes it, actually. It's nothing too in-depth, but it'll give you a general idea:
https://seravo.fi/2015/10-reasons-to-migrate-to-mariadb-if-still-using-mysql
 