Guide to Improving VPS Security
1. Change the SSH Port
Port 22 is a common target for attacks. To change it:
- Edit the SSH configuration:
nano /etc/ssh/sshd_config
- Locate the line "#Port 22", remove the # to uncomment it, then set a new port number above 1024:
Port 2222
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
- Save and exit (Ctrl + X), then restart SSH:
service sshd restart
- Verify connectivity through the new port while keeping the old session open. Update IPTables to allow the new port:
nano /etc/sysconfig/iptables
Add:
-A INPUT -m state --state NEW -m tcp -p tcp --dport #### -j ACCEPT
- Save and restart IPTables:
service iptables restart
2. Use Strong Passwords
Ensure all passwords are strong. Follow these guidelines:
- Minimum 10 characters.
- Mix of numbers, letters (both cases), and symbols.
- Example:
T=ep@Uy*ST
Change the root password with:
passwd
3. Disable Root User
For security, avoid using the root account directly:
- Create a new user:
useradd namehere
passwd namehere
Disable Root Login to SSH
Now, disable root login to SSH by editing your sshd_config file:
nano /etc/ssh/sshd_config
Find the PermitRootLogin line, remove the # in front of it, and set it to:
PermitRootLogin no
Now save and exit Nano (Ctrl x) and restart SSHd:
service sshd restart
For future SSH connections, use the newly created “namehere” user. To execute commands with root privileges, use the su command followed by the root password.
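A script version of the SSH port and root-login edits from sections 1 and 3, added here as an example (not part of the original guide): set_directive and check_sshd_config are my own helper names, and the sample config lines are constructed from the defaults quoted above.

```shell
#!/bin/sh
# Added example, not part of the original guide: apply the guide's two
# sshd_config edits (Port, PermitRootLogin) and sanity-check the file before
# "service sshd restart". The function names here are my own.

# set_directive FILE KEY VALUE: replace the first "KEY ...", "#KEY ..." or
# "# KEY ..." line with "KEY VALUE", drop later copies, append if absent.
set_directive() {
  file=$1 key=$2 value=$3
  awk -v k="$key" -v v="$value" '
    $0 ~ ("^[# \t]*" k "[ \t]") { if (!done) { print k " " v; done = 1 }; next }
    { print }
    END { if (!done) print k " " v }
  ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# check_sshd_config FILE: succeed only if there is exactly one active Port
# directive, it is above 1024 (as the guide requires), and PermitRootLogin
# is explicitly "no". Errors go to stderr.
check_sshd_config() {
  file=$1
  n=$(awk '$1 == "Port" { n++ } END { print n + 0 }' "$file")
  [ "$n" -eq 1 ] || { echo "expected one active Port line, found $n" >&2; return 1; }
  port=$(awk '$1 == "Port" { print $2; exit }' "$file")
  case $port in
    ''|*[!0-9]*) echo "Port '$port' is not a number" >&2; return 1 ;;
  esac
  [ "$port" -gt 1024 ] || { echo "Port $port is not above 1024" >&2; return 1; }
  grep -Eq '^[[:space:]]*PermitRootLogin[[:space:]]+no([[:space:]]|$)' "$file" \
    || { echo "PermitRootLogin is not set to no" >&2; return 1; }
}

# Demo on a constructed copy of the relevant default lines. On a real host
# point the functions at /etc/ssh/sshd_config and run "sshd -t" as the final
# check before restarting.
demo() {
  cfg=$(mktemp)
  printf '%s\n' '#Port 22' '#AddressFamily any' '#ListenAddress 0.0.0.0' \
    '#PermitRootLogin yes' > "$cfg"
  set_directive "$cfg" Port 2222
  set_directive "$cfg" PermitRootLogin no
  check_sshd_config "$cfg" && echo "sshd_config edits look sane:" && cat "$cfg"
  rm -f "$cfg"
}
demo
```

Keep the existing SSH session open while you run it against the real file, exactly as the guide advises, so a mistake never locks you out.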
Restrict SSH Access by IP Using IPtables
To enhance security, restrict SSH access by IP, but ensure you have a static IP.
Open your IPtables rules file:
nano /etc/sysconfig/iptables
Locate the line with --dport 22 and add the following line above it, replacing #### with your SSH port and 192.168.0.1 with your IP address:
-A INPUT -p tcp -s 192.168.0.1 --dport #### -j ACCEPT
Save and exit Nano (Ctrl + X) and restart the IPtables service:
service iptables restart
Install RkHunter
To check for rootkits, backdoors, file changes, and hidden files, install RkHunter.
- Install RkHunter with the following command:
Set up a daily cron job to update RkHunter and run a scan. Create and edit a new cron script:
nano -w /etc/cron.daily/rkhunter.sh
Add the following script, replacing “PutYourServerNameHere” with your server's hostname and “your@email.here” with your email address:
#!/bin/sh
# Run the version check, the update and the scan as one group so that all of
# their output is piped into a single mail to the administrator.
(
/usr/local/bin/rkhunter --versioncheck
/usr/local/bin/rkhunter --update
/usr/local/bin/rkhunter --cronjob --report-warnings-only
) | /bin/mail -s 'rkhunter Daily Run (PutYourServerNameHere)' your@email.here
Save and secure the script by setting proper permissions:
chmod 700 /etc/cron.daily/rkhunter.sh
Test RkHunter by running a manual scan:
rkhunter -c -sk
Your server is now better protected!
Install CSF (Config Server Firewall)
CSF provides extensive protection and is more user-friendly than direct IPTables management.
Check for Perl Installation
Verify if Perl is installed:
perl -v
If Perl is not installed, use the following commands to install it:
yum install perl-libwww-perl.noarch perl-LWP-Protocol-https.noarch perl-GDGraph
yum install perl perl-libwww-perl perl-Time-HiRes -y
Install CSF
Download and install CSF:
Verify Required IPTables Modules
Ensure that you have the necessary IPTables modules:
perl /etc/csf/csftest.pl
Missing modules may reduce some CSF functionality, but as long as no fatal errors are reported, it should work.
Configure CSF
By default, CSF whitelists your IP and operates in test mode, which clears rules every 5 minutes. This mode helps you adjust settings without locking yourself out. Once your configuration is confirmed, you can disable test mode.
Edit the CSF configuration file to include your new SSH port:
nano /etc/csf/csf.conf
Update the TCP ports:
# Allow incoming TCP ports
TCP_IN = "20,21,25,53,80,110,143,443,465,587,993,995,####"
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443,####"
Next, locate CONNLIMIT = "" in the CSF configuration file. Set limits on the number of concurrent connections per IP for commonly attacked ports like 21 (FTP), 80 (HTTP), and your new SSH port. This setting applies only to TCP.
CONNLIMIT = "21;5,####;5,80;20"
Then, configure port flood protection just below CONNLIMIT. Add the commonly attacked ports to limit the number of connections allowed at one time.
PORTFLOOD = "21;tcp;5;300,80;tcp;20;5,####;tcp;5;300"
To specify the email address for CSF reports, find X_ARF_TO = "" and set it to your email:
X_ARF_TO = "your@email.here"
Save and exit your editor (Ctrl + X). Start CSF with:
csf -h # Shows a list of CSF commands
csf -s # Starts CSF
Open another SSH session to verify you can connect to your server. If successful, proceed to disable testing mode so the Login Failure Daemon (LFD) can operate.
Edit the CSF configuration file again:
nano /etc/csf/csf.conf
Find TESTING = "1" and change it to TESTING = "0". Save and exit (Ctrl + X), then restart CSF:
csf -r
Finally, remove the install archive:
cd ../
rm -fv csf.tgz
That's it! Your server is now more secure.