This article describes certain standard security best practices for any Linux server and offers minimal guidelines for securing your VPS. CCOL recommends these settings for protection against most common attacks.
The security practices described here cannot eliminate attacks completely. You may learn more about them in detail on the Web and enhance the security further as per your needs.
Security Practices for User Accounts
Listed below are certain security practices applicable to user accounts.
- The root user has all the administrative privileges on the Server. However, if compromised or hacked, this user can pose a severe security threat. It is thus recommended to avoid its use wherever possible.
- The trusted users of your VPS should have their specific user accounts, and should not make use of the root user. This will also be helpful to trace the activity logs on your Server.
- With sudo (superuser do), you can delegate a limited set of administrative responsibilities to the desired users, who can only work with the commands you allow them to.
- Eliminate unnecessary user accounts and disable shell access for daemons.
  - Run the below command and identify unnecessary user accounts from the passwd file:
      cat /etc/passwd
  - Delete unnecessary users using the command:
      userdel <username>
  - Disable interactive logins for daemon accounts by specifying /bin/false for the user's shell.
Security Practices for SSH Access
To Change the Default SSH port for Your Server
You may change the default SSH port for your Server. This will reduce the chances of attack; however, it is not a foolproof measure.
- Open the SSHD configuration file for editing using the command:
    vi /etc/ssh/sshd_config
- Uncomment the line corresponding to the Port directive, as shown.
  Note: Make sure you use a port below 1024 (preferred range is 1 - 1024). You may check the IANA website for unassigned port numbers, if you want to ensure no conflicts are encountered.
- Restart the SSH service using the command:
    /etc/init.d/sshd restart
Going forward, all SSH connections to your Server will only work on the newly specified port.
To Change the Authentication Method
You may switch to key based authentication, instead of password authentication.
To Restrict SSH Access
You may disable SSH access for the root user and create a wheel user.
- Open the SSHD configuration file for editing using the command:
    vi /etc/ssh/sshd_config
- Uncomment the line corresponding to the PermitRootLogin directive and specify the value as no, as shown.
- Create a user with the command (the -p option takes the password in its already-encrypted form, not as plain text):
    useradd -p <encrypted_password> <user>
- To add a user to the wheel group, open /etc/group using the command:
    vi /etc/group
  Note:
  - A wheel user is a special user who is able to execute the su command to gain root or superuser access. This user does not require you to log in as root every time.
  - You may also add an existing user to the wheel group.
- Edit as shown below:
    Original: wheel:x:10:root
    After editing: wheel:x:10:root,testuser
- Restart the SSH service using the command:
    /etc/init.d/sshd restart
To use root user commands, you simply need to prefix the commands with the keyword sudo.
Example: The file /etc/passwd is owned by root, but can be edited by this wheel user using sudo vi /etc/passwd.
You can even switch to the root user using the command sudo su -, and type exit to return to your normal user.
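The sshd_config changes described above (a non-default Port, key-based instead of password authentication, PermitRootLogin no) can be checked with a short script. This is an added example, not part of the original article; the function names, the constructed sample file and the assumed OpenSSH defaults are illustrative assumptions.

```shell
#!/bin/sh
# Added example: audit sshd_config for the settings discussed in this article.
# Assumptions: whitespace-separated "Keyword value" lines, no Include or Match
# blocks, and current OpenSSH defaults when a keyword is not set.

# effective_value FILE KEYWORD DEFAULT
# sshd takes the FIRST uncommented occurrence of a keyword (keywords are
# case-insensitive); a line that is still commented out changes nothing.
effective_value() {
    awk -v key="$2" -v def="$3" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) { val = tolower($2); found = 1; exit }
        END { print (found ? val : def) }
    ' "$1"
}

# audit_sshd_config FILE: prints one WARN line per weak setting, or OK.
audit_sshd_config() {
    port=$(effective_value "$1" Port 22)
    root=$(effective_value "$1" PermitRootLogin prohibit-password)
    pass=$(effective_value "$1" PasswordAuthentication yes)
    warn=0
    if [ "$port" = 22 ]; then
        echo "WARN Port is still the default (22)"; warn=1
    fi
    if [ "$root" != no ]; then
        echo "WARN PermitRootLogin is '$root', expected 'no'"; warn=1
    fi
    if [ "$pass" != no ]; then
        echo "WARN PasswordAuthentication is '$pass'; passwords still accepted"; warn=1
    fi
    if [ "$warn" -eq 0 ]; then echo "OK all three settings hardened"; fi
}

# Constructed sample: the Port line was edited, but PermitRootLogin was left
# commented out and PasswordAuthentication no was appended after an older entry.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 2222
#PermitRootLogin no
PasswordAuthentication yes
PasswordAuthentication no
EOF
audit_sshd_config "$sample"
rm -f "$sample"
```

On a live server, run sshd -t after editing to validate the file before restarting the service, and keep your current session open until a new login on the new port succeeds.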