Standard Security Best Practices

This article describes certain standard security best practices for any Linux server and offers minimal guidelines for securing your VPS. CCOL recommends these settings for protection against most common attacks.

Note

The security practices described here cannot eliminate the attacks completely. You may learn more about these in detail on the Web and enhance the security further as per your needs.

Security Practices for User Accounts

Listed below are certain security practices applicable for the user accounts.

  1. The root user has all the administrative privileges on the Server. However, if compromised or hacked, this user can pose a severe security threat. It is thus recommended to avoid its use wherever possible.

  2. The trusted users of your VPS should have their specific user accounts, and should not make use of the root user. This will also be helpful to trace the activity logs on your Server.

  3. With sudo (superuser do), you can delegate a limited set of administrative responsibilities to the desired users, who can only work with the commands you allow them to.

  4. Eliminate unnecessary user accounts and disable shell access for daemons.

    • Run the below command and identify unnecessary user accounts from the passwd file:

      cat /etc/passwd

    • Delete unnecessary users using the command:

      userdel <username>

    • Disable interactive logins for daemon accounts by specifying /bin/false for the user's shell.

Security Practices for SSH Access

To Change the Default SSH port for Your Server

You may change the default SSH port for your Server. This will reduce the chances of attack; however, it is not a foolproof measure.

  1. Open the SSHD configuration file for editing using the command:

    vi /etc/ssh/sshd_config

  2. Uncomment the line corresponding to the Port directive, as shown.

    Note

    Make sure you use a port below 1024 (preferred range is 1 - 1024). You may check the IANA website for unassigned port numbers, if you want to ensure no conflicts are encountered.

    Change the SSH Port

  3. Restart the SSH service using the command:

    /etc/init.d/sshd restart

Going forward, all the SSH connections to your Server will only work on the new port specified port.

To Change the Authentication Method

You may switch to key based authentication, instead of password authentication.

To Restrict SSH Access

You may disable SSH access for the root user and create a wheel user.

  1. Open the SSHD configuration file for editing using the command:

    vi /etc/ssh/sshd_config

  2. Uncomment the line corresponding to the PermitRootLogin directive and specify the value as no, as shown.

    Disable SSH access for root

  3. Create an user with the command:

    useradd -p <password> <user>

  4. To add an user to the wheel group, open /etc/group using the command:

    vi /etc/group

    Note
    • A wheel user is a special user who is able to execute the su command to gain root or superuser access. This user does not require you to login as root every time.

    • You may also add an existing user to the wheel group.

  5. Edit as shown below:

    Original: wheel:x:10:root

    After editing: wheel:x:10:root,testuser

  6. Restart the SSH service using the command:

    /etc/init.d/sshd restart

To use root user commands, you simply need to prefix the commands with keyword sudo.

Example: The file /etc/passwd is owned by root, but can be edited by this wheel user using sudo vi /etc/passwd.

You can even switch to a root user using the command sudo su -, and type exit to return to your normal user.