Webmaster Security

Absolute basic security steps you should take once you got yourself a server

Submitted by gobkq0, , Thread ID: 106377

Thread Closed
gobkq0
Novice
Level:
0
Reputation:
0
Posts:
20
Likes:
2
Credits:
5
15-11-2018, 01:53 AM
This post was last modified: 15-11-2018, 01:54 AM by gobkq0
#1
Intro:
This is going to cover the very basics about what you should do once you have got yourself your first server ( be it a root server or a v-server)

I am not going to throw it inside of a hide tag, since I think everyone should be able to access it, regardless of their points.
But I am going to throw one below in case you want to thank me.


The first thing to keep in mind is that you are responsible for your server.
If it gets hacked and someone uses it to do illegal things (be it spamming, dosing, attempting to bruteforce other systems or even using it to host/download child-porn) at the end of the day the provider is going to refer whoever sends a abuse mail or comes along with a warrant to you.
And you will have to explain to them what you did and how you did it.

Of course your primary goal should be to avoid getting there.

I will not be able to cover a lot of things here, but I can give you some hints into the right direction.


Think about it long and hard:
Keeping a server requires quite a bit of time, effort and knowledge.
I strongly recommend that you start by running a vm on your pc to get used to linux operating systems.
Go through the steps I outlined below.
Make sure you understand them.


SSH-Key-Authentication:
When you get a server, it is usually configured with a root password.
If you generate a ssh key pair, configure ssh key authentication and disable password authentication, that will pretty much prevent brute force attacks from being successful.

A example how to do that is here:
https://www.linode.com/docs/security/aut...-with-ssh/

If you are using Windows as OS on your desktop computer, you might wantto use puttygen to generate the ssh keys

Make sure to select a key length of 4096 bits when generating a RSA Key.
Use a strong password for the private key.
Make sure to backup the public and private key.
Use the "Public key for pasting into OpenSSH authorized_keys file:" to paste into the authorized keys file (and not the one generated by "Save public key)


Disable password authentication afterwards, but ensure that the ssh key authentication works (a common pitfall are incorrect permissions on the .ssh folder or the authorized_keys file; Make sure only your own user can write to them)

In addition, you could setup a two factor authentication (you can save the ssh private key on a yubikey or smartcard; or alternatively use otp with the yubikey)
But for most servers the security provided by ssh key authentication is sufficient.


Set up a Firewall:
Setup a inbound firewall (must) and possibly a outbound firewall (should)

The easiest option available is ufw.



You can also look into iptables. Its has a higher difficulty compared to ufw, but it can do few more things.

The exact setup depends on the services you want to run and the firewall you choose.


Regular Updates:
A server isnt something you set up once and just forget.
It needs regular updates.

The lazy option is to use ubuntu server with automatic security updates enabled.
You should definitely do this. There is a very slim chance that a security update is going to break something, but for a private VPS that is acceptable.


Automated Backups:
Make sure you have a working backup strategy.
The backups should be saved on a remote host.
Ideally that backup-host would pull the backups (instead of the server pushing the backup to the remote location)
You should regularly check if that backup strategy is still working.


Fail2Ban:
It is a good practice to setup Fail2Ban or DenyHosts for the services you run on your server.
Both tools will scan the logs generated by your services for bruteforce attacks and then ban the IP of the attackers.
There are ways around that, but it can help against most script-kiddie attacks.


Monitoring / Alerting:
Setup Monitoring / Alerting tools for your server, so you know if there are issues.
For a single server monit is a good choice:https://mmonit.com/monit/

You could also go with icinga or quite a fewother tools, but that is usually overkill.


Regular Maintenance:
Regularly connect to your server and check if there are any updates:
Check your logs if there is anything suspicious or unusual.
Check if your backup is working (if the jobs have been executed and if it cant be restored)


Conclusion:
As i mentioned a few times: Running a server is quite a bit of work.
Make sure to look into the servers you run.
Automate updates whenever possible.

Think about the services you want to host on your machine.
Limit the ports your machine can be accessed with to the absolute necessities.

If you just want to do webhosting, it is usually cheaper to go to a hostingprovider (yes, there are certain limits, but you dont have to bother with the security of the server, isolating different applications, ....)

A few personal recommendations:
  • Only get a server if you absolutely have to
  • Docker can be useful to isolate multiple applications from each other (use official images whenever possible; docker is a good start, but its not everything)
  • Minimize the number ofservices you run and thereby minimize your exposure.

  • Caddy is nice, especially if you just want to host static files or need a reverse proxy for a few (other) docker containers
  • Make sure to have someone you can ask if you have questions.
    Dont hesitate to ask them if you are unsure about something.
  • Dont let any "guru" from the internet access your server because they claim they can fix something.
  • Be ready to nuke it and start from scratch.
    If you suspect the server might be compromised, nuke it and start over from scratch.
    In that case you should either discard the backup or make sure it is not compromised aswell.
  • If you want to take it a step further, look into automation. For example ansible, puppet or chef.
  • It doesn't always have to be wordpress (Jekyll might be sufficient aswell)

If youd like me to cover something in more detail or if you spotted a mistake, let me know in topic.

And if you liked it feel free to click on the hide button. (There is nothing important inside; as I explained above)
Content locked
This content has been locked. Please login or register in order to unlock it.

RE: Absolute basic security steps you should take once you got yourself a server

r1n9zer0
Newbie
Level:
0
Reputation:
0
Posts:
12
Likes:
0
Credits:
15
29-11-2018, 08:45 AM
#2
Very helpful, for me, Fail2ban has blocks millions of attempts to brute force my systems. It could also help to change the default port for some services so it cannot be brute forced as easily as it being the default port.

RE: Absolute basic security steps you should take once you got yourself a server

memba
Newbie
Level:
0
Reputation:
0
Posts:
18
Likes:
0
Credits:
10
07-12-2018, 12:21 AM
#3
:lit: It's a beautiful article. I have my own server and protection can be really hard. :lit:

RE: Absolute basic security steps you should take once you got yourself a server

marouene19
Newbie
Level:
0
Reputation:
0
Posts:
15
Likes:
1
Credits:
15
10-12-2018, 09:24 PM
#4
great article, and I admit that it is necessary to keep your server up to date , be secure 3 months before it does not prove that you are safe now, you must always maintain the system and be at current of all hack news

RE: Absolute basic security steps you should take once you got yourself a server

Miskvo
Lurker
Level:
0
Reputation:
0
Posts:
1
Likes:
0
Credits:
2
11-12-2018, 05:45 PM
#5
thanks for the hack Smile)))) hope u like my reply love u
:dquestion:

RE: Absolute basic security steps you should take once you got yourself a server

slushpuppy
Newbie
Level:
0
Reputation:
0
Posts:
14
Likes:
0
Credits:
0
15-12-2018, 09:33 AM
#6
make sure u also get a host with good ddos protection

RE: Absolute basic security steps you should take once you got yourself a server

BURST
$ cat /etc/passwd
Challenge
Expert in Security
Level:
1
Reputation:
70
Posts:
1.35K
Likes:
149
Credits:
169
16-12-2018, 03:07 AM
#7
They protect a whole system. However, it is necessary to keep the server up-to-date and to ensure continuous optimization. A lot of plug-ins installed on the server is old. These plug-ins always make the server vulnerable to security. You have to be careful.
[Image: e72398fe92beda2aa80d0329e8b9f4febece7568.gif]

RE: Absolute basic security steps you should take once you got yourself a server

m00nshine
Newbie
Level:
0
Reputation:
0
Posts:
16
Likes:
0
Credits:
14
25-12-2018, 01:33 PM
#8
This is some really nice advise!
It was nice to refresh my memory on some of these aspects!

RE: Absolute basic security steps you should take once you got yourself a server

mockanapka
Closed Account
Level:
0
Reputation:
0
Posts:
16
Likes:
0
Credits:
24
31-12-2018, 04:31 AM
#9
o complete the registration process on Nulled, you will need to go to the URL below in your web browserdsad a asd

RE: Absolute basic security steps you should take once you got yourself a server

01-01-2019, 08:26 AM
#10
keeping server up to date, host with good ddos protection. Thanks for the advice

Users browsing this thread: 1 Guest(s)