When making your Linux server more secure, you are going to want to look at four areas of the server:
- The SSH configuration
- IPTables configuration (software firewall)
- The logs
- Keeping applications secure
This guide assumes you know how to log into your server using SSH. If you do not know how to do this, please first read the “How to connect to your server using SSH” guide.
SSH – You will find that the most common way Codero.com servers are attacked is by people using “brute force” attacks against SSH. You can see this happening by looking at the messages log located at /var/log/messages.
- To stop this type of attack, you can simply change the port that SSH listens on (default 22). To do this, you need to edit the sshd_config file located at /etc/ssh/sshd_config. Use the following command to edit the sshd_config file:
- Below is an example of what the sshd_config file should look like after editing:
- Note the red box in the above picture: this is where you need to change the port setting. Simply remove the comment symbol (‘#’) in front of ‘Port’ and then set the port value to 722 (or any other unused valid number in the port range). Once you make the above change and save the file, the new port is set. We now need to open the new port in the software firewall.
- Next, we’ll need to add the port to the software firewall.
- If your server is running Plesk Control Panel, please refer to the following link for information on using Plesk to add the firewall rule:
- Otherwise, you’ll need to log into your server using SSH and edit IPTables. Once logged into the server, issue the following command to edit IPTables:
- The following picture shows the change that we’ve made to the iptables firewall:
- The line with the red box around it is the only change/addition to the file. Please take care not to change any other values while in this file.
- Now we need to first restart iptables, and then restart ssh. Issue the following commands in this order:
- Now SSH is listening on port 722.
Logs – The next part of this guide concerns logs.
- Logs are extremely useful in Linux. The main thing that you are going to look at is the logs, all of which are kept in the /var/log directory on the server. To access them, log into your server using SSH and issue the following command:
- You will get an output that looks like the following picture:
- Here you can find information like who logged into the server, which FTP users connected to the server, and when the server crashed or rebooted.
- The secure log can be looked at by typing the following command:
[root@hostname]# tail -n 100 /var/log/secure
This will give you the last 100 lines of the secure log. The secure log gives information like last log in/out, but it also logs failed SSH and FTP attempts. You can easily find someone trying to exploit these two services by looking in the secure log.
- Next, you should take a look at the dmesg log. You can access the dmesg log by issuing the following command:
The dmesg log gives information about hardware; use this log if you think your hardware is failing.
- Finally, the messages log is a great resource. This log contains much of the information covered in the previous logs, but it gives a good snapshot of what is going on on the server. To view the messages log, issue the following command:
[root@hostname]# tail -n 100 /var/log/messages
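As an added example (not part of the original guide), the following shell script automates the secure-log check described above: it pulls the failed SSH password attempts out of the log and counts them per source address, so a brute-force source shows up at the top. It assumes the standard syslog-style lines OpenSSH writes to /var/log/secure; the sample lines are constructed for illustration and are not real server data.

```shell
#!/bin/sh
# Added example: summarize failed SSH logins from a secure log so that
# brute-force sources stand out. Assumes the usual OpenSSH log line format
# ("Failed password for <user> from <ip> port <n> ssh2").

# Count failed SSH password attempts per source IP, busiest source first.
# Usage: failed_ssh_by_ip /var/log/secure
failed_ssh_by_ip() {
    grep 'sshd\[' "$1" \
    | grep 'Failed password' \
    | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
    | sort | uniq -c | sort -rn
}

# Number of distinct source IPs with failed attempts.
failed_source_count() {
    failed_ssh_by_ip "$1" | wc -l | tr -d ' '
}

# Number of attempts from the single busiest source (0 if there are none).
top_failed_count() {
    failed_ssh_by_ip "$1" | head -n 1 | awk '{c=$1} END {print c+0}'
}

# Constructed sample of secure-log lines (not real data) so the script runs offline.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 10:01:12 hostname sshd[2101]: Failed password for root from 203.0.113.5 port 41022 ssh2
Mar  3 10:01:14 hostname sshd[2101]: Failed password for root from 203.0.113.5 port 41022 ssh2
Mar  3 10:01:16 hostname sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 41030 ssh2
Mar  3 10:02:40 hostname sshd[2110]: Failed password for bob from 198.51.100.7 port 50211 ssh2
Mar  3 10:03:01 hostname sshd[2115]: Accepted password for bob from 198.51.100.7 port 50212 ssh2
Mar  3 10:03:30 hostname vsftpd[2120]: FAIL LOGIN: Client "203.0.113.5"
EOF

# On a real server, replace "$SAMPLE_LOG" with /var/log/secure.
echo "Failed SSH attempts per source:"
failed_ssh_by_ip "$SAMPLE_LOG"
```

Run against /var/log/secure on the server itself; a source with many failures in a short window is the brute-force activity the guide describes, and the port change above plus the firewall rule are the mitigation.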
Keeping applications secure is the last topic we will touch on in this article. Servers are only as secure as the mail accounts and message boards that they host. If you have an open relay or bulletin board software that is out of date, update it. These are sure targets for injection attacks against MySQL and PHP, so keep them up to date on your server. Remember, a determined hacker can break into any system, but by putting in a little effort you can make breaking into your system a waste of time, and they will move on to easier prey.