Hardening your server is perhaps the best way to prevent, or at least reduce, attacks on your server. What follows is a basic overview of what you should do to harden your server. If you are not completely comfortable doing this, you should retain the services of someone who is, to avoid data loss.
The key service you want to secure is SSH, as that is perhaps the most vulnerable. If someone should have access through this protocol, they would have complete power over your server, and all the sites on it.
If you log in to your server by using the “root” username, that is the first thing you want to fix. Log in, and then create a new user:
adduser [user] -G wheel
By doing this, you’ve just created a user that is added to the wheel, or list of users who can gain root authority.
Next, give the username a password:
Now you’ll want to open up a new SSH window, and try logging in under the new username and password. If this works, you can then su to root. This way, a hacker would need to bypass security on two usernames instead of one. If the worst happens, and a hacker gains access to your administrative username, but does not have the root password, he or she can’t visit complete havoc upon your server.
Next, you’ll want to change the port that your SSH protocol is on. The default is 22, and this is common knowledge. So, you’ll want to choose another port to make it harder for hackers to find and potentially exploit your SSH protocol:
Open the following file, substituting “nano” for “vi,” or any other favourite text editor.
Look for the following elements:
Port– It’s currently 22. Change it to an unused port such as 2199.
PermitRootLogin- If it’s commented out with a “#,” uncomment it, and change it to “no.”
You will now need to restart SSH to make your changes effective. You can accomplish this by issuing the following command:
Now your SSH protocol is secure, and you’ve checked one item off the list of ways to harden your server. I will discuss in future posts yet more ways you can harden your server, including disabling unused services, and securing your e-mail and FTP ports.