How do you secure your server(s)?

[WelltodoInformalCattle]

I'm simply curious, how do you folks secure your servers? I'm currently using a mix of logwatch, psad, and CSF for instance yet I can't help but still feel vulnerable.

Any tips are greatly welcomed and I'm sure they'll be useful for the inexperienced such as myself!

 

[kunnu]

Respectable voss,

+ We use Linux Malware scanner(Malware Detect)

+ ClamAV Scanner

+ Never use old/outdated script/software/OS

+ Always read hosting security related latest news

 

[wcypierre]

1. if you're running a hosting a website, you can add modsecurity/php ids to it to prevent webbased hacking.

2. limit the services that you're supposed to run(if some services are only used once in a while, then turn it off and turn it on based on demand)

3. if certain services are only to be accessed by you, then limit it to a predefined set of ip for better security(like ssh)

However, "Never use old/outdated script/software/OS" -- provided that it doesn't breaks anything, so, always do a backup before upgrading

 

[GIANT_CRAB]

Here: http://lmgtfy.com/?q=how+to+secure+server

Plenty of answers.

 

[WelltodoInformalCattle]

Yes, I'm aware of the power of Google but if there's anything that pisses me off it is being told to Google something when I'm merely curious as to how people plug potential sources of vulnerabilities on their servers.

It would have been easier to ignore this thread then to have made a comment that contributes nothing to it @GIANT_CRAB

 

[SeriesN]

Here: http://lmgtfy.com/?q=how+to+secure+server

Plenty of answers.

Stop being a douchebag. Doesn't help this forum.

 

[wcypierre]

Yes, I'm aware of the power of Google but if there's anything that pisses me off it is being told to Google something when I'm merely curious as to how people plug potential sources of vulnerabilities on their servers.

It would have been easier to ignore this thread then to have made a comment that contributes nothing to it @GIANT_CRAB

btw, try and list down the services that you use, its pretty to hard to say about anything when you don't state anything.

 

[365Networks]

Usually I set up denyhosts right away and modify the /etc/ssh/sshd_config

I usually delete any services I am not using/running, as those can be a security hole as well if let unmonitored.

 

[365Networks]

I have a client who runs CHkrootkit & RKHunter, as well as Maldet + ClamAV. Seems a bit too much?

Surely ClamAV + Maldet should be enough?

 

[drmike]

I rated this 5 stars.  Good topic.

Generally, locking down SSH --- moving it to non standard port, not accepting user style password keyed in logins.

Deny style scripts to monitor malicious attackers and block them on IP basis.

DDoS script to babysit packet flow.

IPTables to limit packet flow ceiling

 

[365Networks]

I also like to set up a 'dummy' SSH daemon on port 22, still looking for a solid way to get it to log all requests via email, daily.

Also, if you have IPv6 at home (or where ever you SSH from), have SSHd only listen on an IPv6 address, this should stop 99% of all bruteforce/SSHd exploit attacks as most target via IPv4.

 

[HalfEatenPie]

Well...  This obviously depends on what you're using the server for.

In terms of SSH, immediately after installing the OS I move it to a non-standard port, require key logins (+ password), setup e-mail alert on SSH Logins (many resources on the internet for that actually!  But here's one for root: http://www.webhostgear.com/43.html ) and obviously don't allow root login via SSH.  

IPTables are your best friend.  Custom scripts that monitors changes to your log files would also be fantastic.  Most of the times if I'm feeling lazy I have it set to monitor the logs of each services and then temporarily drop the connection to that IP depending on how frequently they attempt to access something (and is denied).  

I also put monitoring (SNMP) on each VM and link it to two of my Observium monitoring nodes.  

This is usually the groundworks once you get the OS and such installed.  If you use apache and such then you go further in-depth with the security measures and settings.

Each new piece of software you introduce into your server provides another vector for possible attack (or so as I feel).  Therefore just being able to lock it down would be nice.  I haven't really seen a need for ClamAV personally so don't really know if I should start including that into my system.  Anyone have any opinions? 

 

[hzr]

By installing ZPanel, my server becomes fully managed by everyone

So I don't need to worry about securing it.

 

[dmmcintyre3]

I leave them at the BIOS screen with a no OS found error. (having drive issues)

 

[D. Strout]

I leave them at the BIOS screen with a no OS found error. (having drive issues)

Undoubtedly the most secure so far.

Here's what I know I should do: minstall (dump all unnecessary/possible vector services that way), reinstall SSH with root access off, run on a high port with key-based login only using a frequently changed password-protected key.

But I don't do that. Just an unencrypted key-based auth, port 22, password-based access off. Before you start screaming, ask yourself: will someone just scanning port 22 even keep trying once they see that password authentication is off? Move on to easier targets! See http://xkcd.com/538/ - title text especially.

 

[Quexis]

Undoubtedly the most secure so far.

Here's what I know I should do: minstall (dump all unnecessary/possible vector services that way), reinstall SSH with root access off, run on a high port with key-based login only using a frequently changed password-protected key.

But I don't do that. Just an unencrypted key-based auth, port 22, password-based access off. Before you start screaming, ask yourself: will someone just scanning port 22 even keep trying once they see that password authentication is off? Move on to easier targets! See http://xkcd.com/538/ - title text especially.

For my personal server(s), this.

 

[drmike]

@D. Strout hit my summary on the SSH lock down spot on.  You should consider authoring the cliff notes / Howto for your install/hardening in this area.

Nice to see minstall mentioned   Deja vu, three or more mentions of it in past 24 hours.

Full release (open source) and general info on what minstall is here:

https://github.com/KnightSwarm/Minstall

 

[HalfEatenPie]

Yep I guess I forgot to mention minstall on mine.  

While I agree that you don't want to be the low hanging fruit I believe you should at minimum change the port.  

 

[peterw]

For ssh: http://vpsboard.com/topic/103-simple-security/

For iptables: http://vpsboard.com/topic/980-iptablesip6tables-one-file-script/

Still don't know which log monitor tool is the best.

 

[WelltodoInformalCattle]

I created this thread because well, why not ask people that are in this industry? They encounter and mitigate attacks almost daily. Thanks for the info, I'm sure other people will find this thread useful if they're not as security conscious as you all.