Do you have a VPS (virtual private server) running in the cloud? Digital Ocean and Linode are some examples of some Linux based VPS. Often, the only way to test out a concept on the fly or, in other cases, you may have a full-blown web application. You want to avoid running your server unprotected. If you have ever had the chance to see a sshd failed login log, you may know what we mean. It can be down right frightening. You might see all kinds of intruder IPs coming in from countries all over the world. You will have to protect your application on numerous levels. First, you will want to check out our blog on Top 5 settings to harden your Linux SSH Server. That way, your SSH connection will be the first thing secured.
For starters, we will cover the importance of protecting your account login. Then, we will work with password protecting your admin panel if you are running a web-based application. Next, we will go over the importance of preemptively stopping pings and UDP/TCP flood prevention. Next we will talk about systemd units and how to see if you’re vulnerable. Then I will go over some software that will protect you while you go about your day, both front and back end protection. You will be able to use these practices in more than one server environment. Thus, making this general safety advice rather than a 100% guarantee that you will not experience a breech.
LOGIN & 2-FACTOR AUTHENTICATION
Next thing you really want to use, but with extreme caution, would be two-factor authentication. You have a few options here. You can use something like Google Authenticator, which depends on your phone or android device, real or virtual. Google uses time sensitive codes that expire in seconds. The most interesting thing about Google Authenticator is that it can be installed locally. That’s right, you can authenticate via terminal for login. Prompting a verification code after your password. This can be very user-friendly using the qr code feature. You will always want to download or copy and paste any backup codes you are offered. We stress this fact, due to the rigorous process you will be authenticated with if you lose them. Not to mention, being locked out of your machine locally.
Last, we would recommend a web-based plugin. If you run Firefox, then you may have heard of Authenticator. It is very similar to Google Authenticator as it generates codes the same. You will also want to be sure to save any backup codes offered. They also include a qr code function that you trace over the code in the browser. Very nice, with a manual entry option as well.
Next, We would like to talk to you about apache2-utils. We know, “What if you are running Nginx on your VPS?” You can use this utility to password protect your web-portals or even your entire site, keeping it private while building or even to give a business portal that extra layer of protection. That’s right, you can protect your WordPress login page or even your Django login. You can use it with both Apache and or Nginx, as these two powerful web servers can be used on their own or in stacks that can get rather complicated. This is not a replacement for a login page. Rather, an added layer. We would love to explain more, but we will need to write a blog all about it to explain exactly how it is used and implemented.
PINGS & UDP/TCP
Pings, the licked finger in the wind of the internet. One of the older tools that let you see if a site is up or even to see if you have networking functionality on your Linux system. Pings are great when used for good. But, hackers like to use them to see if they were successful in their work. For this reason, I like to disable them.
sudo iptables -A INPUT -p icmp --icmp-type echo-request -j REJECT
You can see we are using IP tables to help us do this. We are rejecting requests. You can protect your server from DDoS or distributed denial of service attacks by evaluating the use of UDP/TCP protocol usage. You see, these protocols can be used to induce a flood of requests. Thereby shutting your site down. Each protocol will get attention in the coming weeks as they can be complicated.
Do you know what systemd units are? To be brief, as they deserve a series of blogs. They are the meat of your system. These units describe service, socket, mount, automount, and swap to just name a few. They often need evaluation to see if you can limit the risk or be rid of it completely. For just a taste of what I mean, try this command on your system to see what pops up.
To expand further into a unit’s vulnerabilities, you can use the same command with the name of the service.
systemd-analyze security NetworkManager.service
Just running the security check can make you sulk a little. I know, it blows my mind that, so many services are seemingly vulnerable. It is important to see the context here. The good news is that you can look into what you might need to do with the information provided with these simple tests.
Finally, we bring you fail2ban. It to deserves an entire blog written about it. This wonderful application allows you to create jails to put offenders in when trying to do naughty things. You can create jails that work with Apache or Nginx to block hack-bots on your front end all the way to protecting your SSH login, making it a bit of a multi-tool. You can green light your own IP and red light anyone with very creative settings from ban time limits to using algorithms. Furthermore, you can keep it so safe that if you forget to green light your new IP, it will even keep you out. Now that is the kind of digital watch dog we all want.
We hope that you come away from this with curiosity and a need to beef up security. You are the first line of defense as humans are often the weakest link in the chain when it comes to web safety, running your own VPS. An honorable mention would also be to check if your phone number and emails have been compromised. You can check it on haveibeenpwned to see for yourself. Here we leave you to think of how you can make your site safer. Thanks for reading.