[HELP] Secure my server

Discussion in 'Systems Administration' started by cGDeadly, Nov 14, 2019.

  1. I have UFW installed, and I have enabled all the services I am using through that. I have set up Fail2Ban, disabled SSH password login, as well as root login. I use SSH keys with a password on them. I do everything through sudo.

    Currently I am running MariaDB server, spigot 1.14.4 server, and Apache2. I also have another machine acting as a NAS for personal backups running FreeNAS. For the MariaDB server, every plugin has its own user and database, and root login is disabled (except through sudo).

    Is there any more that I can do? I want to make sure it is locked down as much as possible.
     
  2. Change SSH Ports (if not already done) to avoid script kiddies
     
  3. foncused

    Moderator Patron

    Not a bad idea but does not actually accomplish much as the new port can just be discovered.

    @cGDeadly it sounds like you have already taken care of the main concerns. You could secure your server further by disabling/removing unused services (e.g. IPv6), hardening Apache (ModSecurity, SSL certs), and disabling USB devices. Additionally always remember to keep the system updated with the latest patches and package releases to minimize vulnerability.

    These guides may be slightly outdated but most of the points made in them are still valid:
    Aside from that, ensure your firewall is set up correctly to explicitly allow specific traffic and deny/drop everything else. I personally do not care much for Fail2ban because my firewall rules already restrict SSH login to specific source addresses. For some servers (mostly those hosting web content on :80/:443) I also drop traffic from Tor exit nodes.

    If you have any interest in automated backups with rsync, feel free to check out this thread.
     
  4. I have done this as well
     
  5. Thank you for the resources! I am definitely going to go through those and make sure I make it as secure as possible.
     
  6. Strahan

    Benefactor

    Yea, that's called "security through obscurity" and is generally considered to be a waste of time.
     
  7. One thing I am having trouble with is the IPTables. I need it to work with Apache2 (80, 443), MariaDB, the Minecraft server port 25565, and my SSH port.
     
  8. foncused

    Moderator Patron

    Example rules:
    Code (Bash):
    # Apache
    iptables -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
    # Minecraft
    iptables -A INPUT -p tcp -m tcp --dport 25565 -j ACCEPT
    # Minecraft query
    iptables -A INPUT -p udp -m udp --dport 25565 -j ACCEPT
    # SSH
    iptables -A INPUT -s <your IP address(es)> -p tcp -m tcp --dport 22 -j ACCEPT
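
A complete default-deny version of the rules above, as an added example (not foncused's ruleset): it keeps the thread's ports, restricts SSH to an assumed admin range (203.0.113.0/24 is a constructed documentation address), leaves MariaDB's 3306 closed to the outside since the plugins reach it over loopback, and adds a dry-run check so the policy can be verified before it is loaded.

```shell
#!/bin/sh
# Default-deny IPv4 INPUT policy for the services named in the thread:
# Apache (80/443), Minecraft (25565 TCP + UDP query), SSH from trusted
# addresses only, MariaDB reachable over loopback only.
# Added example, not foncused's ruleset. ADMIN_NETS and SSH_PORT are assumed
# values; 203.0.113.0/24 is a constructed RFC 5737 documentation range.
# IPv4 only: ip6tables needs an equivalent unless IPv6 is disabled.
set -eu

IPT="${IPT:-iptables}"
SSH_PORT="${SSH_PORT:-22}"
ADMIN_NETS="${ADMIN_NETS:-203.0.113.0/24}"

apply_rules() {
    $IPT -F INPUT                      # start clean so re-runs are idempotent
    $IPT -P INPUT DROP                 # deny everything not explicitly allowed
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT      # loopback: local plugins -> MariaDB :3306
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    # Apache
    $IPT -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
    # Minecraft game traffic and query protocol
    $IPT -A INPUT -p tcp --dport 25565 -j ACCEPT
    $IPT -A INPUT -p udp --dport 25565 -j ACCEPT
    # SSH only from the admin address(es); everything else falls to DROP
    for net in $ADMIN_NETS; do
        $IPT -A INPUT -s "$net" -p tcp --dport "$SSH_PORT" -j ACCEPT
    done
    # Rate-limited log of what the default policy drops, for checking in syslog
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
}

# Print the iptables commands instead of running them (no root needed).
show_cmd() { printf '%s\n' "$*"; }
dry_run() { ( IPT=show_cmd; apply_rules ); }

# Exit 0 if the ruleset accepts TCP port $1 from any source address.
# Confirms 3306 stays closed and 22 is source-restricted before loading.
world_open_tcp() {
    dry_run | grep -v -- ' -s ' |
        grep -E -- "-p tcp (-m multiport --dports ([0-9]+,)*$1(,[0-9]+)* |--dport $1 )-j ACCEPT" >/dev/null
}

case "${1:-}" in
    apply) apply_rules ;;           # as root: sh firewall.sh apply
    show)  dry_run ;;               # review first: sh firewall.sh show
esac
```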
     
  9. Devins

    Devins Previously Xerolyph

    It's a good idea to scan your server from the outside with nmap as well to see what ports are open, and make sure you close the unused ones down. Scanning your server also shows you what a potential hacker is able to see.
    This is bad practice as previously mentioned, but I would like to add that if you don't keep the port below 1,024 (ports reserved for root), you can open a security hole that allows rogue programs without root access to take control of that port if SSH gets terminated. This is unlikely to happen, but it is good to know as it helps secure your server a bit more. Being locked out of SSH or logging into SSH with all your activity being tracked is not a good thing. Since fail2ban is in place and password access is disabled, changing the port is completely pointless and a little bit less secure if it's now above 1,023.
     
  10. Make sure that the network you're on allows this before attempting it, or your service provider can and will terminate your contract for doing this (even to your own hardware).

    You will often find out by viewing the ToS or AUP.
     
  11. Devins

    Devins Previously Xerolyph

    As long as you scan your own servers/machines (you just give permission to yourself :rolleyes:), there won't be any issues. Generally, third party hosting providers like Digital Ocean encourage you to scan your server for open ports anyway. Not being able to pen-test your own server would probably result in open holes all over the place.
     
  12. Quite a useless security measure. Script kiddies will not be able to brute force SSH key login, an SSH key is equivalent to a 600 character password where all characters are unique or something like that. It would take hundreds of years for anyone to do it.