Reading lowendtalk today I was reminded of a few of the tricks I use to make my access to my VPS a little safer and less vulnerable to attack.
One of the first things I do, and advise others to do, is to change the port SSH listens on if you use SSH to log in.
Look in /etc/ssh/sshd_config and change the port number from the default 22 to a four- or five-digit number, e.g. 10000; choose something random yourself.
$ nano /etc/ssh/sshd_config
Once you have changed it, issue this command:
$ /etc/init.d/ssh reload
Now that your port has been changed successfully you need to log out, and the next time you connect you will give the new port number:
$ ssh me@myserver.com -p 10000
This reduces the opportunities for brute-force entry, but attackers will still try. You can also slow them down a bit by adding these two rules to your /etc/init.d/rc.local:
iptables -I INPUT -p tcp --dport 10000 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 10000 -i eth0 -m state --state NEW -m recent --update --seconds 90 --hitcount 4 -j DROP
Notice that the value after --dport is your new SSH port number.
These rules automatically block IP addresses that attempt more than 3 new connections to your server within 90 seconds. Each attacker's IP address is blocked for 90 seconds, which should be long enough for the script running the attack to time out.
Now that we have made these changes, the number of failed login attempts recorded in your /var/log/auth.log file should drop away. You can check this with:
$ grep -c -i "failed" /var/log/auth.log
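To see the rules and the log check side by side, here is an added example script that is not part of the original post: it prints the two iptables rules for a chosen port and interface so they can be reviewed before going into rc.local, and it summarises the failed logins in auth.log per source address instead of only counting them. The port 10000, the interface eth0 and the log lines are constructed sample values, and the parsing assumes the OpenSSH "Failed password for ... from <ip> port <n>" line format.

```shell
#!/bin/sh
# Added example, not code from the original post.
# 1. ssh_ratelimit_rules: print the two iptables rules for a given port and
#    interface so they can be reviewed before being pasted into rc.local.
# 2. failed_logins_by_ip: summarise "Failed password" lines per source IP,
#    which shows whether one host is hammering the port or many are.
# Assumptions: the recent match is available in iptables; auth.log uses the
# OpenSSH "Failed password for ... from <ip> port <n>" line format.

SSH_PORT="${SSH_PORT:-10000}"   # constructed: the port chosen in sshd_config
IFACE="${IFACE:-eth0}"          # constructed: the public interface

# Print the rules (does not apply them). -I inserts each rule at the head of
# the INPUT chain, ahead of any rules already loaded.
ssh_ratelimit_rules() {
    port="$1"; iface="$2"
    printf 'iptables -I INPUT -p tcp --dport %s -i %s -m state --state NEW -m recent --set\n' "$port" "$iface"
    printf 'iptables -I INPUT -p tcp --dport %s -i %s -m state --state NEW -m recent --update --seconds 90 --hitcount 4 -j DROP\n' "$port" "$iface"
}

# Read auth.log text on stdin; print "<count> <ip>" per source, highest first.
failed_logins_by_ip() {
    grep -i 'failed password' \
        | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# Total failed lines on stdin, the same figure as grep -c -i "failed" gives.
count_failed() {
    grep -c -i 'failed'
}

# Constructed sample of /var/log/auth.log (not real traffic; RFC 5737 addresses).
SAMPLE_LOG='Jan 10 03:14:07 vps sshd[2201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jan 10 03:14:09 vps sshd[2201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jan 10 03:14:12 vps sshd[2203]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Jan 10 03:15:01 vps sshd[2210]: Failed password for invalid user test from 198.51.100.9 port 40011 ssh2
Jan 10 03:16:30 vps sshd[2215]: Accepted publickey for newuser from 192.0.2.20 port 50022 ssh2'

echo "# rules to review:"
ssh_ratelimit_rules "$SSH_PORT" "$IFACE"
echo "# failed logins in sample log: $(printf '%s\n' "$SAMPLE_LOG" | count_failed)"
printf '%s\n' "$SAMPLE_LOG" | failed_logins_by_ip
```

On the server, feed the real log with failed_logins_by_ip < /var/log/auth.log after sourcing the script. A single address with a high count is exactly the pattern the recent-match rules are meant to throttle; many addresses with one or two attempts each is a distributed scan that the per-source limit will not slow down much.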
Another good protective step is to stop logging in with the root account, if you currently do, and to use sudo su only when you need to step up to root.
First check that you have a sudo group to add your user to:
$ visudo
If you have a sudo group, add a new user, add them to the sudo group, and then check which groups they now belong to:
$ adduser newuser
$ usermod -a -G sudo newuser
$ groups newuser
Then change your root password, log out, and never log in as root again.
$ passwd
Tip: When you log in again as the new user and switch to root, use the -l parameter so the shell starts as a login shell and picks up the bash_profile.
$ sudo su -l
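Before closing the root session it is worth confirming that the new account really can sudo and that root cannot log in over SSH. The following is an added example, not from the original post: it checks group membership the way groups does (by reading the group file) and reads the effective PermitRootLogin and Port values from sshd_config. PermitRootLogin no is a standard sshd_config option and is one step beyond the post, which only changes the root password. The group and sshd_config files used here are constructed stand-ins; on a real server you would point GROUP_FILE and SSHD_CONFIG at /etc/group and /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example, not code from the original post. Confirms the "no more root
# logins" setup: the new user is in the sudo group, and sshd will not accept
# root logins. GROUP_FILE and SSHD_CONFIG are constructed stand-ins here;
# on a server set them to /etc/group and /etc/ssh/sshd_config.

# user_in_group USER GROUP GROUPFILE: exit 0 if USER is listed in GROUP.
user_in_group() {
    awk -F: -v u="$1" -v g="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit (found ? 0 : 1) }' "$3"
}

# sshd_value CONFIG KEY: print the effective value of KEY. Unlike Apache and
# php.ini, sshd uses the FIRST occurrence of a keyword, so a hardened line
# appended at the bottom of the file does nothing if an earlier one exists.
sshd_value() {
    awk -v k="$2" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Constructed stand-ins for /etc/group and /etc/ssh/sshd_config.
TMPD="$(mktemp -d)"
GROUP_FILE="$TMPD/group"
SSHD_CONFIG="$TMPD/sshd_config"
printf '%s\n' 'root:x:0:' 'sudo:x:27:newuser,alice' 'users:x:100:' > "$GROUP_FILE"
printf '%s\n' '# PermitRootLogin yes' 'Port 10000' 'PermitRootLogin no' 'PermitRootLogin yes' > "$SSHD_CONFIG"

# root_login_ready USER: exit 0 only if USER can sudo and root SSH login is off.
root_login_ready() {
    ok=0
    if user_in_group "$1" sudo "$GROUP_FILE"; then
        echo "ok      $1 is in the sudo group"
    else
        echo "MISSING $1 is not in the sudo group (usermod -a -G sudo $1)"; ok=1
    fi
    v="$(sshd_value "$SSHD_CONFIG" PermitRootLogin)"
    if [ "$v" = "no" ]; then
        echo "ok      PermitRootLogin no"
    else
        echo "MISSING PermitRootLogin is '${v:-unset}', set it to no and reload sshd"; ok=1
    fi
    echo "info    sshd listening on port $(sshd_value "$SSHD_CONFIG" Port)"
    return $ok
}

root_login_ready newuser
```

Run the check from the still-open root session; only when every line reads "ok" is it safe to log out and rely on the new user. The first-occurrence rule is the reason the sample config reports "no" even though a later line says "yes".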
Other tips:
You could also hide the version numbers of the software you are running. Apache and PHP, for example, have settings to hide this information.
To stop Apache sending its version number to visitors, do as follows:
Edit the file httpd.conf or apache2.conf and add the following lines.
ServerSignature Off
ServerTokens Prod
Restart Apache
And for PHP:
Set the following options in the php.ini file.
expose_php = Off
display_errors = Off
Restart Apache or PHP, depending on how you have it configured.
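An added example (not from the original post) to check that all four settings are in effect after editing: it reads the effective value of each directive from the config file, taking the last non-comment occurrence as both Apache and php.ini do when a key appears twice, and reports anything still missing. The apache2.conf and php.ini used here are constructed stand-ins; on a real server point APACHE_CONF and PHP_INI at the actual files.

```shell
#!/bin/sh
# Added example, not code from the original post. Verifies that the Apache
# and PHP settings above are actually in effect in the config files, rather
# than assuming the edit took. Assumptions: APACHE_CONF and PHP_INI name the
# real files on the server; here they default to constructed copies so the
# script runs anywhere.

# effective_value FILE KEY: print the value of KEY, or nothing if unset.
# Apache and php.ini both let a later line override an earlier one, so the
# LAST non-comment occurrence is the one that counts.
effective_value() {
    file="$1"; key="$2"
    sed -e 's/^[[:space:]]*//' "$file" \
        | grep -v '^[#;]' \
        | awk -v k="$key" '
            { line = $0
              sub(/[ \t]*=[ \t]*/, " ", line)        # "key = value" -> "key value"
              n = split(line, f)                     # split on blanks
              if (n >= 2 && tolower(f[1]) == tolower(k)) last = f[2] }
            END { if (last != "") print last }'
}

# check_directive FILE KEY EXPECTED: exit 0 if the effective value matches
# (case-insensitive), otherwise print what was found and exit 1.
check_directive() {
    file="$1"; key="$2"; expected="$3"
    actual="$(effective_value "$file" "$key")"
    lc_actual="$(printf '%s' "$actual" | tr 'A-Z' 'a-z')"
    lc_expected="$(printf '%s' "$expected" | tr 'A-Z' 'a-z')"
    if [ "$lc_actual" = "$lc_expected" ]; then
        echo "ok      $key = $actual  ($file)"
        return 0
    fi
    echo "MISSING $key should be $expected, found '${actual:-unset}'  ($file)"
    return 1
}

# Constructed stand-ins: Apache done as in the post, php.ini only half done.
TMPD="$(mktemp -d)"
APACHE_CONF="${APACHE_CONF:-$TMPD/apache2.conf}"
PHP_INI="${PHP_INI:-$TMPD/php.ini}"
cat > "$TMPD/apache2.conf" <<'EOF'
# ServerTokens Full       <- comment, ignored
ServerTokens Full
ServerTokens Prod
    ServerSignature Off
EOF
cat > "$TMPD/php.ini" <<'EOF'
; expose_php = On
expose_php = Off
display_errors = On   ; still shows errors to visitors
EOF

# audit_version_leaks: exit 0 only when all four settings from the post are in place.
audit_version_leaks() {
    rc=0
    check_directive "$APACHE_CONF" ServerSignature Off || rc=1
    check_directive "$APACHE_CONF" ServerTokens Prod || rc=1
    check_directive "$PHP_INI" expose_php Off || rc=1
    check_directive "$PHP_INI" display_errors Off || rc=1
    return $rc
}

audit_version_leaks || echo "fix the MISSING lines, then restart Apache/PHP"
```

The sample php.ini deliberately leaves display_errors on, so the audit reports one MISSING line; once the real file is corrected and Apache or PHP restarted, the same script should print four "ok" lines.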