Hello, I'm not the best in Linux, but I have my own little way of setting up my VPS and would like to know if anyone might have any improvements over my setup. I only run a webserver on port 80. So what I do is turn off the SSH root login and set the max SSH failed passwords to 2 tries. But then I also have a port knocking system in iptables, so let's say you have to knock port 6000 then 2222 within 3 seconds, and then port 22 opens for the SSH connection to whoever's IP knocked it open (for 5 seconds). I don't really want to use SSH keys, but I think my way is more than enough, right? If someone does try to brute force it (after they find the port knocking) they only have 2 password attempts, then get banned for 300 seconds.
Anyway, this is how I set up my Debian 7 VPS, if anyone is curious. It's a vanilla security setup. I'd rather not use other programs like fail2ban.
Debian 7.0 64-bit
$ apt-get update
$ apt-get upgrade
$ apt-get install nano
$ adduser @@@@@@@@@@@
userpassword:@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
$ nano /etc/ssh/sshd_config
change PermitRootLogin to no
add this to the bottom: "MaxAuthTries 2"
$ /etc/init.d/ssh reload
######################### setting up the firewall #########################
$ nano /etc/iptables.temp.rules
"
*filter
-P INPUT DROP
-P OUTPUT ACCEPT
-P FORWARD DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# drop malformed scan packets: null, non-SYN "new", and xmas
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
# rate limit: every new SSH connection is recorded, and the 3rd one from the
# same IP within 300 s is dropped (the --update also extends the ban)
-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 300 --hitcount 3 -j DROP
# port knocking: the first knock puts the IP in PHASE1, the second knock moves
# it to PHASE2 only if it arrives within 3 s of the first
-N INTO-PHASE2
-A INTO-PHASE2 -m recent --name PHASE1 --remove
-A INTO-PHASE2 -m recent --name PHASE2 --set
# no catch-all "-m recent --update --name PHASE1" rule here: it would refresh the
# PHASE1 timestamp on every packet from the IP, so the 3 s window could never expire
-A INPUT -p tcp --dport @@@@ -m recent --set --name PHASE1
-A INPUT -p tcp --dport @@@@ -m recent --rcheck --seconds 3 --name PHASE1 -j INTO-PHASE2
# port 22 is open to the knocking IP for 5 s after the second knock
-A INPUT -p tcp --dport 22 -m recent --rcheck --seconds 5 --name PHASE2 -j ACCEPT
-A INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"
$ iptables-restore < /etc/iptables.temp.rules
$ nano /etc/rc.local
iptables-restore < /etc/iptables.temp.rules   # put this above the final "exit 0" line
###################################### Now the firewall is set up and done
Any criticism is welcome.
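Because the whole design rests on xt_recent timing windows, it is worth replaying traffic through a model of the chain before trusting it. The script below is an added example, not code from the post: it reproduces the kernel's `recent` match semantics (`--set`, `--rcheck`, `--update`, `--remove`, `--seconds`, `--hitcount`) and walks SYN packets through the posted INPUT chain in rule order. The knock ports 6000 and 2222 are taken from the prose (the file masks them), and only new-connection packets are modelled, since established traffic is handled by the RELATED,ESTABLISHED rule. The constructor flags are assumptions for comparison: `knock_secs=0` with `refresh_phase1=True` reproduces the file exactly as posted; `knock_secs=3` with `refresh_phase1=False` is the variant that actually enforces the 3-second inter-knock window.

```python
"""Model of the xt_recent port-knock and SSH rate-limit rules from the post.

Added example, not part of the original post. Replays SYN packets
(time, source IP, destination port) through the INPUT chain so the timing
windows can be checked offline. Only new-connection packets are modelled.
"""
from collections import defaultdict

KNOCK1, KNOCK2 = 6000, 2222   # knock ports from the prose (assumed; the rules file masks them)
OPEN_SECS = 5                 # --seconds 5 on the PHASE2 check for port 22
SSH_HITS, SSH_SECS = 3, 300   # --hitcount 3 --seconds 300 on port 22
LIST_TOT = 20                 # xt_recent default ip_pkt_list_tot: stamps kept per address


class RecentList:
    """One xt_recent list: address -> timestamps, newest first (kernel semantics)."""

    def __init__(self):
        self.stamps = defaultdict(list)

    def set(self, ip, now):            # --set: add a stamp, creating the entry if needed
        self.stamps[ip].insert(0, now)
        del self.stamps[ip][LIST_TOT:]

    def remove(self, ip):              # --remove
        self.stamps.pop(ip, None)

    def check(self, ip, now, seconds=0, hitcount=0, update=False):
        """--rcheck (update=False) or --update (update=True).

        Matches if the address has at least `hitcount` stamps (1 when 0) no
        older than `seconds` (any age when 0); --update also stamps on a match.
        """
        if ip not in self.stamps:
            return False
        hits = 0
        for stamp in self.stamps[ip]:
            if seconds and stamp < now - seconds:
                continue
            hits += 1
            if not hitcount or hits >= hitcount:
                if update:
                    self.set(ip, now)
                return True
        return False


class KnockFirewall:
    """The post's INPUT chain, evaluated in rule order for one SYN at a time."""

    def __init__(self, knock_secs=0, refresh_phase1=True):
        # Defaults reproduce the posted file: no --seconds on the second knock
        # and the catch-all '-A INPUT -m recent --update --name PHASE1' present.
        self.knock_secs = knock_secs
        self.refresh_phase1 = refresh_phase1
        self.ssh = RecentList()        # the unnamed DEFAULT list
        self.phase1 = RecentList()
        self.phase2 = RecentList()

    def syn(self, now, src, dport):
        """Return the verdict ('ACCEPT'/'DROP') for a new connection at time now."""
        if dport == 22:
            self.ssh.set(src, now)
            if self.ssh.check(src, now, SSH_SECS, SSH_HITS, update=True):
                return "DROP"          # 3rd new SSH connection in 300 s; the update extends the ban
        if self.refresh_phase1:
            self.phase1.check(src, now, update=True)   # catch-all rule: re-stamps PHASE1 on any packet
        if dport == KNOCK1:
            self.phase1.set(src, now)
        if dport == KNOCK2 and self.phase1.check(src, now, self.knock_secs):
            self.phase1.remove(src)    # INTO-PHASE2
            self.phase2.set(src, now)
        if dport == 22 and self.phase2.check(src, now, OPEN_SECS):
            return "ACCEPT"
        if dport in (80, 443):
            return "ACCEPT"
        return "DROP"                  # -P INPUT DROP


def replay(fw, packets):
    """Feed (time, src, dport) SYNs to the firewall; return the verdicts in order."""
    return [fw.syn(t, src, port) for t, src, port in packets]


if __name__ == "__main__":
    ip = "198.51.100.7"   # constructed client address
    good = [(0.0, ip, KNOCK1), (1.0, ip, KNOCK2), (3.0, ip, 22)]
    print(replay(KnockFirewall(), good))                                  # ['DROP', 'DROP', 'ACCEPT']
    slow = [(0.0, ip, KNOCK1), (10.0, ip, KNOCK2), (11.0, ip, 22)]
    print(replay(KnockFirewall(knock_secs=3), slow))                      # still ['DROP', 'DROP', 'ACCEPT']
    print(replay(KnockFirewall(knock_secs=3, refresh_phase1=False), slow))  # ['DROP', 'DROP', 'DROP']
```

Two things the replay makes visible that the rules file does not: adding `--seconds 3` to the second knock changes nothing while the catch-all `--update --name PHASE1` rule is present, because that rule re-stamps PHASE1 on the second knock itself before the check runs; and the port-22 limit is two new connections per 300 s per IP, with every further attempt inside the window adding another stamp and so pushing the ban out.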
http://ift.tt/1dvHQ0Z