safety – How to provide a basic level of security for a VPS / VDS server?

Question:

Greetings. Not so long ago I began to use a VPS / VDS server, so the question arose – what should be done to eliminate obvious security holes? What interests me is the server setup, not the security in scripts and program code. The server is running Ubuntu. I would like to hear general recommendations and what you should pay attention to.

Answer:

If you put it from the official release, all the security is already there.

If you are the only real user in the system, then you do not need to do anything else. It's simple: you don't need to differentiate between rights. The exception is system users (memcache, mysql, www-data), but again, apt-get will do everything for you. System users are numbered up to 1000 ( cat /etc/adduser.conf | grep FIRST_GID , cat /etc/passwd ). Working as root all the time is not safe anyway.

In the case of such "monopoly" the password for MySQL is not necessary to set, since by default it listens only to localhost . Moreover, memcache and Mongodb without a password by default, since they are accessible only from localhost , and the time when a bunch of users (accountants, programmers, etc) worked on one server, who needed to be "filtered" by access, has passed.

root also disabled by default, and web servers run under www-data .

fail2ban I would not bet if you have a cryptographically strong password (try the apg command), login is not root and you are not paranoid. You can look at the logs a little later – there will be a brute-force root, and no one knows your username except you. And the server does not report that there is no such user. This is my IMHO.

But the really important things are timely software updates (my first share was broken through a vulnerability in some graphics package). You've probably heard about high-profile vulnerabilities like heartbleed and Meltdown. Also, do not run dubious scripts downloaded on some forum without analysis.

The second is the correct configuration of the installed software, here, as appropriate, see the documentation.

  • decided to make ftp – be prepared for a password leak, since the login-password will be transmitted through several servers in clear text. An alternative is sftp . I also recommend chroot chroot
  • let your friend use the server – chroot , MySQL password, open_basedir and shell_exec and other similar functions for PHP (see php.ini ).

Third. Most often they break through vulnerabilities in web scripts. This is a separate big topic. Examples:

  • leaked source code and site passwords from the .git repository in the root of web documents. Add blocking via .htaccess (apache) or nginx rule, or create a repository above the web document root.
  • allow the web server to write only to a single directory – "uploads" ( upload/ , media/upload/ , etc), and forbid the execution of scripts from this directory
  • use git, with its help it is possible to understand "what has changed"
  • do not use dubious CMS assemblies and update their versions regularly
  • if you are a developer, be sure to read about XSS and SQL Injection

If you decide to go even further, then:

Scroll to Top