When you purchase a VPS or Dedicated Server, you need to protect it. Bots trawl the Internet looking for any possible vulnerability, and an open VPS or Dedicated Server is a potential goldmine.
But, thankfully, locking down your server is fairly easy – whether it’s on Linux or Windows. Just follow these few tips, and you’ll have a server that’s well on its way to being safe.
Change the login port
For Linux machines, the default SSH port is 22, so that is the port every automated brute-force bot tries first. Moving SSH to a different port cuts that background noise to almost nothing, but a port scan will still find the new port, so treat this as a noise-reduction measure rather than protection: key-based authentication and the fail2ban setup below are what actually stop password guessing.
You can change it to any number you want, but check that it isn't already used by another program on the server (look at /etc/services and at the output of ss -ltn). Prefer an unused port below 1024: those can only be bound by root, so an unprivileged local process cannot stand in for sshd if the service is ever down. The full list of registered TCP and UDP ports is on Wikipedia.
To switch your port:
- SSH into your server with your root login
- Open /etc/ssh/sshd_config in the text editor of your choice
- Find the line # Port 22 (on newer systems it reads #Port 22)
- Remove the # next to Port 22
- Replace 22 with your new port number
- Save and exit the config file
- Check the file for typos with sshd -t; it prints nothing on success
- Open the new port in your firewall before you restart anything, for example ufw allow 2222/tcp, or firewall-cmd --permanent --add-port=2222/tcp followed by firewall-cmd --reload. On SELinux systems (CentOS, RHEL, Fedora) also run semanage port -a -t ssh_port_t -p tcp 2222, or sshd will be refused the new port
- Restart the SSH service: systemctl restart ssh (Debian/Ubuntu) or systemctl restart sshd (CentOS/RHEL/Fedora); on older systems without systemd, /etc/init.d/ssh restart
- Keep your current session open and log in from a second terminal using the new port (ssh -p 2222 root@your-server, with 2222 as the example port). Only close the first session once the new one works
On Windows, you can change the RDP port (the default is 3389) in the same way, making it more difficult for other people to Remote Desktop into your computer.
To switch your port:
- Remote Desktop into your server
- Press the Windows key and R to open the Run dialog, type regedit and press Enter
- Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
- Double-click the PortNumber value (or right-click it and choose Modify)
- Select the Decimal base
- Enter the port number of your choice
- Click OK
You will need to make certain that your new port is authorised within your Windows firewall before you restart your server, otherwise you will lock yourself out:
- Open an elevated command prompt (right-click Command Prompt and choose Run as administrator)
- Enter
netsh advfirewall firewall add rule name="Open new RDP Port" dir=in action=allow protocol=TCP localport=[New Port]
Once it has been added, you can exit the registry editor and restart your server; the change only takes effect once the Remote Desktop service has restarted. Make certain that you add the new port to your RDP client when you log in, in the form your-server:[New Port].
Create a new root or administrative login
When you first set up your server, you'll have either your root login (if you're on Linux) or an Administrator login (if you're on Windows). These have all the power, but because their usernames are the same on every server, every brute-force attempt targets them first.
But you can give a differently named user the same power and then stop the default account from logging in remotely.
To set up your new user and disable root logins over SSH in Linux:
- SSH into your server with your root login
- Create the user and put it in the sudo group: useradd -m -G wheel [username] on CentOS/RHEL/Fedora, or useradd -m -G sudo [username] on Debian/Ubuntu (-m creates the home directory)
- Set its password with passwd [username] and enter the new password
- On CentOS/RHEL/Fedora, run visudo (never edit /etc/sudoers directly; visudo checks the syntax, and a broken sudoers locks everyone out of sudo), find the line # %wheel ALL=(ALL) ALL and remove the # next to %wheel. On Debian/Ubuntu the equivalent %sudo line is already active, so skip this step
- Save and exit
- Open /etc/ssh/sshd_config in the text editor of your choice
- Add AllowUsers [username] above any Match block (a directive placed after a Match line applies only to that match)
- Find the line # PermitRootLogin yes (newer versions show #PermitRootLogin prohibit-password), remove the # and change the value to no
- Save and exit the config file, then check it with sshd -t
- Restart the SSH service: systemctl restart ssh (Debian/Ubuntu) or systemctl restart sshd (CentOS/RHEL/Fedora); on older systems, /etc/init.d/ssh restart
- Keep the root session open, log in from a second terminal using your new user account, and confirm that sudo -i gives you a root shell before you close the original session
This disables root over SSH only; the root account still exists and you reach it through sudo. Do not lock or delete the root account itself.
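The port change and the new-admin-user procedure above edit the same file, so here they are as one script. This is an added example, not code from the original post: it assumes a GNU/Linux host (useradd, GNU awk or mawk, sshd -t, systemctl or an init script) and takes the username and port as arguments. Run with no arguments it only demonstrates the config rewrite on a constructed copy; --apply USER [PORT] changes the live system.

```shell
#!/bin/sh
# Added example (not from the original post): the SSH-port and new-admin-user
# procedures as one idempotent script. Without arguments it only defines the
# functions and prints a demo; "--apply USER [PORT]" changes the system.
set -eu

# Set KEY to VALUE in an sshd_config-style FILE, editing in place:
#  - rewrites the first active ("Port 22") or commented-out ("#Port 22") line,
#  - otherwise inserts before the first Match block (directives after a Match
#    line apply only to that match), or appends if there is no Match block.
# Writing through cat keeps the file's inode and permissions.
set_sshd_option() {
  file="$1"; key="$2"; value="$3"
  tmp="$(mktemp)"
  awk -v key="$key" -v value="$value" '
    !seen && $0 ~ "^[# \t]*" key "([ \t]|$)" { print key " " value; seen = 1; next }
    !seen && $0 ~ "^[ \t]*Match([ \t]|$)"    { print key " " value; seen = 1 }
    { print }
    END { if (!seen) print key " " value }
  ' "$file" > "$tmp"
  cat "$tmp" > "$file"
  rm -f "$tmp"
}

# Admin group on this distribution: "sudo" (Debian/Ubuntu) or "wheel"
# (CentOS/RHEL/Fedora). Fails if neither exists.
sudo_group() {
  if getent group sudo >/dev/null 2>&1; then echo sudo
  elif getent group wheel >/dev/null 2>&1; then echo wheel
  else echo "no sudo or wheel group found" >&2; return 1
  fi
}

if [ "${1:-}" = "--apply" ]; then
  user="${2:?usage: $0 --apply USERNAME [PORT]}"
  port="${3:-22}"
  cfg=/etc/ssh/sshd_config
  grp="$(sudo_group)"

  id "$user" >/dev/null 2>&1 || useradd -m -G "$grp" "$user"
  passwd "$user"
  # Grant the group sudo via a drop-in checked by visudo -c rather than editing
  # /etc/sudoers by hand; a syntax error there locks everyone out of sudo.
  printf '%%%s ALL=(ALL) ALL\n' "$grp" > "/etc/sudoers.d/90-$grp"
  chmod 0440 "/etc/sudoers.d/90-$grp"
  visudo -c

  cp -p "$cfg" "$cfg.bak"
  set_sshd_option "$cfg" Port "$port"
  set_sshd_option "$cfg" PermitRootLogin no
  set_sshd_option "$cfg" AllowUsers "$user"
  sshd -t                                   # refuse to restart on a bad config
  # Open the port before restarting, with whichever firewall is present.
  if command -v ufw >/dev/null 2>&1; then ufw allow "$port/tcp"; fi
  if command -v firewall-cmd >/dev/null 2>&1; then
    firewall-cmd --permanent --add-port="$port/tcp" && firewall-cmd --reload
  fi
  systemctl restart ssh 2>/dev/null || systemctl restart sshd 2>/dev/null \
    || /etc/init.d/ssh restart
  echo "Keep this session open; from another terminal run: ssh -p $port $user@<host>"
else
  # Demo on a constructed copy so that running the script does not touch the host.
  demo="$(mktemp)"
  printf '# Port 22\n#PermitRootLogin prohibit-password\nMatch User backup\n' > "$demo"
  set_sshd_option "$demo" Port 2222
  set_sshd_option "$demo" PermitRootLogin no
  set_sshd_option "$demo" AllowUsers deploy
  cat "$demo"
  rm -f "$demo"
fi
```

The demo output shows the three directives landing where sshd expects them: the commented defaults are replaced in place, and AllowUsers is inserted above the Match block rather than appended below it, where it would only apply to that match.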
To set up your new user and disable the built-in Administrator user in Windows:
- Log into your server with your Administrator login
- Click Start, then open Computer Management
- Expand Local Users and Groups and click the Users folder
- Right-click and select New User
- Enter the new user's name and password
- Untick User must change password at next logon
- Click Create
- Click the Groups folder, right-click Administrators, select Add to Group and add the user you have just created
- Log out and log back in using your new user account, and check that you can open an elevated prompt
- Only then disable the built-in account: back in Local Users and Groups, double-click the Administrator user and tick Account is disabled
Keep the steps in this order; disabling Administrator before the new account is confirmed to work leaves you with no way to administer the server.
Block suspicious IP addresses
Once you've changed the port and the root account, you can protect your server even more by automatically blocking addresses that keep failing to log in.
On Linux systems, fail2ban is a good piece of security software that can help you.
To set up fail2ban:
- Log into your server
- Use apt-get or yum to install fail2ban
- Do not edit /etc/fail2ban/jail.conf, which may be replaced when the package is upgraded. Put your settings in /etc/fail2ban/jail.local instead: you can create it by copying jail.conf (cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local), but since jail.local is layered on top of jail.conf, a jail.local containing only the settings you change is easier to maintain
- Open /etc/fail2ban/jail.local in the text editor of your choice
- Define how long suspicious IP addresses are blocked under bantime. The value is specified in seconds, so, for example, a 10 minute ban would be 600
- Define how many failed login attempts are allowed under maxretry, and the window in which they are counted under findtime (also in seconds)
- Add your own IP address to ignoreip so that you cannot ban yourself
- Under the SSH jail ([sshd] in current versions, [ssh] in old ones), set enabled = true and change port = ssh to the new port number you specified above
- Check the configuration with fail2ban-client -t, then restart fail2ban with systemctl restart fail2ban, or /etc/init.d/fail2ban restart on older systems
You can then see what is currently banned with fail2ban-client status sshd, and review the log of blocked IP addresses in /var/log/fail2ban.log
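To make the maxretry threshold concrete, here is the per-IP tally that fail2ban's sshd filter performs, run over a few constructed auth.log lines, together with the jail.local that the steps above produce. This is an added example, not part of the original post or of fail2ban itself; the log lines are made up (TEST-NET addresses), the --apply branch assumes the fail2ban 0.10+ layout ([sshd] jail, fail2ban-client -t), and the SSH port and your own IP are passed as arguments.

```shell
#!/bin/sh
# Added example (not from the original post): what fail2ban's sshd jail counts,
# run over constructed auth.log lines, plus the matching jail.local. Without
# arguments nothing on the host is touched; "--apply SSH_PORT [YOUR_IP]" writes
# /etc/fail2ban/jail.local and restarts the service (fail2ban 0.10+ assumed).
set -eu

# Write constructed sample log lines (TEST-NET addresses) to PATH.
write_sample_log() {
  cat > "$1" <<'EOF'
Mar  3 10:01:02 vps sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  3 10:01:04 vps sshd[1203]: Failed password for root from 203.0.113.7 port 51130 ssh2
Mar  3 10:01:05 vps sshd[1205]: Failed password for invalid user test from 198.51.100.9 port 40010 ssh2
Mar  3 10:01:07 vps sshd[1207]: Failed password for root from 203.0.113.7 port 51138 ssh2
Mar  3 10:01:09 vps sshd[1209]: Accepted publickey for deploy from 198.51.100.20 port 53000 ssh2
Mar  3 10:01:11 vps sshd[1211]: Failed password for invalid user oracle from 198.51.100.9 port 40022 ssh2
EOF
}

# Print "count ip" for every source with at least MAXRETRY failed password
# attempts in LOGFILE, most active first. This is the per-IP tally behind
# maxretry, minus the findtime window: it counts the whole file.
failed_ssh_by_ip() {
  awk -v max="$2" '
    /sshd\[[0-9]+\]: Failed password for / {
      for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
    }
    END { for (ip in n) if (n[ip] >= max) print n[ip], ip }
  ' "$1" | sort -rn
}

if [ "${1:-}" = "--apply" ]; then
  port="${2:?usage: $0 --apply SSH_PORT [YOUR_IP]}"
  # Overrides only; jail.local is layered on top of the packaged jail.conf.
  cat > /etc/fail2ban/jail.local <<EOF
[DEFAULT]
bantime  = 600
findtime = 600
maxretry = 5
ignoreip = 127.0.0.1/8 ::1 ${3:-}

[sshd]
enabled = true
port    = $port
EOF
  fail2ban-client -t
  systemctl restart fail2ban 2>/dev/null || /etc/init.d/fail2ban restart
  fail2ban-client status sshd
else
  log="$(mktemp)"
  write_sample_log "$log"
  echo "Sources with 3 or more failures (banned at maxretry = 3):"
  failed_ssh_by_ip "$log" 3
  rm -f "$log"
fi
```

On the sample data 203.0.113.7 is reported with three failures and 198.51.100.9, with two, is not; the accepted public-key login is ignored. Lower maxretry to 2 and both addresses appear, which is the trade-off the setting controls: a low value bans faster but also bans you after a couple of typos, which is why ignoreip should carry your own address.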
On your Windows server, if you host websites with IIS, you can use the Dynamic IP Restrictions feature, which helps protect those sites against request floods and brute-force attacks on web logins. With Dynamic IP Restrictions, you can limit how many requests a single IP address may make, both within a set amount of time and concurrently. Note that it only applies to HTTP(S) traffic handled by IIS; it does nothing for RDP, so for Remote Desktop rely on the changed port above together with an account lockout policy and, where possible, a firewall rule that only allows RDP from your own IP addresses.
On IIS 7 and 7.5 you can install Dynamic IP Restrictions by downloading it from Microsoft's IIS download page, or use the Web Platform Installer on your server. From IIS 8 onwards it is built in as part of the IP and Domain Restrictions role service and appears in IIS Manager as IP Address and Domain Restrictions.
To configure Dynamic IP Restrictions:
- Log into your server
- Open IIS Manager
- Select the server node if you want to configure server-wide settings, or select a site node to configure site-specific settings
- Click Dynamic IP Restrictions (on IIS 8 and later: IP Address and Domain Restrictions, then Edit Dynamic Restriction Settings)
- You can deny IP addresses by the maximum number of concurrent requests and also by the number of requests over a period of time
- You can also add allowed IP addresses by clicking Show Allowed Addresses under the Actions column
With these three simple processes, you can make sure your server is protected. What other tips do you have for protecting your server?