How to protect your Linux VPS

Source: Internet
Author: User
Tags: vps, least privilege

This article is a translation of DigitalOcean's An Introduction to Securing your Linux VPS; reading the original is recommended. It was previously posted in the OSC translation area and has passed review, so it had to be published here on the blog.


Taking control of your own Linux server is a good opportunity to learn new things and to take advantage of the power and flexibility of a great platform. However, a Linux server administrator must take the same precautions as with any networked machine to keep it secure.
Many different topics fall under "Linux security", and there are many opinions about what an appropriate level of security looks like for a Linux server.
You have to decide for yourself which safeguards are necessary. Before you do, you need to know the risks and make an informed decision about the trade-off between usability and security.
This article is meant to give you an overview of some of the most common security measures in a Linux server environment. It is not an exhaustive list, and it does not cover the recommended configurations, but it links to more comprehensive resources and discusses why each component is an important part of the system.

Using firewalls to block connections

One of the simplest measures recommended for all users is to configure and enable a firewall. A firewall acts as a barrier between your machine and the traffic on the network: it watches what goes in and out of the server and decides whether to let it through.
The firewall does this by checking traffic against a set of rules configured by the user. Typically, a server opens only a specific number of ports for legitimate services. The remaining ports should be closed and protected by the firewall, which denies all traffic destined for them.
This lets you drop traffic you do not expect and, in some cases, even restrict access to real services to specific conditions. Sensible firewall rules provide a solid foundation for network security.
There are a number of firewall solutions available. We will only talk about a few of them here.

UFW

UFW stands for uncomplicated firewall. Its goal is to provide good protection without the complicated syntax of other firewalls.
UFW, like most Linux firewalls, is a front end for the NetFilter firewall built into the Linux kernel. It is a simple choice for people who are not yet familiar with Linux firewalls, and usually a good one.

Iptables

Probably the best-known Linux firewall solution is iptables. Iptables is another component used to manage the NetFilter firewall in the Linux kernel. It has been around for a long time and has undergone rigorous security audits. There is a version of iptables called ip6tables, which is used to create rules for IPv6.
You will probably encounter iptables configurations while administering Linux servers. The syntax can be a bit difficult to pick up at first, but it is an incredibly powerful tool that can be configured with a very flexible set of rules.

Ip6tables

As mentioned above, iptables is used to manipulate the tables that hold the rules for IPv4. If IPv6 is enabled on the server, you also need to pay attention to its IPv6 counterpart, ip6tables.
The NetFilter firewall in the Linux kernel keeps IPv4 and IPv6 traffic completely separate. The rules are stored in different tables, and which rules decide the final fate of a packet depends on the protocol version being used.
For the server administrator this means that a second rule set has to be maintained whenever IPv6 is enabled. The ip6tables command shares its syntax with iptables, so applying the same set of restrictions to the IPv6 table is usually straightforward. But you have to make sure that the rules match the traffic that is actually directed at your IPv6 addresses for this to work correctly.

Nftables

Although iptables has long been the standard firewall on Linux, a new firewall called nftables has recently been added to the Linux kernel. It comes from the same team as iptables, and nftables is intended to eventually replace it.
The nftables firewall attempts to implement a more readable syntax than its predecessor, and it supports IPv4 and IPv6 in the same tool. While most Linux kernels are not yet new enough to include nftables, it will soon be very common, and you should try to familiarize yourself with its use.
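The point about keeping the IPv4 and IPv6 rule sets in step is easiest to see in a script. The following is an added example (not code from the original article or from the iptables project) that generates both tables from one function; it assumes tcp/22 and tcp/80 are the only public services and prints the commands unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not code from the original article: build one default-deny
# INPUT policy and apply it to both the IPv4 and the IPv6 tables from the same
# function, so the two rule sets cannot drift apart.
# Assumptions: tcp/22 (SSH) and tcp/80 (HTTP) are the only public services;
# DRY_RUN=1 (the default) prints the commands instead of running them.
set -eu

: "${DRY_RUN:=1}"
: "${ALLOW_TCP:=22 80}"

# run_fw TOOL ARGS... : run one firewall command, or print it in dry-run mode
run_fw() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# build_ruleset iptables|ip6tables : the same policy for either address family;
# the only difference is the ICMP protocol name
build_ruleset() {
    ipt="$1"
    case "$ipt" in
        iptables)  icmp=icmp ;;
        ip6tables) icmp=ipv6-icmp ;;   # ICMPv6 carries neighbour discovery, never drop it
        *) echo "unknown tool: $ipt" >&2; return 1 ;;
    esac
    run_fw "$ipt" -F INPUT                      # start from an empty INPUT chain
    run_fw "$ipt" -A INPUT -i lo -j ACCEPT      # loopback is always allowed
    run_fw "$ipt" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run_fw "$ipt" -A INPUT -p "$icmp" -j ACCEPT
    for port in $ALLOW_TCP; do                  # open only the listed services
        run_fw "$ipt" -A INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done
    run_fw "$ipt" -P INPUT DROP                 # everything else is dropped (set last)
    run_fw "$ipt" -P FORWARD DROP               # this host is not a router
    run_fw "$ipt" -P OUTPUT ACCEPT
}

# apply_all : identical rules for IPv4 and IPv6 in one pass
apply_all() {
    build_ruleset iptables
    build_ruleset ip6tables
}

if [ "${1:-}" = apply ]; then
    apply_all
fi
```

Run it as root with `DRY_RUN=0 ./fw.sh apply` to install the rules; without `DRY_RUN=0` it only prints them, which is a convenient way to review the two rule sets side by side.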

Secure remote login using SSH

When you manage a server that is not physically in front of you, you need to log in remotely. SSH stands for secure shell; it is the protocol used to log in to Linux systems remotely and securely. SSH provides end-to-end encryption, the ability to tunnel insecure traffic over a secure connection,
X forwarding (a graphical interface over the network connection), and more. Basically, if you have no local or out-of-band access, SSH is the primary way you interact with the server.
Although the protocol itself is very secure and has undergone extensive research and code review, your configuration choices can either help or hinder the security of the service. We will discuss some of them below:

Password vs SSH-key login

SSH has a very flexible authentication system that lets you log in using different methods. The two most common are password authentication and SSH-key authentication.
Password authentication is probably the natural choice for most users, but it is less secure than SSH-key authentication. Password login lets a potential intruder keep guessing passwords until the right one is found. This is called brute forcing, and intruders can easily automate it with modern tools.
SSH keys, on the other hand, work by generating a secure key pair. A public key is created as a kind of test to identify a user. It can be shared openly without problems, and it cannot be used for anything other than identifying a user and allowing a login to someone who holds the matching private key. The private key should be kept secret and is used to pass the test posed by its associated public key.
Basically, you add your SSH public key to the server, and it will let you log in using the matching private key. These keys are so complex that brute forcing them is impractical. In addition, you can optionally add a long passphrase to your key for extra security.
Click here to learn more about how to use SSH, and follow this link to learn how to set up SSH keys on the server.
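As an added example, not part of the original article, here is a small shell audit of the sshd settings this section is about: whether sshd still accepts passwords, still accepts keys, and, since it is the same file, whether it still lets root log in. It assumes OpenSSH's defaults for absent keywords, does not model Match blocks, and the sample configs are constructed.

```shell
#!/bin/sh
# Added example, not code from the original article: audit an sshd_config for
# the password-versus-key choice discussed above. sshd uses the FIRST value it
# reads for a keyword, so the parser keeps the first occurrence as well.
# Assumptions: OpenSSH defaults apply when a keyword is absent
# (PasswordAuthentication yes, PubkeyAuthentication yes,
# PermitRootLogin prohibit-password); Match blocks are not modelled.
set -eu

# sshd_value FILE KEYWORD : effective value of KEYWORD (lower-cased), empty if absent
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }   # skip comments and blank lines
        { sub(/=/, " "); k = tolower($1) }     # accept "Key value" and "Key=value"
        k == key { print tolower($2); exit }   # first occurrence wins, as in sshd
    ' "$1"
}

# audit_sshd_config FILE : print one line per weak setting; return the number found
audit_sshd_config() {
    f="$1"; findings=0
    v=$(sshd_value "$f" PasswordAuthentication)
    if [ "${v:-yes}" = yes ]; then             # absent means "yes" in OpenSSH
        echo "WEAK: PasswordAuthentication is '${v:-unset, default yes}': passwords can be brute-forced"
        findings=$((findings + 1))
    fi
    v=$(sshd_value "$f" PubkeyAuthentication)
    if [ "${v:-yes}" != yes ]; then
        echo "WEAK: PubkeyAuthentication is '$v': key logins would be refused"
        findings=$((findings + 1))
    fi
    v=$(sshd_value "$f" PermitRootLogin)
    if [ "${v:-prohibit-password}" = yes ]; then
        echo "WEAK: PermitRootLogin is 'yes': the root password is exposed to guessing"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# hardened_fragment : settings that close all three findings (add to sshd_config, then restart sshd,
# but only after a key login has been verified to work, or you lock yourself out)
hardened_fragment() {
    printf 'PasswordAuthentication no\nPubkeyAuthentication yes\nPermitRootLogin no\n'
}

if [ "${1:-}" != "" ]; then
    audit_sshd_config "$1"     # exit status is the number of weak settings
fi
```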

Implement fail2ban to block malicious IP addresses

Implementing a solution like fail2ban generally improves the security of your SSH configuration. Fail2ban is a service that monitors log files to determine whether a remote system is likely to be a legitimate user. If it is not, traffic from the associated IP address is temporarily blocked.
Setting a sensible fail2ban policy lets you flag computers that continuously try and fail to log in, and add firewall rules that block their traffic for a set period of time. This is a simple way of hindering brute force attacks, because they have to pause for a while after being banned.
Here you can learn how to implement a fail2ban policy on Ubuntu. Here are similar guides for Debian and CentOS.
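To make the mechanism concrete, here is an added example (not fail2ban's own code) of the core detection logic a fail2ban sshd jail performs, run over a constructed auth.log excerpt: an address is flagged once it reaches maxretry failures inside a findtime window. The log lines and their TEST-NET addresses are constructed, and the ban command is only printed.

```shell
#!/bin/sh
# Added example, not fail2ban's own code: the core of what a fail2ban sshd jail
# does, written in shell and awk so it can be run over a sample log. An address
# is flagged once it has MAXRETRY failed logins inside any FINDTIME-second window.
# Assumptions: syslog-style auth.log lines ("Mon DD HH:MM:SS host sshd[pid]: ...")
# that all come from the same day; the sample lines below are constructed and use
# documentation (TEST-NET) addresses.
set -eu

# sample_log : a constructed auth.log excerpt; one brute-force burst and one
# legitimate user who mistypes a password now and then
sample_log() {
    cat <<'EOF'
May  1 10:00:01 vps sshd[2201]: Failed password for root from 203.0.113.5 port 40001 ssh2
May  1 10:00:02 vps sshd[2203]: Failed password for root from 203.0.113.5 port 40002 ssh2
May  1 10:00:03 vps sshd[2205]: Failed password for invalid user admin from 203.0.113.5 port 40003 ssh2
May  1 10:00:05 vps sshd[2207]: Accepted publickey for deploy from 198.51.100.20 port 50100 ssh2
May  1 10:00:40 vps sshd[2210]: Failed password for deploy from 198.51.100.20 port 50101 ssh2
May  1 10:10:00 vps sshd[2222]: Failed password for deploy from 198.51.100.20 port 50102 ssh2
May  1 10:20:00 vps sshd[2230]: Failed password for deploy from 198.51.100.20 port 50103 ssh2
EOF
}

# find_bruteforcers LOG MAXRETRY FINDTIME : print "IP COUNT" for every source that
# reached MAXRETRY failures within FINDTIME seconds (each IP reported once)
find_bruteforcers() {
    awk -v maxretry="$2" -v findtime="$3" '
        /sshd\[[0-9]+\]: Failed password/ {
            split($3, t, ":")                            # HH:MM:SS -> seconds of the day
            now = t[1] * 3600 + t[2] * 60 + t[3]
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip == "") next
            n[ip]++                                      # keep every failure time per IP
            ts[ip, n[ip]] = now
            c = 0                                        # failures inside the window
            for (j = n[ip]; j >= 1 && now - ts[ip, j] <= findtime; j--) c++
            if (c >= maxretry && !(ip in banned)) { banned[ip] = 1; print ip, c }
        }
    ' "$1"
}

# ban_cmd IP : the firewall rule fail2ban would insert for a banned address (printed, not run)
ban_cmd() {
    echo "iptables -I INPUT -s $1 -j DROP"
}

if [ "${1:-}" = demo ]; then
    tmp=$(mktemp); sample_log > "$tmp"
    find_bruteforcers "$tmp" 3 60 | while read -r ip count; do
        echo "ban $ip after $count failures: $(ban_cmd "$ip")"
    done
    rm -f "$tmp"
fi
```

With maxretry 3 and findtime 60 only the burst from 203.0.113.5 is reported; the three spread-out failures from 198.51.100.20 are not, which is exactly why findtime exists.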

Implement an intrusion detection system to detect unauthorized intrusions

An important consideration to keep in mind is developing a strategy for detecting unauthorized use. You may have preventive measures in place, but you also need to know whether they have failed.
An intrusion detection system, also known as an IDS, catalogs configuration and file details while the system is in a known good state. It then compares against these records to find out whether files or settings have been modified.
There are many intrusion detection systems; we will look at a few below:

Tripwire

Tripwire is one of the best-known IDS implementations. Tripwire compiles a database of system files and protects its configuration files and binaries with a set of keys. After the selection of files to check and the exceptions to allow have been defined in detail, tripwire notifies you of any change to the files it monitors.
Tripwire's policy model is very flexible and lets you shape its properties to your environment. You can configure Tripwire to run via cron jobs, and even to send email notifications when an exceptional event occurs.
Here you can learn more about how to implement Tripwire.

Aide

Another IDS option is Aide. Similar to tripwire, aide works by building a database and comparing the current system state against the known good state stored in the database. When a discrepancy is found, it notifies the administrator of the problem.
Aide and tripwire offer similar solutions to the same problem. Look at the documentation of both, try them out, and find out which one you prefer.
Click here to see instructions on how to use aide.
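Tripwire and AIDE both work on the compare-against-a-known-good-database principle described in these two sections; as an added example that is neither tool's own code, here is that principle reduced to two shell functions. It assumes GNU coreutils (sha256sum, stat -c) and that the baseline file is stored where the server cannot rewrite it.

```shell
#!/bin/sh
# Added example, not Tripwire's or AIDE's own code: the principle both tools
# share, reduced to two shell functions. make_baseline records a hash, mode,
# owner and size for every regular file; check_baseline reports what changed.
# Assumptions: GNU coreutils (sha256sum, stat -c) as found on Linux; the
# baseline file must be stored somewhere the server cannot modify, otherwise
# an intruder can simply regenerate it.
set -eu

# make_baseline DIR OUT : one tab-separated line per file: sha256, mode:owner:size, path
make_baseline() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s\t%s\t%s\n' "$(sha256sum "$f" | cut -d' ' -f1)" \
                               "$(stat -c '%a:%U:%s' "$f")" "$f"
    done > "$2"
}

# check_baseline DIR DB : print ADDED / REMOVED / CHANGED lines; return 1 if anything differs
check_baseline() {
    cur=$(mktemp)
    make_baseline "$1" "$cur"
    rc=0
    awk -F '\t' '
        FILENAME == ARGV[1] { base[$3] = $1 " " $2; next }   # the stored baseline
        { now[$3] = $1 " " $2 }                               # the current state
        END {
            bad = 0
            for (f in base) if (!(f in now)) { print "REMOVED", f; bad = 1 }
            for (f in now) {
                if (!(f in base)) { print "ADDED", f; bad = 1 }
                else if (now[f] != base[f]) { print "CHANGED", f, "(" base[f] " -> " now[f] ")"; bad = 1 }
            }
            exit bad
        }
    ' "$2" "$cur" || rc=$?
    rm -f "$cur"
    return "$rc"
}

case "${1:-}" in
    init)  make_baseline "$2" "$3" ;;     # ./integrity.sh init /etc /var/lib/baseline.db
    check) check_baseline "$2" "$3" ;;    # ./integrity.sh check /etc /var/lib/baseline.db
esac
```

Running the check from cron and mailing any non-empty output is the cron-plus-email pattern the Tripwire paragraph describes.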

Psad

Compared with the two tools above, the psad tool focuses on a different part of the system. Psad watches the firewall logs to detect malicious activity, rather than watching system files.
For example, if a user attempts to probe for vulnerabilities with a port scan, psad can detect this activity and dynamically change the firewall rules to lock the user out. This tool can register different threat levels and respond according to the severity of the problem. Psad can also notify administrators via email.

Learn more about how to use psad here.

Bro

Another network-based IDS is Bro. Bro is actually a network monitoring framework that can be used as a network IDS as well as for other purposes, such as collecting usage statistics, investigating problems, or detecting patterns.
The Bro system is divided into two layers. The first layer monitors activity and generates what it considers to be events. The second layer runs the generated events through a policy framework that decides what should be done. Depending on the traffic involved, it can generate an alert, execute system commands, log the event, or take other actions.
Click here to find out how to use Bro.

RKHunter

RKHunter is not technically an intrusion detection system, but it works on a principle similar to a host-based intrusion detection system in order to detect rootkits and known malware.
Although viruses are rare in the Linux world, malware and rootkits that can compromise the system, or allow a successful intruder to keep doing whatever they want, do exist. RKHunter downloads a list of known vulnerabilities and then checks the system against it. If it detects insecure settings in common applications, RKHunter will also alert you.
Check out this article to learn more about using RKHunter on Ubuntu.

General Security recommendations

While the tools and configurations above can help you protect parts of your system, good security does not come from implementing tools and then forgetting about them. Good security is a certain mindset, achieved through diligence, scrutiny, and engagement with the security process.
Here are some general rules that can help point you in the right direction for keeping your system secure.

Pay attention to updates and update regularly

Software vulnerabilities can be discovered at any time in almost every type of software installed on the system. Distribution maintainers usually do a good job of keeping up with the latest security patches and pushing these updates to their repositories.
However, security updates available in the repository are of no use to your server if you do not download and install them. While many servers benefit from relying on stable versions of software, security updates should not be deferred; they should be treated as critical updates.
Most distributions provide a security mailing list and separate security repositories from which only security patches are downloaded and installed.

Be careful when downloading software from unofficial channels

Most users will stick to the software available in their distribution's official repositories, and most distributions provide signed packages. In general, users can trust the distribution's maintainers and should focus on the security of software that comes from unofficial channels.
You may choose to trust software from the distribution or from a project's website, but be aware that unless you review each piece of software yourself, there is a risk involved. Most users find this an acceptable level of risk.
On the other hand, getting software from random repositories and PPAs maintained by people you cannot identify is a huge security risk. There is no set of rules to go by here, and most unofficial software sources are completely safe, but every time you trust another party you are taking on risk.

Know your services and restrict them

Although running a server is mainly about providing access to services, you should still limit the services running on it to the ones you use or need. Consider every service you run as a potential threat vector, and try to eliminate as many threat vectors as you can without compromising core functionality.
If you are running a headless server (no monitor connected) and do not run any graphical (non-web) programs, this means you should disable and probably uninstall the X display server. Similar measures can be taken in other areas. No printer? Disable the "lp" service. No Windows network shares needed? Disable the "samba" service.
There are various ways to find out which services are running on your computer. The "Create a list of requirements" section of this article covers how to detect the services that are listening.

Do not use FTP; use SFTP instead

This may be hard for many users, but FTP is an inherently insecure protocol. All authentication is sent in plain text, which means that anyone monitoring the connection between the server and your local machine can see your login details.
There are only a very few cases where FTP may be an appropriate choice. If you are running an anonymous, public, read-only download mirror, FTP is a good choice. Another case is when you simply need to transfer files between two computers that are behind a NAT-enabled firewall and you trust your network to be secure.
In almost all other cases you should use a more secure alternative. The SSH suite includes an alternative protocol called SFTP which, on the surface, works similarly, but which is based on the same security as the SSH protocol.
This lets you transfer information to and from the server in the same way you would with traditional FTP, but without the risk. Most modern FTP clients can also communicate with SFTP servers.
To learn more about how to use SFTP to transfer files securely, check out this guide.

Implement a reasonable user security policy

Here are some steps you can take to protect your system better when managing users.
One recommendation is to disable root logins. Because the root user exists on every POSIX-like system and is an all-powerful account, it is an attractive target for many attackers. Disabling root logins after sudo access has been configured, or the su command has been set up, is generally a good idea. Many people disagree with this recommendation, so you need to decide whether it is right for you.
It is possible to disable remote root logins in the SSH service, or to disable local root logins. You can restrict them in the /etc/securetty file. You can also set root's shell to a non-shell to disallow root shell access, and set PAM rules to restrict root logins. Red Hat has a good article on how to disable root logins.
Another good strategy is to create unique accounts for each user and service and give them only the privileges they need to do their work. Lock them out of everything they do not need to access and take away all their other privileges.
This is a very important strategy because, when a user or service is compromised, it prevents a domino effect in which the intruder gains access to other users or services, or even to the whole system. Compartmentalizing the system in this way helps you isolate problems, much like the bulkheads and watertight doors of a ship keep it from sinking after the hull has been breached.
Similar to the service policy discussed above, you should take care to disable user accounts that are no longer needed. This can happen when you uninstall software or when a user no longer accesses the system.
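As an added example, not from the original article, the following shell script checks a passwd file against the policy just described: no second UID 0 account, no account without a password, and no service account left with a login shell. The UID 1000 boundary is an assumption (Debian/Ubuntu's default UID_MIN) and the sample passwd file is constructed.

```shell
#!/bin/sh
# Added example, not code from the original article: check a passwd file
# against the user policy above. Three findings are reported:
#   EXTRA-UID0    a second superuser besides root
#   NOPASSWD      an empty password field, i.e. no password required at all
#   SERVICE-SHELL a service account (UID below 1000) that can still log in
# Assumptions: the UID 1000 boundary is the Debian/Ubuntu default (UID_MIN in
# /etc/login.defs); the sample passwd file below is constructed.
set -eu

# sample_passwd : constructed /etc/passwd with one of each problem
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/sh
toor:x:0:0:second root:/root:/bin/bash
deploy:x:1000:1000:deploy:/home/deploy:/bin/bash
guest::1001:1001:guest:/home/guest:/bin/bash
EOF
}

# audit_accounts PASSWD_FILE : print one line per finding; return the number of findings
audit_accounts() {
    awk -F: '
        BEGIN { n = 0 }
        # shells that cannot be used to log in interactively
        function locked(sh) {
            return sh == "/usr/sbin/nologin" || sh == "/sbin/nologin" || sh == "/bin/false"
        }
        $3 == 0 && $1 != "root"              { print "EXTRA-UID0", $1; n++ }
        $2 == ""                             { print "NOPASSWD", $1; n++ }
        $3 > 0 && $3 < 1000 && !locked($7)   { print "SERVICE-SHELL", $1, $7; n++ }
        END { exit n }
    ' "$1"
}

# disable_account USER : lock the password and remove the login shell, as for an
# account that is no longer needed (printed unless DRY_RUN=0 and run as root)
disable_account() {
    cmd="usermod -L -s /usr/sbin/nologin $1"
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "would run: $cmd"; else $cmd; fi
}

if [ "${1:-}" != "" ]; then
    audit_accounts "$1"        # e.g. ./accounts.sh /etc/passwd; exit status is the finding count
fi
```

Note that `usermod -L` alone only locks the password: an account with an authorized SSH key can still log in, which is why the shell is removed as well.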

Pay attention to permission settings

File permissions are a huge source of frustration for many users. Finding a balance for permissions that lets you do what you need without exposing yourself to harm is difficult, and it requires careful attention and thought in every situation.
Setting a healthy umask policy (the property that defines the default permissions for new files and directories) can go a long way towards creating good defaults. Here you can learn about how permissions work and how to adjust your umask value.
In general, think twice before making anything world-writable, especially if it is reachable from the Internet in some way. This can have extreme consequences. In addition, you should not set the SGID or SUID bits on permissions unless you know exactly what you are doing. Also check the owner and group of files.
File permission settings vary greatly depending on the use case, but you should always try to see whether there is a way to grant fewer permissions. This is one of the easiest things to get wrong, and there is a lot of bad advice circulating on the Internet.
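An added example, not code from the original article, that turns the advice in this section into checks: list world-writable files and directories, list SUID/SGID files, and show which default modes a umask produces. It assumes POSIX find and deliberately skips sticky directories such as /tmp.

```shell
#!/bin/sh
# Added example, not code from the original article: the checks the paragraph
# above asks for, as shell functions: world-writable files and directories,
# files with the SUID or SGID bit, and what a given umask does to new files.
# Assumptions: POSIX find; sticky world-writable directories such as /tmp are
# deliberately excluded because the sticky bit is what makes them safe.
set -eu

# world_writable DIR : files and directories under DIR that any user can write to
world_writable() {
    find "$1" -xdev \( -type f -o -type d \) -perm -0002 ! \( -type d -perm -1000 \) \
        2>/dev/null | LC_ALL=C sort
}

# suid_sgid DIR : files that run with their owner's or group's privileges
suid_sgid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | LC_ALL=C sort
}

# umask_modes UMASK : the default mode new files (from 666) and directories (from 777) get
umask_modes() {
    u=$(printf '%d' "0$1")                 # "022" -> octal 022 -> 18
    printf 'file=%04o dir=%04o\n' $((438 & ~u)) $((511 & ~u))   # 438 = 0666, 511 = 0777
}

# report DIR : the three checks together, the way a nightly cron job might run them
report() {
    echo "== world-writable under $1 (should normally be empty)"
    world_writable "$1"
    echo "== SUID/SGID files under $1 (each one needs a reason)"
    suid_sgid "$1"
    echo "== modes produced by the current umask $(umask)"
    umask_modes "$(umask)"
}

if [ "${1:-}" != "" ]; then
    report "$1"        # e.g. ./perms.sh /var/www
fi
```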

How to protect the specific software you use

Although this guide does not go into the security details of every type of service or application, there are many tutorials and guides available on the web. You should read the security recommendations for each project and implement them on your system.
In addition, popular server software such as web servers or database management systems often has entire websites and databases dedicated to its security. In general, you should read up on and secure every service before you put it online.
You can check our Security section for more specific recommendations on the software you are using.

Conclusion

You should now have a good understanding of the common security practices that can be implemented on Linux servers. Although we have tried hard to highlight many areas of importance, at the end of the day you have to make your own decisions. When you administer a server, you are responsible for its security.
This is not something you can configure quickly at the start and then be done with. It is a process of continually auditing the system, implementing solutions, evaluating logs and alerts, re-evaluating requirements, and so on. To protect the system, you need to be vigilant and to evaluate and test the results of the solutions you implement at all times.

by Justin Ellingwood
