The server or VPS that hosts our website is connected to the Internet, so anyone can reach it. To protect it from unscrupulous hands, we need to secure the server or VPS. We will set up a firewall, SSH key pair authentication and an automatic blocking system called Fail2Ban. With the steps below, our server or VPS should be protected from attacks by irresponsible parties.
Non-Root Login
root is a very powerful user on a Linux machine. The problem with being logged in as root is that we can execute every command, both standard commands and commands that can destroy our server! Therefore, it is better not to log in to the server or VPS as root, but to create another user and use it whenever we work on the server or VPS. Although logged in as a non-root user, we can still execute commands as root by using
Here's how to create a new non-root user:
- Log in as usual as root to the server or VPS.
- Install the sudo program first, if it is not already installed, with the following command:
apt-get install sudo
- Create a new user with the following command. Replace user_baru with the username we want:
adduser user_baru
- Add the new user to the system administrators (admin) group using the following command. Replace user_baru with the user we created earlier:
usermod -a -G sudo user_baru
- Then we exit root so we can log in with the user we just created, with the command:
- Now we log in again to our server or VPS with the new user.
Now you can manage the server using the username you just created, without having to be root. If you want to execute a superuser command (as root), you can add sudo in front of the command. For example, if you want to update the server, use the command sudo apt-get update. Almost all superuser commands can be executed using sudo, and all commands executed with sudo will be recorded
Disable Root Login & Change SSH Port
Because we have created a new user that can log in over SSH with sudo capabilities, it is a good idea to disable root login and replace the default SSH port. This increases security and minimizes attacks.
- The first step is to update the SSH configuration file using the following command:
sudo nano /etc/ssh/sshd_config
no as shown below:
- Change the SSH port from 22 to another port, for example 3342. Look for the Port 22 configuration line and replace 22 with the port of your choice.
- Save the configuration that we have changed by pressing the keyboard button Ctrl-X, and then Y.
- Restart SSH using the following command:
sudo service ssh restart
After restarting SSH, the new configuration will be used by SSH.
Creating a Firewall
Next we will create a firewall to limit or block unwanted inbound traffic. The following firewall configuration is a simple example, which only opens ports 80 (HTTP), 443 (HTTPS) and 3342 (the SSH port that we previously changed from the default port 22). You can freely change the configuration according to the server's needs.
- First, check the current firewall configuration using the command:
sudo iptables -L
- Look at the output. If you have never previously edited a firewall, you will see an empty ruleset, as shown below:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
- Create a file to store our firewall configuration, with the command:
sudo nano /etc/iptables.firewall.rules
- Now let's enter some firewall rules into the iptables.firewall.rules file that you made above.
- Save the above configuration by pressing Ctrl-X, and then Y.
- Activate the firewall by running the following command:
sudo iptables-restore </etc/iptables.firewall.rules
- Double check our firewall configuration with the command:
sudo iptables -L
- Check the output. The new ruleset will look like this:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             127.0.0.0/8          reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:www
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
LOG        all  --  anywhere             anywhere             limit: avg 5/min burst 5 LOG level debug prefix `iptables denied: '
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
- To make sure our firewall configuration is loaded whenever the server is restarted, we must create a new script with the command:
sudo nano /etc/network/if-pre-up.d/firewall
- Copy and enter the following lines:
#!/bin/sh
/sbin/iptables-restore < /etc/iptables.firewall.rules
- Press Ctrl-X and then Y to save the script.
- Make our script executable with the command:
sudo chmod +x /etc/network/if-pre-up.d/firewall
The firewall is now installed and will protect our server. Remember, you have to change the above configuration if you install new software. For example, if you install a DNS service, you will have to open port 53.
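A pre-flight check for the SSH and firewall steps above, added here as an example and not part of the original guide: it reads Port and PermitRootLogin from an sshd_config file and confirms that the iptables rules file accepts that same port before either change is applied. The function names, the sample files and the choice of PermitRootLogin as the keyword behind the root-login step are assumptions of this example; Match blocks are not handled.

```shell
#!/bin/sh
# Added example. Paths are arguments so the check can run on copies first.

# Print the first value of an sshd_config keyword, or DEFAULT if it is unset
# (sshd uses the first occurrence; Match blocks are not handled here).
sshd_value() {  # usage: sshd_value FILE KEYWORD DEFAULT
    awk -v k="$2" -v d="$3" '
        tolower($1) == tolower(k) { print $2; found = 1; exit }
        END { if (!found) print d }' "$1"
}

# Succeed if the iptables-restore file accepts inbound TCP on PORT.
rules_accept_port() {  # usage: rules_accept_port FILE PORT
    grep -Eq -- "^-A INPUT .*-p tcp .*--dport $2( |$).*-j ACCEPT" "$1"
}

# Return non-zero if applying the two files could lock us out or leave
# root login enabled.
preflight() {  # usage: preflight SSHD_CONFIG RULES_FILE
    port=$(sshd_value "$1" Port 22)
    root=$(sshd_value "$1" PermitRootLogin unset)
    rc=0
    [ "$root" = "no" ] || { echo "PermitRootLogin is '$root', expected 'no'"; rc=1; }
    rules_accept_port "$2" "$port" || {
        echo "rules file does not accept tcp/$port: SSH would be blocked"; rc=1; }
    return $rc
}

# Constructed sample files: sshd moved to 3342, rules still open only port 22.
demo_dir=$(mktemp -d)
printf 'Port 3342\nPermitRootLogin no\n' > "$demo_dir/sshd_config"
cat > "$demo_dir/rules" <<'EOF'
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A INPUT -j REJECT
COMMIT
EOF
preflight "$demo_dir/sshd_config" "$demo_dir/rules" || echo "fix before applying"
```

On a real server, run preflight against /etc/ssh/sshd_config and /etc/iptables.firewall.rules while the current SSH session is still open, and test a second login before closing it.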
Fail2Ban is an application that detects repeated login attempts to our server. Fail2Ban will create a temporary firewall rule to block the IP address of whoever is attacking our server. Fail2Ban can monitor various protocols, such as SSH, HTTP and SMTP, but by default it only monitors SSH.
Here's how to install Fail2Ban:
- Install Fail2Ban by using the command:
sudo apt-get install fail2ban
- By default Fail2Ban will protect SSH once installed; no other steps are needed. But if you want to change the default configuration of Fail2Ban, you can create a new jail.local file with the following command:
sudo nano /etc/fail2ban/jail.local
- Set the bantime variable to set how long the block is applied (in seconds).
- Set the maxretry variable to set a limit on the number of login attempts that can be performed before an IP address is blocked.
- Press Ctrl-X and then Y to save the configuration.
Fail2Ban will now monitor our SSH server. If someone tries to log in to our server and fails several times, Fail2Ban will block the attacker's IP address and will record it on
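The maxretry threshold described above, as an added illustration that is not Fail2Ban's own code and not part of the original guide: it counts failed SSH password logins per source address in auth.log-style lines and lists the addresses that reach the limit. The function names and log lines are constructed for this example, and the time window and ban expiry are left out.

```shell
#!/bin/sh
# Added illustration of the maxretry threshold; not Fail2Ban's own code.

# Print "IP COUNT" for each source with at least MAXRETRY failed password
# logins. The address is read from its fixed position at the END of the
# line ("... from IP port N ssh2"), because the username earlier in the line
# is chosen by the client and may itself contain the text "from <address>".
over_maxretry() {  # usage: over_maxretry MAXRETRY < auth.log
    awk -v max="$1" '
        /sshd\[[0-9]+\]: Failed password for / &&
        $(NF - 4) == "from" && $(NF - 2) == "port" { n[$(NF - 3)]++ }
        END { for (ip in n) if (n[ip] >= max) print ip, n[ip] }' | sort
}

# Constructed log lines (documentation addresses). In the fourth line the
# username contains "from 198.51.100.9"; the real source is 203.0.113.50.
sample_log() {
    cat <<'EOF'
Jan 10 03:12:01 vps sshd[1201]: Failed password for root from 203.0.113.7 port 40122 ssh2
Jan 10 03:12:04 vps sshd[1201]: Failed password for root from 203.0.113.7 port 40122 ssh2
Jan 10 03:12:09 vps sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 40150 ssh2
Jan 10 03:13:30 vps sshd[1210]: Failed password for invalid user x from 198.51.100.9 from 203.0.113.50 port 51000 ssh2
Jan 10 03:14:02 vps sshd[1215]: Accepted password for deploy from 198.51.100.9 port 52044 ssh2
EOF
}

# With maxretry = 3 only 203.0.113.7 reaches the limit.
sample_log | over_maxretry 3
```

Because SSH was moved to port 3342 earlier, the SSH jail in jail.local also needs its port option set to that value; with the default ban action the block otherwise applies only to port 22.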
Install (D)DoS Deflate
The installation process is very easy, here are the steps:
- Download the (D)DoS Deflate script with the following command:
- Then chmod the installation script with the command:
chmod 0700 install.sh
- Run the installation script
- To exit the readme display, type the command
Done! Your server is protected from Denial of Service attacks by using (D)DoS Deflate!