The VPS info I have is listed in VPS Setup Record - Basics, and I have talked about how to install LAMP at VPS Setup Record - LAMP. This is a follow-up post that targets at making our VPS more secure. Remember, to use
vim to edit files, you need to press
i to start inserting. When you finish, type on your keyboard
:wq to save and exit.
Using Strong Password
The first thing is to make the password stronger and harder to be hacked. A good password should include at least one capital letter, one number, and one symbol. It should be of length > 8, and it should NOT contain any commonly used password like what has been listed here.
Use a password manager if you are afraid of forgetting the passwords. Get a trustable password manager as listed here.
Strengthen Our SSH
SSH can be vulnerable if you don't set it up correctly.
sudo vim /etc/ssh/sshd_config
Find and make changes/uncomment with the following lines (referred from here):
PermitRootLogin no # disable remote login as root PermitEmptyPassword no # never allow empty password to login PasswordAuthentication no # disable the password authentication (optional, do so only if you can login with your private key) ChallengeResponseAuthentication no # disable challenge-response authentication in case of PAM for OpenSSH UsePAM no X11Forwarding no # disable GUI Banner /etc/issue
You can also limit the users who can SSH.
AllowUsers xxx # username
If you have multiple users and want to setup different permissions for each one of them, you can append in the end of
sshd_config file the following, for example:
Match User xxx # username X11Forwarding yes
After saving the file, do the following to restart the SSH service.
sudo service sshd restart
Remove Insecure Packages
sudo yum remove telnet rsh ftp rcp
Delete Unnecessary Users and Groups
This is optional. In my opinion, it's always safe to have less "accounts" that can log into or take over my VPS host. Execute the following code to check what users and groups you have.
sudo -i cat /etc/passwd # check what are the users cat /etc/group
Then make a copy of the current version:
cp /etc/passwd /etc/passwd_bak cp /etc/group /etc/group_bak
Remove the users and groups that are unnecessary
for a in adm lp sync news uucp operator games gopher mailnull nscd; do /usr/sbin/userdel $a -f; done for a in lp news uucp games gopher users floopy nscd nfsnobody; do /usr/sbin/groupdel $a -f; done