Managing a Virtual Private Server (VPS) comes with the privilege of flexibility and control. However, with great power comes great responsibility, especially when it concerns the security of your server. As cyber threats become increasingly sophisticated, securing your VPS has never been more crucial.
For CentOS/RHEL/Rocky Linux users, let’s delve into some of the essential tools and practices that can fortify your server’s defenses, ranging from firewalls with iptables to CIS benchmark hardening.
1. Setting Up Firewalls with iptables
At the heart of your server’s defense mechanism is a firewall, serving as a barrier against unauthorized access. iptables is a classic utility for setting up Linux firewalls.
- Install iptables:
yum install iptables-services
- Basic Commands:
- List current rules:
- Allow SSH traffic:
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- Block a specific IP:
iptables -A INPUT -s [IP-ADDRESS] -j DROP
- Save and Restart:
After setting your rules, save them and restart the iptables service:
service iptables save service iptables restart
2. Thwarting Brute Force Attacks with Fail2Ban
Fail2Ban monitors server logs for malicious activity patterns. Upon detecting repetitive failed login attempts or other suspicious behaviors, it bans the IP addresses involved, offering protection against brute force attacks.
yum install epel-release yum install fail2ban
Duplicate the default configuration:
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
/etc/fail2ban/jail.local file according to your needs. For instance, to safeguard SSH:
[sshd] enabled = true
- Activate the Service:
systemctl start fail2ban systemctl enable fail2ban
3. CIS Benchmark Hardening
The Center for Internet Security (CIS) provides a set of standards known as CIS Benchmarks to secure systems. These benchmarks offer guidance for system hardening, reducing potential vulnerabilities.
- Install the CIS Benchmark tool: There are tools like
cis-catthat allow you to assess your server against CIS benchmarks.
- Regular Audits: Regularly run these tools to evaluate your system’s security posture. Any deviations from the benchmarks should be addressed promptly.
- Manual Hardening: The CIS document for CentOS provides specific guidance, such as ensuring permissions on system files are set correctly, disabling unnecessary services, and more. Adhere to these recommendations for robust security.
4. SSH Key-Based Authentication
Using SSH keys instead of traditional passwords provides a more secure way of logging in, as it mitigates the risks associated with brute force attacks.
- Generate an SSH Key Pair: On your local machine:
- Transfer the Public Key to the Server:
- Disable Password-based Logins: Modify the SSH configuration:
Locate the line
#PasswordAuthentication yes and amend it to:
Then, restart the SSH service:
systemctl restart sshd
Important: Always confirm that your SSH key login works flawlessly before deactivating password authentication to avoid locking yourself out.
The digital realm is fraught with potential threats, but with diligence and the right tools, you can shield your CentOS/RHEL/Rocky Linux VPS from the majority of them. By setting up a strong firewall, using Fail2Ban, adhering to CIS benchmarks, and embracing SSH key-based logins, you can fortify your server’s defenses. Remember, security is an ongoing journey; staying updated and vigilant is key.