Server Security

I have 20+ servers, and I need to make sure they are safe, so here are the few steps I took to harden the security:

Change SSH Port number

you can configure Port XXX in /etc/ssh/sshd_config and remember to restart the ssd service to take effect:

1

service sshd restart

service sshd restart

Disable root SSH login

you can configure PermitRootLogin no in /etc/ssh/sshd_config and remember to restart the ssd service via:

1

service sshd restart

service sshd restart

Enable ufw firewall

Then, you can allow certain ports to go through via e.g:

1

sudo ufw allow 80/tcp

sudo ufw allow 80/tcp

or disable ports via:

1

sudo ufw disallow 22/tcp

sudo ufw disallow 22/tcp

Disable MySQL root login remotely

Also, use a username that is not root. You can do it via /etc/mysql/my.cnf

Grant correct permissions to users. See this post for more details.

Pick a strong password

My login-user password is around 30 characters – so they are not easy to be cracked via bruteforce algorithms.

Use SSH key to login

Put the public key in ~/.ssh/authorized_keys and use the SSH key to login instead. You need to generate the SSH key pairs first via:

1

ssh-keygen -t rsa

ssh-keygen -t rsa

Protect special folders via .htaccess and .htpasswd

For example, if you have wordpress, you would need to protect /wp-admin. If you install phpadmin, you would certainly protect it via .htaccess/.htpasswd. You can also have a allow/disallow IP list here.

Disable user SSH login via password

You can disable SSH login via username/password by PasswordAuthentication no in /etc/ssh/sshd_config but make sure you have the SSH keys correctly set – otherwise you will be locked out of your server.