I have 20+ servers, and I need to make sure they are safe, so here are a few steps I took to harden their security:
Change SSH Port number
You can set Port XXX (XXX being the port number you choose) in /etc/ssh/sshd_config and remember to restart the sshd service for the change to take effect:
service sshd restart
Disable root SSH login
You can set PermitRootLogin no in /etc/ssh/sshd_config and remember to restart the sshd service via:
service sshd restart
Enable ufw firewall
Then you can allow specific ports through, e.g.:
sudo ufw allow 80/tcp
or block ports via (ufw has no "disallow" command; the rule keyword is deny):
sudo ufw deny 22/tcp
Disable remote MySQL root login
Also, use a database user other than root. Remote access is configured in /etc/mysql/my.cnf.
Grant users the correct permissions. See this post for more details.
Pick a strong password
My login user's password is around 30 characters, so it is not easy to crack by brute force.
Use SSH key to login
Put the public key in ~/.ssh/authorized_keys and log in with the SSH key instead. You need to generate the SSH key pair first via:
ssh-keygen -t rsa
Protect special folders via .htaccess and .htpasswd
For example, if you run WordPress, you need to protect /wp-admin. If you install phpMyAdmin, you should certainly protect it via .htaccess/.htpasswd. You can also keep an allow/deny IP list here.
Disable user SSH login via password
You can disable SSH login via username/password by setting PasswordAuthentication no in /etc/ssh/sshd_config, but make sure your SSH keys are correctly set up first, otherwise you will be locked out of your server.
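With 20+ servers it is easy to miss one, so here is a small audit script (added here as an example, not part of the original post) that checks an sshd_config for the three settings above (Port, PermitRootLogin, PasswordAuthentication) and applies the lockout guard from this step: it refuses to call a config safe when password login is off but the given authorized_keys file holds no key. It assumes plain "Keyword value" lines; Match blocks are not parsed.

```shell
#!/bin/sh
# Added audit helper (not from the original post). Assumption: the config uses
# plain "Keyword value" lines; Match blocks are not handled.

# Effective value of a keyword: sshd uses the first uncommented occurrence,
# so mirror that. $1 = config file, $2 = keyword, $3 = default when absent.
sshd_value() {
    v=$(grep -iE "^[[:space:]]*$2[[:space:]]+" "$1" | head -n 1 | awk '{print $2}')
    [ -n "$v" ] || v=$3
    printf '%s\n' "$v" | tr 'A-Z' 'a-z'
}

# True when the file holds at least one public key line (ed25519, rsa, ecdsa).
has_authorized_key() {
    grep -qE '^(ssh-(ed25519|rsa)|ecdsa-sha2-nistp[0-9]+) ' "$1" 2>/dev/null
}

# Audit one sshd_config: print a WARN line per weak setting, return 1 if any.
# $2 (optional) is an authorized_keys file to check before trusting key-only login.
audit_sshd() {
    cfg=$1; keys=${2:-}; rc=0
    port=$(sshd_value "$cfg" Port 22)
    root=$(sshd_value "$cfg" PermitRootLogin yes)   # conservative default
    pass=$(sshd_value "$cfg" PasswordAuthentication yes)
    [ "$port" != 22 ] || { echo "WARN $cfg: Port is still 22"; rc=1; }
    [ "$root" = no ]  || { echo "WARN $cfg: PermitRootLogin $root"; rc=1; }
    [ "$pass" = no ]  || { echo "WARN $cfg: PasswordAuthentication $pass"; rc=1; }
    # Lockout guard: password login off but no key installed means no way in.
    if [ "$pass" = no ] && [ -n "$keys" ] && ! has_authorized_key "$keys"; then
        echo "WARN $cfg: PasswordAuthentication no but no key in $keys"; rc=1
    fi
    return $rc
}

# Usage on a host: audit_sshd /etc/ssh/sshd_config "$HOME/.ssh/authorized_keys"
```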