How to protect your cloud server (Ubuntu and CentOS)?
You can spend time on firewall security, cloud security and so on, but leaving the OS itself unprotected can be dangerous. Hosting is moving from shared hosting to the cloud, which brings many advantages: faster response times, because resources are not being used by other users, and more control over how your site is hosted on a cloud virtual machine. In exchange, some system administrator skills are required to manage your virtual machine. Let's move on to the practical Ubuntu and CentOS VM security guide.

1. Changing the standard SSH port

Attackers may not be able to get into your server if it is protected by a complex password, but they can still launch brute-force attacks that disrupt the server. It is best to change the SSH port to something else, so that even if someone knows the IP address, they cannot try to connect on the default SSH port. Changing the SSH port on Ubuntu/CentOS is very simple.

Log in to your virtual machine with superuser rights (sudo) and open the SSH daemon configuration file, /etc/ssh/sshd_config, in an editor.
Look for the line with the value Port 22 (usually near the beginning of the file).
Replace 22 with another number (remember it, as you will need it to connect), say 5000.
Save the file and restart SSH.
Now neither you nor anyone else will be able to connect to your server on the default SSH port (22); use the new port instead. If you are using an SSH client or the Terminal on a Mac, pass -p to specify the port.
2. Protection against brute-force attacks

This can be dangerous if not taken seriously. There are two popular programs you can use to protect Linux against brute-force attacks.

SSHGuard

It was originally intended to protect SSH logins, but it now supports many other services: Pure-FTPd, ProFTPD, vsftpd, FreeBSD FTP.

Ubuntu:
CentOS:
fail2ban

Installing fail2ban:

Ubuntu:
CentOS:
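To make the brute-force protection concrete, here is an added example (not from the article and not fail2ban's own code) of the detection logic that fail2ban's sshd jail automates: counting failed logins per source address over constructed auth-log lines, in the syslog format Ubuntu writes to /var/log/auth.log and CentOS to /var/log/secure, followed by a jail.local that enables the sshd jail. The function names, the sample lines, the 203.0.113.0/24 and 198.51.100.0/24 addresses (documentation ranges) and the thresholds are my choices.

```shell
#!/bin/sh
# Added example (not the article's or fail2ban's code). Shows what a
# brute-force filter does, on constructed log lines, and writes a jail.local.

# failed_ssh_logins_by_ip LOGFILE THRESHOLD
# Prints "count ip" for every source with at least THRESHOLD failed password
# attempts, highest first. Only "Failed password" lines are counted, so that an
# attempt against an invalid user (which also logs "Invalid user") counts once.
failed_ssh_logins_by_ip() {
    awk -v t="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
        }
        END { for (ip in n) if (n[ip] >= t) print n[ip], ip }
    ' "$1" | sort -rn
}

# write_sshd_jail DIR PORT MAXRETRY BANTIME
# Writes DIR/jail.local using real fail2ban keys. On a server DIR is
# /etc/fail2ban; the demo uses a temp directory. PORT must be the SSH port
# actually in use: if you moved sshd to 5000 as in section 1, a jail left at
# the default "ssh" bans attackers on port 22 only.
write_sshd_jail() {
    cat > "$1/jail.local" <<EOF
[sshd]
enabled  = true
port     = $2
maxretry = $3
findtime = 10m
bantime  = $4
EOF
}

# --- demo on constructed log lines (not a real capture) ---
log=$(mktemp)
cat > "$log" <<'EOF'
Mar  4 04:20:01 vm sshd[1201]: Failed password for root from 203.0.113.5 port 51122 ssh2
Mar  4 04:20:03 vm sshd[1203]: Failed password for root from 203.0.113.5 port 51124 ssh2
Mar  4 04:20:05 vm sshd[1205]: Invalid user admin from 203.0.113.5 port 51130
Mar  4 04:20:06 vm sshd[1205]: Failed password for invalid user admin from 203.0.113.5 port 51130 ssh2
Mar  4 04:21:10 vm sshd[1210]: Accepted publickey for deploy from 198.51.100.7 port 40010 ssh2
Mar  4 04:22:00 vm sshd[1215]: Failed password for deploy from 198.51.100.7 port 40012 ssh2
EOF

echo "sources with 3+ failed logins:"
failed_ssh_logins_by_ip "$log" 3        # prints: 3 203.0.113.5

jaildir=$(mktemp -d)
write_sshd_jail "$jaildir" 5000 3 1h
cat "$jaildir/jail.local"
```

The single legitimate user who mistyped a password once (198.51.100.7) stays below the threshold, which is the point of maxretry and findtime: a ban should need several failures inside a short window, not one. After writing /etc/fail2ban/jail.local on a real server, restart fail2ban and check the jail with fail2ban-client status sshd.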
SSHGuard and Fail2Ban should be enough to protect SSH login. However, if you want to go further, you can look at the following services: CSF (ConfigServer Security & Firewall).

However, if you have multiple users who often log in from several public computers, key exchange can be a problem every time. Therefore, depending on your situation, if you decide to disable password-based authentication, you can do so as follows.

Note: it is assumed that you have already configured SSH key exchange.

Edit the /etc/ssh/sshd_config file using the vi editor (the editor is at your discretion).
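Both sshd_config edits on this page, the port change from section 1 and turning off password authentication here, can be scripted so that they are repeatable and are checked before the restart that follows. The script below is an added example, not code from the article: set_sshd_directive rewrites a directive idempotently, including the commented-out "#Port 22" form that stock files ship with, and the demo runs against a constructed copy of sshd_config in a temp file rather than the real one. The function names, the sample file contents and port 5000 are my choices.

```shell
#!/bin/sh
# Added example (not the article's own code): idempotent sshd_config edits.
# Runs against a constructed copy, so it is safe to execute anywhere.

# set_sshd_directive FILE KEYWORD VALUE
# Removes every active or commented-out line for KEYWORD that precedes the
# first "Match" block, then puts "KEYWORD VALUE" at the top of the file:
# sshd keeps the first value it reads for a keyword, and a line appended after
# a Match block would apply only to that block. Keywords match case-insensitively.
set_sshd_directive() {
    file=$1; key=$2; value=$3
    awk -v k="$key" -v v="$value" '
        BEGIN { print k " " v; pat = "^[ \t]*#?[ \t]*" tolower(k) "([ \t]|$)" }
        tolower($0) ~ /^[ \t]*match([ \t]|$)/ { inmatch = 1 }
        !inmatch && tolower($0) ~ pat { next }
        { print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# get_sshd_directive FILE KEYWORD: the value sshd would use (first active line).
get_sshd_directive() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        tolower($1) == k { print $2; exit }
    ' "$1"
}

# sshd_config_ok FILE: syntax-check with sshd -t when sshd is installed.
# The real restart should only follow a successful check; a typo here locks you out.
sshd_config_ok() {
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$1"
    else
        echo "sshd not installed here; skipping syntax check" >&2
    fi
}

# --- demo on a constructed sample of a stock sshd_config (not the real file) ---
demo=$(mktemp)
cat > "$demo" <<'EOF'
#Port 22
#AddressFamily any
PasswordAuthentication yes
ChallengeResponseAuthentication no
#PubkeyAuthentication yes
Match User backup
    PasswordAuthentication no
EOF

set_sshd_directive "$demo" Port 5000                  # section 1: new SSH port
set_sshd_directive "$demo" PasswordAuthentication no  # this section: keys only
set_sshd_directive "$demo" PubkeyAuthentication yes
sshd_config_ok "$demo" || echo "config check failed" >&2
cat "$demo"
```

Before the restart, open the new port in the host firewall (ufw allow 5000/tcp on Ubuntu; firewall-cmd --permanent --add-port=5000/tcp followed by firewall-cmd --reload on CentOS), and on CentOS with SELinux enforcing also register it with semanage port -a -t ssh_port_t -p tcp 5000, otherwise sshd is not allowed to bind to it. Keep the current session open and confirm that a second login with ssh -p 5000 and the key succeeds before you close port 22 or log out.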
Restart SSHD.

Finding a server's source IP address is possible, and as a best practice you should not disclose your server's IP address to the public Internet. There are several ways to hide the source IP and prevent DDoS attacks on your server:

Use a load balancer (LB).

Use a CDN. When implementing a CDN, you configure a DNS record with an arbitrary IP address provided by the CDN provider. By doing this, you advertise the CDN provider's IP address for your domain, and the origin is not disclosed. There are many CDN providers that speed up the site and offer DDoS protection, a WAF and many other functions, Cloudflare for example.

Configure the iptables settings.

Use a firewall. There are many of them, but among the most popular are UFW (Uncomplicated Firewall) for Ubuntu and FirewallD for CentOS.

5. Regular backups

Things may not go as planned, and what if you don't have the backup you need to restore? Most cloud or VPS providers offer backups for a small additional fee, and this should always be kept in mind. Ask your VPS provider how to enable the backup service. If you use Google Compute Engine or AWS, schedule a daily snapshot. A backup lets you quickly restore the entire virtual machine, and you are back in business.

6. Regular updates

On Ubuntu, run apt-get update (to refresh the package lists) and then apt-get upgrade to make sure the latest packages are installed. On CentOS, use yum update.

7. Do not leave ports open

Leaving unneeded ports open is exactly what an attacker wants. If you are just hosting your site on the virtual machine, you most likely only need port 80 (HTTP) or 443 (HTTPS). If you use AWS, create a security group that allows only the necessary ports and associate it with the VM. If you use Google Cloud, allow the necessary ports using "Firewall rules".
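Section 7's advice can be checked on the host itself, not only in the cloud firewall. The script below is an added example, not code from the article: it compares the ports a server is actually listening on (the output of ss -tln, read here from a constructed sample so that it runs anywhere) against an allowlist and reports the rest together with the address they are bound to, so a service bound only to 127.0.0.1 can be told apart from one exposed on 0.0.0.0. The function name, the sample listing and the allowlist of 5000, 80 and 443 are my choices.

```shell
#!/bin/sh
# Added example (not the article's code): audit listening TCP ports against
# an allowlist, using `ss -tln` output read from a file.

# unexpected_listeners "PORT PORT ..." SS_OUTPUT_FILE
# Prints "port address" for each listening socket whose port is not in the
# allowlist, one line per port/address pair, lowest port first. The address
# matters: 127.0.0.1 or [::1] is reachable only locally, while 0.0.0.0, [::]
# or * is reachable from wherever the cloud firewall lets traffic through.
unexpected_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR > 1 && $1 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)        # text after the last colon
            addr = $4; sub(/:[0-9]+$/, "", addr)   # everything before it
            key = port " " addr
            if (!(port in ok) && !(key in seen)) { seen[key] = 1; print key }
        }
    ' "$2" | sort -n
}

# --- demo on a constructed `ss -tln` listing (on a server: ss -tln > listen.txt) ---
listing=$(mktemp)
cat > "$listing" <<'EOF'
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128          0.0.0.0:5000       0.0.0.0:*
LISTEN 0      128             [::]:5000          [::]:*
LISTEN 0      511          0.0.0.0:80         0.0.0.0:*
LISTEN 0      511          0.0.0.0:443        0.0.0.0:*
LISTEN 0      80         127.0.0.1:3306       0.0.0.0:*
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
EOF

echo "listening ports outside the allowlist (port address):"
unexpected_listeners "5000 80 443" "$listing"   # prints: 22 0.0.0.0 / 3306 127.0.0.1
```

In the sample, port 22 on 0.0.0.0 is the finding that matters: after the move to 5000 it means the old Port line is still active in sshd_config, or a second sshd is running. The database on 127.0.0.1 is not reachable from outside, but it is still worth confirming that it was meant to be local only. Whatever is left should match the cloud-side rules (the AWS security group or Google Cloud firewall rules) and the host firewall, for example ufw allow 443/tcp or firewall-cmd --permanent --add-port=443/tcp, so that the two layers agree.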
4-03-2024, 04:20