When making your Linux server more secure, you will want to look at four areas of the server:
- The SSH configuration
- The IPTables configuration (software firewall)
- The logs
- The applications the server hosts
SSH - You will find that the most common way Codero.com servers are attacked is by people running "brute force" password-guessing attacks against SSH. You can see this happening by looking at the messages log located at /var/log/messages.
Logs - The next part of this guide concerns logs.
If your server is running Plesk Control Panel, please refer to the following link for information on using Plesk to add the firewall rule:
Otherwise, you'll need to log into your server using SSH and edit IPTables. Once logged into the server, issue the following command to edit IPTables:
The line with the red box around it is the only change/addition to the file. Please take care not to change any other values while in this file.
[root@hostname]#service iptables restart
[root@hostname]#service sshd restart
Now SSH is listening on port 722.
- Logs are extremely useful in Linux; the main ones you are going to look at are the last and secure logs. All of these logs are kept in the /var/log/ directory on the server. To view the last log, log into your server using SSH and issue the following command:
- The secure log can be looked at by typing the following command:
[root@hostname]#tail -n 100 /var/log/secure
This will give you the last 100 lines of the secure log. The secure log records information such as logins and logouts, but it also logs failed SSH and FTP attempts. You can easily spot someone trying to break into these two services by looking in the secure log.
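Reading the secure log by hand works for a hundred lines, but a brute-force run produces thousands. The script below is an added example (not part of the original article) that counts "Failed password" entries per source address and per targeted account, and flags any address at or above a threshold. It runs over constructed sample log lines in sshd's syslog format, using addresses from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges; the function names and the threshold of 3 are my own choices.

```shell
#!/bin/sh
# Added example: summarise failed SSH logins from secure-log text.
# The log lines below are constructed samples, not captured from a real host.

SECURE_LOG_SAMPLE='Mar  3 10:15:01 hostname sshd[2231]: Failed password for root from 203.0.113.45 port 51522 ssh2
Mar  3 10:15:03 hostname sshd[2233]: Failed password for invalid user admin from 203.0.113.45 port 51530 ssh2
Mar  3 10:15:04 hostname sshd[2235]: Failed password for root from 203.0.113.45 port 51531 ssh2
Mar  3 10:15:09 hostname sshd[2240]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2
Mar  3 10:16:12 hostname sshd[2251]: Failed password for invalid user oracle from 203.0.113.45 port 51600 ssh2
Mar  3 10:17:30 hostname sshd[2260]: Failed password for jsmith from 198.51.100.7 port 40031 ssh2'

# failed_ssh_by_ip LOG_TEXT: "count address" for every source that failed, busiest first.
# Only sshd "Failed password" lines count; "Accepted ..." lines are ignored.
failed_ssh_by_ip() {
    printf '%s\n' "$1" | awk '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { ip[$(i+1)]++; break }
        }
        END { for (a in ip) print ip[a], a }' | sort -rn
}

# targeted_accounts LOG_TEXT: "count user" for the account names being guessed.
# sshd writes "for invalid user NAME" when the account does not exist, so the
# name sits three fields after "for" in that case and one field after otherwise.
targeted_accounts() {
    printf '%s\n' "$1" | awk '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "for") {
                u = ($(i+1) == "invalid") ? $(i+3) : $(i+1)
                users[u]++
                break
            }
        }
        END { for (u in users) print users[u], u }' | sort -rn
}

# brute_force_sources LOG_TEXT THRESHOLD: addresses with at least THRESHOLD failures.
brute_force_sources() {
    failed_ssh_by_ip "$1" | awk -v t="$2" '$1 + 0 >= t + 0 { print $2 }'
}

echo "Failed logins by source:"
failed_ssh_by_ip "$SECURE_LOG_SAMPLE"
echo "Accounts targeted:"
targeted_accounts "$SECURE_LOG_SAMPLE"
echo "Sources at or above 3 failures:"
brute_force_sources "$SECURE_LOG_SAMPLE" 3
```

On a live server, replace the sample with `"$(cat /var/log/secure)"`; the output tells you which addresses to block in IPTables and whether the guesses are aimed at root (which PermitRootLogin no removes as a target) or at non-existent accounts.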
- Next, you should take a look at the dmesg log. You can access the dmesg log by issuing the following command:
The dmesg log gives information about hardware; use this log if you think your hardware is failing.
- Finally, the messages log is a great resource. This log contains much of the information covered in the previous logs, but it gives a good snapshot of what's going on with the server. To view the messages log, issue the following command:
[root@hostname]#tail -n 100 /var/log/messages
You will get an output that looks like the following picture:
Here you can find information such as who logged into the server, which FTP users connected to it, and when the server crashed or rebooted.
Applications - Keeping applications secure is the last topic we will touch on in this article. Servers are only as secure as the mail accounts and message boards they host. If you have an open relay or out-of-date bulletin board software, update it; these are sure targets for injection attacks against MySQL and PHP, so keep them up to date on your server. Remember, a determined hacker can break into any system, but by putting in a little effort you can make breaking into your system a waste of time, and they will move on to easier prey.