Hardening a Server

If there is one thing that I’ve learned over the past 6 years working with web servers, it’s that they are vulnerable by default. This is because a secure system can be pretty inconvenient to work with. I’ll give you a few examples of this now.

Changing the SSH Port

By default, SSH runs on port 22. This makes connecting to your server using SSH simple by running:

ssh user@example.com

This is simple, but allows automated bots to attempt to brute force your SSH user’s password all day. These automated bots are programmed to use port 22 when connecting to a server so changing your SSH port will mitigate this risk. We can change our SSH port by connecting to the server and updating the sshd_config file:

sudo vim /etc/ssh/sshd_config

Towards the top of that file, you’ll find #Port 22. Go into Insert mode by hitting the I key. Delete the # character and change 22 to the new port number that you will be using for SSH. You can then join the many people who are currently stuck in Vim who are also trying to save and exit the file. I’ll give you hint, first hit the esc key, then :wq! to save and exit the file. Once the file is saved, restart SSH running the following:

service sshd restart

You can now connect to your server using the new port with:

ssh user@example.com -p ####

Slightly inconvenient, you now have to specify a port when connecting via SSH. The automated bots using port 22, however, will not be gaining access to your server via SSH.

Disabling FTP

File Transfer Protocol (FTP) is a method that many people use to connect to their server using an application like FileZilla. What many of these people don’t know is that FTP is extremely insecure due to the protocol not encrypting traffic. Rather than using FTP, which will allow somebody to sniff the traffic and view our files, you’ll want to disable FTP. This will ensure that users are forced to connect using Secure FTP (SFTP). We can block FTP using iptables:

   iptables -A INPUT -p tcp --destination-port 21 -j DROP

Now we can connect with SFTP using port 22 (or the previous port that we changed to in our ssh_config file above. If you have Telnet running on your server you’ll want to deny all connections on port 23 as well as 21. Again, slightly inconvenient, but this will prevent an insecure connection on your server.

Block Ping Requests

Ping is a useful tool that allows us to find hosts on a network. While this tool can make our life easy by allowing us to easily troubleshoot our network, it also leaves our server open to vulnerabilities like a Ping Flood or ICMP Flood Attack.

During a Ping Flood Attack, attackers are able to overwhelm the victim’s computer by sending their computer a flood of ICMP requests or Pings. This attack can exhaust both incoming and outgoing channels of a network, resulting in a Denial of Service (DoS).

Now that we know how a Ping Flood Attack could hurt us, you may want to disable Ping from other users on your server to prevent an attacker from flooding your server with these requests. We can create a firewall rule that only allows our computer to send Ping requests to our server with:

Allow incoming from x.x.x.x
Deny incoming from all others

Assuming x.x.x.x is the IP address of your computer, you should still be able to Ping your server despite Ping being blocked from everybody else.

… And More!

There are ways to further secure your server, like disabling root user login in the sshd_config file, enabling public key authentication, installing an application like fail2ban to automatically block IP addresses that are repeatedly failing to connect. I’ll save those topics for another day.