GUIDE: How to help prevent SSH attacks
Posted 08-14-2006, 03:35 PM by sketchyhost.com (Rick Mills, UK, England)
Ok,

I'm not a huge Linux expert, but I have enough knowledge to run and secure a server.

I have around 2 years' experience managing servers, mainly VPS servers. I recently purchased a VPS with VPSLink (who have been very good). I did the usual security measures - APF Firewall, locked down PHP (register globals, disabled system commands, etc.) and installed Brute Force Detection on the SSH server. I was getting emails of over 500 attempted password logins on my SSH!

I was given some instructions on what to do to prevent this from happening, so I'm going to share them here to help others secure their SSH and reduce the possibility of one of these bots (or humans) accessing your server via root.

Install Brute Force Detection (BFD)
This nifty tool will basically detect and help prevent people and bots trying to access your server by entering a list of random passwords - it will ban and block the IPs that attempt to brute force your server.

To install BFD you must first install the APF firewall - instructions on doing so can be found over at webhostgear dot com.

Once you have installed APF you may install BFD:

Step 1:
Login to your server as "root"

Step 2:
Download the latest release of BFD
Code:
wget http://www.rfxnetworks.com/downloads/bfd-current.tar.gz
Step 3:
Un-Tar the archive
Code:
tar -xvzf bfd-current.tar.gz
Step 4:
Move to the newly created BFD directory
Code:
cd bfd-0.X
Step 5:
Run the installation utility; once installed, it will give you a completion message.
Code:
./install.sh
Step 6:
Edit the config file
Code:
nano /usr/local/bfd/conf.bfd
Change This:
Code:
ALERT_USR="0"
To This:
Code:
ALERT_USR="1"
and This:
Code:
EMAIL_USR="root"
To This:
Code:
EMAIL_USR="you@domain.com"
Step 7:
Now, to prevent getting locked out, it's best that you edit the ignore list; this is a list of IPs that won't be affected by the BFD system.

Code:
nano /usr/local/bfd/ignore.hosts
Add your IP to the list, e.g:
Code:
123.456.7.8
Step 8:
You can now start BFD by running the following command as root:
Code:
/usr/local/sbin/bfd -s
The install of BFD is now complete. Time for the next item on the security list...

Moving SSH To A New Port
As silly as this may sound, moving SSH is actually one of the better methods of helping to stop unauthorized access. Moving the port will give the impression that the server is either non-functional or does not have SSH set up.

If you have APF installed, make sure to add the new port to the list of open ports before applying the below modifications - failure to do so could leave you locked out of your system.

Step 1:
Pick yourself a port number (higher 4-digit numbers are better), e.g. 8470

Step 2:
Here we will open up the SSH config file; at the top of the file is the current port number (22), which you can just change to the new one:
Code:
nano /etc/ssh/sshd_config
Step 3:
Restart the SSH server
Code:
/etc/rc.d/init.d/sshd restart
Step 4:
Log in with the new port number!
If using PuTTY, the port number defaults to 22; however, you can change this when entering the server IP.

Step 5:
If everything is working, you can now edit your APF config and close off port 22, as it's no longer needed!


I hope this mini guide will help you all... thank you to members of VPSLink's forums for the suggestions. Feel free to add and comment and, if you wish, sticky it.

Edit: A copy of this can now also be found here: http://www.rmwebs.net/forum/viewthre...ead_id=2&pid=2

Rick
Posted 08-14-2006, 04:35 PM by imported_Fritz
Thanks for this guide. I hope to have the need to upgrade to a VPS eventually and will need this sort of thing then.
Posted 08-14-2006, 06:38 PM by Andreas Bard
Great guide, thank you!

I know this will come in use someday...

//Andreas
Posted 08-14-2006, 08:11 PM by sketchyhost.com (Rick Mills, UK, England)
No probs... once I've finished setting up my personal site I'm going to put together a series of basic server security and management guides.

It helps me too... my weakness is writing, so this will help me when it comes to writing articles & such.
Posted 09-20-2006, 11:24 AM by RAH (Richard)
Changing the port is usually enough to keep most hackers away from SSH; however, installing APF is also a good idea.
Posted 09-24-2006, 12:00 AM by beley
We used to get tons of BF attacks and we cut them down to zero by doing the following:
  • Restrict SSH access to single IP (not the main shared IP)
  • Restrict SSH to non-standard port
  • Do not allow root to SSH; use another account and add it to the wheel group

I also installed BFD and set up our server to email me every time someone logs into SSH and again any time someone logs in as root. It actually sends a message to my cell phone, so I know no matter where I am.
Posted 10-04-2006, 03:54 PM by Next
How do you know if you are getting BF attacks?
Posted 10-08-2006, 10:54 PM by clickbuild
Moving to a non-standard port made all SSH hack attempts go away. It's been a couple of years now - hope it stays that way!
Posted 10-17-2006, 08:11 AM by beley
I also recommend restricting SSH to a single IP, and not the shared IP on the server. We have a random IP that we don't use for accounts that's tied to the SSH on our server. We only have two users (both me and my partner on the server) who are members of the wheel group - no one else has SSH access at all.

So, I'd recommend:

1 - Install BFD
2 - Move SSH to a new port
3 - Use a single, dedicated IP for SSH
4 - Restrict SSH access to only one or two administrators, and not a username like "admin"
Posted 10-25-2006, 03:48 AM by moneymaker1
Nice guide Rick! Thanks for sharing.
Posted 10-31-2006, 03:50 AM by forkqueue
Nice, but my advice would be to disable password-based SSH logins altogether, and instead switch to key-based login.
Even with something like BFD installed, you're still vulnerable to brute force attacks from attackers with a great many IPs (think botnet).

Moving SSH to another port isn't going to help against a determined attacker either.
Posted 11-02-2006, 10:48 AM by Hendry Lee
BFD and changing port number are just two methods to secure SSH.

http://opensource.apress.com/article...p-securing-ssh

Using a public and private key pair to log in is another way. Use only SSH2. Disable PasswordAuthentication.
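The sshd_config changes suggested across the thread (the guide's new port, beley's dedicated IP and no root login, forkqueue's and Hendry Lee's key-only SSH2 login), pulled together as an added shell example that is not from any poster. It assumes Match-block directives are indented as in the stock file; the port, address, file path and script name are placeholders.

```shell
#!/bin/sh
# Added example, not from any post in the thread: apply the sshd_config
# settings recommended across the thread (new port, dedicated listen address,
# no root login, key-only auth, SSH2 only) and check the file before restarting.
# Assumes Match-block directives are indented, as in the stock file; the port,
# address and file path passed in are placeholders.
set -eu

# set_directive FILE KEY VALUE: drop every unindented "KEY ..." line, commented
# or not, then put "KEY VALUE" at the top of the file. Top-of-file insertion keeps
# the directive global; appending could land it inside a trailing Match block.
# Indented lines (Match-block overrides) are deliberately left alone.
set_directive() {
  file=$1 key=$2 value=$3
  tmp="$file.tmp"
  {
    printf '%s %s\n' "$key" "$value"
    grep -Ev "^(#[[:space:]]*)?$key([[:space:]]|$)" "$file" || :
  } > "$tmp"
  mv "$tmp" "$file"
}

# harden_sshd_config FILE PORT ADDRESS: back the file up, then apply the settings.
harden_sshd_config() {
  cfg=$1 port=$2 addr=$3
  cp "$cfg" "$cfg.bak"
  set_directive "$cfg" Port "$port"               # non-standard port (guide)
  set_directive "$cfg" ListenAddress "$addr"      # bind only the dedicated IP (beley)
  set_directive "$cfg" PermitRootLogin no         # log in as a wheel user instead (beley)
  set_directive "$cfg" PasswordAuthentication no  # keys only (forkqueue, Hendry Lee)
  set_directive "$cfg" PubkeyAuthentication yes
  set_directive "$cfg" Protocol 2                 # SSH2 only (Hendry Lee)
}

# get_directive FILE KEY: print the effective global value (first unindented,
# uncommented occurrence), which is what sshd uses.
get_directive() {
  grep -E "^$2[[:space:]]" "$1" | head -n 1 | awk '{print $2}'
}

# Only touch a real file when all three arguments are given, e.g.
#   ./harden-sshd.sh /etc/ssh/sshd_config 8470 203.0.113.10
# "sshd -t" validates the syntax before the restart step in the guide. Open the
# new port in APF first and keep this session open until a fresh login works.
if [ $# -eq 3 ]; then
  harden_sshd_config "$1" "$2" "$3"
  sshd -t -f "$1" && echo "sshd_config OK; restart sshd and test a new login on port $2"
fi
```

Re-running the script is safe: each directive is rewritten rather than duplicated, and the .bak copy is what you restore if the new login does not work.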