Prevention is Better than Cure
UK2 Group techie Keith Anderson outlines some simple beginners’ tips for protecting your dedicated server…
You wouldn’t go on holiday and leave your front door unlocked. You wouldn’t leave your mobile phone unattended in a bar. Yet people still don’t take their server security seriously. Dedicated servers are among the safest in the world, but that doesn’t mean you should get lazy with your safeguarding. Incidentally, Audi R8s are ranked among the hardest cars in the world to steal, but they still get pinched every once in a while when a driver leaves the keys in the ignition or the window open.
Here in server-land we can’t all hire our own Security Administrator just to protect our servers. So we have to be smart and crafty, as well as follow advice from those who have come before us. That’s why I’ve compiled a list of common sense, easy to follow, starter kit-style tips that could be the difference between you having a successful business and having to fork out a week’s profits just to get your server back up and running…
Basically, you need to use big strong passwords. What does that mean? It means combining uppercase, lowercase, numbers and symbols. These are all factors of a strong password and, if you use more factors, your password will be exponentially stronger per factor. Secondly, you need to use at least 8-10 characters. More is better, getting above ten characters can increase the time it takes to break a password from days to months or even years. Lastly avoid words or variations on words. For example !1cracked is muchweaker than 0Rh#6mkk.
There are a few things you can do to lock down SSH. For starters, you can change the default port. This does not necessarily protect you if you are being targeted directly, but it will protect you from your typical port scans and brute force type of attacks, which are automated and represent the fair portion of attacks against servers. This is not true protection, it just hides you from some of the common threats. You should always consider additional measures if you want to stay safe. You can can also set ssh to only allow non-root users to access ssh, then use the sudo command to become root. This prevents attackers from being able to guess at a username. Again this is obfuscation not protection.
You should always use a firewall to help protect your server. In fact, you can use it to only allow connections on ports that are being used, for example: 22, 80 and 443. This protects you from vulnerabilities in services that you might not even be aware of. Additionally, you can lock down remote access to your server with a firewall by only allowing ssh connections from IP addresses that you specify.
If you require much higher levels of security, you should look into additional layers of protection. Use SSH keys for authentication and TCP wrappers for redundant protection, for example. Remember, doing some or all of these things as the first things you do on a server could save you hours of headaches and potentially hundreds or thousands of dollars. If a server ever becomes compromised, even if cleaned up, you can never truly trust it again and you will be cursing the powers that be. So, use an ounce of prevention. You will never regret it.