LinuxQuestions.org

Linux - Security > Securing a Linux Centos VPS (http://www.linuxquestions.org/questions/linux-security-4/securing-a-linux-centos-vps-861191/)

MisterTickle 02-07-2011 11:02 AM

Securing a Linux Centos VPS
 
I was looking for some help getting a good list of iptables rules and other security measures on my new Linux CentOS VPS. I have some files I want no one other than myself to have access to. I will be running some game servers on it on ports 7777 and 7778 though, and I want to have VSFTPD running for fast file transfers. What would be your recommendations? Thanks.

r_hartman 02-07-2011 11:42 AM

iptables:
I recommend using Firewall Builder, http://www.fwbuilder.org/. Very nice and flexible graphical tool to build various types of firewalls, including iptables. Make sure you only open the ports you actually use to the outside world.

vsftpd:
Use SSL, so credentials will never be available in cleartext to sniffers. Restrict access to only those users that need it. There's a fairly detailed PDF on setting up vsftpd with SSL here: vsftpd_FTPS_Setup_RHEL5
If you want to allow anonymous access, I suggest you chroot the server.

permissions:
Files you only want accessed by yourself should either be in your home directory (tree) or elsewhere with the proper owner (i.e. you) and mode (i.e. 600). You could assign a separate subdirectory with mode 700. That way, only you will have access, and root.

general:
Do not use telnet; use ssh.
Do not use password access for ssh; use private/public keypairs.
You may want ssh to not use port 22, but some available unprivileged port higher up. Reduces the number of brute force attacks quite a bit.
If you need to use passwords: generate long random passwords and store these in a password database, like KeePassX.
Use pam-tally to limit the number of login-attempts.
Mount /tmp noexec.
You may want to setup Fail2Ban to choke invalid brute force access attempts.
Beware pam-tally locks users out until reset by root while Fail2Ban blocks IP addresses for a specified period (you can whitelist your own IP).

There's probably more, but this is what pops up off the top of my head, implementable with standard CentOS and off-the-shelf RPMs.
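The firewall and vsftpd parts of the advice above, put together as a script. This is an added example, not something posted in the thread or shipped by CentOS; it generates an iptables-restore ruleset that drops everything except loopback, established traffic, the game ports, FTPS and a rate-limited ssh port, plus a matching vsftpd.conf fragment. Everything the thread did not specify is an assumption and can be overridden through the environment variables at the top: ssh moved to port 2222, the game servers reached over both TCP and UDP on 7777-7778, a passive FTP range of 40000-40100, and an admin address of 203.0.113.10 (a documentation-range IP) that is exempted from the ssh rate limit.

```shell
#!/bin/sh
# Added example (not from the thread): generate, and optionally apply, the
# iptables ruleset and vsftpd settings implied by the advice above.
# Assumed values (the thread states none of these); override via environment.
SSH_PORT="${SSH_PORT:-2222}"          # assumption: ssh moved off port 22
GAME_PORTS="${GAME_PORTS:-7777:7778}" # ports given in the question
FTP_PASV="${FTP_PASV:-40000:40100}"   # assumption: vsftpd passive data range
ADMIN_IP="${ADMIN_IP:-203.0.113.10}"  # assumption: your own IP (documentation range)

# Emit a complete iptables-restore file. Default policy on INPUT is DROP, so
# only the explicitly listed services are reachable from outside.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# ssh on a non-default port; the admin IP bypasses the brute-force limit
-A INPUT -p tcp --dport $SSH_PORT -s $ADMIN_IP -j ACCEPT
-A INPUT -p tcp --dport $SSH_PORT -m state --state NEW -m recent --set --name SSH
-A INPUT -p tcp --dport $SSH_PORT -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
-A INPUT -p tcp --dport $SSH_PORT -j ACCEPT
# game servers (assumption: both TCP and UDP)
-A INPUT -p tcp --dport $GAME_PORTS -j ACCEPT
-A INPUT -p udp --dport $GAME_PORTS -j ACCEPT
# FTPS control channel plus the passive data range configured in vsftpd.conf;
# the conntrack FTP helper cannot read PASV replies once the control channel
# is encrypted, so the range must be opened explicitly
-A INPUT -p tcp --dport 21 -j ACCEPT
-A INPUT -p tcp --dport $FTP_PASV -j ACCEPT
# log what falls through, rate-limited so an attacker cannot fill the disk
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# Emit the vsftpd.conf lines that enforce TLS, deny anonymous access, restrict
# logins to a user list, chroot users and pin the passive range to the firewall.
gen_vsftpd_conf() {
    cat <<EOF
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/vsftpd/vsftpd.pem
anonymous_enable=NO
local_enable=YES
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd/user_list
chroot_local_user=YES
pasv_enable=YES
pasv_min_port=${FTP_PASV%:*}
pasv_max_port=${FTP_PASV#*:}
EOF
}

case "${1:-show}" in
    show)   gen_rules ;;                      # print the ruleset for review
    vsftpd) gen_vsftpd_conf ;;                # print the vsftpd settings
    apply)  gen_rules | iptables-restore ;;   # needs root; review first!
esac
```

Run it with `show` first and read the output; only then `apply` as root, from a session you have tested can reconnect on the new ssh port, and make the rules persistent with `service iptables save` afterwards. The passive range in the vsftpd fragment is derived from the same variable as the firewall rule, so the two cannot drift apart; append the fragment to /etc/vsftpd/vsftpd.conf and list the permitted accounts, one per line, in /etc/vsftpd/user_list.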

