Hello all!

I have had my eyes on Linode for a while and today I finally decided to jump in. I really like it so far but I still have a lot to learn when it comes to Linux.

I'm more of a programmer than a sysadmin, so stuff like securing my code against database injection doesn't feel like much of a problem. I mostly know what I'm doing there and I can control what happens. What I'm more worried about is parts of the server environment that I haven't had the time to learn yet.

I have two linodes, one with a LEMP stack running the php end of things and one with a LAMP setup running mysql and phpmyadmin. Both run the latest Ubuntu distro.

What I've done so far:
Ran updates.
Disabled root access.
Installed UFW and only opened holes on port 22 and 80. (on the db server I also opened a hole for the app server via the private network)
Suhosin came with the LEMP stack script but not the LAMP one.

What I know about but haven't done yet:
Changing default port number for SSH (I couldn't get this to work, my connections on the new port were refused)
Installing Suhosin on the LAMP server.

I'd appreciate all tips and any comments on the stuff I have (and haven't) done so far. I'm aware that I could be missing something blatantly obvious.

Thanks!

I don't know about UFW, but you need to open a port in your firewall for SSH:

/sbin/iptables -A INPUT -m tcp -p tcp --dport xxxxx -j ACCEPT

with the xxxxx being whatever port you decided to move SSH to ("The Dynamic and/or Private Ports are those from 49152 through 65535.")

And edit /etc/ssh/sshd_config near the top of the file to have a Port line with the new port:

Port xxxxx
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
ListenAddress 173.230.xxx.xxx
ListenAddress 192.168.xxx.xxx

Protocol 2
...

Then restart SSH.

And at some point get a pub key/private key pair and move away from password login:

PubkeyAuthentication yes
PasswordAuthentication no

I use PuTTY and FileZilla for access/file transfer to my Linodes. You can create a pub key/private key that will work with SSH using PuTTYgen.

And FileZilla can use your PuTTY private key for SFTP purposes.

How are you running phpmyadmin? It's a very popular (and successful) attack vector.

Before you change the port number, open the new port number with UFW (replacing "{NewPort}" with your new port number):

$ sudo ufw allow {NewPort}/tcp

Then change the port. Find the line "Port 22" and change it to "Port {NewPort}". Save (Ctrl + O) and Exit (Ctrl + X):

$ sudo nano /etc/ssh/sshd_config

Restart SSH:

$ sudo /etc/init.d/ssh restart

Disable old open port:

$ sudo ufw delete allow 22/tcp

Done!

You should also consider only allowing access to certain ports by certain IP addresses. For example:

$ sudo ufw allow from {IPAddressOrRange} to any port {Port}

EDIT: Just saw post above by devjonfos. Sorry to re-post info.

Stop doing cargo-cult security, and start by moving your ssh back to port 22.

It's pretty pointless to move ssh to another port. What you should be doing is to just disable PasswordAuthentication as suggested above.

Then someone will have to wait until the heat death of the universe to guess your private key. Combine that with something like fail2ban to block IP's that fail to log into ssh for 30 mins and you're pretty good to go.

Nobody who does real security bothers with security through obscurity like that.

Isolate services. If someone compromised e.g. your webserver what could they do? Are the *.php files your webserver serves up *owned* be the webserver? That's a bad idea.

You're using PHP. Are you using the new frameworks for that language that do escaping for you? Or are you using mysql_query() manually and hoping you don't accidentally introduce a SQL injection?

Subscribe to and read security advisories for your OS.

Disable services you aren't running, and review the settings of those that are running.

Set up logging on your system, read your logs.

Etc. etc.

Install Suhosin:

sudo apt-get install php5-suhosin

As Ævar Arnfjörð Bjarmason said, it's okay to keep SSH on port 22 if you use a key pair and disable PasswordAuthentication. You might see a bunch of failed login attempts, but nobody will be able to log in unless they have your private key.

for phpmyadmin

sudo vim /etc/phpmyadmin/apache.conf

and add in <Directory /usr/share/phpmyadmin>

the following:

Order Deny,Allow
Deny from All
Allow from [insert your ip address]

also

sudo vim /etc/phpmyadmin/config.inc.php

under server configuration section add

$cfg['ForceSSL'] = 'true';

so you don't pass passwords in plain text. Port 443 will need to be open and running ssl.

For log watching I recommend logwatch

sudo apt-get install logwatch

and then sudo vim /etc/cron.daily/00logwatch

and change the line

/usr/sbin/logwatch --output mail

to

/usr/sbin/logwatch --output mail --format html --mailto user@example.com

In that spirit, moving SSH from port 22 keeps the scripted attacks from polluting your log files. So, yes, it's not a security move, but an administrative move for better housekeeping of your log files.

The pollution is fine if you have something to sift through it:

$ ack -c 'Failed password' /var/log/auth.log
/var/log/auth.log:1622

The benefits of running ssh on port 22 far outweigh that minor annoyance. You'll be able to ssh to your box from some random network that only allows port 22, 80, 443 and a few others.

That's YOUR opinion.

I never run SSH on TCP22, way to many botscripts picking away there (and yes, I only use certs for SSH so it isn't really a security risk).

Nor do I need to waste MY bandwidth on those scriptkiddies.

I see NO benefit from running on TCP22, unless of course you like sifting thru logs and wasting clock cycles and bits (or of course if you're running a Honeypot).

The benefit is not having to type

ssh -p ...

for the rest of your life, and being the only guy at that conference that can't log into his box through the provided wifi because you're running ssh on some obscure port to solve a non-issue.

According to my quick measurements 3 failed ssh login attempts cost me around 5000 bytes. For the 1600 failed login attempts that I've had this week that works out to 8.2 MB. Which is nothing.

I *don't* have to sift through my ssh logs because *I know* that those silly script kiddies don't pose a threat to me.

I only allow logins with public keys, and even if I didn't I ban them with fail2ban after 6 failed attempts. Unless my passwords something silly like "foobar" they'd need to be pretty damn lucky to brute force the username/password pairs if I'm dropping their connections for 30 mins after 6 failed attempts.

I'll have to agree with vonskippy on this one. I'll take my chances and possibly get carpal tunnel 3 days earlier than if I had not typed "-p..." for my entire life.

Well, I'm not going to argue with you over what security policies you choose to implement, but for what it's worth this is exactly what I meant by cargo-cult security.

When you notice a bunch of failed login attempts on ssh you might be inclined to think that that constitutes a significant security risk, but in reality it's miniscule to the point of being nonexistent.

Moving around the ssh port and not reviewing actual security issues is the digital equivalent of parents who worry about terrorists harming their children, and then proceed to install a backyard swimming pool.

OMG - I move my SSH port, have kids AND a backyard swimming pool (and lets not even bring up the pond and the dark forest).

I'm doomed.