Hello!
I've chosen to use a small server as a backup server (I only have about 40 gigabytes to save). I'm not very conversant with server security, so I'm looking for some help.
Here is what I did:
- CentOS minimal installation: without PHP, MySQL, ...
- Changed SSH port.
- Created a new user and disabled root login.
- Allowed only these two users to connect to SSH.
- Added an email SSH root login alert.
- Installed logwatch.
- Installed rkhunter.
- Configured iptables to only allow SSH and ICMP (for my host to monitor my server):
#!/bin/sh
# chkconfig: 3 21 91
# description: Firewall
IPT=/sbin/iptables
case "$1" in
start)
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -I INPUT -i lo -p all -j ACCEPT
$IPT -A OUTPUT -o lo -p all -j ACCEPT
$IPT -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i eth0 -p tcp --dport 1364 -j ACCEPT
$IPT -A INPUT -i eth0 -p icmp --source proxy.ovh.net -j ACCEPT
$IPT -A INPUT -i eth0 -p icmp --source proxy.p19.ovh.net -j ACCEPT
$IPT -A INPUT -i eth0 -p icmp --source proxy.rbx.ovh.net -j ACCEPT
$IPT -A INPUT -i eth0 -p icmp --source proxy.rbx2.ovh.net -j ACCEPT
$IPT -A INPUT -i eth0 -p icmp --source xx.xx.xx.250 -j ACCEPT
$IPT -A INPUT -i eth0 -p icmp --source xx.xx.xx.251 -j ACCEPT
$IPT -A INPUT -i eth0 -p icmp --source ping.ovh.net -j ACCEPT
$IPT -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
$IPT -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
$IPT -t filter -A OUTPUT -p udp --dport 6100:6200 -j ACCEPT
$IPT -t filter -A INPUT -p udp --dport 6100:6200 -j ACCEPT
$IPT -P FORWARD DROP
$IPT -A INPUT -i eth0 -j DROP
exit 0
;;
stop)
$IPT -F INPUT
exit 0
;;
esac
What I'm going to do next:
- Allow FTP or SFTP...
- Only allow use of compilers and installers for root.
- Secure tmp folder (tmp being a separate partition).
Did I do it the right way so far, regarding security?
What else can I do?
Thank you!
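The three SSH settings listed in the post (non-default port, root login disabled, an AllowUsers list) can be checked against the config file itself. The script below is an added example, not part of the original post; the sample config is constructed, the user names in it are hypothetical, and it assumes the plain "Keyword value" line format.

```shell
#!/bin/sh
# Added example (not from the post): checks the three SSH settings the post lists.

# Print every value given for KEYWORD ($2) in the global part of sshd_config FILE ($1).
# Keywords are case-insensitive; lines after the first "Match" are conditional.
global_values() {
    awk -v want="$2" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(want) { $1 = ""; sub(/^[ \t]+/, ""); print }
    ' "$1"
}

# Print one finding per line; exit status is the number of findings.
audit_sshd() {
    findings=0
    ports=$(global_values "$1" Port)
    # sshd keeps the first PermitRootLogin it reads, so later lines are ignored
    root=$(global_values "$1" PermitRootLogin | head -n 1 | tr 'A-Z' 'a-z')
    users=$(global_values "$1" AllowUsers)
    # Port lines add up; no Port line means the default, 22
    if [ -z "$ports" ] || echo "$ports" | grep -qx 22; then
        echo "Port: sshd still listens on 22"; findings=$((findings + 1))
    fi
    if [ "$root" != no ]; then
        echo "PermitRootLogin: ${root:-unset}, expected no"; findings=$((findings + 1))
    fi
    if [ -z "$users" ]; then
        echo "AllowUsers: no global AllowUsers line"; findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample: the second PermitRootLogin is ignored, and the AllowUsers
# line sits inside a Match block, so it does not restrict logins globally.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sshd_config fragment
port 1364
PermitRootLogin yes
PermitRootLogin no
Match Address 192.0.2.0/24
    AllowUsers backup admin
EOF
audit_sshd "$sample" || echo "findings: $?"
rm -f "$sample"
```

On the server, pass the real file, for example `audit_sshd /etc/ssh/sshd_config`.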