4

I've been wondering about renting a new VPS to get all my websites sorted out again. I am tired of shared hosting and I am able to manage it as I've been in the past.

With so many great people here, I was trying to put together some of the best practices and resources on how to handle the setup and configuration of a new machine, and I hope this post may help someone while trying to gather the best know-how in the comments. Don't be scared by the lengthy post, please.

The following tips are mainly from @Condor, @Noob, @Linuxxx and some others were gathered on the webz. Thanks to @Linux for recommending me Vultr VPS. I would appreciate further feedback from the community on how to improve this and/or change anything that may seem incorrect or should be done in a better way.

1. Clean install CentOS 7 or Ubuntu (I am used to both, do you recommend more? Why?)
2. Install existing updates
3. Disable root login
4. Disable password for ssh
5. RSA key login with strong passwords/passphrases
6. Set correct locale and correct timezone (if different from default)
7. Close all ports
8. Disable and delete unneeded services
9. Install CSF
10. Install knockd (is it worth it at all? Isn't it security through obscurity?)
11. Install Fail2Ban (worth to install side by side with CSF? If not, why?)
12. Install ufw firewall (or keep with CSF/Fail2Ban? Why?)
13. Install rkhunter
14. Install anti-rootkit software (side by side with rkhunter?) (SELinux or AppArmor? Why?)
15. Enable Nginx/CSF rate limiting against SYN attacks
16. For a server to be public, is an IDS / IPS recommended? If so, which and why?
17. Log Injection Attacks in Application Layer - I should keep an eye on them. Is there any tool to help scanning?

If I want to have a server that serves multiple websites, would you add/change anything to the following?
18. Install Docker and manage separate instances with a Dockerfile powered base image with the following? Or should I keep all the servers in one main installation?
19. Install Nginx
20. Install PHP-FPM
21. Install PHP7
22. Install Memcached
23. Install MariaDB
24. Install phpMyAdmin (On specific port? Any recommendations here?)

I am sorry if this is somewhat lengthy, but I hope it may get better and be a good starting guide for a new server setup (eventually become a repo). Feel free to contribute in the comments.
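
Items 3 and 4 of the checklist can be verified after editing `sshd_config`. The script below is an added example, not part of the original post; the function names `first_value` and `audit_sshd` and the sample config are assumptions, and only the global section (before the first `Match` block) is inspected.

```shell
#!/bin/sh
# Added example: audit checklist items 3 and 4 in an sshd_config file.
# sshd uses the FIRST value it obtains for each keyword, so a later
# "PermitRootLogin no" does not override an earlier "PermitRootLogin yes".

# first_value FILE KEYWORD -> first global value for KEYWORD, or "unset"
first_value() {
    awk -v want="$2" '
        BEGIN { want = tolower(want); found = 0 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            gsub(/[ \t]*=[ \t]*/, " ", line)     # tolerate the Key=value form
            split(line, f, /[ \t]+/)
            key = tolower(f[1])                  # keywords are case-insensitive
            if (key == "match") exit             # global section ends here
            if (key == want) { print f[2]; found = 1; exit }
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# audit_sshd FILE -> returns 0 only if both settings are explicitly "no".
# An unset keyword is reported too, since the build default then applies.
audit_sshd() {
    cfg=$1; rc=0
    root=$(first_value "$cfg" PermitRootLogin)
    pass=$(first_value "$cfg" PasswordAuthentication)
    [ "$root" = "no" ] || { echo "FAIL PermitRootLogin=$root (want no)"; rc=1; }
    [ "$pass" = "no" ] || { echo "FAIL PasswordAuthentication=$pass (want no)"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK root login and password auth disabled"
    return "$rc"
}

# Constructed sample: sshd honours the first PermitRootLogin line only.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample config
PermitRootLogin yes
PasswordAuthentication no
PermitRootLogin no
EOF
audit_sshd "$sample" || true
rm -f "$sample"
```

On a live host, `sshd -T` prints the effective configuration, including compiled-in defaults and included files that this file-only check cannot see.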

Comments
  • 2
    1. Use the one that you like the most!
    2. Always good!
    3. good!
    4. backup your key!
    5. If you don't trust the place where you are going to store the private key, go for it. Otherwise not
    6. Why not
    7. It is a good practice, close everything and open up when needed.
    8. Go for it
    9. It is basically a wrapper to iptables.
    10. Thinfoiling is good too :)
    11. CSF or fail2ban, not both.
    12. Choose between fail2ban, CSF and UFW. It is not good to have many programs fucking with iptables at once.
  • 2
    13. good
    14. It is enough with rkhunter.
    15. Always good!
    16. It is, check out mod_security2
    17. I should keep an eye on them. Is there any tool to help scanning? - mod_security2

    18. Run the sites as different users. You will lose some resources by using docker.
    24. Does not matter here, you should instead make it accessible via some obscure subdomain with /something/thing/something
  • 0
    Thanks for your valuable feedback @Linux!

    5. You mean, the server?
    10. What do you mean with thinfoiling?
    11. I will probably stick with CSF if I don't find any better reason to use another.
    14. Any reason why I should use SELinux/AppArmor too? Afaik, rkhunter only notifies you of a possibly compromised server.
    16, 18, 24. Got it!

    Meanwhile, I have remembered some missing points in my list that I would like to improve:
    - System snapshots - is there any recommended tool/approach to do it?
    - Website home directory backups - if I would use separate users, I should be able to backup each file system in its own. Any recommendation?
    - Database backups - automatically create periodic backups. What is the best practice on how to do it and where to save it?
    - Repo management (Stash or Gitlab) and CI/CD solution - worth it? A deployment system would be useful to deploy code stored in a repo.

    Pinging @Condor, @Noob and @linuxxx to get more interesting feedback and tips going on. Thanks man!
  • 1
    5. No, you talked about having the private key with a strong password. So that means the PC you are using to connect to the server with.
    10. Joke m8 :)

    Meanwhile, I have remembered some missing points in my list that I would like to improve:
    - System snapshots - The whole machine or just files? automysqlbackup and rsnapshot are great tools
    - Website home directory backups - automysqlbackup and rsnapshot
    - Database backups - automysqlbackup and rsnapshot
  • 1
    @ivoecpereira Just got out of my sysadmin work, will comment once home! ;)
  • 1
    You don't use devRant for two days and miss so many interesting discussions.

    Regarding Centos or Ubuntu - definitely use the one that you like more.
    I use both for web servers and Centos seems to be about 5-10% faster. I experimented with Nginx and Apache, both worked quicker on Centos (7).

    You don't have to install CSF, just manage iptables in a wise manner.

    Backup all keys! I can't stress it enough.

    Also SELinux or AppHunter are not necessary with rkhunter as far as I know.
  • 0
    @Linux ahh, I see. Thanks man! Useful stuff!

    Will check out those tools! Thanks a lot for your help!
  • 0
    @Condor thanks for the compliment! :)

    1. I've used both in production, so I have no big trouble using any. Wasn't aware of CentOS rollback feature, seems good!
    2. I see. What would you do if your system suddenly does break? Restore a system snapshot? (check my comment asking for opinions on this)
    3/4. Got it!
    5. Got it! Just seen the video. Will read some more on it and try to implement it.
    6. Thanks!
    7. What I used to do at every server I owned :) do you recommend setting up a VPN on such a small VPS like this? Wouldn't it be too much resources on a small-budget machine?
    8. Got it. Reminded me of Arch, as it is a totally clean distribution ahah. Good times setting it up.
    9. Thanks man! I will wait for @linuxxx feedback on that! Yeah, I remember someone saying fail2ban was not good at all.
    10. In my AWS instance we do work with OpenVPN and it is great. I would prefer it instead of obscuring my services :)
    11. Will wait on more feedback too!
  • 0
    12. I've messed with iptables natively some years ago, but tbh I don't recall the syntax and always need to check it. I guess I gave a try to ufw once in times too. Wouldn't CSF be better for this role?
    13. I will try it.
    14. Will investigate on these! As I've seen AppArmor is not compatible with CentOS 7 and SELinux is already installed. I hope I won't mess with a bad setup on SELinux.
    15. Seems awesome.
    16. Will wait for further feedback on what the best solution would be for this. I wasn't aware of such a system that is able to notify me of an intrusion.
    17. I will see if mod_security2 suggested helps on this!

    Will check on logwatch! Thanks for your contribution! Regarding the following subjects, do you have anything to add? :)

    - GrSecurity? Supposedly it hardens Linux kernel. Haven't been able to find an unbiased opinion on it.
    - Virtualmin - Worth? Any alternatives? Or stick to manual editing?
  • 1
    @Noob thanks a lot for your valuable input!

    However, aren't rkhunter and SELinux used for "different" purposes?

    Good catch on backing up keys :) Any ideas on where to backup them?
  • 1
    @ivoecpereira as far as I know rkhunter detects suspicious activity and alerts you. AppArmor and SELinux on the other hand, restrict a process' access to specific paths.
    Also both come pre-installed in Centos7 (SELinux) and Ubuntu 17.04 server (AppArmor).

    Honestly though, I didn't need to use either, because of similar security precautions we take in the company.
  • 0
    @Noob thanks! I will explore SELinux as I will probably go with CentOS.

    Out of curiosity, do you suggest any alternative approaches to these?
  • 0
    @Condor thanks!

    I will give a try to grsecurity. I miss Arch Linux a lot, but would not get adventurous on a production server for now.

    Thanks for your opinion on Webmin and Virtualmin. Tbh I've already had a lot of servers without them and had my company's server using it.

    But I do prefer to have full control of the server, so I would not use them.

    Thanks. I have some great bases here to get started!
  • 1
    @ivoecpereira Honestly, the best advice I can give anyone that is going to use Linux (server or pc) is to be careful and not trust every source on the net.
    People blindly download stuff from 3rd party repositories, or directly from websites.

    Also, do not forget to issue frequent backups to your users home folders, crontable and etc.
  • 0
    @Noob sure thing! What would be to you the most reliable sources or how can I identify them? Let me give you an example. Yesterday I've started installing rkhunter, however the unique working package I was able to find - as the epel repo was not working - was in their sourceforge. I suppose that source is trustable?

    However, I've identified some allowed files that were not in that package default configuration (and according to some already described issues, they should be). I am not really certain if I have downloaded the right package, but I was not able to find a better one.

    Regarding backups, I will take a look at rsnapshot. Do you have any other suggestion? Where do you save your backups? Just transfer them to your computer?

    Thanks!
  • 1
    Regarding the sources - unfortunately some trust must always be given in those. So my general rule of thumb is to check whether the source is popular and has good reputation, then to check whether the most recent file has any bad reactions. Only then I proceed to download.

    Regarding files and packages - checksum them and google the hash. Most malware will be identified immediately.

    Regarding backups - it depends what information is being backed. If it is a simple MOTD, I will save it on my PC.
    If it's the users info, I save a snapshot to our backup server.

    For snapshots I use a specified tool we developed or the Vsphere's solution occasionally. Depending on the importance level of the server.
  • 0
    @Noob thanks! Currently, I am backing up my snapshots locally, waiting for Vultr to have some Block Storage servers again. Have you tried them @Linux? Are they any good?

    By the way, I would like to ask you all, including @Condor, if you mind me using some of the information you provided here in a series of articles, detailing some of the steps for the tools and practices mentioned above?
  • 0
    @ivoecpereira
    You mean storage servers? They have block storage in NYC I think, I use it there
  • 0
    @Linux all temporarily sold out. They said they should have some new ones in 1-2 weeks. :(
  • 0
    @ivoecpereira
    When did they say that? :I
  • 0
    @Linux it appears when I try to choose any location in Storage Instance (when deploying a new server).
  • 1
    @linuxxx you forgot to comment after work, was searching for what firewall you always use and came here haha
  • 2
    vps its great
  • 0
    @Hison I use Zomro hosting, also not bad. Stable works, up time 99.8%. Support in case of problems is always helpful.