In part one we did some planning and decided what we were going to do with this server and bought some hardware
In part two we updated the system, added the packages and got the web server listening on port 80.
In part 3 of Building a perfect web server we are going to start locking down the system.
Securing your web server
Securing your web server is not just about a firewall, relying solely on firewall rules to protect your system is putting the cart before the horse.
First we are going to harden this web server with absolutely no firewall in place; we will then have a good foundation to build that amazing firewall on.
Examine the web server you just built
Drop all the firewall rules on your web server. If it is sitting on an exposed network you obviously don’t do this, but I am assuming it is on your LAN in a protected environment.
The system is now totally open and exposing the TCP and UDP ports the server is listening on. This next step is not an exhaustive test but does give us a starting point for locking down services. I won’t go through every service since the process, if not the procedure, is the same for each open port.
On your local machine download and install nmap.
My web server IP is 192.168.122.14, so I will be doing a quick SYN scan of the first 1024 TCP ports from my local machine.
nmap -sS 192.168.122.14
nmap scan report for 192.168.122.14
Host is up (0.00014s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql
We will need port 80 open since this is your web server and we want people to find us.
Port 22 is “ssh”, which we will leave open.
We do not want or need Mysql listening on the network.
Please see Securing your Mysql on your web-server, then come back here and continue.
Re-scan the system from your local machine.
nmap -sS 192.168.122.14
nmap scan report for 192.168.122.14
Host is up (0.00014s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
Mysql is no longer detectable by nmap as a port, open or closed. If you can still see it, have another look at Securing your MySql webserver.
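To make the re-scan step repeatable, here is an added example (not from the original post) that reads nmap output and reports any open port that is not on the list of services this web server is meant to expose (22 and 80). The scan text in the comments is constructed to mirror the scans above; pipe a real scan into the function with `nmap -sS 192.168.122.14 | unexpected_ports`.

```sh
#!/bin/sh
# Added example: compare open ports found by nmap against an allowlist.
# Ports this web server is meant to expose (ssh and http, as decided above).
ALLOWED_PORTS="22/tcp 80/tcp"

# unexpected_ports: read nmap output on stdin and print "PORT SERVICE" for
# every open port not in $ALLOWED_PORTS. Returns 1 if any were found, else 0.
# Input lines look like:
#   Not shown: 997 closed ports
#   PORT STATE SERVICE
#   3306/tcp open mysql
unexpected_ports() {
    found=0
    while read -r port state service; do
        # Only lines shaped like "3306/tcp open mysql" describe a port.
        case "$port" in
            */tcp|*/udp) ;;
            *) continue ;;
        esac
        # Ignore closed and filtered ports; only open ones matter here.
        [ "$state" = "open" ] || continue
        allowed=0
        for a in $ALLOWED_PORTS; do
            [ "$a" = "$port" ] && allowed=1
        done
        if [ "$allowed" -eq 0 ]; then
            echo "$port $service"
            found=1
        fi
    done
    return "$found"
}
```

An empty result with exit status 0 means the re-scan shows only the services you intended to leave listening.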
OpenSSH is secure and is used by almost everyone to get command line access to *NIX servers all over the world.
Remember that all communication transmitted via ssh is encrypted, including the password exchange. The primary reason that SSH gets hacked has nothing to do with SSH itself but with human error. While we can not eliminate human error, we can make it harder to make a mistake.
Only allow specific users to connect to the service.
If you are the only person who is going to connect to the server and make changes, then there is no reason that you can not use the root account. By using the root account and never creating any other accounts you are reducing the amount of user management on this server.
Abandoned and forgotten user accounts with user created keys and passwords are a far more likely entry point than a brute force attack on the root account.
If you need more than one administrator, or you need to allow access to the server for other users, then you will need to set up users and sudo. I will cover that somewhere else.
Set your pass phrase
passwd
Choose a passphrase and not a password.
Only allow ssh from specific locations
While locking down ssh to an IP address may seem like good security, it is not really that convenient or secure, since IP addresses can easily be spoofed to appear to come from anywhere. It also makes management of your server harder if you need to access the system from Starbucks wireless. It is better to allow ssh from anywhere but limit the number of connection attempts from any one location. We will do this when we set up the firewall.