My Slackware Linux development box is on a VPS. Although Linode is generous to give 8 cores and 2TB outbound monthly limit to traffic, I would rather choose to block the rest of the world to secure my box. One of my friend suggested blocking everyone but me using a firewall but I’m too afraid of the configuration and it may lock me out or complicate things. So I choose simple configurations that still do the job.
My security checklist
Before the blocking stuff, we need to do basic security setup first, namely:
* Disable any unused services, in Slackware, they are in /etc/rc.d
* Disable remote root access (ssh), just use sudo
or su
* Limit the privilege of the main account (ordinary user), no fancy groups, etc
* Use a good damn secure password
* Whitelist ssh users
* Disable password authentication and stick to authentication key style of ssh login
* Keep the distro up-to-date with disto’s patches but remember to restore your settings, otherwise config may be reverted to default during update window
* Disable unused Apache modules
* Secure your php configuration (you can do it without suhosin, but get at least PHP 5.4)
Blocking the world
I access my box mostly at home and sometimes in the office. Since my IP address doesn’t change that much, I decided to whitelist my home IP and office IP. This means that others within my network may have access to my box but at least I can kick their @zz when they try to break-in. My home IP would be a different story since it is a broadband connection, maybe shared by several subscribers. However, that is just another layer of security and for sure the other layers will still protect my box.
Here we go, white-listing my 2 IPs and block the rest of the world. I only need two services, SSHD and HTTPD. This same tutorial is found all over the internet. First, I setup /etc/hosts.deny
to block everyone.
# /etc/hosts.deny ALL : ALL
Then, configure /etc/hosts.allow
for the white-list.
# /etc/hosts.allow ALL : localhost sshd: [vps external ip] sshd: 127.0.0.1 sshd: [home ip] sshd: [office ip] httpd: [vps external ip] httpd: 127.0.0.1 httpd: [home ip] httpd: [office ip]
I need to include the VPS ip since there are times when an application or script needs to call the VPS itself, example, automated tests or cron jobs.
After setting it up, restart inet1
.
/etc/rc.d/rc.inet1 restart
Changed IP?
In case your home or office changed IP (for whatever reason), for sure your VPS have a mechanism to login other than SSH. Linode has an AJAX based remove access so there’s no need to worry when I suddenly changed IP address.
That’s it. Enjoy and share.