Securing your Linux VPS For dummies

Almost everyone has their own VPS nowadays, running some flavor of Linux. People usually get the VPS and start using it straight away, without even doing the basic security setup.

I thought I should write up the basic security measures that should be taken on a brand new VPS. These steps are in no way meant to completely secure your server, but at the very least they will make it harder for newbies or wannabes to break into your server.

Got root?

First things first: change the root password. Root is the most powerful user on any Linux server, so make sure you change the password as soon as you get the VPS from your VPS provider.

Log in as root and run the following command to change your root password.

passwd

SSH: the door to your server.

Change the SSH port to a non-default port. The path of the sshd configuration file is:

It is never a good idea to keep running the SSH service on the default port which is port 22. Find the line starting with Port and change your port. See the example below.

Port 2014

Disable root login. Find the line starting with “PermitRootLogin” and set it to no; see the example below.

PermitRootLogin no

Restart the sshd service.

service sshd restart

Wanna be a Cop?

In third world countries when cops are looking for bad guys, they close down all the roads and only allow the traffic on the road they are monitoring so they can check all the cars passing through.

Similarly, you should close all the ports on your server and only allow the ports that you use. Just make sure you allow the new non-default SSH port that you set above, otherwise you will lock yourself out of your own server.
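One way to keep the firewall and sshd in agreement, as an added example that is not part of the original post: the script reads the Port value from an sshd configuration file and prints a default-deny ruleset in iptables-restore format that always includes that port. The function names, the extra ports 80 and 443, and the sample configuration are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: build default-deny firewall rules from sshd's own config.

# Print the first value of a keyword in an sshd_config-style file.
# Keywords are case-insensitive; commented-out lines never match.
sshd_value() {  # $1 = config file, $2 = keyword
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Succeed only for a decimal TCP port in 1..65535.
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print an iptables-restore ruleset that drops all inbound traffic except
# loopback, replies to our own connections, sshd's port and the extra ports.
build_ruleset() {  # $1 = sshd config file, rest = extra TCP ports to open
    conf=$1; shift
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 1; }
    ssh_port=$(sshd_value "$conf" Port)
    ssh_port=${ssh_port:-22}   # sshd listens on 22 when no Port line is set
    for p in "$ssh_port" "$@"; do
        valid_port "$p" || { echo "bad port: $p" >&2; return 1; }
    done
    if [ "$(sshd_value "$conf" PermitRootLogin)" != no ]; then
        echo "warning: PermitRootLogin is not set to no" >&2
    fi
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for p in "$ssh_port" "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -j ACCEPT"
    done
    echo COMMIT
}

# Constructed sample config using the values from this post; the extra
# ports 80 and 443 are an assumption (a web server).
sample=$(mktemp)
printf '%s\n' '#Port 22' 'Port 2014' 'PermitRootLogin no' > "$sample"
build_ruleset "$sample" 80 443
rm -f "$sample"
```

Review the printed rules before loading them with iptables-restore, and keep your current SSH session open until a second login on the new port succeeds. The rules cover IPv4 only; ip6tables-restore accepts the same format.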

Paranoid?

You can do more to make your server more secure: for example, set up Google 2-factor authentication for SSH, install fail2ban, and so on. Want to know more? Want to secure more? Let me know in the comments and I will try to help as much as I can.

WordPress 3.0.2 is available for download.

WordPress 3.0.2 was released a couple of days ago. The release fixes a security issue and some other bugs.

The security issue in the older versions of WordPress could allow author-level users to gain further access on the blog. But even if you don’t have other users on your blog, you should upgrade it to the latest version.

If your theme does not support the newer versions of WordPress, you can hire me or any other WordPress developer to make your theme and plugins compatible with the newer version. But do not delay the update, as you might regret it later and have to hire someone not only to update your theme but also to fix your hacked blog, or in the worst case you might even lose all the precious data on your blog.

You can update automatically using the WordPress Dashboard of your blog, or you can download the update and then upload it manually. Once again, if you are worried about breaking your blog, you can hire me.

P.S. I will soon write a step-by-step how-to for updating your WordPress installation to the latest version without breaking the blog.

Whitelisting WordPress admin (wp-admin) in mod_security to avoid 404 on post save or post preview

Yesterday, while I was writing a post about excluding a category from the WordPress home page and RSS feed, I found that all of a sudden the Save and Preview buttons in the WordPress Admin were not working. I was shown a “404 Not Found” screen whenever I tried to Save or Preview the post. I was a bit surprised and thought that either WordPress 2.8.4 was broken or I had messed something up while hacking the category exclusion into my blog. I really had to dig in and do some googling to find out that I was seeing the 404 because of mod_security. I had mod_security installed on the server and had never come across this issue before because I was using ScribeFire to write posts on my blogs.

Now that I had found the cause of the problem, I quickly rushed over to the WordPress forum to find out how other people were dealing with the issue, because I was sure that I was not the only one using mod_security. After searching the WordPress forum I found a thread, “Disabling mod_security”. The thread started with a person trying to disable mod_security altogether for their blog, which is of course not a good practice. But in the same thread I saw advice from djdavedawson about how to whitelist a few features of your WordPress admin in mod_security. The advantage of this approach is clear: mod_security is not disabled completely, and you still have some layer of security. You have only whitelisted the few features that are required to post new blog entries using the WordPress admin panel.

Nowadays many hosting accounts come with cPanel pre-installed, as was the case with my server. I am assuming the same is true for you; if you have another control panel, you will have to find mod_security’s whitelist.conf file yourself, or hire an expert sysadmin to do it for you. 🙂 On a cPanel server, mod_security’s whitelist.conf is located at /usr/local/apache/conf/modsec2/whitelist.conf.

  1. Open whitelist.conf with a text editor
  2. Add the following rules to the file.

    # Remove only these rule IDs, and only for the wp-admin URLs that need it.
    <LocationMatch "/wp-admin/post.php">
    SecRuleRemoveById 300015 300016 300017
    </LocationMatch>

    <LocationMatch "/wp-admin/admin-ajax.php">
    SecRuleRemoveById 300015 300016 300017
    </LocationMatch>

    <LocationMatch "/wp-admin/page.php">
    SecRuleRemoveById 300015 300016 300017
    </LocationMatch>

  3. Save the file
  4. Restart Apache

NOTE: Don’t use the methods that disable mod_security completely.
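A quick check for the whitelist file, as an added example that is not part of the original post: it flags exemptions broader than the per-URL rules above, and typographic quotes that creep in when rules are copied from a web page. The function name audit_whitelist and the sample file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: lint a mod_security whitelist for over-broad exemptions.

# Print one finding per line; exit status is 1 when anything was found.
audit_whitelist() {  # $1 = path to a mod_security whitelist file
    awk '
        function report(msg) { printf "line %d: %s\n", NR, msg; bad = 1 }
        /^[ \t]*#/ { next }                    # skip comment lines
        { line = tolower($0) }                 # directives are case-insensitive
        /“|”/ {
            report("typographic quotes become part of the pattern, " \
                   "so it will not match the intended URL") }
        line ~ /^[ \t]*<location(match)?[ \t]/ { depth++; next }
        line ~ /^[ \t]*<\/location(match)?>/   { if (depth > 0) depth--; next }
        tolower($1) == "secruleengine" && tolower($2) == "off" {
            report("SecRuleEngine Off turns every rule off in this scope") }
        tolower($1) == "secruleremovebyid" && depth == 0 {
            report("SecRuleRemoveById outside a Location block") }
        END { exit bad }
    ' "$1"
}

# Constructed sample: curly quotes pasted from a web page, plus one rule
# removal that is not scoped to any URL.
sample=$(mktemp)
printf '%s\n' '<LocationMatch “/wp-admin/post.php”>' \
    'SecRuleRemoveById 300015 300016 300017' '</LocationMatch>' \
    'SecRuleRemoveById 300015' > "$sample"
audit_whitelist "$sample" || echo "review the findings above"
rm -f "$sample"
```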

This is what solved my issue of 404 on post save or post preview. If your problem is not solved, you either have to find out the cause yourself or let me know in the comments what exactly the problem is and what steps you have taken. If you solved the above issue using some other method, kindly share it in the comments.

PS: This post has been written using WordPress admin panel to confirm everything is working fine.