Putting a new DreamHost Cloud Server online takes just a few clicks in the Quicklaunch control panel of your DreamHost dashboard, and can be done in 30 seconds or less! Once a new server is live, there are some basic steps to follow to make sure the server can stay online, minimizing the risks of it getting vandalized. Below are five suggestions from DreamHost Cloud power users.
1. Disallow Root Password Logins and Force Login via SSH Keys
Password logins are vulnerable to all sorts of attacks — from brute force to keyloggers — while SSH keys are both more secure and more convenient. Luckily this step is already covered by DreamHost, as all Cloud Servers come with SSH configured to allow only keys login and disallow passwords.
Keeping your website safe is vitally important. Here are 10 ways to secure your WordPress website.
2. Enable Automatic and Unattended Upgrades
The best line of defense is to make sure all packages are updated as soon as possible after vulnerabilities are published. For Debian and Ubuntu, there is a nice guide to install Automatic Security Updates. Similarly, there are guides for Fedora and CentOS.
3. Install Fail2ban
From the official project’s description: Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show the malicious signs: too many password failures, seeking for exploits, etc. Generally, Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action (e.g. sending an email) could also be configured. Out of the box, Fail2Ban comes with filters for various services (apache, courier, ssh, etc.), but these may not be enabled by default. Check fail2ban’s documentation.
Wondering how DreamHost keeps your website safe? Check out this Q&A with our Director of Technology.
4. Install and Configure Logwatch
It’s important to be notified when things start getting weird, and looking at system logs is the best way to notice issues. Logwatch is the easiest package to install since all distributions ship a version of it. The Ubuntu community maintains a simple guide, and similar documents exist for Fedora and CentOS as well.
5. Configure DreamHost Cloud Security Groups
Security Groups can be used to filter internet traffic to the cloud server and allow only traffic that is indispensable. By default, DreamHost Cloud servers allow traffic to SSH port 22 and HTTP port 80. To open other ports, follow the guide to configure Access and Security using the DreamCompute dashboard or the OpenStack command line client.
Install and configure an intrusion detection system like Tripwire. Unixmen.com has a good guide for Ubuntu/Debian and yum/rpm based distributions.
And since all these steps need to be executed for every new server, I wrote an Ansible role I assign to all my servers.
These are only the basic steps to increase the safety of newly created servers. Most likely there will be applications and services running on such servers, like Apache web server or nginx and PHP/Python/Java applications and more. For each of these, there are extra steps to follow.
Stay tuned for more guides, and if you want to share your knowledge, please let us know in the comments!
Remember: DreamHost takes your site’s security seriously. Here’s how.