Here are some pointers to make sure that your new VPS will be secure enough that you will not have heart failure every other day.

1. Disable root Logins

2. SSH Secure - Encrypt Data and use Private Key to Login

3. Install OSSEC

4. Install APF (Advanced Policy Firewall)

 

1. Disable root Logins

useradd <username>

passwd <username>

Give the user superuser access:

nano /etc/sudoers

<username> ALL=(ALL) ALL

nano /etc/ssh/sshd_config

PermitRootLogin no

If you want to use a non-standard port:

Port 23151

Restart sshd:

service sshd restart

Now, to give your new <username> access via FTP as root to the entire system:

nano /etc/group

Add <username> to whichever group you need.

2. SSH Secure - Encrypt Data and use Private Key to Login

nano /etc/ssh/sshd_config

Make sure only Protocol 2 is used:

Protocol 2
MaxAuthTries 3
PubkeyAuthentication yes
PasswordAuthentication no
AllowUsers <username>

Open PuttyGen.exe

Set the key bits

Then select Generate

Copy the public key to Notepad

Delete the part at the end that starts with "rsa-key-"

Add a passphrase in PuttyGen

Save the private key

mkdir /home/<username>/.ssh

nano /home/<username>/.ssh/authorized_keys

Copy the key from Notepad into nano

Save the authorized_keys file and exit

chown -R <username>:<username> /home/<username>/.ssh

chmod 700 /home/<username>/.ssh

chmod 600 /home/<username>/.ssh/authorized_keys
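
An added example, not part of the original guide: a small shell audit that checks an sshd_config against the values set in steps 1 and 2. The function names, the user "alice" and the sample file are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original guide): audit an sshd_config against
# the settings recommended above. Keywords are case-insensitive and sshd keeps
# the first value it reads, so only the first global occurrence is checked.

# effective_value FILE KEYWORD: print the first global value of KEYWORD.
effective_value() {
    awk -v want="$2" '
        /^[ \t]*#/ || NF == 0 { next }      # skip comments and blank lines
        tolower($1) == "match" { exit }     # stop at conditional Match blocks
        tolower($1) == tolower(want) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# audit_sshd_config FILE USER: print findings; return the number of failures.
audit_sshd_config() {
    file=$1; user=$2; fails=0
    while read -r key expected; do
        actual=$(effective_value "$file" "$key" | tr 'A-Z' 'a-z')
        if [ "$actual" != "$expected" ]; then
            echo "FAIL $key: want '$expected', found '${actual:-<unset>}'"
            fails=$((fails + 1))
        fi
    done <<EOF
permitrootlogin no
protocol 2
maxauthtries 3
pubkeyauthentication yes
passwordauthentication no
EOF
    # Simplification: only the first AllowUsers line is inspected.
    allow=$(effective_value "$file" AllowUsers)
    case " $allow " in
        *" $user "*) ;;
        *) echo "FAIL AllowUsers: '$user' not listed (found '${allow:-<unset>}')"
           fails=$((fails + 1)) ;;
    esac
    return "$fails"
}

# Constructed sample: a duplicate PermitRootLogin (first one wins) and the
# misspelling AllowedUsers, which is not an sshd keyword.
sample=$(mktemp)
printf '%s\n' 'PermitRootLogin yes' 'PermitRootLogin no' 'Protocol 2' \
    'MaxAuthTries 3' 'PubkeyAuthentication yes' 'PasswordAuthentication no' \
    'AllowedUsers alice' > "$sample"
audit_sshd_config "$sample" alice || echo "$? finding(s) in sample"
rm -f "$sample"
```

Run sshd -t to validate the file's syntax before restarting sshd, and keep your current session open until a key-based login in a second window succeeds.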

3. Install OSSEC

cd /tmp/

wget http://www.ossec.net/files/ossec-hids-2.2.tar.gz

wget http://www.ossec.net/files/ossec-hids-2.2_checksum.txt

md5sum -c ossec-hids-2.2_checksum.txt

tar -zxvf ossec-hids-2.2.tar.gz

cd ossec-hids-2.2

./install.sh

Being a VPS I selected the Local Installation

Installation path /var/ossec

4. Install APF (Advanced Policy Firewall)

cd /tmp;
mkdir apf;
cd apf;
wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz;
tar -xvzf apf-current.tar.gz;
cd apf*;
./install.sh;
nano -w /etc/apf/conf.apf;

Now you will need to configure APF:

!!!NOTE: DEVEL_MODE="1" means that your firewall will be deactivated after 5 minutes. Use this carefully, and be sure to set it to 0 and restart apf afterwards!!!

SET_MONOKERN="1"

IFACE_IN="venet0"

IFACE_OUT="venet0"

PORTS:

FTP 21

SMTP 25

POP3 110

HTTP 80

HTTPS 443

DNS 53

PLESK 8443

MYSQL 3306

SSH 22 (or whatever you have set it to)

 

INBOUND PORTS (ports that you use to initiate connections to the server):

IG_TCP_CPORTS="20,21,22,53,80,443,8443,3306"

IG_UDP_CPORTS="53"

If you do not use ping packets, remove ICMP types 0 and 8 so the server won't answer any pings (network monitoring).

IG_ICMP_TYPES="3,5,11,30"

OUTBOUND PORTS (ports the server uses):

EG_TCP_CPORTS="21,25,80,443,53"

EG_UDP_CPORTS="20,21,53"

apf command options:

-s start

-f stop

-r restart

-st status

-l statistics

Now start APF:

/usr/local/sbin/apf -s

And configure it to run at startup:

chkconfig --level 2345 apf on

5. Secure MONO Site Access

On a MONO site, make the owner root and the group apache (or whatever user and group you have given Apache in httpd.conf) for the site folders.

Set permissions:

cd /var/www/vhosts/<domain>;
chown -R root:apache httpdocs;
chmod -R 750 httpdocs;
chown -R root:apache httpsdocs;
chmod -R 750 httpsdocs;