In this post we look at one basic piece of server security. If you manage your own server (VPS, cloud host or dedicated machine), you have root access. The root account is like the Administrator account on Windows, only more powerful: it is UID 0 and can do essentially anything on the system.
It is not a good idea to rename or hide the root account on a Linux system. Many programs (sendmail, for example) assume that an account named root exists, and things start to break if it is not found (on Windows, by contrast, renaming the Administrator account is a common hardening step). What you should have instead is a normal, less privileged user account for daily work, so that an occasional mistake does not damage the whole system. The rest of this post disables direct root login over the three services most commonly exposed on a small server: SSH, FTP and MySQL.
SSH
To create a normal user, run sudo adduser nuser, where nuser is the account you want to add. On Debian and Ubuntu, adduser prompts for the password; otherwise set it afterwards with passwd nuser. If that user should be able to administer the box with sudo, add it to the sudo (or wheel) group as well, e.g. usermod -aG sudo nuser.
Before changing anything, double check that you can actually log in over SSH as the new user and switch to root with su (or sudo -i). Only once that is confirmed, edit /etc/ssh/sshd_config with your favourite text editor (e.g. vim), find the line PermitRootLogin yes and change it to PermitRootLogin no. If you only want to stop password guessing against root but keep key-based root logins for automation, PermitRootLogin prohibit-password (called without-password on older OpenSSH) does that. Note that sshd uses the first value it reads for a keyword, so make sure no earlier line, Match block or included drop-in (e.g. under /etc/ssh/sshd_config.d/ on recent Ubuntu) still sets it to yes; sudo sshd -t checks the syntax and sudo sshd -T | grep -i permitrootlogin shows the effective value. Keep your current session open, then restart the ssh server like this (the service is called sshd on CentOS and RHEL):
sudo service ssh restart
Now any attempt to log in directly as root is refused, while logging in as nuser and then switching to root still works. This makes the system somewhat more secure: as you will see in /var/log/auth.log, plenty of IPs brute force SSH all day, and root is the one account name every attacker already knows. With root login disabled they have to guess both a username and its password. It does not stop the attempts against other accounts, so strong passwords (or better, key-only authentication) for the normal user still matter.
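The edit above is easy to get wrong by hand: a second PermitRootLogin line lower in the file, or one in an included drop-in, silently wins because sshd keeps the first value it reads. The following is an added example, not code from the original post, that makes the change idempotently and reads back the effective value the way sshd would. It assumes a POSIX sh with awk and mktemp, and it is written to run against a scratch copy of the file first; the path passed to disable_root_login is whatever you choose (the default /etc/ssh/sshd_config is the usual location). Directives inside Match blocks are not handled here and should be reviewed with sshd -T -C by hand.

```shell
#!/bin/sh
# Added example (not from the original post): set an sshd_config keyword so
# that sshd's "first obtained value wins" rule cannot be defeated by a later
# line or by an Include'd drop-in, then read back the value sshd would use.
# Assumes POSIX sh + awk + mktemp. Run on a scratch copy before the real file.

# Print the first active (non-comment) value for KEY in FILE. Keyword
# comparison is case-insensitive, like sshd's. Prints nothing if unset.
get_sshd_option() {
    file=$1; key=$2
    awk -v key="$key" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }     # comments, blanks
        tolower($1) == tolower(key) { print $2; exit }    # first match wins
    ' "$file"
}

# Make "KEY VALUE" the effective setting in FILE: comment out every active
# occurrence (any case) and put the new directive on line 1, ahead of any
# Include line. Writes through the existing inode so permissions are kept.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v value="$value" '
        NR == 1 { print key " " value }                   # new directive first
        /^[[:space:]]*#/ { print; next }                  # keep comments as-is
        tolower($1) == tolower(key) { print "#" $0; next } # neutralise old ones
        { print }
        END { if (NR == 0) print key " " value }          # empty file case
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# The change the post describes. On the real file, follow up with
#   sudo sshd -t && sudo sshd -T | grep -i permitrootlogin
# BEFORE restarting sshd, and keep your current session open until a fresh
# login as the normal user followed by su has been confirmed to work.
disable_root_login() {
    set_sshd_option "${1:-/etc/ssh/sshd_config}" PermitRootLogin no
}

# Stand-alone demo on a constructed scratch copy (hypothetical content that
# mimics a recent Ubuntu layout with an Include at the top).
scratch=$(mktemp)
printf 'Include /etc/ssh/sshd_config.d/*.conf\nPermitRootLogin yes\nPort 22\n' > "$scratch"
echo "before: $(get_sshd_option "$scratch" PermitRootLogin)"
disable_root_login "$scratch"
echo "after:  $(get_sshd_option "$scratch" PermitRootLogin)"
rm -f "$scratch"
```

Running the demo prints before: yes and after: no; running disable_root_login twice leaves exactly one active PermitRootLogin line, so the function is safe to put in a provisioning script.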
FTP (vsFTP)
Plain FTP is not secure: the username, password and data all travel in cleartext. If you insist on using it, prefer SFTP (which runs over SSH and needs no FTP server at all) or FTP over TLS (FTPS) where the client supports it. The popular FTP server on Linux is vsftpd, and after installing it you should make sure root cannot log in through it either. On Debian and Ubuntu, vsftpd's PAM setup already rejects every user listed in /etc/ftpusers, which contains root by default; the user list below adds an explicit allow list on top of that.
The configuration for vsftpd lives in /etc/vsftpd.conf (not vsftp.conf). Make sure the following values are set, appending them if they are missing. Keep comments on their own lines: vsftpd does not accept a trailing comment after a value and will refuse to start with a "bad bool value" error if one is present. With userlist_enable=YES and userlist_deny=NO, only the users named in userlist_file may log in, and anyone else (root included) is rejected before a password is even asked for:
# no anonymous login
anonymous_enable=NO
local_enable=YES
write_enable=YES
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd.users
Create /etc/vsftpd.users if it does not exist yet and add the permitted users to it, one username per line (root must not be in it). Then restart vsftpd:
sudo service vsftpd restart
If you now try to log in as root, the server denies it right after the USER command (the client here retried once before giving up):
Connecting to: XXXXXXXXX
220 (vsFTPd 3.0.2)
USER root
530 Permission denied.
220 (vsFTPd 3.0.2)
USER root
530 Permission denied.
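The two user-list settings interact in a way that is easy to invert (userlist_deny=YES turns the same file into a block list), and a stray inline comment breaks the whole config. The following added example, which is not part of the original post, reads a vsftpd.conf, the userlist_file it names and the PAM deny list /etc/ftpusers, and reports whether a given username would be admitted under vsftpd's rules. All file paths used in the demo are constructed scratch files; the defaults it assumes (userlist_enable=NO, userlist_deny=YES, userlist_file=/etc/vsftpd.user_list) are vsftpd's documented ones.

```shell
#!/bin/sh
# Added example (not from the original post): decide whether USER would get
# past vsftpd's user-list checks for a given vsftpd.conf, the userlist_file
# it names, and the PAM deny list (/etc/ftpusers on Debian/Ubuntu).
# Assumes POSIX sh + awk + grep; the demo input below is constructed.

# Print the effective value of KEY in a vsftpd.conf (last active line wins).
# vsftpd does not allow a trailing comment on a setting line, so a value that
# still contains '#' or whitespace is reported as MALFORMED.
vsftpd_conf_value() {
    file=$1; key=$2
    awk -F= -v key="$key" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        $1 == key { val = $2 }
        END {
            if (val ~ /[#[:space:]]/) { print "MALFORMED"; exit }
            print val
        }
    ' "$file"
}

# Exit 0 if USER would be allowed to authenticate, 1 if rejected; the reason
# is printed. Order mirrors vsftpd: the user list is checked before the
# password prompt, the PAM deny list afterwards.
vsftpd_user_allowed() {
    conf=$1; ftpusers=$2; user=$3
    for k in userlist_enable userlist_deny; do
        if [ "$(vsftpd_conf_value "$conf" "$k")" = "MALFORMED" ]; then
            echo "$k has a trailing comment; vsftpd would refuse to start"
            return 1
        fi
    done
    enable=$(vsftpd_conf_value "$conf" userlist_enable)
    deny=$(vsftpd_conf_value "$conf" userlist_deny)
    list=$(vsftpd_conf_value "$conf" userlist_file)
    [ -n "$list" ] || list=/etc/vsftpd.user_list      # vsftpd default
    if [ "${enable:-NO}" = "YES" ]; then
        if grep -qx "$user" "$list" 2>/dev/null; then in_list=yes; else in_list=no; fi
        # userlist_deny=NO: the file is an allow list (the post's setup)
        if [ "${deny:-YES}" = "NO" ] && [ "$in_list" = "no" ]; then
            echo "$user: not in $list with userlist_deny=NO -> 530 Permission denied."
            return 1
        fi
        # userlist_deny=YES (the default): the file is a block list
        if [ "${deny:-YES}" = "YES" ] && [ "$in_list" = "yes" ]; then
            echo "$user: listed in $list with userlist_deny=YES -> 530 Permission denied."
            return 1
        fi
    fi
    # PAM pam_listfile deny list, consulted after the password is supplied
    if grep -qx "$user" "$ftpusers" 2>/dev/null; then
        echo "$user: listed in $ftpusers -> 530 Login incorrect."
        return 1
    fi
    echo "$user: allowed to authenticate"
    return 0
}

# Stand-alone demo on constructed files mirroring the post's configuration.
conf=$(mktemp); users=$(mktemp); ftpusers=$(mktemp)
printf 'anonymous_enable=NO\nlocal_enable=YES\nwrite_enable=YES\n' > "$conf"
printf 'userlist_enable=YES\nuserlist_deny=NO\nuserlist_file=%s\n' "$users" >> "$conf"
printf 'nuser\n' > "$users"
printf 'root\n' > "$ftpusers"
echo "$(vsftpd_user_allowed "$conf" "$ftpusers" root)"     # denied
echo "$(vsftpd_user_allowed "$conf" "$ftpusers" nuser)"    # allowed
rm -f "$conf" "$users" "$ftpusers"
```

Point the two path arguments at the real /etc/vsftpd.conf and /etc/ftpusers to audit a live server; the function never modifies anything.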
MySQL database
Disable Root Login Remotely
Remove remote root login from your MySQL database: a root account that can be reached from another machine rather than only locally is a high-risk target. If you run a dedicated database server that other hosts must connect to, it is a different story; in that case give root a strong password, still restrict it to localhost, and create separate, least-privileged accounts for WordPress and your other sites, each allowed only from the hosts that need it. Also make sure the configuration files that hold those credentials (e.g. wp-config.php) are not exposed: the risk is that they can be read, so restrict read access to the web server user (for example chown root:www-data and chmod 640) rather than only making them non-writable.
Log in to MySQL from the command line and run the following two statements to remove the remote root entries. Run a SELECT of User and Host from mysql.user for User='root' first so you know exactly which rows will go; on MySQL 8, DROP USER 'root'@'<host>' for each of those rows is the supported way to do the same thing, since editing the grant tables directly is discouraged there.
DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');
FLUSH PRIVILEGES;
Disable All Logins Remotely
If you want to disallow all remote logins and accept only local (Unix socket) connections, add skip-networking (or uncomment the line) in the [mysqld] section of /etc/mysql/my.cnf (on newer Debian and Ubuntu packages the section lives in /etc/mysql/mysql.conf.d/mysqld.cnf). If your applications connect over TCP to 127.0.0.1, use bind-address=127.0.0.1 instead, which keeps the loopback listener but nothing else.
[mysqld]
port=3306
skip-networking
Then restart the MySQL daemon (the service is called mysql on Debian and Ubuntu, mysqld on RHEL-style distributions) and confirm with ss -ltnp that nothing is listening on port 3306 any more:
sudo service mysqld restart
–EOF (The Ultimate Computing & Technology Blog) —