Journal
Improving Security on Your Media Temple (dv) 4.0 Server
Not to say that the Media Temple (dv) servers are setup particularly badly by default but by changing to a non standard configuration and disabling some services you’re not using helps to tighten up security a little more. Here’s a quick guide of some of the things I recommend. Let’s get started.
Disable ssh for root
One of the best things you can do is disable direct assess to root via SSH, instead setup another user for SSH with a custom username and switch to root via that account. SSH as root to your server and let’s create a new user:
adduser dave
ls -lad /home/dave
Set the password for this user, it’s recommended you use something strong as this user account has SSH access to the server.
passwd dave
It’s a good idea now to open another SSH session and log into the server using the username and password you’ve just setup. Because your about to disable SSH for root you need to ensure you can still access SSH to avoid locking yourself out.
Once your absolutely sure that this user is working you can edit the sshd config like this:
vi /etc/ssh/sshd_config
Then find the following line
#PermitRootLogin yes
and change it to (note the line gets uncommented)
PermitRootLogin no
Finally restart sshd for your changes to take effect.
/etc/init.d/sshd restart
Now you will no longer be able to SSH directly as root. To assume root privileges instead SSH as the user you’ve just setup and simply type:
su
Where you will be prompted for your root password to gain super user privileges.
Disable ping response
By default anyone (or anything) that pings your server IP address will receive a response making it a sure thing that a server exists on that address. You can stop your server responding and having to deal with any unnecessary ping requests.
Log into Plesk and select Settings > Firewall > Edit Firewall Configuration > Ping Service
Select deny if you want to disallow all ping requests or if you have a static IP address then you can tell the firewall to just respond to your ping requests and ignore all others by selecting allow from selected sources and entering your IP address – useful for troubleshooting.
You’ll need to hit Activate to apply the changes you’ve made, now when anyone tries to ping your server they’ll receive a request time out as if I didn’t exist at all.
Do be aware that the server will now not respond to any ping requests from uptime monitoring software, if you are monitoring a website then you should be using a http check anyway and most tools will support this.
Change the default SSH port
Changing the default SSH port improves security because it stops automated tools and port scanners from tying to log into your server with common lists of passwords. You should set this to a number above 1024 which will help to prevent port scanners from picking it up.
vi /etc/ssh/sshd_config
Find the line that says
#Port 22
Change to any number above 1024 (note the line gets uncommented)
Port 1099
Restart sshd with the following command:
/etc/init.d/sshd restart
Now when you connect via SSH you’ll need to specify a port to connect to using the -p flag.
ssh you@domain.com -p 1099
This will also affect STFP connections too so ensure that the port is set correctly when you connect
Use SFTP
You can use SFTP instead of regular FTP, using SFTP is more secure as the connection is going over SSH which is encrypted.
Login to the account control panel for the account you want to five SFTP to via Plesk and select Websites & Domains > FTP Access
Select the existing FTP user account and then change access to the server over SSH setting to /bin/bash (chrooted) to allow this user SFTP access to their own files.
If you’re sure you don’t need it you can disable regular FTP by setting a deny all on the Firewall.
Log into Plesk and select Settings > Firewall > Edit Firewall Configuration > FTP Service
Select deny if you want to disallow all standard FTP connections or if you have a static IP address then you can tell the firewall to just allow your standard FTP connections and ignore all others by selecting allow from selected sources and entering your IP address.
If you have set a custom port for SSH as above then after disabling connections to FTP I had to set up an additional firewall rule to get SSH and SFTP to work on a custom port.
Allow incoming from all on port 1099/tcp
Use a super secure Root password
You can set the root password for your server by logging into the account center and selecting Admin > Root Access & Developer Tools > Change Root Password
Use a password generator to get a super secure 50 character password with a mix of uppercase/lowercase numbers and special characters.
Store it in a password management system like 1Password for Mac or 1Password for Windows.
You should barely be using the root account, instead look into giving your newly created user sudo (super user do) privileges so you can still perform commands that require root privileges without actually being signed into the root account. You’ll have to set another sudo password for your day-to-day account so again make sure this is nice and secure.