By dave | April 4, 2017

Secure Linux web host: locking down and checking the SSH access logs

If you run your hosting on a Linux server, it normally comes out of the box reasonably secure, with few of the older, less secure services enabled. On top of this, if you use a provider such as AWS, they further protect the server with their own firewall. I truly like Amazon Web Services and have used it for some time; it scales from a mom-and-pop shop right up to the enterprise.

This guide doesn't even scratch the surface of website security, but instead gives you a few quick wins that you can apply straight away. My approach has always been to install only what you need, then check carefully through what you have running and how it is configured. Belt and braces, as the old saying goes.

On shared hosting, many providers leave the MySQL port open remotely. If you have control of your host, lock this down by only allowing the daemon to listen on localhost; this page on MySQL connection security may be useful. In addition, do not allow any less secure protocols such as FTP or telnet; if you need a file transfer service, use SFTP instead.
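A quick way to confirm the MySQL listener really is restricted to localhost is to look at what is bound to port 3306. The script below is an added example, not code from the original article: it assumes the column layout of `ss -ltn` (local address in column 4), and the two sample listings it checks are constructed.

```shell
#!/bin/sh
# Added example, not code from the original article: check whether MySQL is
# reachable from outside the host by looking at what is listening on 3306.
# Assumes the column layout of `ss -ltn` (local address in column 4); the
# two sample listings below are constructed.

SAMPLE_SS_EXPOSED='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      80     0.0.0.0:3306        0.0.0.0:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*'

SAMPLE_SS_LOCKED='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      80     127.0.0.1:3306      0.0.0.0:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*'

# Read `ss -ltn` output on stdin; print every 3306 listener that is bound to
# something other than IPv4 or IPv6 loopback (0.0.0.0, *, [::], a public IP).
exposed_mysql_listeners() {
    awk '$4 ~ /:3306$/ && $4 !~ /^(127\.0\.0\.1|\[::1\]):3306$/ { print $4 }'
}

# Convenience wrapper for a live host. If anything is printed, the fix is
# "bind-address = 127.0.0.1" under [mysqld] in my.cnf, then a restart.
check_live_mysql() {
    if command -v ss >/dev/null 2>&1; then
        ss -ltn | exposed_mysql_listeners
    else
        echo "ss not available" >&2
        return 2
    fi
}

echo "exposed sample:"; printf '%s\n' "$SAMPLE_SS_EXPOSED" | exposed_mysql_listeners
echo "locked sample:";  printf '%s\n' "$SAMPLE_SS_LOCKED"  | exposed_mysql_listeners
```

On the exposed sample the check prints `0.0.0.0:3306`; on the locked one it prints nothing. Run `check_live_mysql` on the host itself to test the real listener rather than the samples.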

Needless to say, keeping your system up to date is absolutely essential.

Apache settings

Check through all your Apache configurations: make sure that directory browsing is OFF and that (unless you need it) user directory hosting is OFF. Check each configuration file you are loading to ensure it is properly configured. If you must have phpMyAdmin running, run it on a different domain or IP address, and change the alias to something other than the default.
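The three settings above can be audited with a few greps over the configuration directory. This is an added example, not code from the original article: the directory layout, the two sample `httpd.conf` files and the `/db-admin-REPLACE-ME` alias are constructed, the weak file showing common defaults and the hardened file the locked-down equivalents.

```shell
#!/bin/sh
# Added example, not code from the original article: grep-based audit of an
# Apache configuration directory for the three settings the article calls
# out. The directory paths, file contents and the "/db-admin-REPLACE-ME"
# alias are constructed for this example.

SAMPLE_CONF_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_CONF_DIR"' EXIT
mkdir "$SAMPLE_CONF_DIR/weak" "$SAMPLE_CONF_DIR/hardened"

# Typical defaults that the article says to turn off.
cat >"$SAMPLE_CONF_DIR/weak/httpd.conf" <<'EOF'
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
UserDir public_html
Alias /phpmyadmin /usr/share/phpMyAdmin
EOF

# The same settings locked down: no listing, no per-user hosting, phpMyAdmin
# on a non-default alias (and, per the article, ideally a separate host).
cat >"$SAMPLE_CONF_DIR/hardened/httpd.conf" <<'EOF'
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
    AllowOverride None
</Directory>
UserDir disabled
Alias /db-admin-REPLACE-ME /usr/share/phpMyAdmin
EOF

# Print one finding per offending line (file:line:text) under a directory.
# Directive names are matched case-insensitively, as Apache reads them.
apache_config_findings() {
    dir=$1
    # "Options Indexes" or "Options +Indexes"; "-Indexes" is not reported.
    grep -rniE '^[[:space:]]*Options.*[[:space:]+]Indexes' "$dir" 2>/dev/null \
        | sed 's/^/directory listing enabled: /'
    # Any UserDir line that does not disable the feature.
    grep -rniE '^[[:space:]]*UserDir[[:space:]]' "$dir" 2>/dev/null \
        | grep -vi 'disabled' \
        | sed 's/^/user directory hosting enabled: /'
    # phpMyAdmin reachable on its well-known default alias.
    grep -rniE '^[[:space:]]*Alias[[:space:]]+/phpmyadmin([[:space:]]|$)' "$dir" 2>/dev/null \
        | sed 's/^/phpMyAdmin on default alias: /'
}

# Number of findings, usable as an exit condition in a cron job or CI step.
apache_finding_count() {
    apache_config_findings "$1" | grep -c . || true
}

echo "weak:";     apache_config_findings "$SAMPLE_CONF_DIR/weak"
echo "hardened:"; apache_config_findings "$SAMPLE_CONF_DIR/hardened"
```

Point `apache_config_findings` at the real configuration directory (for example `/etc/httpd` or `/etc/apache2`) to audit a host; the weak sample produces three findings and the hardened sample none. The grep for `Options` only catches listing enabled explicitly in a directive, so a directory that inherits `Indexes` from a parent block still needs a manual read of the enclosing `<Directory>` sections.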

Checking the security access log

Every now and again, check the access logs on the Linux server. This is useful because it shows you who has connected to your host, although there are a few false positives in there. To check this:

less /var/log/secure

Connections that are established log something like the line below, where <auth-type> is the type of authentication used and <user-name> is the user name of the login. If anything looks suspicious in one of these, check VERY carefully:

Accepted <auth-type> for <user-name> from xxx.xxx.xxx.xxx

After a login, you'll see any privilege elevations (sudo / su) in there too; they will normally show as USER=root.

You may well see lots of invalid connection attempts; these can generally be ignored. Most of the time they are probably people genuinely entering the wrong IP address.

input_userauth_request: invalid user service

And if you're on the internet, there will probably be a few of the warnings below, but generally nothing has happened:

POSSIBLE BREAK-IN ATTEMPT!
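Reading `/var/log/secure` by hand works, but the four kinds of line described above are easy to pull out with a short script. The one below is an added example, not code from the original article: it assumes the RHEL/CentOS `/var/log/secure` line format, and the sample log it works on is constructed, using documentation-range IP addresses and made-up host and user names. Besides counting the events, it cross-references each accepted login against failed attempts from the same address, which is the kind of line that deserves the VERY careful look the article calls for.

```shell
#!/bin/sh
# Added example, not code from the original article: a small POSIX shell
# report over a /var/log/secure style file for the events the article
# describes (accepted logins, sudo/su to root, invalid users, break-in
# warnings). The log lines below are constructed, with documentation-range
# IP addresses and made-up host and user names.

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
Apr  4 10:12:01 web1 sshd[2211]: Accepted publickey for dave from 203.0.113.10 port 51022 ssh2
Apr  4 10:12:05 web1 sudo:     dave : TTY=pts/0 ; PWD=/home/dave ; USER=root ; COMMAND=/bin/yum update
Apr  4 10:13:40 web1 sshd[2240]: input_userauth_request: invalid user service [preauth]
Apr  4 10:13:40 web1 sshd[2240]: Failed password for invalid user service from 198.51.100.7 port 40012 ssh2
Apr  4 10:14:02 web1 sshd[2251]: Failed password for root from 198.51.100.7 port 40033 ssh2
Apr  4 10:15:02 web1 sshd[2260]: reverse mapping checking getaddrinfo for host-7.example [198.51.100.7] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr  4 10:20:11 web1 sshd[2301]: Accepted password for root from 198.51.100.7 port 40100 ssh2
EOF

# One "auth-type user ip" line per successful SSH login, located relative to
# the word "Accepted" so the width of the date/host prefix does not matter.
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted / {
        for (i = 1; i <= NF; i++)
            if ($i == "Accepted") { print $(i+1), $(i+3), $(i+5); break }
    }' "$1"
}

# Count lines containing a fixed string; prints 0 (and succeeds) on no match.
count_matching() {
    grep -cF -- "$1" "$2" || true
}

# Successful logins from an address that also has failed attempts in the same
# log: the lines the article says to check VERY carefully.
suspicious_accepted() {
    accepted_logins "$1" | while read -r auth user ip; do
        if grep -F -- "Failed password for" "$1" | grep -qF -- " from $ip port "; then
            echo "$user $ip ($auth) also has failed attempts"
        fi
    done
}

# Whole report for one log file.
secure_log_report() {
    echo "Accepted logins (auth user ip):"
    accepted_logins "$1" | sed 's/^/  /'
    echo "Elevations to root:    $(count_matching 'USER=root' "$1")"
    echo "Invalid user attempts: $(count_matching 'input_userauth_request: invalid user' "$1")"
    echo "Break-in warnings:     $(count_matching 'POSSIBLE BREAK-IN ATTEMPT' "$1")"
    echo "Worth a closer look:"
    suspicious_accepted "$1" | sed 's/^/  /'
}

secure_log_report "$SAMPLE_LOG"
```

On a real host, call `secure_log_report /var/log/secure` (on Debian and Ubuntu the same messages live in `/var/log/auth.log`). In the sample, the root password login from 198.51.100.7 is flagged because the same address produced failed attempts and an invalid-user probe minutes earlier; the key-based login for dave is not.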

Hopefully this has been useful; there are many good resources on Linux and web server security that go far further than this simple guide.
