By dave | April 4, 2017

Secure Linux web host: locking down and checking the SSH access logs

If you run you hosting on a Linux server, it normally comes out of the box pretty secure with few of the older less secure services enabled. On top of this, if you use a provider like AWS they further secure the server by their own custom firewall. I truly like Amazon Web Service and have used it for some time. They can scale from mom-and-pop shop right up to enterprise.

This guide doesn’t even break the surface on website security, but instead gives you a few quick wins that you can apply quickly. My take has always been only install what you need; checking carefully through what you have running and its configuration. Belt and braces as the old saying goes.

When on shared hosting, many hosting providers leave the MySQL port open remotely, if you have control of your host, lock this down by only allowing the daemon to listen on localhost. This page on MySQL connection security may be useful In addition do not allow any less secure protocols such as FTP or telnet, instead if you need FTP services use sFTP.

Needless to say, keeping your system up to date is absolutely essential.

Apache settings

Check through all your apache configurations, make sure that directory browsing is OFF, make sure that (unless you need it) user profile hosting is OFF. Ensure you check each configuration you are loading, to ensure it is properly configured. If you must have PhpMyAdmin running, run it on either a different domain / IP address and change the alias to something else.

Checking the security access log.

Now and again check the access logs on the linux server, this is useful as it shows you who has connected to your host, although there are a few false positives in there. To check this:

less /var/log/secure

Connections that are established log something like the below, where is the type of authentication used and is the user name of the login. If anything looks suspicious with one of these, check VERY carefully:

Accepted <auth-type> for <user-name> from

After a login, you’ll see any privilege elevations (sudo / su) in there too, they will normally show as USER=root

You may well see lots of invalid connection attempts, these can generally be ignored. Most of the time they are probably people genuinely entering the wrong IP address.

input_userauth_request: invalid user service

And if you’re on the internet, the there will probably be a few of the below warnings, but generally nothing happened:


Hopefully, this has been useful, there are many good resources on Linux and Web server security that go far further than this simple guide.

Other pages within this category

comments powered by Disqus

This site uses cookies to analyse traffic, and to record consent. We also embed Twitter, Youtube and Disqus content on some pages, these companies have their own privacy policies.

Our privacy policy applies to all pages on our site

Should you need further guidance on how to proceed: External link for information about cookie management.

Send a message

Please use the forum for help with UI & libraries.

This message will be securely transmitted to our servers.