Vesta Control Panel - Forum

Hardening Vesta & Server

General questions about VestaCP
soldx
Posts: 7
Joined: Tue Apr 11, 2017 9:55 am

Hardening Vesta & Server

Post by soldx » Tue Apr 11, 2017 10:29 am

Hello,
First of all, I am new to working with servers and with Vesta.

I have a VPS with CentOS 6.8 & Vesta 0.9.8.
My big concern is about the security. (Mode paranoid)
  • Default ports
  • Default URLs
  • SSL
  • 2FA
  • Change weak config
  • ...
I would appreciate it a lot if anybody can give me some suggestions or guides to start working on that.

Greetings.

peterbrinck
Posts: 16
Joined: Wed Jun 24, 2015 8:13 am

Re: Hardening Vesta & Server

Post by peterbrinck » Tue Apr 11, 2017 12:43 pm

I have changed a few default ports, like for SSH.
That's not directly for security, but it prevents a lot of bots from trying to access your server.

And for SSL you can go with CloudFlare. It's free and provides SSL for all your domains: just add SSL support to your domains in Vesta and create a certificate, and you're good to go!

Other than that, Vesta already comes with a lot of security instances, like Fail2Ban.
The rest is pretty much normal server configuration and security.

DigitalOcean has a lot of good tutorials and guides on security:
https://www.digitalocean.com/community/ ... =tutorials

soldx
Posts: 7
Joined: Tue Apr 11, 2017 9:55 am

Re: Hardening Vesta & Server

Post by soldx » Wed Apr 12, 2017 8:40 am

Hi Peterbrinck!
Thanks for your suggestions. I will take a look at the Digitalocean link.

If anybody has any other suggestions I will take them into consideration and of course appreciate them a lot!

Cheers!

skurudo
VestaCP Team
Posts: 8099
Joined: Fri Dec 26, 2014 2:23 pm

Re: Hardening Vesta & Server

Post by skurudo » Wed Apr 26, 2017 7:16 am

You can also add an additional password for VestaCP / phpmyadmin / pgadmin

rhyker2u
Posts: 86
Joined: Thu Jan 19, 2017 11:46 am

Os: Ubuntu 17x
Web: nginx + php-fpm
Re: Hardening Vesta & Server

Post by rhyker2u » Wed May 24, 2017 11:23 am

See viewtopic.php?f=14&t=14386#p60357 for adding an additional layer to phpmyadmin/adminer. What I also tend to do after every default VestaCP setup -- where I don't include an FTP server, as I use SFTP -- is indeed change SSH port 22 in /etc/sshd/sshd_config to something in the 1000s range, as well as the 8083 port to something else in /usr/local/vesta/nginx/conf/nginx.conf, as perfectly outlined in this post: viewtopic.php?t=5126 ... and don't forget to change the matching ports in https://X.X.X.X:8083/list/firewall/ prior to restarting any service.

CloudFlare's Flexible SSL is indeed great (especially when using a lot of subdomains). Been using that for 3+ years. However, VestaCP supports Let's Encrypt out of the box now, which allows you to enable Full SSL (or Strict) in CloudFlare, making the route between Cloudflare and the server secure too. Note: do disable CloudFlare's DNS and HTTP proxy temporarily when you set up Let's Encrypt through VestaCP and apply for the certificates.

Anyway, I found this topic through the search, as I for one would like to have 2FA security too as a default feature on the VestaCP backend. Just to feel a little safer. Is that something that's on the feature list, skurudo? Or is that something we can easily do ourselves? And if so, how? :o)

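The port changes peterbrinck and rhyker2u describe above have one failure mode that bites new admins: the port is edited in one place but not the other (or only the commented-out default line is edited), and the next restart locks you out. The script below is an added example, not code from the thread or from VestaCP. It reads the effective sshd Port, the panel's nginx listen port and the firewall rule list, and reports a finding while either port is still at its default or lacks an active ACCEPT rule. The three sample files are constructed inline; the rule-file format is an assumption modelled on Vesta's key='value' rule lines (check /usr/local/vesta/data/firewall/rules.conf on your own install), and on a stock OpenSSH install the server config lives at /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example (not VestaCP code): verify the SSH/panel port changes discussed
# in the thread before restarting sshd or the panel. Sample files are
# constructed inline; the firewall rule format is an assumption modelled on
# Vesta's key='value' lines in /usr/local/vesta/data/firewall/rules.conf.

# Effective sshd Port from a sshd_config file (default 22 when unset).
# Commented-out "#Port 22" lines are skipped: editing only the comment is the
# classic mistake that leaves the daemon on 22.
sshd_port() {
    port=$(sed -n 's/^[[:space:]]*Port[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p' "$1" | tail -n 1)
    echo "${port:-22}"
}

# Port the panel's nginx listens on, from "listen 8083;" or "listen 1.2.3.4:8083 ssl;"
# (default 8083 when no listen directive is present).
vesta_port() {
    port=$(sed -n 's/^[[:space:]]*listen[[:space:]]\{1,\}\([0-9.]\{1,\}:\)\{0,1\}\([0-9]\{1,\}\).*/\2/p' "$1" | tail -n 1)
    echo "${port:-8083}"
}

# True when rule file $1 has an ACCEPT rule for port $2 that is not suspended.
port_allowed() {
    grep "ACTION='ACCEPT'" "$1" | grep -v "SUSPENDED='yes'" | grep -q "PORT='$2'"
}

# One WARN/BLOCK line per finding; returns the finding count (0 = safe to restart).
check_ports() {  # $1 sshd_config  $2 panel nginx.conf  $3 firewall rules
    ssh=$(sshd_port "$1"); panel=$(vesta_port "$2"); problems=0
    [ "$ssh" = 22 ] && { echo "WARN: sshd still listens on default port 22"; problems=$((problems+1)); }
    [ "$panel" = 8083 ] && { echo "WARN: panel still listens on default port 8083"; problems=$((problems+1)); }
    port_allowed "$3" "$ssh" || { echo "BLOCK: no active ACCEPT rule for ssh port $ssh, restarting sshd would lock you out"; problems=$((problems+1)); }
    port_allowed "$3" "$panel" || { echo "BLOCK: no active ACCEPT rule for panel port $panel"; problems=$((problems+1)); }
    [ "$problems" -eq 0 ] && echo "OK: ports $ssh/$panel are non-default and allowed by the firewall"
    return "$problems"
}

# Constructed sample files: SSH moved to 2222 correctly, the panel left on
# 8083, and the 8083 rule suspended in the firewall.
write_samples() {
    cat > "$1/sshd_config" <<'EOF'
#Port 22
Port 2222
PermitRootLogin no
EOF
    cat > "$1/nginx.conf" <<'EOF'
server {
    listen 8083;
    ssl on;
}
EOF
    cat > "$1/rules.conf" <<'EOF'
RULE='1' ACTION='ACCEPT' PROTOCOL='TCP' PORT='2222' IP='0.0.0.0/0' COMMENT='SSH' SUSPENDED='no'
RULE='2' ACTION='ACCEPT' PROTOCOL='TCP' PORT='8083' IP='0.0.0.0/0' COMMENT='VESTA' SUSPENDED='yes'
RULE='3' ACTION='DROP' PROTOCOL='TCP' PORT='22' IP='0.0.0.0/0' COMMENT='OLD SSH' SUSPENDED='no'
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
check_ports "$tmp/sshd_config" "$tmp/nginx.conf" "$tmp/rules.conf" || echo "findings: $?"
# On a live host:
# check_ports /etc/ssh/sshd_config /usr/local/vesta/nginx/conf/nginx.conf /usr/local/vesta/data/firewall/rules.conf
rm -rf "$tmp"
```

With the constructed files the script reports the panel still on 8083 and no active rule for it (two findings), while SSH on 2222 passes. Run it from a second, already-open SSH session so a non-zero result can still be fixed before anything is restarted.
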
beli
Posts: 3
Joined: Fri Sep 07, 2018 1:27 pm

Os: Debian 7x
Web: apache + nginx
Re: Hardening Vesta & Server

Post by beli » Fri Nov 23, 2018 1:14 pm

also consider:

* using .htaccess files for pre-authing with basic auth for phpmyadmin, roundcube, vesta-cp gui etc.
* using portknocking (knockd) to open/close services like sshd, vesta-cp gui, etc.
* doing file alteration checks by hashing critical system files with tripwire, aide, samhain
* using rkhunter to check for common rootkits (also has basic support for file alteration checks)

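The "file alteration checks by hashing critical system files" in beli's list all reduce to the same mechanism: take a manifest of hashes while the host is known-good, store it where the host cannot rewrite it, and compare later. The script below is an added example of that core loop, not code from the thread and not aide/tripwire/samhain code. It builds a SHA-256 manifest of a directory tree and then reports every file that changed, went missing, or appeared since the baseline. The sample tree and the simulated drift are constructed inline; paths are assumed to contain no whitespace.

```shell
#!/bin/sh
# Added example (not from the thread, not aide/tripwire code): the core of a
# file-alteration check. A manifest of SHA-256 hashes is taken while the host
# is known-good and compared later; anything changed, missing or new is
# reported. The sample tree below is constructed inline.

# "sha256  path" line for one file; GNU coreutils first, shasum as fallback.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi
}

# Manifest for every regular file under $1, sorted so two manifests of the
# same tree are byte-identical and can simply be diffed.
make_manifest() {
    find "$1" -type f | sort | while read -r f; do hash_file "$f"; done
}

# Compare saved manifest $1 with the current tree $2. Prints one
# CHANGED/MISSING/NEW line per finding and returns the finding count.
verify_manifest() {
    findings=0
    # every path the baseline knew about (redirection, not a pipe, so the
    # counter survives the loop)
    while read -r sum path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"; findings=$((findings+1))
        elif [ "$(hash_file "$path" | cut -d' ' -f1)" != "$sum" ]; then
            echo "CHANGED $path"; findings=$((findings+1))
        fi
    done < "$1"
    # paths present now that the baseline never saw (new cron job, dropped
    # script, ...); word-splitting here assumes paths without whitespace
    for f in $(find "$2" -type f | sort); do
        awk -v p="$f" '$2 == p { seen = 1 } END { if (seen) exit 0; exit 1 }' "$1" \
            || { echo "NEW $f"; findings=$((findings+1)); }
    done
    return "$findings"
}

tmp=$(mktemp -d)
mkdir "$tmp/etc"
printf 'Port 2222\n' > "$tmp/etc/sshd_config"
printf 'root:x:0:0:root:/root:/bin/bash\n' > "$tmp/etc/passwd"
# Baseline taken while the tree is known-good. On a real host, copy it off-box
# or to read-only media: a manifest the host can rewrite proves nothing.
make_manifest "$tmp/etc" > "$tmp/baseline.sha256"

# Simulated drift since the baseline: a config edit, a removed file, a new file.
printf 'Port 22\n' > "$tmp/etc/sshd_config"
rm "$tmp/etc/passwd"
printf 'not in the baseline\n' > "$tmp/etc/unexpected"

verify_manifest "$tmp/baseline.sha256" "$tmp/etc" || echo "findings: $?"
# prints: MISSING .../etc/passwd, CHANGED .../etc/sshd_config, NEW .../etc/unexpected, findings: 3
rm -rf "$tmp"
```

On a live host you would point make_manifest at /etc, /usr/bin, /usr/sbin and /usr/local/vesta/bin, run verify_manifest from cron, and alert on any non-zero return. The real tools add what this loop lacks: ownership and permission tracking, a signed database, and exclusion rules for files that legitimately change.
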
