Securing a VPS
November 13, 2010 4:46 PM
I have a Linode VPS and two domain names pointing to it. I have taken very few measures to secure it. How did you secure your VPS?
My experience in this particular area is almost naught, so any corrections of my misunderstandings are extremely welcome, as well as all words of wisdom. I'm very eager to learn!
The VPS is currently running Ubuntu 10.04. I'm using Shorewall as the firewall, but still not 100% sure if it's configured correctly.
My main concern has to do with password authentication and SSL certificates. I'm hosting a WordPress blog. Administrator access is through the web interface where I login with a password on a web form.
1. Stupid as it sounds, am I sending my password across the Internet in plain text?
2. How necessary is an SSL certificate for preventing things other than MITM attacks?
3. Do I need a separate SSL certificate for each domain name?
4. What certificate authority would you recommend? Since this is for personal use, I'm looking for a good balance between cost and how well supported it is by the major browsers. I'm still optimizing for cost though.
I'd also like this to be completely secure as a mail server in the future, if you have any tips relating to that as well.
5. Given that it could possibly already be compromised, even if I manage to secure the VPS properly this time around, what steps can I take to 'uncompromise' it? Would a system reboot be enough in most cases? Anything short of wiping the system is okay.
Thanks!
Best answer: 1. yes. Unless you're using HTTPS to log in. You should definitely use HTTPS for admin purposes if possible.
2. very. or not really. Depends on how paranoid you are. How many other internet sites do you use where you login without HTTPS? I'll bet most of them except banking, mail, etc. But it's easy to set up self signed certs and will give peace of mind for the admin access especially if you connect over wireless.
3. no, but yes. If you can make one, you can make two. And it gives the browser one less thing to complain about if the name in the cert matches the hostname.
4. Forget paying for a cert for personal use. Unless you want your users to login securely without their browser complaining there's no reason to buy one. If users are just reading your blog or even posting comments unless you really need all that to be encrypted for security why bother?
Find a simple HOWTO for creating self signed certs and make one for each domain. Get it working and if you think somebody might have intercepted your work in the few minutes it took for you to start the server and connect then you can check the fingerprint manually. Once your browser complains and you tell it to use the cert anyway, you can pop up a view cert info window and check the cert info (there should be a SHA-1 or SHA-256 fingerprint) which you can compare to the ones on the server.
    # openssl x509 -in /etc/ssl/certs/ssl-cert-snakeoil.pem -fingerprint -noout
    SHA1 Fingerprint=4B:E5:C2:12:C6:45:71:5A:81:83:A7:07:BF:2B:9A:F5:14:2E:E8:B0
    # openssl x509 -in /etc/ssl/certs/ssl-cert-snakeoil.pem -fingerprint -noout -sha256
    SHA256 Fingerprint=BC:C6:00:CE:DF:87:9F:51:29:7A:40:B9:91:59:9E:BC:B4:C6:D9:30:CA:6E:7B:31:01:54:69:FB:BB:D6:06:77
Once you verify that nobody snuck in and did MITM and gave you a fake cert you're done.
posted by zengargoyle at 6:42 PM on November 13, 2010
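The per-domain self-signed cert and the manual fingerprint check zengargoyle describes, written out as an added example (this is not code from the thread or from any poster). The hostnames, the scratch directory and the 365-day lifetime are placeholders; substitute your own domains. It generates one cert per hostname with a matching subjectAltName (modern browsers ignore the CN), records the SHA-256 fingerprint the way openssl prints it, recomputes the same value independently from the DER encoding, and provides a comparison that tolerates the colon and case differences between openssl output and a browser's certificate dialog.

```shell
#!/bin/sh
# Added example, not from the thread: one self-signed cert per hostname,
# plus the fingerprint comparison used to spot a substituted certificate.
# Hostnames, directory and lifetime below are placeholders (assumptions).
set -eu

# 2048-bit RSA key and a self-signed cert whose SAN matches the hostname.
# One cert per domain keeps the browser's "name mismatch" warning away;
# the self-signed warning itself remains and is expected.
make_selfsigned() {                       # make_selfsigned HOST OUTDIR
    host=$1; dir=$2
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$dir/$host.key" -out "$dir/$host.crt" \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" 2>/dev/null
    chmod 600 "$dir/$host.key"            # private key readable by its owner only
}

# Does the cert carry a SAN entry for HOST? (What the browser actually checks.)
has_san() {                               # has_san CERT.pem HOST
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# SHA-256 fingerprint as 64 upper-case hex digits, colons stripped, so values
# from different tools compare equal.
cert_fingerprint() {                      # cert_fingerprint CERT.pem
    openssl x509 -in "$1" -noout -fingerprint -sha256 \
        | sed -e 's/^.*=//' -e 's/://g' | tr 'a-f' 'A-F'
}

# The same value computed independently: hash the DER encoding directly.
# A fingerprint is just SHA-256 over the DER bytes, so these must agree.
der_sha256() {                            # der_sha256 CERT.pem
    openssl x509 -in "$1" -outform DER | openssl dgst -sha256 \
        | sed 's/^.*= *//' | tr 'a-f' 'A-F'
}

# Compare a fingerprint read off the browser's cert dialog with the one
# recorded on the server. Returns 0 on match, 1 on mismatch. A mismatch
# after the server is up means something between you and it substituted
# a certificate (or you are looking at the wrong cert file).
verify_fingerprint() {                    # verify_fingerprint EXPECTED PRESENTED
    a=$(printf '%s' "$1" | tr -d ': ' | tr 'a-f' 'A-F')
    b=$(printf '%s' "$2" | tr -d ': ' | tr 'a-f' 'A-F')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Demo with two placeholder hostnames in a scratch directory (constructed).
# Keep the resulting fingerprint list somewhere you trust, off the server.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
for h in blog.example.net mail.example.net; do
    make_selfsigned "$h" "$work"
    printf '%s  %s\n' "$(cert_fingerprint "$work/$h.crt")" "$h"
done > "$work/fingerprints.txt"
cat "$work/fingerprints.txt"
```

Point the vhost for each domain at its own `.crt`/`.key` pair; when the browser complains on first connect, open the certificate details and run the displayed SHA-256 value through `verify_fingerprint` against your saved list.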
Root logins should be disabled over ssh by default, worth checking though. You may also benefit from running denyhosts to block brute force ssh attacks. Make sure you stay on top of WordPress upgrades - old WordPress installs are typically easy pickings for crackers. Keep the number of things you have installed to a minimum - no outdated phpMyAdmin installations left laying around, no random daemons running.
If the system is compromised, which I doubt it is, rebooting won't fix anything. You would need to re-install from scratch and then patch the vulnerability. Reason #1 to keep good incremental backups (I recommend rsync.net with rsnapshot).
I would not recommend running a mail server until you have a better understanding of the system (there are a LOT of fantastic guides out there so if you are willing to put in some reading time you can easily get to that point) since a vulnerable mailserver is a high value target for spammers to control.
Running your own Internet facing VPS is kind of jumping in and then learning to swim but you'll probably be fine. You can always turn it off and re-install if things go poorly. It might be worthwhile to play with an Ubuntu install on your home machine for a more low-stakes sandbox.
One other thing, be aware that a lot of web compromises take steps to conceal themselves from the webmaster - Google "oem software site:.edu" to see plenty of examples of compromised sites with oblivious owners. Search for your domains in Google to see how they appear to visitors, which may not be the same way they appear to you.
posted by ChrisHartley at 6:48 PM on November 13, 2010
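What denyhosts (and, a few answers down, fail2ban) actually does with the SSH brute-force attempts mentioned above, as an added example that is not part of the thread: count `Failed password` events per source address in sshd's log output and block addresses that cross a threshold. The log lines are constructed samples in auth.log format using documentation IP ranges, and the threshold of 5 is an assumption; the block rules are printed, not applied.

```shell
#!/bin/sh
# Added example, not from the thread: the core of what denyhosts / fail2ban
# do against SSH brute force, written out so the decision is visible.
# Log lines are constructed samples; the threshold is an assumption.
set -eu

# Typical sshd lines as they appear in /var/log/auth.log (constructed).
# 203.0.113.5 is a scanner, 192.0.2.99 a smaller one, 198.51.100.7 a real
# user who mistyped once and then logged in with a key.
SAMPLE_LOG='Nov 13 18:01:02 vps sshd[2210]: Failed password for root from 203.0.113.5 port 50122 ssh2
Nov 13 18:01:04 vps sshd[2212]: Failed password for invalid user admin from 203.0.113.5 port 50130 ssh2
Nov 13 18:01:05 vps sshd[2214]: Failed password for invalid user oracle from 203.0.113.5 port 50131 ssh2
Nov 13 18:01:07 vps sshd[2216]: Failed password for invalid user test from 203.0.113.5 port 50140 ssh2
Nov 13 18:01:08 vps sshd[2218]: Failed password for root from 203.0.113.5 port 50144 ssh2
Nov 13 18:02:11 vps sshd[2230]: Failed password for jsmith from 198.51.100.7 port 41000 ssh2
Nov 13 18:02:19 vps sshd[2230]: Accepted publickey for jsmith from 198.51.100.7 port 41000 ssh2
Nov 13 18:03:44 vps sshd[2240]: Invalid user pi from 192.0.2.99
Nov 13 18:03:46 vps sshd[2240]: Failed password for invalid user pi from 192.0.2.99 port 3333 ssh2
Nov 13 18:03:49 vps sshd[2242]: Failed password for invalid user pi from 192.0.2.99 port 3334 ssh2
Nov 13 18:03:52 vps sshd[2244]: Failed password for invalid user pi from 192.0.2.99 port 3335 ssh2'

# Count "Failed password" events per source IP (the token after "from") and
# print "IP count" for every IP at or above the threshold. Reads the log on
# stdin. Threshold defaults to 5 (assumption; denyhosts and fail2ban both
# make this configurable). "Accepted" lines are deliberately not counted:
# a successful login after a typo is not an attack.
failed_login_offenders() {        # failed_login_offenders [THRESHOLD] < auth.log
    awk -v limit="${1:-5}" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i < NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= limit) print ip, n[ip] }
    ' | sort
}

# Turn the offender list into the host-level blocks the tools apply.
# Printed rather than executed: denyhosts appends to /etc/hosts.deny,
# fail2ban inserts iptables rules. Run one of the two tools, not both.
print_block_rules() {             # print_block_rules < offender-list
    while read -r ip count; do
        echo "# $ip: $count failed SSH logins"
        echo "sshd: $ip        # /etc/hosts.deny line (denyhosts style)"
        echo "iptables -I INPUT -s $ip -p tcp --dport 22 -j DROP   # fail2ban style"
    done
}

printf '%s\n' "$SAMPLE_LOG" | failed_login_offenders 3 | print_block_rules
```

With a threshold of 3 the two scanners are listed and the legitimate user is not; with the default of 5 only 203.0.113.5 is. Whatever threshold you pick, put your own address in the tool's whitelist first, or a typo in your own password will lock you out of the VPS.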
Best answer: 1. Yes.
2. SSL only prevents MITM attacks. And even then, it's dependent on trusting DNS and browsers, etc. Anything else SSL protects you against is accidental.
3. Yes. Technically you can get a wildcard, i.e. "*.pwnguin.net", but I'm assuming you have "attente.com" and "sideproject.com" and thus you won't be able to get a wildcard for that without proving you own .com (you don't).
4. Startcom offers free SSL certs, as does Comodo. Some obscure browsers may not trust them, but Firefox seems to. Word of warning: DO NOT LET STARTCOM GENERATE A KEYPAIR FOR YOU.
5. Rootkits are common on Unix, and fairly sophisticated. Detecting them is difficult but technically possible. You would need to upload a rootkit detection .iso to Linode and use that to scan your VPS disk image at rest. I don't know of anything that actually does this, but it's theoretically possible.
IMO, there are three steps you need to take to better secure your VPS:
1. Install fail2ban, which maps login failures to bans. Or install ssh keys and disable password authentication to ssh.
2. Install apticron, and configure it to mail you when package upgrades are available.
3. KEEP UP TO DATE ON WORDPRESS. Most UNIX worms target systems that have been neglected. There are countless entries in my apache logs that look like:
"61.19.255.14 - - [08/Nov/2010:17:23:18 -0600] "GET /roundcubemail/README HTTP/1.1" 404 471 "-" "Morfeus strikes again."
There's occasionally similar ones for popular blogs like WP. In 2004 I got hit by an XML-RPC bug in PHP that I hadn't patched, and the payload was serving out paypal scams.
There's also a few steps you can take to secure your general browser experience:
1. Bookmark the https login urls directly. Your website, your bank, facebook, etc. Most all of these deliver the HTML forms over HTTP, which allows a MITM to change the submission URL to non HTTPS.
2. Remove http login urls from your browser history.
3. Install firefox plugins like https-everywhere.
posted by pwnguin at 6:54 PM on November 13, 2010
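A check for the sshd settings this answer and ChrisHartley's rely on (no root login, keys instead of passwords), as an added example that is not from the thread: it reads an sshd_config the way sshd does, with the first occurrence of a directive winning and a missing directive meaning the compiled-in default, which on older releases like 10.04 is `yes` for both `PermitRootLogin` and `PasswordAuthentication`. The two sample configs are constructed; the real file is `/etc/ssh/sshd_config`, and directives inside `Match` blocks are deliberately left out of the audit.

```shell
#!/bin/sh
# Added example, not from the thread: audit sshd_config for root login and
# password authentication, showing a weak and a hardened file side by side.
# Sample configs are constructed; the real file is /etc/ssh/sshd_config.
set -eu

# Effective global value of a directive: first non-comment occurrence,
# keyword matched case-insensitively, "Key value" or "Key=value" form.
# Stops at the first "Match" block, whose settings are conditional.
# Prints nothing if the directive is absent (sshd's default then applies).
sshd_effective() {                # sshd_effective CONFIG KEYWORD
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }
        {
            gsub(/=/, " ")                      # re-splits $0 into fields
            if (tolower($1) == "match") exit
            if (tolower($1) == key) { print $2; exit }
        }' "$1"
}

# Report the weak settings; returns 0 when the file is hardened, 1 otherwise.
# Unset counts as weak: on old releases the default for both is "yes".
# PermitRootLogin prohibit-password (key-only root) is the modern default
# and defensible, but the thread's advice is "no" plus sudo, so only "no" passes.
audit_sshd() {                    # audit_sshd CONFIG
    cfg=$1; bad=0
    root=$(sshd_effective "$cfg" PermitRootLogin)
    pass=$(sshd_effective "$cfg" PasswordAuthentication)
    pub=$(sshd_effective "$cfg" PubkeyAuthentication)
    case "$root" in
        no) ;;
        *) echo "PermitRootLogin is '${root:-unset}': set it to no"; bad=1 ;;
    esac
    case "$pass" in
        no) ;;
        *) echo "PasswordAuthentication is '${pass:-unset}': set it to no once your key login works"; bad=1 ;;
    esac
    case "$pub" in
        ""|yes) ;;                # default is yes; an explicit no locks out key logins
        *) echo "PubkeyAuthentication is '$pub': set it to yes"; bad=1 ;;
    esac
    return $bad
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Weak: a stock-looking file. The root-login line is commented out, so the
# default applies, and passwords are accepted from anywhere.
cat > "$work/weak" <<'EOF'
Port 22
#PermitRootLogin no
PasswordAuthentication yes
UsePAM yes
EOF

# Hardened: keys only, no root. Put these before any Match block, since the
# first occurrence wins and Match settings apply only to the matched users.
cat > "$work/hardened" <<'EOF'
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
Match User backup
    PasswordAuthentication yes
EOF

for f in weak hardened; do
    echo "== $f =="
    if audit_sshd "$work/$f"; then echo "OK: key-only, no root login"; fi
done
```

Install your public key and confirm a key login works in a second session before flipping `PasswordAuthentication` to `no` and running `service ssh reload`; the still-open first session is your way back in if the new config is wrong.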
As far as SSL, don't bother buying one, just generate your own certificate and set your browser to accept it.
posted by XMLicious at 4:55 PM on November 13, 2010