With the recent influx of security vulnerabilities, exploits, and breaches, it can be arduous to patch and update systems properly, especially when you are the only one managing a set of systems. In my recent freelance work, I've discovered that many individuals opt for support and maintenance at intervals much longer than recommended, and systems often go unpatched (and unrestarted) for months unless an issue arises. As a result, known exploits remain usable against these systems for months, or in some instances years.

While there are many ways to address this, some better known than others, I recommend starting by moving to an operating system release that still receives full support. This makes patching much easier and gives you an up-to-date environment to work in. I'm personally a fan of Ubuntu 18.04/20.04, and I use whichever version is supported by the software packages I'll be running. Some software packages require an older release of an operating system; if so, make sure the distribution still provides at least security patching for that release, although a fully supported release is recommended.

If you're required to run an older operating system release because a specific piece of software is incompatible with newer ones, you'll need to focus on security. CentOS 7, for example, stops receiving full updates after Q4 of 2020 (maintenance updates continue until June 2024). Many software packages, such as cPanel (web hosting) and SolusVM (virtualization), still receive security updates on CentOS 7, since some have not yet been updated for CentOS 8. We recommend contacting your vendors and asking for an update to the latest OS; in some cases you have to make minor changes to settings or load additional modules for compatibility.

Getting started: Commonly used ports are constantly subject to port scanning and brute-force attacks. With the tools bundled in Kali Linux, such as Metasploit, an attacker can gain access to an unpatched system quite easily using the built-in exploits and payloads for published CVEs. Attacks against SNMP, SSH, and other shell-based services are common and easy to set up, so it is essential not only to patch, but to harden the system so that it holds up when the next vulnerability is discovered. We can do this by installing tools such as Fail2Ban and KernelCare, and by moving services such as SSH and FTP to non-standard ports (SFTP runs over the SSH connection, so it moves with SSH). An alternative is to connect to your server over a VPN and make those services reachable only from the VPN. You should also block access to ports that don't need to be public, such as MySQL's 3306, and selectively allow specific IPs to reach them.

Network/Access Control

By using a VPN such as Pritunl, OpenVPN, or L2TP over IPsec, you can block commonly attacked services such as SSH, FTP, and SFTP on public interfaces. You'll have to connect to the VPN every time you want to use those services, or set up an on-demand VPN on your computer or router for constant access. Should that not be feasible for your environment, you can keep these services public-facing, but you should still consider moving them to non-standard ports to avoid many automated scanners. SSH commonly uses port 22 or 2022, so pick something outside the range commonly probed by Nmap and other scanners. Keep in mind that a non-standard port only hides the service from casual scans; it does nothing against a targeted attacker, so it complements patching and key-based authentication rather than replacing them. You can find a useful guide for that here. This applies to FTP too.

If renting a dedicated server or VPS, purchase an additional IP address or block to dedicate to management. If you buy a block, don't use it for any public-facing content; use it for management and administrative services only. Your service usually includes one IP, and you can keep that one for management and use the block for your services, or the other way round. How you split them is up to you, but make sure no neighbouring address in the management range is used for anything public. Move SSH, FTP, and SFTP to this management IP (for OpenSSH, via the ListenAddress directive in sshd_config), and bind Apache and other public content only to the public IP. That way SSH and similar services are closed on the public-facing addresses, and attacks against them become much harder.

Another service to consider is Cloudflare, which protects your websites by acting as a CDN and reverse proxy, accelerating the site while filtering traffic. We recommend it for websites, as it protects against DDoS attacks and, through its web application firewall, common SQL injection attempts. It can also provide you with a TLS certificate. Note that this protection only holds if your origin server accepts web traffic solely from Cloudflare's IP ranges; otherwise an attacker who discovers the origin IP can simply bypass the proxy.

MySQL, daemons, and other ports that don't need public access should be denied with UFW, iptables, or another firewall utility. You can selectively whitelist IPs in UFW so that only authorized hosts can reach MySQL and the daemons running on your server(s). JavaPipe also posted a useful article on using iptables to protect your server and rate-limit the number of concurrent connections, which helps prevent a single IP address from brute-forcing at high speed.
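The access-control layout described above (the website on a public IP, a separate management IP reachable only over the VPN, MySQL opened to a single application server) as an added example; this is not code from the original post. The addresses, the VPN subnet 10.8.0.0/24 and the SSH port 2222 are made up for the illustration, and the `ss` output is constructed. The first function prints the UFW rule set for review; the second reads `ss -Hltn` output and reports anything still listening on a public address that is not on the allow list, which is the check to run after the move.

```sh
#!/bin/sh
# Added example: UFW rules for the split public/management layout, plus a
# check that nothing unexpected is still listening on a public address.
# All addresses are constructed for the illustration (RFC 5737 / RFC 1918).
PUBLIC_IP=203.0.113.10      # the IP the website is served from
MGMT_IP=198.51.100.5        # additional IP used only for administration
VPN_NET=10.8.0.0/24         # addresses the VPN server hands to clients
APP_IP=192.0.2.20           # the one host that may talk to MySQL
SSH_PORT=2222               # sshd moved off 22 via Port/ListenAddress

# Print the UFW commands for review. Apply with:  ufw_rules | sudo sh
# Keep an existing SSH session open until a new one over the VPN works.
ufw_rules() {
    cat <<EOF
ufw default deny incoming
ufw default allow outgoing
# Web traffic is only accepted on the public IP
ufw allow in to $PUBLIC_IP port 80,443 proto tcp
# SSH only on the management IP, only from VPN clients; "limit" also
# rate-limits bursts of new connections from one source
ufw limit in from $VPN_NET to $MGMT_IP port $SSH_PORT proto tcp
# MySQL is never public: one explicit allow, everything else hits the default deny
ufw allow in from $APP_IP to any port 3306 proto tcp
ufw --force enable
EOF
}

# public_listeners "SS_OUTPUT" "ALLOWED_PORTS"
# Takes the output of `ss -Hltn` (LISTEN sockets, no header) and prints
# "port address" for every TCP listener bound to a wildcard address or to
# the public IP whose port is not in the space-separated allow list.
public_listeners() {
    printf '%s\n' "$1" | awk -v allowed=" $2 " -v pub="$PUBLIC_IP" '
        NF >= 4 {
            addr = $4                                  # Local Address:Port column
            n = split(addr, part, ":"); port = part[n]
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host == "0.0.0.0" || host == "[::]" || host == "*" || host == pub)
                if (index(allowed, " " port " ") == 0) print port, host
        }'
}

# Constructed `ss -Hltn` output: sshd was restarted on the management IP,
# but an old instance is still on 0.0.0.0:22 and vsftpd is still public on 21.
SAMPLE_SS=$(cat <<'EOF'
LISTEN 0 128 198.51.100.5:3306 0.0.0.0:*
LISTEN 0 128 198.51.100.5:2222 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 32 0.0.0.0:21 0.0.0.0:*
LISTEN 0 511 [::]:443 [::]:*
EOF
)

# On a live host:  public_listeners "$(ss -Hltn)" "80 443"
public_listeners "$SAMPLE_SS" "80 443"
```

Anything the check prints is either a service that still has to be rebound to the management IP, or a port that belongs on the allow list because it is meant to be public.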

Server Patching

KernelCare is advertised as a patching utility for Linux servers. Its distinctive feature is live patching of the running kernel, without the need to restart the server. It costs between $3.95 and $5.95 USD per month, but provides peace of mind when it comes to kernel patching, including for offline servers. Keep in mind that it patches the kernel only; userland packages such as OpenSSH, Apache, and MySQL still need the distribution's regular updates. Another utility, and a free one, is Fail2Ban. Fail2Ban protects SSH, Apache, and other services from repeated failed authentication attempts by banning the offending addresses at the firewall, rather than letting them consume server resources and keep brute-forcing the system. There are many articles to get you started; just make sure you find one for your operating system and the service you want to protect.
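To make concrete what Fail2Ban's sshd jail does, here is an added example (not from the original post) that applies its rule, ban a source after maxretry failed logins within a findtime window, to a constructed auth.log excerpt, alongside the jail.local that expresses the same policy. The log lines, host name and addresses are made up; the VPN range 10.8.0.0/24 and port 2222 match the earlier layout.

```sh
#!/bin/sh
# Added example: the ban rule Fail2Ban's sshd jail applies, run over
# constructed log lines, plus the matching jail.local. Not from the post.

# Constructed /var/log/auth.log lines (not from a real host). One address
# hammers passwords, the VPN user mistypes once, a third address tries twice.
SAMPLE_AUTH_LOG=$(cat <<'EOF'
Dec  3 10:15:01 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.77 port 51234 ssh2
Dec  3 10:15:03 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.77 port 51234 ssh2
Dec  3 10:15:04 web1 sshd[2203]: Failed password for root from 203.0.113.77 port 51240 ssh2
Dec  3 10:15:06 web1 sshd[2205]: Failed password for invalid user test from 203.0.113.77 port 51250 ssh2
Dec  3 10:15:08 web1 sshd[2207]: Failed password for root from 203.0.113.77 port 51255 ssh2
Dec  3 10:15:20 web1 sshd[2210]: Failed password for deploy from 10.8.0.12 port 40022 ssh2
Dec  3 10:15:25 web1 sshd[2210]: Accepted publickey for deploy from 10.8.0.12 port 40022 ssh2
Dec  3 10:16:00 web1 sshd[2215]: Failed password for invalid user oracle from 198.51.100.200 port 33001 ssh2
Dec  3 10:16:01 web1 sshd[2216]: Failed password for invalid user oracle from 198.51.100.200 port 33002 ssh2
EOF
)

# brute_force_ips "LOG" MAXRETRY FINDTIME_SECONDS
# Prints each source address the moment it reaches MAXRETRY failed logins
# inside a sliding FINDTIME window. Simplifications: only "Failed password"
# lines are counted (Fail2Ban's filter matches more message types) and the
# syslog timestamps are treated as same-day HH:MM:SS.
brute_force_ips() {
    printf '%s\n' "$1" | awk -v maxretry="$2" -v findtime="$3" '
        /Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            split($3, t, ":"); now = t[1] * 3600 + t[2] * 60 + t[3]
            ts[ip, cnt[ip]++] = now
            recent = 0
            for (j = 0; j < cnt[ip]; j++) if (ts[ip, j] > now - findtime) recent++
            if (recent >= maxretry && !(ip in banned)) { banned[ip] = 1; print ip }
        }'
}

# write_jail_local DEST
# Writes the matching Fail2Ban configuration. On the server DEST is
# /etc/fail2ban/jail.local; afterwards run:
#   fail2ban-client -t && systemctl restart fail2ban
write_jail_local() {
    cat >"$1" <<'EOF'
[DEFAULT]
# Never ban localhost or the VPN range: a mistyped password must not lock you out
ignoreip = 127.0.0.1/8 ::1 10.8.0.0/24
findtime = 10m
maxretry = 5
bantime  = 1h

[sshd]
enabled = true
# Fail2Ban must block the port sshd actually listens on, not just 22
port     = 2222
EOF
}

# Same thresholds as the jail above: 5 failures within 10 minutes
brute_force_ips "$SAMPLE_AUTH_LOG" 5 600
```

With the defaults only 203.0.113.77 is reported; the VPN user's single typo and the two attempts from 198.51.100.200 stay under the threshold, which is why maxretry should not be set so low that ordinary mistakes get banned, and why the VPN range belongs in ignoreip.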

SSH Keys

By now, everyone should know to stop using passwords with SSH and migrate to SSH keys. SSH keys provide a much higher level of security: the private key never leaves your machine and is never sent to the server, so a guessed or brute-forced password no longer gives an attacker a root or administrative login. The keys only help against brute force if you also disable password authentication in sshd_config once your key login is confirmed working.
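The enrolment steps and the sshd_config changes that make key-only login stick, as an added example that is not from the original post. It includes a small audit of the config file because OpenSSH uses the first occurrence of each keyword, so a hardening line appended to the bottom of a file that already sets the same keyword changes nothing; the two config files are constructed "before" and "after" versions, and the management IP 198.51.100.5 and port 2222 are the made-up values used earlier.

```sh
#!/bin/sh
# Added example: key-only SSH, and a check for the first-occurrence-wins
# gotcha in sshd_config. Not from the original post; addresses are made up.

# Enrolment, run from the admin workstation (shown for reference, not executed):
#   ssh-keygen -t ed25519 -a 100 -f ~/.ssh/id_ed25519
#   ssh-copy-id -i ~/.ssh/id_ed25519.pub admin@198.51.100.5
#   ssh -i ~/.ssh/id_ed25519 admin@198.51.100.5   # confirm key login works first
# Then edit sshd_config, validate with `sshd -t`, reload, and keep the old
# session open until a fresh key-only login has succeeded.

# sshd_setting FILE KEYWORD DEFAULT
# Prints the effective value of KEYWORD: comments skipped, keywords matched
# case-insensitively, FIRST occurrence wins, and parsing stops at the first
# "Match" block because everything after it is conditional.
sshd_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# audit_sshd_config FILE
# Reports settings that still allow password or root-password logins.
# Defaults are OpenSSH's own (PasswordAuthentication yes, PermitRootLogin
# prohibit-password, keyboard-interactive yes). Returns 1 if anything is wrong.
audit_sshd_config() {
    _rc=0
    _v=$(sshd_setting "$1" PasswordAuthentication yes)
    [ "$_v" = "no" ] || { echo "PasswordAuthentication is '$_v', want no"; _rc=1; }
    _v=$(sshd_setting "$1" PubkeyAuthentication yes)
    [ "$_v" = "yes" ] || { echo "PubkeyAuthentication is '$_v', want yes"; _rc=1; }
    _v=$(sshd_setting "$1" PermitRootLogin prohibit-password)
    [ "$_v" != "yes" ] || { echo "PermitRootLogin is 'yes', want no or prohibit-password"; _rc=1; }
    # With UsePAM, keyboard-interactive can still prompt for a password even when
    # PasswordAuthentication is no; the older name is ChallengeResponseAuthentication.
    _k=$(sshd_setting "$1" KbdInteractiveAuthentication unset)
    _c=$(sshd_setting "$1" ChallengeResponseAuthentication unset)
    [ "$_k" = "no" ] || [ "$_c" = "no" ] || { echo "keyboard-interactive auth not disabled"; _rc=1; }
    echo "listening on $(sshd_setting "$1" ListenAddress all) port $(sshd_setting "$1" Port 22)"
    return $_rc
}

# Constructed "before": the admin appended the right line at the end,
# but the earlier "yes" is the value sshd actually uses.
WEAK_CONF=$(mktemp)
cat >"$WEAK_CONF" <<'EOF'
Port 22
PasswordAuthentication yes
PermitRootLogin yes
ChallengeResponseAuthentication yes
UsePAM yes
PasswordAuthentication no
EOF

# Constructed "after": one value per keyword, bound to the management IP.
HARDENED_CONF=$(mktemp)
cat >"$HARDENED_CONF" <<'EOF'
Port 2222
ListenAddress 198.51.100.5
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
UsePAM yes
EOF

audit_sshd_config "$WEAK_CONF" || echo "weak config fails the audit (expected)"
audit_sshd_config "$HARDENED_CONF"
```

On a real host, `sshd -T` prints the effective configuration after all parsing and is the authoritative check; the audit above is useful for reviewing a file before it is deployed.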

This is by no means a fully comprehensive list, but it will certainly make it much more difficult for people to discover and access these services. By applying some of the above, you have hardened your system against common attacks. Make sure to check your system frequently for operating system updates, even when using KernelCare.