You’ve outgrown shared hosting and decided to start renting a server of your own. Since you’re still on a tight budget, you want an unmanaged server, where full responsibility for configuring and managing the server is yours. These are the steps I go through every time I set up a new server for web and database hosting. Whether or not you choose to use a control panel, these are the essential items for securing a Linux server and preparing it to host websites or web applications.
- Create a Non-Root User
When your server is provisioned, you’ll generally only be given an IP address and a root password. That’s all you need to SSH in to the server as the root user for the first time. It’s bad practice to log in as root for a few reasons — if you log in as a single user and only “su” to root access when needed, you’re less likely to accidentally damage your own system by deleting an important file or providing the wrong options or path to a command. It’s also harder for someone to attempt to break into your server by brute force if they can’t log in directly as root; they’ll need to find a way in as another user then additionally gain root access.
The first thing you’ll want to do is create a user for yourself to log in as in the future. In most Linux distributions, that’s as easy as typing “useradd [username]” or “adduser [username]”. To set the password for your new user, type “passwd [username]” and you’ll be prompted to supply the new password.
- Disable Root Logins Over SSH
Now that you have a second user account, reconnect to your server as that user, then use “su” to gain root access again and edit the SSH configuration file. To do so with the pico text editor, type “pico /etc/ssh/sshd_config”. You’re going to make two changes:
- Find the line Protocol 2, 1, uncomment it, and change it to Protocol 2.
- Find the line PermitRootLogin yes, uncomment it, and change it to PermitRootLogin no.
Save the file (CTRL+X, Y) and quit your text editor. Now restart the SSH service (/etc/rc.d/init.d/sshd restart) and it’s no longer possible to log in as the root user over SSH.
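One way to confirm both edits took effect before restarting the service, as an added example that is not part of the original article. sshd uses the first uncommented occurrence of a keyword, so the check reads the file the same way; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit sshd_config for the two settings changed above.
# sshd uses the FIRST uncommented occurrence of a keyword, so a later
# "PermitRootLogin no" does not override an earlier "PermitRootLogin yes".
# Function names are illustrative; only the global section is read.

sshd_effective() {  # usage: sshd_effective <keyword> <config-file>
    awk -v want="$1" '
        /^[ \t]*#/ || /^[ \t]*$/  { next }   # comments and blank lines
        tolower($1) == "match"     { exit }   # stop at the first Match block
        tolower($1) == tolower(want) {
            $1 = ""; sub(/^[ \t]+/, ""); print tolower($0); exit
        }
    ' "$2"
}

sshd_audit() {  # usage: sshd_audit <config-file>; returns 1 on any FAIL
    audit_rc=0
    for kw in PermitRootLogin:no Protocol:2; do
        name=${kw%%:*}; good=${kw##*:}
        val=$(sshd_effective "$name" "$1")
        if [ "$val" = "$good" ]; then
            echo "OK   $name $val"
        elif [ -z "$val" ]; then
            echo "FAIL $name is commented out or missing (built-in default applies)"
            audit_rc=1
        else
            echo "FAIL $name $val (expected $good)"
            audit_rc=1
        fi
    done
    return $audit_rc
}

# Constructed sample: the second line is still commented out, a common slip.
sample=$(mktemp)
printf '%s\n' 'Protocol 2' '#PermitRootLogin no' > "$sample"
sshd_audit "$sample" || true
rm -f "$sample"
```

On a live server, point it at /etc/ssh/sshd_config, run “sshd -t” as root to check the file's syntax, and keep your current session open until a new login as the non-root user succeeds.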
- Disable Telnet
Telnet is another way to connect to your server, but unlike SSH, it is not encrypted. As it’s less secure and just another opportunity for someone to attempt to gain access to your server, it’s best to simply disable the service. To do so, edit the telnet configuration with “pico /etc/xinetd.d/telnet”.
Find the line that reads disable = no and change it to disable = yes.
Now, restart the xinetd service with “/etc/rc.d/init.d/xinetd restart” and prevent telnet from starting on boot with “/sbin/chkconfig telnet off”.
- Install APF (Advanced Policy Firewall)
APF is a policy-based firewall for Linux. It’s very simple to install and configure.
- Download it to your server by issuing “wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz”
- Extract the file with “tar -xzf apf-current.tar.gz”
- Enter the directory that was created, for example “cd apf-0.9.6”
- Install APF with the provided script “./install.sh”
- Edit the configuration file: “pico /etc/apf/conf.apf”
Find the line USE_DS="0" and change it to USE_DS="1" to enable the DShield.org block list. Then you’ll want to edit the ports APF will allow traffic through on your server by finding and updating the following lines as appropriate:
# Common ingress (inbound) TCP ports -3000_3500 = passive port range for Pure FTPD
IG_TCP_CPORTS="20,21,22,25,26,53,80,110,143,443,8443,2222,123,3306,10000,8767,14534,51234"
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="21,22,53,123,8767,14534,51234"
# Egress filtering [0 = Disabled / 1 = Enabled]
EGF="1"
# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,22,25,80,443,8443,43,2222,123,8767,14534,51234"
# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,22,53,123,8767,14534,51234"
- Start up APF to test your settings: “/usr/local/sbin/apf -s”
- If everything looks right (you’re still connected, you can still access whatever ports you need to access, etc.) you can edit the configuration file again and change DEVM="1" to DEVM="0" to disable development mode.
- Restart APF and set it to start on reboot with “/sbin/chkconfig --level 2345 apf on”
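A pre-flight check for the edited conf.apf, as an added example that is not part of APF or of the original article. It confirms that every inbound TCP port you depend on (your SSH port first) is covered by IG_TCP_CPORTS, including the a_b range syntax, and reports whether DEVM is still enabled; the function names and the sample file are constructed.

```shell
#!/bin/sh
# Added example (not part of APF): pre-flight checks on conf.apf before
# running "apf -s". Variable names are the ones shown in the article.

apf_get() {  # usage: apf_get <VARIABLE> <conf-file>; last assignment wins
    awk -F= -v var="$1" '
        $1 == var { v = $2; sub(/#.*/, "", v); gsub(/[" \t]/, "", v); val = v }
        END       { print val }
    ' "$2"
}

apf_allows() {  # usage: apf_allows <port> <VARIABLE> <conf-file>
    apf_get "$2" "$3" | tr ',' '\n' | awk -F_ -v p="$1" '
        NF == 1 && $1 + 0 == p + 0                    { hit = 1 }  # single port
        NF == 2 && p + 0 >= $1 + 0 && p + 0 <= $2 + 0 { hit = 1 }  # range a_b
        END { exit !hit }
    '
}

apf_preflight() {  # usage: apf_preflight <conf-file> <needed-tcp-port>...
    pf_conf=$1; shift; pf_rc=0
    for port in "$@"; do
        if apf_allows "$port" IG_TCP_CPORTS "$pf_conf"; then
            echo "OK   inbound TCP $port is allowed"
        else
            echo "FAIL inbound TCP $port is not in IG_TCP_CPORTS"; pf_rc=1
        fi
    done
    if [ "$(apf_get DEVM "$pf_conf")" = "0" ]; then
        echo "OK   DEVM=0"
    else
        echo "WARN DEVM is not 0: development mode is still on"
    fi
    return $pf_rc
}

# Constructed sample, shortened from the article's values plus the
# 3000_3500 passive FTP range that its comment line mentions.
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
DEVM="1"
IG_TCP_CPORTS="20,21,22,25,53,80,443,3000_3500"
EOF
apf_preflight "$sample_conf" 22 80 3306 || true
rm -f "$sample_conf"
```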
- Install BFD (Brute Force Protection)
BFD is designed to work alongside APF by scanning your system’s logs for a large number of failed login attempts, and issuing the command to APF to deny that person’s IP address from connecting again. This protects you from attempts at “brute forcing” access to your system, such as repeatedly trying to log in to common account names using a dictionary of common passwords.
To install BFD, follow the same procedure as above, using the archive at http://www.rfxnetworks.com/downloads/bfd-current.tar.gz.
The configuration file for BFD is located at /usr/local/bfd/conf.bfd if you want to change any settings, including the ability to have a daily report of failed login attempts e-mailed to you.
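The kind of log scan described above, as an added example that is not BFD's own code: it counts failed SSH password attempts per source address and lists the addresses at or over a threshold. The function name, threshold and log lines are constructed; the addresses come from documentation ranges.

```shell
#!/bin/sh
# Added example (not BFD's code): count failed SSH password attempts per
# source address and print "count address" for those at or over a limit.

failed_logins() {  # usage: failed_logins <logfile> <threshold>
    awk -v limit="$2" '
        /sshd\[[0-9]+\]: Failed password for / {
            # Take the field after the LAST "from". The user name is
            # supplied by the remote side and may itself contain
            # "from <address>", which must never be counted or blocked.
            for (i = NF; i > 1; i--)
                if ($(i - 1) == "from") { n[$i]++; break }
        }
        END { for (ip in n) if (n[ip] >= limit) print n[ip], ip }
    ' "$1" | sort -k1,1nr -k2,2
}

# Constructed sample log. The third line carries a user name crafted to
# look like a source address; the fifth is a successful login.
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
Mar 18 03:12:01 web1 sshd[2211]: Failed password for root from 203.0.113.7 port 40022 ssh2
Mar 18 03:12:03 web1 sshd[2213]: Failed password for invalid user admin from 203.0.113.7 port 40031 ssh2
Mar 18 03:12:05 web1 sshd[2215]: Failed password for invalid user from 198.51.100.9 from 203.0.113.7 port 40040 ssh2
Mar 18 03:15:00 web1 sshd[2301]: Failed password for dan from 198.51.100.20 port 51000 ssh2
Mar 18 03:15:09 web1 sshd[2301]: Accepted password for dan from 198.51.100.20 port 51000 ssh2
EOF
failed_logins "$sample_log" 3
rm -f "$sample_log"
```

A single mistyped password from the legitimate user stays under the threshold, and the address embedded in the crafted user name is never reported.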
- Install mod_security
mod_security is a module for the Apache web server that lets you filter out certain requests before they are processed. This lets you stop many types of vulnerability exploits on your web server, especially those aimed at sending spam through web forms and issuing commands through known vulnerabilities in some PHP scripts.
The download and installation process is slightly different depending on what version of Apache you’re running, but it only takes a few minutes to install in most cases. You can download and find documentation at the ModSecurity website.
- Check Services are Up to Date
While you just purchased your server, the software that came with it may already be out of date, and potentially vulnerable to newly discovered exploits. A good place to keep track of high risk vulnerabilities in the wild is the McAfee Threat Center.
Many Linux distributions come with a program such as yum or up2date which you can use to check for updates to installed software on your system automatically. Make use of them on a regular basis and check with the websites of the service creators for updates and patches.
- Tune Apache and MySQL
For most people, Apache and MySQL will work relatively well out of the box. If you intend to put considerable load on the server, it’s worth doing a little tuning before you go live. There’s documentation for tuning the settings of both Apache and MySQL on their websites, and an excellent blog at mysqlperformanceblog.com.
If you’re going to be running PHP applications, a byte code cache such as APC can significantly boost performance as well.
Follow this checklist to get up and running, ready to host your websites. Remember that managing a server is an ongoing process. You need to keep up with software updates, vulnerabilities, and performance bottlenecks on a regular basis to keep things running smoothly.
March 18th, 2007
Another thing that might be worth adding is load testing. This is definitely something you should be concerned about if you’re leasing a server which potentially (and more than likely) is running on used hardware.
There are some great applications out there for doing this, including memtest (for memory testing) and drive fitness test (developed by Hitachi):
http://www.hgst.com/hdd/support/download.htm
Just my two cents at least, :-).
March 18th, 2007
Wow, I am glad I work part time at a hosting company who handles all the server stuff for me and gives me a great deal for my web projects. Seems like a lot of extra hard work.
Beautiful writeup Dan!
April 18th, 2007
Nice. Check out my media company #studio-visual @ Quakenet
April 18th, 2007
john: Somehow I think an IRC channel isn’t the best way to advertise your company. I doubt 90% of people who see a comment like that even know that’s an IRC channel and network, or even what IRC is.
August 16th, 2007
Dan, I like your information, but I think I made a mistake: the tar did not work for me until I put tar xvzf. Then when I ran it I got a lot of errors.
How do you run the pico? That did not work. Can you give more detail, and can you also comment on cPanel and how to load files through cPanel? Feel free to email me directly with those tips.
March 1st, 2008
I tried what you had written up but when I logged in with the new user I created, I couldn’t exit the sshd_config file. I could with the root access but not with this new user… you may want to clarify as to how to set permissions first because if you don’t and you disable root login you are in trouble
March 1st, 2008
Frank, you don’t want to be changing permissions on anything. When you need root access to perform a task like that, while logged in as your normal user, you use “su” to become the super user temporarily. This is only a brief tutorial on basic security tasks, not Linux use itself. Unfortunately, if you don’t know the basics of using the operating system, you shouldn’t be administering an internet-facing server yourself.
April 10th, 2008
Oh man - I’m so lost. I knew I shouldn’t have gone with an unmanaged host just because I have putty….
Anyway, thank you! I’m slowly but surely learning how to figure out how to figure out what I’m doing, haha.