Dedicated Server Setup Checklist

You’ve outgrown shared hosting and decided to start renting a server of your own. Since you’re still on a tight budget, you want an unmanaged server, where full responsibility for configuring and managing the server is yours. These are the steps I go through every time I set up a new server for web and database hosting. It doesn’t matter if you choose to use a control panel or not, these are the essential items for securing a Linux server and preparing it to host websites or web applications.

  1. Create a Non-Root User

    When your server is provisioned, you’ll generally only be given an IP address and a root password. That’s all you need to SSH in to the server as the root user for the first time. It’s bad practice to log in as root for a few reasons — if you log in as a single user and only “su” to root access when needed, you’re less likely to accidentally damage your own system by deleting an important file or providing the wrong options or path to a command. It’s also harder for someone to attempt to break into your server by brute force if they can’t log in directly as root; they’ll need to find a way in as another user then additionally gain root access.

    The first thing you’ll want to do is create a user for yourself to log in as in the future. In most Linux distributions, that’s as easy as typing “useradd [username]” or “adduser [username]”. To set the password for your new user, type “passwd [username]” and you’ll be prompted to supply the new password.

  2. Disable Root Logins Over SSH

    Now that you have a second user account, reconnect to your server as that user. Now you can use “su” to gain root access again and edit the SSH configuration file. To do so with the pico text editor, type “pico /etc/ssh/sshd_config”. You’re going to make two changes:

    1. Find the line “Protocol 2,1”, uncomment it, and change it to “Protocol 2”.
    2. Find the line “PermitRootLogin yes”, uncomment it, and change it to “PermitRootLogin no”.

    Save the file (CTRL+X, Y) and quit your text editor. Now restart the SSH service (/etc/rc.d/init.d/sshd restart) and it’s no longer possible to log in as the root user over SSH.
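
The two sshd_config edits from steps 1 and 2, as an added example that is not part of the original post. It works on whatever file path you give it, so try it on a copy first; on the live file, run “sshd -t” before restarting, and keep your current session open until a second connection as the new user (and “su” to root) has succeeded.

```shell
#!/bin/sh
# Added example (not from the original post): apply the two sshd_config
# changes above with sed on a given file, then verify them. Run it against
# a copy first; on the live file, "sshd -t" is the final check to do before
# "/etc/rc.d/init.d/sshd restart".

# harden_sshd_config FILE: force "Protocol 2" and "PermitRootLogin no".
# Commented-out defaults ("#Protocol 2,1") are rewritten; missing lines appended.
harden_sshd_config() {
    f="$1"
    for kv in "Protocol 2" "PermitRootLogin no"; do
        key="${kv%% *}"
        if grep -Eq "^[[:space:]]*#?[[:space:]]*$key[[:space:]]" "$f"; then
            # Rewrite every (possibly commented) occurrence of the directive.
            sed -i "s/^[[:space:]]*#\{0,1\}[[:space:]]*$key[[:space:]].*/$kv/" "$f"
        else
            printf '%s\n' "$kv" >> "$f"
        fi
    done
}

# check_sshd_config FILE: succeed only if both directives are active and
# no live "PermitRootLogin yes" line is left behind.
check_sshd_config() {
    f="$1"
    grep -Eq '^[[:space:]]*Protocol[[:space:]]+2[[:space:]]*$' "$f" || return 1
    grep -Eq '^[[:space:]]*PermitRootLogin[[:space:]]+no[[:space:]]*$' "$f" || return 1
    ! grep -Eq '^[[:space:]]*PermitRootLogin[[:space:]]+yes' "$f" || return 1
}

# make_sample_sshd_config FILE: constructed excerpt of a stock sshd_config.
make_sample_sshd_config() {
    cat > "$1" <<'EOF'
#Port 22
#Protocol 2,1
#PermitRootLogin yes
#StrictModes yes
EOF
}

# Stand-alone run on a temporary copy, never on /etc/ssh/sshd_config itself.
sample="$(mktemp)"
make_sample_sshd_config "$sample"
harden_sshd_config "$sample"
check_sshd_config "$sample" && grep -E '^(Protocol|PermitRootLogin) ' "$sample"
rm -f "$sample"
```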

  3. Disable Telnet

    Telnet is another way to connect to your server, but unlike SSH, it is not encrypted. As it’s less secure and just another opportunity for someone to attempt to gain access to your server, it’s best to simply disable the service. To do so, edit the telnet configuration with “pico /etc/xinetd.d/telnet”.

    Find the line that reads disable = no and change it to disable = yes.

    Now, restart the xinetd service with “/etc/rc.d/init.d/xinetd restart” and prevent telnet from starting on boot with “/sbin/chkconfig telnet off”.

  4. Install APF (Advanced Policy Firewall)

    APF is a policy-based firewall for Linux. It’s very simple to install and configure.

    1. Download it to your server by issuing “wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz”
    2. Extract the file with “tar -xzf apf-current.tar.gz”
    3. Enter the directory that was created, for example “cd apf-0.9.6”
    4. Install APF with the provided script “./install.sh”
    5. Edit the configuration file: “pico /etc/apf/conf.apf”

      Find the line USE_DS="0" and change it to USE_DS="1" to enable the DShield.org block list. Then you’ll want to edit the ports APF will allow traffic through on your server by finding and updating the following lines as appropriate:

      # Common ingress (inbound) TCP ports (3000_3500 = passive port range for Pure FTPD)
      IG_TCP_CPORTS="20,21,22,25,26,53,80,110,143,443,8443,2222,123,3306,10000,8767,14534,51234"

      # Common ingress (inbound) UDP ports
      IG_UDP_CPORTS="21,22,53,123,8767,14534,51234"

      # Egress filtering [0 = Disabled / 1 = Enabled]
      EGF="1"

      # Common egress (outbound) TCP ports
      EG_TCP_CPORTS="21,22,25,80,443,8443,43,2222,123,8767,14534,51234"

      # Common egress (outbound) UDP ports
      EG_UDP_CPORTS="20,21,22,53,123,8767,14534,51234"

    6. Start up APF to test your settings. “/usr/local/sbin/apf -s”
    7. If everything looks right (you’re still connected, you can still access whatever ports you need to access, etc.) you can edit the configuration file again and change DEVM="1" to DEVM="0" to disable development mode.
    8. Restart APF and set it to start on reboot with “/sbin/chkconfig --level 2345 apf on”

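
A check worth running before step 7, as an added example (not APF’s own code or part of the original post): it reads IG_TCP_CPORTS out of conf.apf, understands APF’s LOW_HIGH range syntax, and confirms the port sshd is configured to listen on is allowed, so that turning off development mode cannot lock you out. The file names and function names are the example’s own.

```shell
#!/bin/sh
# Added example (not APF's own code or the original post): before changing
# DEVM="1" to DEVM="0", confirm the port sshd listens on is present in
# IG_TCP_CPORTS, so the firewall cannot lock you out once development mode's
# safety net is gone.

# apf_list FILE VAR: print VAR's quoted value from conf.apf, skipping
# commented lines; the last assignment wins, as it would for the shell.
apf_list() {
    sed -n "s/^[[:space:]]*$2=\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# apf_port_allowed FILE VAR PORT: succeed if PORT is listed in VAR, either as
# a single entry or inside an APF range written LOW_HIGH (e.g. 3000_3500).
apf_port_allowed() {
    port="$3"
    for entry in $(apf_list "$1" "$2" | tr ',' ' '); do
        case "$entry" in
            *_*)
                lo="${entry%_*}"; hi="${entry#*_}"
                [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ] && return 0
                ;;
            *)
                [ "$entry" -eq "$port" ] && return 0
                ;;
        esac
    done
    return 1
}

# apf_safe_to_leave_devmode CONF SSHD_CONFIG: succeed only if the port sshd
# is configured to use (default 22) is open in IG_TCP_CPORTS.
apf_safe_to_leave_devmode() {
    sshport="$(sed -n 's/^[[:space:]]*Port[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p' "$2" | tail -n 1)"
    apf_port_allowed "$1" IG_TCP_CPORTS "${sshport:-22}"
}

# Constructed sample files for the stand-alone run.
conf="$(mktemp)"; sshd="$(mktemp)"
cat > "$conf" <<'EOF'
# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="21,22,25,80,443,3000_3500"
DEVM="1"
EOF
printf 'Port 2222\n' > "$sshd"
apf_safe_to_leave_devmode "$conf" "$sshd" \
    || echo "sshd listens on 2222 but IG_TCP_CPORTS does not allow it; keep DEVM=\"1\""
rm -f "$conf" "$sshd"
```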
  5. Install BFD (Brute Force Protection)

    BFD is designed to work alongside APF by scanning your system’s logs for a large number of failed login attempts, and issuing the command to APF to deny that person’s IP address from connecting again. This protects you from attempts at “brute forcing” access to your system, such as repeatedly trying to log in to common account names using a dictionary of common passwords.

    To install BFD, follow the same procedure as above, using the archive at http://www.rfxnetworks.com/downloads/bfd-current.tar.gz.

    The configuration file for BFD is located at /usr/local/bfd/conf.bfd if you want to change any settings, including the ability to have a daily report of failed login attempts e-mailed to you.
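
The check BFD automates, shown as an added example over constructed sshd log lines (this is not BFD’s own code, and the function names and addresses are the example’s own): failed password attempts are counted per source address, and the addresses at or above a threshold are the ones a tool like BFD would pass to APF to deny. The script only reports.

```shell
#!/bin/sh
# Added example (not BFD's own code): the check BFD automates, run over
# constructed sshd log lines. It counts "Failed password" events per source
# address and reports those at or above a threshold, i.e. the addresses a
# tool like BFD would hand to APF to deny. It only reports; the sample
# addresses are from documentation ranges.

# failed_logins_by_ip LOGFILE: print "count ip" lines, most frequent first.
failed_logins_by_ip() {
    grep 'sshd\[[0-9]*\]: Failed password' "$1" \
        | sed -n 's/.* from \([0-9.]\{7,15\}\) port .*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# brute_force_sources LOGFILE THRESHOLD: ips with at least THRESHOLD failures.
brute_force_sources() {
    failed_logins_by_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# Constructed syslog excerpt for the stand-alone run.
log="$(mktemp)"
cat > "$log" <<'EOF'
Mar  3 02:11:01 web1 sshd[2311]: Failed password for root from 203.0.113.5 port 40122 ssh2
Mar  3 02:11:04 web1 sshd[2313]: Failed password for invalid user admin from 203.0.113.5 port 40130 ssh2
Mar  3 02:11:06 web1 sshd[2315]: Failed password for invalid user test from 203.0.113.5 port 40141 ssh2
Mar  3 02:11:09 web1 sshd[2317]: Failed password for root from 203.0.113.5 port 40150 ssh2
Mar  3 02:12:40 web1 sshd[2320]: Accepted password for dan from 198.51.100.20 port 51000 ssh2
Mar  3 02:13:02 web1 sshd[2325]: Failed password for dan from 198.51.100.20 port 51010 ssh2
Mar  3 02:13:30 web1 sshd[2326]: Accepted password for dan from 198.51.100.20 port 51011 ssh2
EOF
echo "Sources with 3 or more failed logins:"
brute_force_sources "$log" 3
rm -f "$log"
```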

  6. Install mod_security

    mod_security is a module for the Apache web server that lets you filter out certain requests from being processed. This lets you stop many types of vulnerability exploits on your web server, especially those aimed at sending spam through web forms and issuing commands through known vulnerabilities in some PHP scripts.

    The download and installation process is slightly different depending on what version of Apache you’re running, but it only takes a few minutes to install in most cases. You can download and find documentation at the ModSecurity website.

  7. Check Services are Up to Date

    Although you have just purchased your server, the software that came with it may already be out of date and potentially vulnerable to newly discovered exploits. A good place to keep track of high-risk vulnerabilities in the wild is the McAfee Threat Center.

    Many Linux distributions come with a program such as yum or up2date which you can use to check for updates to installed software on your system automatically. Make use of them on a regular basis and check with the websites of the service creators for updates and patches.

  8. Tune Apache and MySQL

    For most people, Apache and MySQL will work relatively well out of the box. If you intend to put considerable load on the server, it’s worth doing a little tuning before you go live. There’s documentation for tuning the settings of both Apache and MySQL on their websites, and an excellent blog at mysqlperformanceblog.com.

    If you’re going to be running PHP applications, a byte code cache such as APC can significantly boost performance as well.

Follow this checklist to get up and running, ready to host your websites. Remember that managing a server is an ongoing process. You need to keep up with software updates, vulnerabilities, and performance bottlenecks on a regular basis to keep things running smoothly.

  • http://www.lessthanhumble.com/ Robert Norton

    Another thing that might be worth adding is load testing. This is definitely something you should be concerned about if you’re leasing a server which potentially (and more than likely) is running on used hardware.

    There are some great applications out there for doing this, including memtest (for memory testing) and Drive Fitness Test (developed by Hitachi):
    http://www.hgst.com/hdd/support/download.htm

    Just my two cents at least, :-).

  • http://www.CleverTools.com Jason

    Wow, I am glad I work part time at a hosting company who handles all the server stuff for me and gives me a great deal for my web projects. Seems like a lot of extra hard work 😉 Beautiful writeup Dan!

  • http://#studio-visualquakenet john

    Nice. Check out my media company #studio-visual @ Quakenet

  • Dan

    john: Somehow I think an IRC channel isn’t the best way to advertise your company. I doubt 90% of people who see a comment like that even know that’s an IRC channel and network, or even what IRC is.

  • Ed

    Dan, I like your information, but I think I made a mistake: the tar did not work for me until I put tar xvzf. Then when I ran it I got a lot of errors.
    How do you run pico? That did not work. Can you give more detail, and can you also comment on cPanel and how to load files through cPanel? Feel free to email me directly with those tips.

  • Frank

    I tried what you had written up, but when I logged in with the new user I created, I couldn’t edit the sshd_config file. I could with the root access but not with this new user… you may want to clarify as to how to set permissions first, because if you don’t and you disable root login you are in trouble.

  • Dan

    Frank, you don’t want to be changing permissions on anything. When you need root access to perform a task like that, while logged in as your normal user, you use “su” to become the super user temporarily. This is only a brief tutorial on basic security tasks, not Linux use itself. Unfortunately, if you don’t know the basics of using the operating system, you shouldn’t be administering an internet-facing server yourself.

  • http://cllct.com Secret Owl

    Oh man – I’m so lost. I knew I shouldn’t have gone with an unmanaged host just because I have putty….

    Anyway, thank you! I’m slowly but surely learning how to figure out how to figure out what I’m doing, haha.

  • http://digitalblogindia.in Kunal

    Great tips. Wonder if anyone could take this further and show us how to set up WHM, cPanel and antiviruses, rootkits etc.

  • http://www.dangrossman.info Dan

    Well, I’m not a web host, so I have no need to install things like WHM or cPanel. Control panels can be very expensive, while editing Apache configuration and users yourself is actually pretty simple.

  • Keeton

    Hi Dan,

    Some good tips here – thank you! Do you recommend a hardware firewall in front of your server, or do you rely on Advanced Policy Firewall exclusively?

  • http://freeplaystationcodes.com/ Josh

    I’m planning on buying a dedicated server, do you happen to know any places which sell them for cheap but are efficient? Thanks
