
So you’ve bought yourself a shiny new VPS, but have no idea what to do with it. Well, you’ve come to the right place!

We’re going to discuss the top 5 things to do with your new VPS, and we’re going to show you how to apply these 5 points to your Ubuntu or CentOS VPS. I chose Ubuntu and CentOS because they are the most commonly used Linux server environments for running profit-based systems. This information is available thanks to TyIzaeL over at /r/linux. You can find the full 2015 survey (as well as the 2013 and 2014 editions) at his blog: https://brashear.me/blog/2015/08/24/results-of-the-2015-slash-r-slash-linux-distribution-survey/

 

1. Update Kernel/Software, Immediately.

First things first: your new VPS hosting package is most likely going to be built from a template, and this template is probably not going to be current in terms of software and kernel updates. We need to fix that! If you don’t keep your VPS updated, security holes in the kernel and packages remain exposed to the internet.

 

CentOS 6.7/7.1

yum -y upgrade
shutdown -r now

Ubuntu 12.04/14.04/15.04

sudo apt-get update && sudo apt-get -y dist-upgrade
shutdown -r now

 

Now, we can muck around with different kernels, and different security implements, but this article is being written as more of a general “beginners guide to VPS”. I definitely don’t want to be responsible for anyone breaking GRUB or anything like that ^_^. So stay tuned for that fun, scary stuff in later, more detailed write-ups!

 

2. Install Important and Useful Packages

Now that we’ve updated your VPS to the latest kernel and software available, we can begin to install some packages to make your life easier, help harden your VPS against attacks, and give you greater insight on what your VPS is doing.

We’re going to install the below packages. Some of these are personal favorites, some are good to have around, and some should probably come already installed, but alas.

ntp – Network Time Protocol daemon – Honestly, I don’t understand why this isn’t installed and activated with EVERY distro. There are too many reasons to list why you should want your system’s time to be accurate.

wget – World Wide Web + Get – I promise you’ll be using this many times over the course of your VPS administration. Simply, it pulls files from the Internet! Neat!

nano – Probably the most easy-to-use editor out there. You’ll be using nano to edit configurations, and all sorts of files. Some people might bash me for even suggesting an opposing editor to vi, but let’s face it. Nano is easy.

htop – I have yet to figure out what the H stands for, but this utility extends on the functionality of the top command. It’s cleaner, and you can custom define some pretty cool settings to help you quickly monitor usage stats.

iotop – Simply, Input/Output top. This utility allows you to monitor which processes on your system are using up the hard disks. Very useful if you’re trying to diagnose why your system is running slow.

iptraf – I love iptraf, it’s just… so cool. iptraf allows you to monitor your network interfaces in a sweet graphical interface.

ncdu – NCurses Disk Usage – ahh, another one of my favorites. This nifty little command will scan your system, populate a list of every directory you want it to, and spit out a VERY human-readable breakdown of your system’s disk usage.

mtr – Another network diagnostics utility. mtr allows you to aggregate UDP or ICMP pings/echos, in order to generate a report on any given route your system takes and the latency of said route.

man – Manuals – Does this need an explanation? Very handy to have installed if you need to quickly check out how to use a specific command or utility.

 

CentOS 6.7/7.1

Some of these packages are not available in the base CentOS repositories. Check out our article on how to Install the EPEL and Remi Repositories before running the below command. Otherwise, you won’t be able to install some of these goodies! :(

 

Time to install the goodness:

yum -y install wget nano ntp iotop iptraf man mtr htop ncdu gcc glibc-static

Set the correct timezone for your VPS server (DO NOT COPY/PASTE: make sure you put YOUR timezone into the command):

mv /etc/localtime /etc/localtime.bak
ln -s /usr/share/zoneinfo/YOUR/TIMEZONE /etc/localtime

Now let’s get an accurate time for our VPS and make sure it stays accurate:

ntpdate pool.ntp.org
service ntpd start
chkconfig ntpd on

 

Ubuntu 12.04/14.04/15.04

Thankfully, Ubuntu and apt-get are pretty good about having the latest and greatest in terms of software already in their base repository. Most of these packages should be pre-installed, but I’ve included them just in case.

 

Simply run the below command, and you’ll be good to go:

sudo apt-get install wget nano ntp iotop iptraf man mtr htop ncdu gcc libc6-dev

Make sure your timezone is correct. Ubuntu provides a neat utility to make this process easy:

dpkg-reconfigure tzdata

Now you can start NTP:

ntpdate pool.ntp.org
/etc/init.d/ntp start

 

3. Harden the OS, Secure SSH

The next step is to harden your VPS server against possible attacks and other potential issues. We’re going to be securing SSH, enabling automatic yum and apt-get updates, and installing CSF/LFD, linux-maldetect, rkhunter, chkrootkit, and clamav.

Now I know that seems like a lot to do, but trust me, it’ll be quick, painless, and totally worth it.

 

Securing the OpenSSH Server

CentOS 6.7/7.1 and Ubuntu 12.04/14.04/15.04

Edit the SSH configuration file:

nano /etc/ssh/sshd_config

Find the lines below, and configure them as shown. (MAKE SURE YOU SET YOUR OWN PORT!! DON’T COPY/PASTE!)

Port 12345
PermitRootLogin no
HostKey /etc/ssh/ssh_host_rsa_key
RSAAuthentication yes
PubkeyAuthentication yes
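
A way to check the file after editing it, as an added example that is not part of the original article: the function names are hypothetical, the sample config is constructed, and the check relies on sshd using the first occurrence of a keyword outside any Match block.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the settings this guide changes.

# Print the effective global value of a keyword. sshd uses the FIRST
# occurrence, keywords are case-insensitive, and '#' lines are comments.
# Parsing stops at the first Match block, whose settings are conditional.
sshd_value() {   # usage: sshd_value KEYWORD FILE
    awk -v key="$1" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$2"
}

# Report deviations from the guide; the return status is the finding count.
audit_sshd_config() {   # usage: audit_sshd_config FILE
    file=$1 findings=0
    port=$(sshd_value Port "$file")
    root=$(sshd_value PermitRootLogin "$file")
    pubkey=$(sshd_value PubkeyAuthentication "$file")
    # An unset Port means the default, 22.
    if [ "${port:-22}" = "22" ]; then
        echo "Port: still on default 22"; findings=$((findings + 1))
    fi
    # Assumption: an unset PermitRootLogin is flagged rather than trusted.
    if [ "$root" != "no" ]; then
        echo "PermitRootLogin: '${root:-unset}', expected 'no'"; findings=$((findings + 1))
    fi
    # PubkeyAuthentication defaults to yes, so only an explicit 'no' counts.
    if [ "$pubkey" = "no" ]; then
        echo "PubkeyAuthentication: disabled"; findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample config (not from a real host): the commented line is
# ignored and the later 'permitrootlogin no' loses to the earlier 'yes'.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#PermitRootLogin no
Port 12345
PermitRootLogin yes
permitrootlogin no
EOF
audit_sshd_config "$sample" || echo "findings: $?"
rm -f "$sample"
```

Before restarting sshd, `sshd -t` checks the file for syntax errors. Keep the current session open until a login on the new port as a non-root user works.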

 

Enable Automatic Updating

CentOS 6.7/7.1

Install the yum-cron package to enable automatic updates:

yum -y install yum-cron
service yum-cron start
chkconfig yum-cron on

 

Ubuntu 12.04/14.04/15.04

This is a work in progress. There are a few ways to do it, and they’re not quite the simplest methods.

Installing a GOOD Firewall (ConfigServer Firewall)

ConfigServer Firewall (commonly known as CSF) is a Stateful Packet Inspection (SPI) firewall and an Intrusion Detection System (IDS) rolled into one. It’s a very powerful utility to have, and makes managing iptables MUCH easier. Both CentOS and Ubuntu come packaged with iptables by default, and the process for installing and configuring CSF will be the same on both.

I highly recommend reading the documentation on how to further tweak/configure the CSF installation. You can find it at http://download.configserver.com/csf/readme.txt

 

CentOS 6.7/7.1 and Ubuntu 12.04/14.04/15.04

First, we need to make sure the libwww Perl module is installed:

(Ubuntu)

apt-get -y install libwww-perl

(CentOS)

yum -y install perl-libwww-perl

Now, we can go ahead and install CSF:

cd /usr/src
rm -fv csf.tgz
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

CSF will try to automatically add your local IP address to its whitelist, as well as automatically allow any custom SSH ports you have configured. Having said that, we still need to enter the configuration files and ensure that only the ports you want are open, and that both CSF and LFD are not in “TESTING” mode.

nano /etc/csf/csf.conf

Find the following lines in the configuration file, and modify them to suit your needs:

TCP_*, UDP_*, IPV6, TCP6_*, UDP6_*

After you configure your ports, find the below line and set it like so:

TESTING = "0"

Now restart CSF and LFD:

/etc/init.d/csf restart
/etc/init.d/lfd restart

 

Installing rootkit scanners (rkhunter and chkrootkit)

We’re installing both of these rootkit scanners because, why not? One may detect something that the other doesn’t, and that’s a plus in our book. After installation, we’ll set up cron scripts to keep them updated, have them run nightly, and send out alerts if anything is detected.

 

CentOS 6.7/7.1 and Ubuntu 12.04/14.04/15.04

Install rkhunter

Run the following to get rkhunter downloaded, extracted, and installed:

cd /usr/src
wget http://downloads.sourceforge.net/project/rkhunter/rkhunter/1.4.2/rkhunter-1.4.2.tar.gz
tar -xzvf rkhunter-1.4.2.tar.gz
cd rkhunter-1.4.2
sh installer.sh --install

Create the nightly cron script:

nano /usr/local/bin/rkhunternightly
chmod 755 /usr/local/bin/rkhunternightly

Add the following into the file (MAKE SURE TO CHANGE THE EMAIL!!):

#!/bin/sh
( /usr/local/bin/rkhunter --versioncheck
/usr/local/bin/rkhunter --update
/usr/local/bin/rkhunter --cronjob --report-warnings-only
) | /usr/bin/mail -s "rkhunter Report - `date +%D`" admin@yourdomain.com

Automate rkhunter via crontab:

sudo crontab -u root -e

Add the following line to the root crontab:

0 1 * * * /usr/local/bin/rkhunternightly

That will configure rkhunter to scan at 1:00AM nightly, and send you an email with the results.

 

Install chkrootkit

Download, extract, and install chkrootkit:

cd /usr/src
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
tar -xzvf chkrootkit.tar.gz
cd chkrootkit-0.50
make sense

Automate chkrootkit via crontab:

sudo crontab -u root -e

Add the following to the crontab (MAKE SURE TO CHANGE THE EMAIL!!). In a crontab, % must be written as \% because cron otherwise treats it as a newline:

10 1 * * * /usr/src/chkrootkit-0.50/chkrootkit 2>&1 | mail -s "chkrootkit Report - `date +\%D`" admin@yourdomain.com

That will configure chkrootkit to scan at 1:10AM nightly, and send you an email with the results. We’ve offset the time here to give rkhunter a chance to finish running before chkrootkit starts.

 

Installing Virus and Malicious File Scanners (clamav and linux-maldet)

Install ClamAV

ClamAV is a decent virus scanner for Linux systems. I’ve honestly never had ClamAV register a hit, but we want to install it anyways for a couple of reasons. One being that it never hurts to have another eye on things, and two, we’re going to need the clamscan engine for our final piece of security software.

 

CentOS 6.7/7.1

Install the ClamAV daemon and set it to start on boot:

yum -y install clamav clamd
chkconfig clamd on
/etc/init.d/clamd start
freshclam

Edit the crontab for root:

sudo crontab -u root -e

Add the following to schedule ClamAV to run nightly, and send us a report:

0 2 * * * clamscan -ri --exclude-dir=^/sys\|^/proc\|^/dev / | mail -s "ClamAV Report - `date +\%D`" email@yourdomain.com

 

Ubuntu 12.04/14.04/15.04

Install the ClamAV daemon and set it to start on boot:

apt-get -y install clamav clamav-daemon
/etc/init.d/clamav-freshclam start
/etc/init.d/clamav-daemon start
freshclam

Edit the crontab for root:

sudo crontab -u root -e

Add the following to schedule ClamAV to run nightly, and send us a report:

0 2 * * * clamscan -ri --exclude-dir=^/sys\|^/proc\|^/dev / | mail -s "ClamAV Report - `date +\%D`" email@yourdomain.com

 

Install Linux Malware Detect (otherwise known as LMD, maldet, linux-maldet)

maldet is a powerful piece of software that provides deep scans of your system. We won’t go into the configuration details in this article, as that is being saved for another write-up. By default, when ClamAV is installed on a system, linux-maldet will use the clamscan engine to significantly speed up its scanning times.

 

CentOS 6.7/7.1 and Ubuntu 12.04/14.04/15.04

Install maldet:

cd /usr/src
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar xzvf maldetect-current.tar.gz
cd maldetect-1.5
sh install.sh
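
The CSF, rkhunter, chkrootkit and maldet steps above each download a tarball over HTTP, HTTPS or FTP and run its installer as root. As an added example (not from the original article), this checks a tarball against a SHA-256 value obtained separately and rejects path-escaping member names before extracting; the function names are hypothetical, `sha256sum` from GNU coreutils is assumed, and the page itself lists no checksums.

```shell
#!/bin/sh
# Added example: verify a downloaded tarball before running its installer.

# Succeeds only if FILE's SHA-256 equals EXPECTED (hex, case-insensitive).
verify_sha256() {   # usage: verify_sha256 FILE EXPECTED_HEX
    actual=$(sha256sum "$1" | awk '{ print $1 }')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Reads member names on stdin; succeeds if any is an absolute path or has a
# ".." component, either of which could write outside the target directory.
has_unsafe_path() {
    grep -Eq '^/|(^|/)\.\.(/|$)'
}

# Extract into DESTDIR only after both checks pass. The installer inside is
# still run by hand, once you have looked at it.
safe_extract() {   # usage: safe_extract FILE.tar.gz EXPECTED_HEX DESTDIR
    verify_sha256 "$1" "$2" || { echo "checksum mismatch: $1" >&2; return 1; }
    if tar -tzf "$1" | has_unsafe_path; then
        echo "unsafe member path in $1" >&2; return 1
    fi
    mkdir -p "$3" && tar -xzf "$1" -C "$3"
}

# Constructed demo: a throwaway tarball stands in for the download, and its
# own hash stands in for a checksum obtained from a source you trust.
demo=$(mktemp -d)
mkdir "$demo/pkg" && echo 'echo hello' > "$demo/pkg/install.sh"
tar -czf "$demo/pkg.tgz" -C "$demo" pkg
good=$(sha256sum "$demo/pkg.tgz" | awk '{ print $1 }')
safe_extract "$demo/pkg.tgz" "$good" "$demo/out" && echo "extracted"
safe_extract "$demo/pkg.tgz" "deadbeef" "$demo/out2" || echo "refused"
rm -rf "$demo"
```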

Edit the maldet configuration file to configure email reports:

nano /usr/local/maldetect/conf.maldet

Turn email reporting on, and set your email (MAKE SURE YOU CHANGE THE EMAIL!!):

email_alert="1"
email_addr="you@domain.com"

 

4. Configuring Monitoring

There are a ton of different services we can and should configure to monitor our system, both locally, and remotely. I’m not going to delve into setting up the more complex systems in this article, but stay tuned for those future docs.

osquery
linux-dash
Cacti
Nagios
MRTG

The quickest and easiest to install and configure from the bunch are linux-dash and MRTG. If you want some quick insights into your system, with some trend graphing to boot, I recommend getting those two installed first. Ideally, you want your monitoring appliances to be on a separate server and network. In case something happens to your VPS, you wouldn’t know about it if these packages were installed locally.

 

5. Have Fun with your VPS!

Now that we’ve got all the boring security stuff out of the way, you’ve reached the most critical step.

At this point, you can install Apache, MySQL, and PHP to turn your VPS into a webserver, or you can install BIND or PowerDNS and turn it into a DNS box. You can even aggregate your syslogs from other servers and use your VPS as a monitoring/reporting server. There are so many applications for a VPS that even trying to list them all would be pointless. Just have fun with your VPS.

I want to know what you guys think. Drop a comment below and let me know what you would do differently, or what you would do with your personal VPS.


This Post Has 2 Comments

  1. On CentOS 7.2, I had to install the Epel repo before I could use YUM to install clamav.
    yum install epel-release
