
Securing your Plesk based VPS with 34SP.com

If you are using our VPS hosting here at 34SP.com, or are considering a VPS server, this blog post may be of great help. Although we have covered some of these points on our forums and in our support articles, putting them into a single post may benefit some users. One of the most common issues we see at 34SP.com is servers being abused via brute force logins on sshd against the ‘root’ user.

If you look in your /var/log/messages file and see something like this, then this is happening to you:

Sep 7 21:23:02 HOSTNAME sshd(pam_unix)[23860]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.4 user=root
Sep 7 21:23:02 HOSTNAME sshd(pam_unix)[23861]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.4 user=root
Sep 7 21:23:07 HOSTNAME sshd(pam_unix)[23917]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.4 user=root
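A small script that turns log lines like the ones above into a per-host count, so a brute force run stands out. This is an added example, not code from the 34SP.com post; the function names are mine, it assumes the sshd(pam_unix) line format shown above, and the sample log is constructed.

```shell
#!/bin/sh
# Added example (not from the 34SP.com post): summarise sshd "authentication failure"
# records per remote host so a brute force run like the one above stands out.
# Assumes the sshd(pam_unix) line format shown in the post; the sample log is constructed.

# count_failures LOGFILE [THRESHOLD]
# Prints "rhost count user" for each rhost/user pair with at least THRESHOLD (default 5)
# failures, highest count first.
count_failures() {
    logfile="$1"; threshold="${2:-5}"
    grep 'sshd(pam_unix).*: authentication failure' "$logfile" \
      | sed -n 's/.* rhost=\([^ ]*\) user=\([^ ]*\).*/\1 \2/p' \
      | sort | uniq -c \
      | awk -v t="$threshold" '$1 >= t { printf "%s %d %s\n", $2, $1, $3 }' \
      | sort -k2,2nr
}

# offending_hosts LOGFILE [THRESHOLD]: just the rhost values, one per line, for
# feeding into a deny list (the denyhosts utility mentioned later does this automatically).
offending_hosts() {
    count_failures "$1" "${2:-5}" | awk '{ print $1 }' | sort -u
}

# Constructed sample in the same format as the /var/log/messages excerpt above.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Sep 7 21:23:02 HOSTNAME sshd(pam_unix)[23860]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.4 user=root
Sep 7 21:23:02 HOSTNAME sshd(pam_unix)[23861]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.4 user=root
Sep 7 21:23:07 HOSTNAME sshd(pam_unix)[23917]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.4 user=root
Sep 7 21:23:09 HOSTNAME sshd(pam_unix)[23920]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.4 user=root
Sep 7 21:25:11 HOSTNAME sshd(pam_unix)[24001]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=5.6.7.8 user=root
Sep 7 21:25:14 HOSTNAME sshd(pam_unix)[24003]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=5.6.7.8 user=root
Sep 7 21:30:00 HOSTNAME sshd(pam_unix)[24100]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=9.9.9.9 user=vpslogin
Sep 7 21:30:05 HOSTNAME sshd[24100]: Accepted password for vpslogin from 9.9.9.9 port 51022 ssh2
EOF

# Usage: show every host with three or more failures (a single mistyped password is ignored).
count_failures "$SAMPLE_LOG" 3
```

Point it at the real file with `count_failures /var/log/messages 10` once you know what a normal day looks like on your server.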

There are a number of steps you can take to help stop someone from ‘brute forcing’ your password.

But the number one thing to do is to make sure your VPS key packages are up to date, as security fixes are released on a regular basis.

We recommend that people use the atomic repository on a plesk server; this is maintained by the original developer of plesk, and as such its compatibility with plesk is very good and should cause no issues.

The following few lines of shell commands will update your plesk VPS to the latest plesk 8.x series and update the vast majority of packages to the latest version (please note: if you wish to retain php4, do not use this).

[root@vps /]# wget -q -O - http://www.atomicorp.com/installers/atomic.sh | sh

Atomic Archive installer, version 1.0.14
Configuring the [atomic] yum archive for this system

Installing the Atomic GPG key: OK
Downloading atomic-release-1.0-10.el4.art.noarch.rpm: OK

Would you like to add the Plesk yum repository to the system?

Enable Plesk repository? (y/n) [Default: n]: y << ANSWER Y

Plesk 8.6 and 9.0 repositories are available:
NOTE: Plesk 9 repos are only available for rhel/centos 4 and 5

Enable Plesk 8.6 or 9.0? (8/9) [Default: 8]: 8 << USE 8 – DO NOT UPDATE TO PLESK 9

The Atomic Rocket Turtle archive has now been installed and configured for your system
The following channels are available:
atomic – [ACTIVATED] – contains the stable tree of ART packages
atomic-testing – [DISABLED] – contains the testing tree of ART packages
atomic-bleeding – [DISABLED] – contains the development tree of ART packages

This has added the plesk repositories to your server, and you can now update your server with them:

[root@vps /]# yum update
Setting up Update Process
Setting up repositories
plesk 100% |=========================| 951 B 00:00
update 100% |=========================| 951 B 00:00

….
Transaction Summary
=============================================================================
Install xx Package(s)
Update xxx Package(s)
Remove 0 Package(s)
Total download size: 180 M
Is this ok [y/N]: y << ANSWER Y

This will then download and install the updates. Once installed, we need to make a change to a php configuration file and restart some services.

[root@vps /]# mv /etc/php.ini.rpmnew /etc/php.ini

And restart services

[root@vps /]# service psa stopall
[root@vps /]# service psa start

The VPS is now running more up to date packages, which in itself adds some security to the server.

Now to look into stopping the possible sshd incidents. One of the best things to do is to fully remove the ability for the root user to log in at all. This is fairly easy, but we need to make sure that we have another user set up first so we don’t block ourselves completely. So let’s set up a new user called vpslogin that we will use for all future logins to the shell itself:

[root@vps /]# useradd vpslogin -g wheel
[root@vps /]# passwd vpslogin
Changing password for user vpslogin.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.

Open a new ssh window to your server and check that this user can log in. If you can, then we can move to the next step, which is disabling the root user.

In your favourite editor (vi/nano/pico etc) open the file /etc/ssh/sshd_config and look for the line ‘PermitRootLogin’; we need to set this to ‘no’ and, if necessary, uncomment it.

Now restart the sshd server

[root@vps /]# service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]

At this point, if you try to log in using your root details, you should not be able to.

Should you wish to access the root shell again now, you would log in using the username ‘vpslogin’ and the relevant password; once logged in, you would then use the command ‘su -’ and enter the root password, and you will then have full root access to the server as you did before.

This step will have made the server more secure by making it impossible to log in using the common superuser, root, but we can go further than this.

Changing the sshd port will make it much more difficult for someone to just latch on to the sshd service and try to access it; at the same time, get rid of the ability to use Protocol 1, as this should not be needed any more.

Reopen the /etc/ssh/sshd_config file; we want to change these two lines:

#Port 22
#Protocol 2,1

Change them to something like

Port 3422 (change this to something random, but ensure it’s not used by another service)
Protocol 2

And then again restart the sshd server

[root@vps /]# service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]

When you ssh to your server in the future, remember you will need to change the sshd port in your ssh client.
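The three sshd_config edits above (PermitRootLogin no, a non-default Port, Protocol 2), applied by script and read back the way sshd reads them, as an added example that is not part of the 34SP.com post. The function names, the sample config and the sample services file are mine; it assumes the directives sit before any Match block and, unlike sshd, matches keywords case-sensitively.

```shell
#!/bin/sh
# Added example (not from the 34SP.com post): apply the three sshd_config changes above
# idempotently and read back what sshd will actually use. Try it on a copy of
# /etc/ssh/sshd_config first; restart sshd yourself afterwards as the post describes.
# Assumes directives sit before any Match block; keyword match is case-sensitive unlike sshd.

# set_directive FILE KEY VALUE: rewrite the first active "KEY ..." line (or, failing that, the
# first commented "#KEY ..." line) to "KEY VALUE", drop later active duplicates because sshd
# honours only the first occurrence, and append the directive if KEY is absent.
set_directive() {
    awk -v k="$2" -v v="$3" '
        $1 == k        { if (!done) { print k " " v; done = 1 }; next }
        $1 == ("#" k)  { if (!done) { print k " " v; done = 1; next } }
        { print }
        END { if (!done) print k " " v }
    ' "$1" > "$1.tmp" && cat "$1.tmp" > "$1" && rm -f "$1.tmp"
}

# effective_value FILE KEY: the value sshd uses, i.e. the first uncommented occurrence.
effective_value() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# port_in_services PORT [SERVICES_FILE]: true if PORT/tcp is already assigned to a service,
# which is the "not used by another service" check the post asks for.
port_in_services() {
    grep -q "[[:space:]]$1/tcp" "${2:-/etc/services}" 2>/dev/null
}

# harden_sshd FILE PORT [SERVICES_FILE]: refuse a port that belongs to another service,
# then apply all three directives.
harden_sshd() {
    if port_in_services "$2" "${3:-/etc/services}"; then
        echo "port $2 is assigned to another service; choose a different one" >&2
        return 1
    fi
    set_directive "$1" PermitRootLogin no
    set_directive "$1" Port "$2"
    set_directive "$1" Protocol 2
}

# Constructed sample: the stock commented-out lines quoted above plus one unrelated directive.
SAMPLE_CFG="$(mktemp)"; SAMPLE_SERVICES="$(mktemp)"
trap 'rm -f "$SAMPLE_CFG" "$SAMPLE_SERVICES"' EXIT
printf '#Port 22\n#Protocol 2,1\n#PermitRootLogin yes\nX11Forwarding yes\n' > "$SAMPLE_CFG"
printf 'ssh\t22/tcp\nhttp\t80/tcp\n' > "$SAMPLE_SERVICES"

# Usage: port 22 is rejected, port 3422 (the post's example) is applied.
harden_sshd "$SAMPLE_CFG" 22 "$SAMPLE_SERVICES" || echo "rejected port 22 as expected"
harden_sshd "$SAMPLE_CFG" 3422 "$SAMPLE_SERVICES" && cat "$SAMPLE_CFG"
```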

The instructions above will definitely help in securing your sshd server against random attacks. There are some tools that can aid in stopping these attacks after a few failed attempts; the instructions for this, however, are rather long, so do have a read of our support article: http://support.34sp.com/KB/a159/adding-denyhosts-to-vps-servers.aspx. This will show you a useful utility that maintains global lists of people who regularly try to brute force servers, so they will automatically be blocked from trying to access your sshd server. Please note it is possible to block yourself from your server using this if you regularly type your passwords wrong!

Another useful thing to do is to stop using passwords with sshd entirely, by using ssh keys; the following article is a good guide on how to do this: http://support.34sp.com/KB/a157/ssh-without-passwords-to-vps.aspx

One of the key things is to regularly update your VPS using the yum update command; make sure you watch the output, as you may need to update some configuration files. Do not, however, jump straight into new major releases of plesk itself: we always recommend that you wait until at least the .1 release (eg 8.1, 9.1), not the dot-zero releases (8.0.x, 9.0.x), as these generally are still in need of quite a few bug fixes.

We can, on request, create ‘snapshots’ of your VPS before you make any major configuration changes; the server can then be fully restored to that point in time if something does go badly wrong. As always, feel free to contact us with any questions or for help on securing your VPS server.

1 Comment

  1. To allow wheel group to sudo, you may need to edit /etc/sudoers using visudo (not just a plain old editor).

    Uncomment the second of the following lines :-

    ## Allows people in group wheel to run all commands
    # %wheel ALL=(ALL) ALL