VPS/VDS Linux Optimization Guide


amazinghorse

Today I will show you how to set up, speed up and secure your Linux VPS/VDS from scratch.
This tutorial is useful for any kind of server: web/db/storage/seedbox/etc.
The guide is written for Debian/Ubuntu servers, but you can easily adapt it to any Linux distro you like!


We need a couple of tools before we start:
A good SSH client (PuTTY) - http://www.chiark.greenend.org.uk/~sgtatham/putty/
A nice text editor for notes (Notepad++) - http://notepad-plus-plus.org/
 

Our test subject is a low-budget VPS from lowendbox.com.

Specs:
CPU : 1 vCPU
RAM : 128 MB
HDD : 10 GB
VM Technology : OpenVZ

OS : Debian 7.0 x86 Wheezy

Pretty low-end VPS as you can see, but we will try to get the maximum out of this box in this tutorial!


The Beginning
After the server is deployed, you should receive an e-mail from your VPS provider at the address you specified during registration,
with something like this:

Hello dear customer!

Your VPS has been created.

Server: vps123
Intel Xeon X5650
Configuration: 1xIntel-Xeon/128Mb/10Gb/1xIPv4@100
Operating System: Debian 7.0 x86 Wheezy

SSH Access details:
IP : 12.345.xx.xx
Port : 22
User : root
Password : xxxxxxxxxxx

Use PuTTY client for SSH connection.

Best Regards,
Your VPS Provider

 

Let's connect!

  • Start PuTTY.
  • When a PuTTY Configuration window opens select Session (it should be selected by default) from the Category panel on the left.
  • In the Host Name (or IP address) field enter our VPS IP (12.345.xx.xx).
  • Make sure the Port field is 22 (the default), matching our VPS port.
  • Make sure that SSH is selected under Protocol (it should be selected by default).
  • Click on Open.

If you are already on a Linux machine (your desktop), connect to our VPS with this command:

$ ssh root@12.345.xx.xx -p 22

And most likely we will get a prompt about the server's host key:

The authenticity of host '[12.345.xx.xx]:22 ([12.345.xx.xx]:22)' can't be established.
ECDSA key fingerprint is xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx.
Are you sure you want to continue connecting (yes/no)?

Before you agree, compare the fingerprint with the one your provider shows (in the control panel or the welcome e-mail, or by running ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub on the provider's VNC/serial console). A matching fingerprint is the only thing that protects this very first connection from a man-in-the-middle; once accepted, the key is stored in ~/.ssh/known_hosts and the client will warn you if it ever changes. Then type yes.

Congratulations, you are in the system.

Let's update our system:

$ apt-get update && apt-get dist-upgrade

Don't use the root account by default!
By default we are operating as root, which is bad for security: every typo runs with full privileges, and every brute-force attempt targets an account that is guaranteed to exist.

1. Create a user that we will use for everyday work (the easiest way):

$ adduser user

We will get something like this:

Adding user `user' ...
Adding new group `user' (1001) ...
Adding new user `user' (1001) with group `user' ...
Creating home directory `/home/user' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for user
Enter the new value, or press ENTER for the default
    Full Name []: user User
    Room Number []: 000
    Work Phone []:
    Home Phone []:
    Other []:
Is the information correct? [Y/n] Y

Type a complex password (one you will not forget!) and fill in the details you want, or just press Enter.


2. Allow the user to run sudo
Add the user to the special sudo group:

$ usermod -a -G sudo user

where user is the user name.
That's all; we can log out and log in as user.

$ ssh user@12.345.xx.xx -p 22

From now on, use sudo whenever you need root privileges.


Secure your SSH
Almost immediately after starting the server we noticed suspicious activity on port 22.
Apparently Chinese porn scanners have already smelled us and begun brute-forcing passwords. :LOL:
The easiest way to cut the noise is to change the SSH port from 22 to something else. This hides you from scanners that only try port 22; it is not a substitute for the settings below, since a port scan finds the new port in seconds.

1. To do this, open the configuration file of the SSH server:

$ sudo nano /etc/ssh/sshd_config

Look for the line "Port 22" and replace it with "Port 354", where 354 is any number in the range 1 to 65535 that is not already in use.
In any case, let's see which ports are already listening (sudo is needed for -p to show the process names):

$ sudo netstat -tupln | grep LISTEN

And choose a port that is not on this list.
Ports 80, 443, 3306, 22, 21 and 8080 are a really bad idea, since other services and scanners expect them. Prefer a port below 1024: only root can bind those, so an unprivileged local process cannot grab the port while sshd is down.

2. Next, limit the address family used for connections (IPv4 or IPv6).
If your server does not use IPv6, add to /etc/ssh/sshd_config:
AddressFamily inet

3. Forbid logging in as root: look for PermitRootLogin and set its value to no.
If this parameter isn't present, add it:
PermitRootLogin no

4. Allow connections only for certain accounts; in /etc/ssh/sshd_config:
AllowUsers user

Multiple user names are separated by spaces. Make sure the user you created above is in this list, otherwise you will lock yourself out.

5. Forbid login attempts with an empty password.
Look for PermitEmptyPasswords and set its value to no.
PermitEmptyPasswords no

If you have already copied an SSH key into ~/.ssh/authorized_keys for user, also set PasswordAuthentication no; brute-forcers then have nothing left to guess.

6. Save the file and restart the SSH daemon:

$ sudo /etc/init.d/ssh restart

That's all for now. Keep this session open and log in again with the new parameters in a second window; if the new login fails, you can still fix the config from the first session:

$ ssh user@12.345.xx.xx -p 354
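Here is the whole SSH section as an added example script (not part of the original post): it rewrites each directive idempotently, so running it twice does not duplicate lines, and it checks the result with sshd -t before restarting, so a typo cannot leave you locked out. It assumes Debian/Ubuntu paths (/etc/ssh/sshd_config, /etc/init.d/ssh, /usr/sbin/sshd) and only touches the live system when invoked with the word apply; the port and user name are arguments.

```shell
#!/bin/sh
# Added example, not from the original post: apply the sshd_config changes from the
# steps above idempotently and refuse to restart sshd if the result does not parse.
# Assumes Debian/Ubuntu paths; run as root: sh harden_sshd.sh apply 354 user
set -eu

# set_sshd_option FILE KEY VALUE
# Rewrites any existing "KEY ..." line (active or commented out) to "KEY VALUE",
# or appends the directive if the file has none, so a second run changes nothing.
set_sshd_option() {
    file=$1 key=$2 value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|$)" "$file"; then
        sed -i -E "s|^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?$|$key $value|" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# get_sshd_option FILE KEY -> the effective value (sshd uses the first occurrence)
get_sshd_option() {
    awk -v k="$2" '$1 == k { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# harden_sshd CONFIG PORT USER: the five settings from the section above
harden_sshd() {
    cfg=$1 port=$2 login_user=$3
    cp -p "$cfg" "$cfg.bak.$(date +%s)"     # a copy to roll back to from the still-open session
    set_sshd_option "$cfg" Port "$port"
    set_sshd_option "$cfg" AddressFamily inet
    set_sshd_option "$cfg" PermitRootLogin no
    set_sshd_option "$cfg" AllowUsers "$login_user"
    set_sshd_option "$cfg" PermitEmptyPasswords no
    # sshd -t parses the config and exits non-zero on any error without touching the running daemon
    if ! /usr/sbin/sshd -t -f "$cfg"; then
        echo "sshd_config has errors; NOT restarting. Fix it and rerun." >&2
        return 1
    fi
    /etc/init.d/ssh restart
    echo "Now test 'ssh $login_user@<ip> -p $port' in a NEW window before closing this one."
}

# Only touch the live system when explicitly asked to
if [ "${1:-}" = apply ]; then
    harden_sshd /etc/ssh/sshd_config "$2" "$3"
fi
```

The grep/sed pair deliberately matches commented-out directives too, because the stock Debian file ships most of these keys as "#PermitRootLogin yes"-style comments; replacing the comment keeps the file readable instead of leaving a misleading default next to the real setting.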

 

SWAP Installation

In our test case no swap was created automatically, and with this little memory that is critical.
Attention! This is our specific case; first check whether you already have swap:

$ sudo swapon -s

If there is no swap by default, we create it!

Create the file for the swap area with dd, where /swap is the name and path of the file and bs=1024 count=512K gives 512 MB
(the usual formula is swap = RAM * 1.5, but that does not apply to our case):

$ sudo dd if=/dev/zero of=/swap bs=1024 count=512K

Next, write the swap signature at the beginning of the file so the kernel can use it as a paging area:

$ sudo mkswap /swap

After this operation we will see something like this:

Setting up swapspace version 1, size = 536868 KiB
no label, UUID=103c4545-5fc5-47f3-a8b3-dfbdb64fd7eb

The next step activates the newly created swap file. Before that, make sure the file is mode 600 (readable and writable by root only): a world-readable swap file lets any local user read whatever memory pages were swapped out, and swapon itself warns about insecure permissions. If swapon fails with "Operation not permitted", your container technology does not allow swap files inside the guest (common with OpenVZ) and swap has to come from the provider.

$ sudo swapon /swap

Then add the file to fstab so swap is enabled at the next boot (only tee needs sudo; sudo on echo does nothing for the redirect):

$ echo "/swap swap swap defaults 0 0" | sudo tee -a /etc/fstab
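The same procedure as an added example script (not from the original post) that is safe to re-run: it does nothing if swap is already active, sets the 600 mode the bare dd/mkswap/swapon sequence skips, and appends the fstab line only once. It assumes Debian/Ubuntu tools (swapon -s, GNU stat, /etc/fstab) and only touches the system when invoked with the word run; the file path and size are assumptions taken from the text above and can be overridden through the environment.

```shell
#!/bin/sh
# Added example, not part of the original post: the swap-file procedure above as a
# re-runnable script. Assumes Debian/Ubuntu; run as root: sh mkswapfile.sh run
set -eu

SWAPFILE=${SWAPFILE:-/swap}     # path from the tutorial
SIZE_MB=${SIZE_MB:-512}         # 512 MB, as in the tutorial

# has_active_swap TEXT: TEXT is the output of `swapon -s` (a header line, then one
# line per active swap area); succeeds if at least one swap area is listed
has_active_swap() {
    [ "$(printf '%s\n' "$1" | sed '1d' | grep -c .)" -gt 0 ]
}

# ensure_fstab_line FILE LINE: append LINE unless an identical line is already present
ensure_fstab_line() {
    grep -Fxq -- "$2" "$1" 2>/dev/null || printf '%s\n' "$2" >> "$1"
}

# swapfile_mode_ok FILE: succeeds only if the file is mode 600 (root-only).
# A world-readable swap file lets any local user read pages that were swapped out;
# swapon prints "insecure permissions 0644, 0600 suggested" for exactly this reason.
swapfile_mode_ok() {
    [ "$(stat -c %a "$1")" = 600 ]
}

create_swapfile() {
    if has_active_swap "$(swapon -s)"; then
        echo "swap already active, nothing to do"
        return 0
    fi
    if [ ! -f "$SWAPFILE" ]; then
        dd if=/dev/zero of="$SWAPFILE" bs=1M count="$SIZE_MB"
    fi
    chmod 600 "$SWAPFILE"
    swapfile_mode_ok "$SWAPFILE"
    mkswap "$SWAPFILE"
    # In an OpenVZ container this is the step that fails with "Operation not permitted":
    # the guest may not add swap; only the provider can give you some.
    swapon "$SWAPFILE"
    ensure_fstab_line /etc/fstab "$SWAPFILE swap swap defaults 0 0"
}

if [ "${1:-}" = run ]; then
    create_swapfile
fi
```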

 

Tweak kernel parameters to get protection from certain types of attacks.

Edit /etc/sysctl.conf

$ sudo nano /etc/sysctl.conf

Add these lines to the end:

# Anti-smurf: ignore ICMP echo requests sent to broadcast addresses
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Ignore bogus ICMP error responses
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Protection against SYN flooding
net.ipv4.tcp_syncookies = 1
# Forbid source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Anti-spoofing: drop packets whose source address is not routable back through the interface they arrived on
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# We are not a router (unless of course we are)
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Full address-space randomisation (stack, mmap, VDSO and brk) against buffer-overflow exploits.
# 2 is the kernel default and the value to keep; 1 would leave the brk area unrandomised.
# kernel.exec-shield exists only on Red Hat kernels: do not add it on Debian, sysctl would
# just report an unknown key.
kernel.randomize_va_space = 2
# Expand the range of ephemeral ports
net.ipv4.ip_local_port_range = 2000 65000
# Increase the maximum size of the TCP buffers
net.ipv4.tcp_rmem = 4096 87380 8388608
net.ipv4.tcp_wmem = 4096 87380 8388608
net.core.rmem_max = 8388608
net.core.wmem_max = 8388608
net.core.netdev_max_backlog = 5000
net.ipv4.tcp_window_scaling = 1

# Prefer keeping pages in RAM and swap only when really needed (the default is 60)
vm.swappiness = 10

Apply the settings without a reboot with sysctl -p, which also prints every key it could not set. Inside an OpenVZ container many of these keys are read-only or absent, because they belong to the host's kernel; sysctl -p will list them, and there is nothing you can do about those from inside the guest.
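sysctl -p only tells you what it failed to set, and a value silently pinned by the host still looks fine in sysctl.conf. The following added audit script (not from the original post) reads a sysctl.conf-style file and compares each key with the value the running kernel actually has in /proc/sys, reporting keys the kernel does not know (such as kernel.exec-shield on Debian) and values that differ. It assumes a Linux /proc/sys and needs no root; the file to audit is an argument.

```shell
#!/bin/sh
# Added example, not part of the original post: audit a sysctl.conf against the
# values the running kernel really has. Assumes Linux; usage: sh sysctl_audit.sh /etc/sysctl.conf
set -eu

# parse_sysctl_conf: stdin = sysctl.conf text; stdout = "key value" per line.
# Comments and blank lines are dropped, whitespace around '=' is trimmed and
# runs of whitespace inside multi-value settings (tcp_rmem) are collapsed to one space.
parse_sysctl_conf() {
    awk -F= '
        /^[ \t]*[#;]/ || NF < 2 { next }
        {
            key = $1; val = $2
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            gsub(/[ \t]+/, " ", val)
            if (key != "") print key, val
        }'
}

# sysctl_to_path KEY -> /proc/sys path, e.g. net.ipv4.tcp_syncookies -> /proc/sys/net/ipv4/tcp_syncookies
sysctl_to_path() {
    printf '/proc/sys/%s\n' "$(printf '%s' "$1" | tr . /)"
}

# audit_sysctl FILE: prints OK / DIFF / MISSING per key; succeeds only if every key is OK
audit_sysctl() {
    conf=$1
    bad=0
    while read -r key expected; do
        path=$(sysctl_to_path "$key")
        if [ ! -r "$path" ]; then
            echo "MISSING $key (kernel has no such key, or the container hides it)"
            bad=$((bad + 1))
            continue
        fi
        # word splitting normalises the tabs /proc/sys puts between multi-value fields
        set -- $(cat "$path")
        actual="$*"
        if [ "$actual" = "$expected" ]; then
            echo "OK      $key = $actual"
        else
            echo "DIFF    $key: want '$expected', kernel has '$actual'"
            bad=$((bad + 1))
        fi
    done <<EOF
$(parse_sysctl_conf < "$conf")
EOF
    [ "$bad" -eq 0 ]
}

if [ $# -ge 1 ]; then
    audit_sysctl "$1"
fi
```

Run it once before sysctl -p to see the kernel's defaults and once after to confirm the changes took; a DIFF that survives sysctl -p on an OpenVZ box is a host-controlled key, and a MISSING entry is a line to delete from sysctl.conf.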

 
 
Speed-up overall system performance
Prelink and Preload.

Prelink is intended to speed up a system by reducing the time a program needs to start: it pre-computes the addresses at which shared libraries will be loaded and stores them in the binaries.
Actual results have been mixed, but it seems to help systems with a large number of libraries.
Two caveats before you enable it: prelink rewrites the binaries on disk, so package checksums (debsums) and any file-integrity monitoring will flag every prelinked file, and because the library addresses become fixed, prelinked binaries lose most of the benefit of the address-space randomisation (randomize_va_space) configured above. On a box where security matters more than a few milliseconds of start-up time, skip this step.

Preloading is the action of putting and keeping target files in RAM. The benefit is that preloaded applications start more quickly, because reading from RAM is always faster than from the hard drive. Part of your RAM will be dedicated to this, but no more than if you kept the application open.

1. Prelink Installation:

$ sudo apt-get -y install prelink

Edit the file /etc/default/prelink:

$ sudo nano /etc/default/prelink

Change the line PRELINKING=unknown to PRELINKING=yes

Run:

$ sudo /etc/cron.daily/prelink

 
2. Preload Installation:

$ sudo apt-get -y install preload

 
That's all!
 
 
Fail2Ban
Would you like to type "last" and realize someone has just logged into your server from a far-away country?
Well, the solution is here!
We will be installing fail2ban, which can monitor not just SSH but many other daemons.
It is quite cool: after X failed attempts it adds the offending IP to iptables for X amount of time, and can send you an e-mail about it.
 
1. Install Fail2Ban

$ sudo apt-get install fail2ban

2. Configuring fail2ban:
fail2ban is configured automatically for the most part. However, a few items need to be tweaked.
/etc/fail2ban/fail2ban.conf holds the general settings, such as the log file fail2ban writes to and the socket path.
The jails themselves are configured in /etc/fail2ban/jail.conf.
However, it's recommended not to change that file directly. Instead, make a copy to jail.local;
the .local file overrides the .conf one.

$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Open config:

$ sudo nano /etc/fail2ban/jail.local

[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1 172.31.0.0/24 10.10.0.0/24 192.168.0.0/24
bantime = 86400
maxretry = 5

[ssh-iptables]
enabled = true
filter = sshd
# the port must be the one sshd really listens on: "ssh" means 22, which we no longer use
action = iptables[name=SSH, port=354, protocol=tcp]
         sendmail-whois[name=SSH, dest=you@mail.com, sender=fail2ban@mail.com]
logpath = /var/log/auth.log
# logpath = /var/log/secure   (RedHat, CentOS, Fedora)
maxretry = 5

Debian also ships a plain [ssh] jail that is enabled by default and bans on port ssh (22); either give it port = 354 as well or set enabled = false there, otherwise its bans never touch the port the attackers are actually hitting.

First, under [DEFAULT] find ignoreip. It's always important for you to have a way in! These are the IPs fail2ban will ignore; IPs listed here can fail logins as often as they like. Put your own home or office address here; they need to be space separated.
Check also bantime, maxretry and the other settings. I believe the default bantime of only 10 minutes (600 sec) is not enough to handle an attack,
so I raised it to 86400 (24 hours). Also adjust the log file paths and names to your system.
 
Then restart the service:

$ sudo /etc/init.d/fail2ban restart

And check your iptables (-n skips the slow reverse DNS lookups; you should see a fail2ban-SSH chain, named after the name= in the action above):

$ sudo iptables -L -n

 
If you want to unblock someone, delete the rule from the fail2ban chain (sudo iptables -L fail2ban-SSH -n --line-numbers shows the rule numbers):

$ sudo iptables -D fail2ban-SSH 1

Note that fail2ban itself still considers that IP banned until bantime expires and may re-add the rule; if your fail2ban-client supports it, fail2ban-client set ssh-iptables unbanip <ip> is the clean way.

Count failed SSH logins per source IP (Debian logs to /var/log/auth.log, RedHat to /var/log/secure):

$ grep 'Failed password' /var/log/auth.log | awk '{print $(NF-3)}' | sort | uniq -c | sort -rn
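To see what the sshd jail does with those log lines before trusting it with your own access, here is an added example (not part of the original post and not fail2ban's own code) that performs the same counting over a few constructed auth.log lines in Debian format and lists the sources that would be banned at maxretry = 5. The log lines and addresses are made up for the example; with the argument live it reads the real /var/log/auth.log instead.

```shell
#!/bin/sh
# Added example, not part of the original post: the per-source counting behind the
# sshd jail, run over constructed auth.log lines. Usage: sh failed_logins.sh [live]
set -eu

# Constructed sample log lines (Debian auth.log format, documentation addresses); not real traffic.
SAMPLE_AUTH_LOG='Jan 10 03:14:01 vps123 sshd[2311]: Failed password for root from 203.0.113.5 port 51022 ssh2
Jan 10 03:14:03 vps123 sshd[2311]: Failed password for root from 203.0.113.5 port 51023 ssh2
Jan 10 03:14:05 vps123 sshd[2315]: Failed password for invalid user admin from 203.0.113.5 port 51030 ssh2
Jan 10 03:14:07 vps123 sshd[2318]: Failed password for invalid user oracle from 203.0.113.5 port 51041 ssh2
Jan 10 03:14:09 vps123 sshd[2320]: Failed password for root from 203.0.113.5 port 51050 ssh2
Jan 10 03:20:11 vps123 sshd[2402]: Failed password for user from 198.51.100.7 port 40001 ssh2
Jan 10 03:21:40 vps123 sshd[2410]: Accepted publickey for user from 198.51.100.7 port 40002 ssh2'

# failed_logins_by_ip: stdin = auth.log lines; stdout = "<count> <ip>", highest first.
# Only sshd "Failed password" lines count; the address is the word after "from", which
# works for both "for root from ..." and "for invalid user admin from ..." variants.
failed_logins_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# would_ban MAXRETRY: the sources at or above the threshold, i.e. what the jail would ban
would_ban() {
    failed_logins_by_ip | awk -v max="$1" '$1 >= max { print $2 }'
}

if [ "${1:-}" = live ]; then
    failed_logins_by_ip < /var/log/auth.log
else
    printf '%s\n' "$SAMPLE_AUTH_LOG" | would_ban 5
fi
```

Real fail2ban additionally applies a findtime window (600 seconds by default), so five failures spread over a day do not trigger a ban; to test the actual filter against your own log, use fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf, which prints how many lines the sshd regexes matched.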

 
Other Tips:

Stop the service

$ sudo /etc/init.d/fail2ban stop

Delete the socket if it is still there (the path is set by the socket = line in /etc/fail2ban/fail2ban.conf; a stale socket left by an unclean stop prevents the next start)

$ sudo rm /tmp/fail2ban.sock

Start the service

$ sudo /etc/init.d/fail2ban start

Check if fail2ban is working

$ sudo fail2ban-client ping

The answer should be "pong".

If the answer is not "pong", run away or CRY FOR HELP :smile:
