In part one of our VPS hardening project we changed the SSH port and disallowed root login over SSH.
The next two things we are going to do are to install Logwatch and then block connections to the FTP and MySQL ports.
Logwatch is a very useful, lightweight utility that scans your server logs and produces a report from them.
To install Logwatch (on CentOS / RHEL), simply type:
yum install logwatch -y
How to get log details emailed to you
There are a number of settings you might want to change in Logwatch; however, to get a simple report emailed to you, just type this into your SSH session:
logwatch --detail Low --mailto email@address --service http --range today
For further configuration options this article will help.
Blocking FTP ports and MySQL port
To do this we had to journey into the world of iptables.
You can block a port entirely from being accessed over the network by using the --dport or --destination-port switch and adding the port of the service you want to block.
Run the below to reject the FTP ports and only accept MySQL connections from localhost.
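# Reject FTP control (21) and FTP data (20) connections with a TCP reset
/sbin/iptables -A INPUT -p tcp --destination-port 21 -j REJECT --reject-with tcp-reset
/sbin/iptables -A INPUT -p tcp --destination-port 20 -j REJECT --reject-with tcp-reset
# Accept MySQL from the loopback address, then reject it from everywhere else.
# The ACCEPT rule alone does not block remote hosts if the chain policy is ACCEPT.
iptables -A INPUT -p tcp --dport 3306 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp --dport 3306 -j REJECT --reject-with tcp-reset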
Block just one IP address like this (swapping the IP address for the one you want to block):
iptables -A INPUT -s 188.8.131.52 -j DROP
Don’t forget to save the configuration with
Removing iptables rules
If you make a mistake you can remove a rule by getting a list of them with
iptables -vnL INPUT --line-numbers
Then, once you have the number of the rule, you can delete it, e.g. rule 9:
iptables -D INPUT 9
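To check the blocking rules from the section above, this added example (not part of the original article) reads rules in the format printed by `iptables -S INPUT` and reports whether a remote host can still reach TCP ports 20, 21 and 3306. The function names and both sample rule sets are constructed for illustration, and it assumes only rules that name the port with --dport, plus the chain policy, decide the outcome.

```shell
#!/bin/sh
# Added example, not from the original article. Reads rules in the format
# printed by `iptables -S INPUT` and reports whether a remote host can reach
# a TCP port. Assumption: only rules that name the port with --dport and the
# chain policy are considered; rules restricted with -s are skipped because
# they do not match an arbitrary remote source.

verdict_for_port() {   # usage: verdict_for_port PORT < rules
    awk -v port="$1" '
        $1 == "-P" && $2 == "INPUT" { policy = $3; next }
        $1 != "-A" || $2 != "INPUT" { next }
        {
            dport = ""; target = ""; has_src = 0; tcp = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "--dport") dport = $(i + 1)
                else if ($i == "-j") target = $(i + 1)
                else if ($i == "-s") has_src = 1
                else if ($i == "-p" && $(i + 1) == "tcp") tcp = 1
            }
            if (!tcp || dport != port || has_src) next
            if (verdict == "") verdict = target   # first matching rule wins
        }
        END {
            if (verdict == "") verdict = policy   # nothing matched: policy applies
            print ((verdict == "DROP" || verdict == "REJECT") ? "blocked" : "open")
        }'
}

audit_ports() {        # usage: audit_ports < rules ; returns 1 if any port is open
    rules=$(cat); status=0
    for port in 20 21 3306; do
        v=$(printf '%s\n' "$rules" | verdict_for_port "$port")
        echo "tcp/$port: $v"
        [ "$v" = "blocked" ] || status=1
    done
    return "$status"
}

# Constructed sample rule sets (not captured from a real server).
ACCEPT_ONLY='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp --dport 20 -j REJECT --reject-with tcp-reset
-A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -p tcp -m tcp --dport 3306 -j ACCEPT'
WITH_REJECT="$ACCEPT_ONLY
-A INPUT -p tcp -m tcp --dport 3306 -j REJECT --reject-with tcp-reset"

printf '%s\n' "$ACCEPT_ONLY" | audit_ports || echo "=> a port is still reachable"
printf '%s\n' "$WITH_REJECT" | audit_ports && echo "=> all three ports blocked"
```

On a server, run it against the live rules with `iptables -S INPUT | audit_ports`.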