What are the security best practices with the new server AlmaLinux?

taker18

What do you do to secure your server? Share your thoughts.
1- I use SSH
2- remove root login (but it has disadvantages)
3- remove password (also has many disadvantages)
4- change the port 22
That is all I used to do, but the issue is that if I lose my 2 SSH computers I have no access whatsoever.

What are you guys doing?
Have you ever used this one to audit your security?
 
1. Don't use passwords
2. Access SSH only from some IPs
3. Change port if needed
4. For external ports, use a firewall: first disallow, and only allow what you need to have.
 
This is how I do it.

1.) I also use SSH.
2.) Change the SSH port to another port
3.) Create an SSH key with password for yourself (and test it)
4.) Disable password authentication and close the new SSH port in the firewall (just don't add it)
5.) Add your IP into the csf.allow file (and csf.ignore file).

Point 5 ensures that you can bypass the firewall and log in to SSH, even if nobody else can because the port is closed.
So using it this way, there is no need to disable root login because nobody can get in anyway.
And if root login via SSH is required for whatever reason, you can open the changed port in the firewall again.

If you lose access or your IP is changed, you can log in to DirectAdmin and add your new IP there too. Also you can open or close the firewall port or make changes to the sshd_config file if required.
 
More super secure.
1. Disable SSH root login from outside.
2. Enable SSH only for the admin account. In case you need to do things with root login, you can get access by simply executing the command "su -l root".

3. Change the admin password for access to the DA Panel ( :2222 ) to 64bit length, including special characters.

4. Change the MySQL/FTP password of the admin account to 72-128bit with different credentials.

5. Do not use the main account credentials in your web applications like FTP/database/webmail, unless you need them in a special case for debugging.

And save the passwords somewhere that's safe and easy for you to get at.

Ensure your PC doesn't have any malware. I suggest encrypting the password text file that's used to save the above passwords with your own low-length password to protect it from malware.
 
How did you live with this complicated life?
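
An added example, not code from any poster in this thread: a small shell audit that checks sshd_config text for the settings the replies above recommend (password authentication off, root login restricted, changed port, SSH limited to named accounts). The function names, the output format and the sample config are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: check sshd_config text against the settings named in this thread.
# sshd keeps the FIRST value it reads for most keywords, so a later
# "PasswordAuthentication no" does not undo an earlier "yes".
# Assumptions: Include files are not followed (feed them in on stdin in the
# order sshd reads them) and only the global section before any Match is checked.
# On a live server, "sshd -T" prints the effective configuration.

audit_sshd_config() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments and blank lines
    {
        sub(/[ \t]*=[ \t]*/, " ")                # accept "Keyword=value" too
        key = tolower($1); val = tolower($2)     # keywords are case-insensitive
    }
    key == "match" { exit }                      # stop at per-connection overrides
    key == "port"  { ports = ports " " val; next }   # Port may repeat; all apply
    key == "allowusers" || key == "allowgroups" { restricted = 1; next }
    !(key in first) { first[key] = val }         # first occurrence wins
    END {
        pa  = ("passwordauthentication" in first) ? first["passwordauthentication"] : "unset"
        prl = ("permitrootlogin" in first) ? first["permitrootlogin"] : "unset"
        if (ports == "") ports = " 22"           # compiled-in default port
        s = (pa == "no") ? "OK" : "FAIL"
        print s " PasswordAuthentication=" pa
        s = (prl == "yes" || prl == "unset") ? "WARN" : "OK"
        print s " PermitRootLogin=" prl
        s = index(ports " ", " 22 ") ? "INFO" : "OK"
        print s " Port=" substr(ports, 2)
        s = restricted ? "OK" : "WARN"
        print s " AllowUsers/AllowGroups=" (restricted ? "set" : "unset")
    }'
}

# Constructed sample (not from a real server): the second PasswordAuthentication
# line looks like hardening but is ignored because the first one already matched.
sample_config() {
    cat <<'EOF'
Port 2222
PasswordAuthentication yes
PermitRootLogin prohibit-password
PasswordAuthentication no
Match Address 203.0.113.0/24
    PasswordAuthentication yes
EOF
}

sample_config | audit_sshd_config
```

PasswordAuthentication left unset is reported as FAIL because the OpenSSH default is yes; an unset PermitRootLogin is a WARN because the default depends on the build.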
 