This is part 2 of a series of posts on server security from Inversoft's 2016 Guide to User Data Security.
In this guide, we will take you through the steps to create servers using Linode, a virtual server provider. Linode provisions stock versions of most operating systems, and the freshly provisioned server is reachable from the entire Internet. This is the same situation you would be in if you were running your own servers. If you use Amazon, Google or other similar providers instead, some of the security configurations below will be managed using the web-based configuration systems of the hosting provider. We'll try to indicate places where providers like Amazon provide web tools to manage security.
Now that you know what the architecture looks like, let's create the two servers you need. We'll be using the Ubuntu Linux version 16.04 LTS image for this guide. Most of the file locations and instructions assume that you will be using Ubuntu. If you prefer to use CentOS or a different distribution, you will need to translate these instructions.
Our examples will use two Linode 1024 instances hosted in California. Here are the setup steps you can use to create the servers:
Step 1: Select the Server Type
Step 2: Deploy the Linux Operating System
In this step, be sure to select a long and secure root password. Later you will disable root passwords, but for the initial process you need to ensure the server is secure.
Step 3: Configure a Private IP Address
You need to give both servers a private IP address that is not world accessible, but is accessible between Linode servers. This setting is on the Remote Access page.
After you add a private IP address, your configuration should look like this:
Before the private IP address will take effect, you need to enable the "Auto-configure Networking" setting. From the Dashboard, click the "Edit" link to the right of your configuration at the top of the page. This will take you to the configuration options. At the bottom, enable the "Auto-configure Networking" setting. This option looks like this:
Then click "Save Changes".
Step 4: Boot the Server
Now, boot your Linode server by clicking the Boot button on the details page:
Both servers should now be running. The next step of the process is to lock down remote access to the servers and secure passwords and user accounts. You will need to perform all of these steps on each server to ensure both are secure. There are numerous guides available to help you secure Linux servers, but we will cover the most common steps we use at Inversoft.
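One check worth running on each server once it has booted, before starting the lockdown steps, is to confirm that the private IP address from Step 3 actually came up (it only does once "Auto-configure Networking" is enabled). The following POSIX shell script is an added example, not part of the Inversoft guide or its GitHub scripts. It assumes that Linode private IPv4 addresses fall in 192.168.128.0/17 and parses the output of `ip -4 -o addr show`; a constructed sample of that output is embedded so it runs offline.

```shell
#!/bin/sh
# Added example, not from the Inversoft guide: confirm the Step 3 private IP
# came up after boot. Assumption: Linode private IPv4 addresses live in
# 192.168.128.0/17 (192.168.128.0 - 192.168.255.255).

# is_linode_private_ip A.B.C.D -> exit 0 if the address is in 192.168.128.0/17
is_linode_private_ip() {
    case "$1" in *[!0-9.]* | "") return 1 ;; esac   # digits and dots only
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs     # split into octets
    [ "$#" -eq 4 ] || return 1
    [ "$1" -eq 192 ] && [ "$2" -eq 168 ] && \
        [ "$3" -ge 128 ] && [ "$3" -le 255 ] && [ "$4" -le 255 ]
}

# classify_ip A.B.C.D -> prints loopback, private or public
classify_ip() {
    case "$1" in 127.*) echo loopback; return ;; esac
    if is_linode_private_ip "$1"; then echo private; else echo public; fi
}

# private_ip_from_ip_output "<output of ip -4 -o addr show>"
# Prints the first private address found; exits 1 if none is configured.
private_ip_from_ip_output() {
    addrs=$(printf '%s\n' "$1" | awk '$3 == "inet" { split($4, a, "/"); print a[1] }')
    for addr in $addrs; do
        if is_linode_private_ip "$addr"; then
            printf '%s\n' "$addr"
            return 0
        fi
    done
    return 1
}

# Constructed sample of `ip -4 -o addr show` (not captured from a real host):
# loopback, a public address and a Linode private address on eth0.
SAMPLE_IP_OUTPUT='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 203.0.113.10/24 brd 203.0.113.255 scope global eth0\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.140.25/17 brd 192.168.255.255 scope global eth0\       valid_lft forever preferred_lft forever'

# On a live server run: check_private_ip "$(ip -4 -o addr show)"
check_private_ip() {
    if priv=$(private_ip_from_ip_output "$1"); then
        echo "private IP configured: $priv"
    else
        echo "no private IP found: enable Auto-configure Networking and reboot" >&2
        return 1
    fi
}

check_private_ip "$SAMPLE_IP_OUTPUT"
```

Run it on both servers; if it reports no private IP, the Step 3 configuration has not taken effect and the servers will not be able to talk over the private network later in the guide.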
NOTE: We assume once a hacker has gained access to the server undetected, they will eventually succeed in gaining root access and will have access to everything. Therefore, we will cover some steps to secure user accounts and make the hacker's job harder, but we won't go into extreme detail here. Instead, we will focus primarily on preventing hackers from gaining access to the server in the first place.
Find our GitHub project here: https://github.com/inversoft/2016-security-scripts. This project contains a set of scripts you can execute from your local computer to secure a remote server.