I'm thinking about renting a server to host a web service. As much as I trust the hosting provider I still want to make sure nobody can access the secrets I'll be storing on that machine.
These are my current measures to boost the security (taken from here):
- Hosting provider sets everything up and provides me with the root password
- I connect to server
ssh [email protected]
- Update everything
sudo apt update
sudo apt upgrade
- Create new user, add it to sudo group, login as new user
adduser bigpenus
usermod -aG sudo bigpenus
exit
ssh [email protected]
- Removing root account from logging to ssh
sudo nano /etc/ssh/sshd_config
// PermitRootLogin no (changing from yes to no)
- Setting up firewall
sudo ufw default deny outgoing
sudo ufw default deny incoming
sudo ufw allow 22/tcp
sudo ufw allow 443/tcp
sudo ufw allow 80/tcp
sudo ufw enable
- Disable root account completely
sudo passwd -l root
There are other measures to beef up security. Like enabling 2FA authentication, installing Fail2Ban. You can read about it in the link above.
What else can I do to prevent the provider from accessing my files?
P.S. Any advice on security would be very appreciated!
Cheers!
CodePudding user response:
What you did would prevent your hosting provider to connect via ssh, but as long as they have physical access to the machine they host, you could imagine they could unplug the machine at any time and just look into the hard drive directly by plugging it into another machine. If the machine is a virtual machine or have some way to have its hardware remotely controlled. They might not even have to shutdown it, and they could possibly directly see what lies in the memory as well...
Of course if it is a serious business they won't do that, but the point is, if you cannot see (literraly with your eyes) what is happening with the hardware then you have to trust.
Apart from the provider, increasing network security is always a good idea, one advice from my own provider was to add an ip whitelist to the ssh port firewall rule (of course you need to ensure you will hold access to the ip you put in the whitelist if you put the whitelist directly on the machine, otherwise you may lose access to your own machine. Lots of cloud provider provides a "security groups" feature in their administration console, if that is your case, you could use that)