When deploying API-X servers, especially manually or outside of cloud platforms, it's essential to secure your infrastructure against various attacks, including Distributed Denial of Service (DDoS) attacks, unauthorized access, and other threats. Cloud platforms like AWS, GCP, and Azure offer built-in security mechanisms, but when managing your own servers, particularly on CentOS or Ubuntu, you need to implement these security measures yourself. This guide will help you secure API-X servers effectively.
Firewalls are your first line of defense in network security. On CentOS and Ubuntu, firewalls can be managed using firewalld or ufw, respectively:
CentOS (using firewalld):
Install firewalld if it's not already installed:
sudo yum install firewalld
sudo systemctl enable firewalld
sudo systemctl start firewalld
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --permanent --add-service=ssh
sudo firewall-cmd --reload
Ubuntu (using ufw):
Install ufw and allow essential services:
sudo apt install ufw
sudo ufw allow http
sudo ufw allow https
sudo ufw allow ssh
sudo ufw enable
Use iptables or nftables on CentOS and Ubuntu to limit the number of connections:
sudo iptables -A INPUT -p tcp --dport 80 -m connlimit --connlimit-above 20 -j DROP
sudo yum install epel-release
sudo yum install fail2ban
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
sudo apt install fail2ban
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
For additional security, consider restricting SSH access to a Virtual Private Network (VPN). This helps ensure that only trusted users on the VPN can access your servers remotely.
Disable direct root login to prevent attackers from attempting to guess the root password:
Edit /etc/ssh/sshd_config and set the following:
PermitRootLogin no
sudo systemctl restart sshd
Replace password-based authentication with SSH key authentication for enhanced security:
ssh-keygen -t rsa -b 4096
ssh-copy-id user@server_ip
Edit /etc/ssh/sshd_config and set:
PasswordAuthentication no
sudo systemctl restart sshd
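An added example (not part of the original guide): a shell check for the two sshd_config settings above, PermitRootLogin and PasswordAuthentication. sshd uses the first value it reads for each keyword, so a "PasswordAuthentication no" appended below an earlier "yes" has no effect. The function names and sample configs are constructed for illustration, and the parser assumes whitespace-separated "keyword value" lines.

```shell
#!/bin/sh
# Added example: audit the two sshd settings this guide changes.
# Input is "keyword value" lines on stdin (an sshd_config file or `sshd -T`).

# Print the first global value of keyword $1, lowercased, or nothing.
# sshd keeps the FIRST value it reads for a keyword, so later duplicates
# are ignored. Lines inside a Match block are conditional and are skipped.
first_value() {
  awk -v key="$1" '
    BEGIN { key = tolower(key) }
    /^[ \t]*(#|$)/ { next }                # comment or blank line
    { k = tolower($1) }
    k == "match" { exit }                  # stop at the first Match block
    k == key { print tolower($2); exit }   # first occurrence wins
  '
}

# Print PASS/FAIL per setting; exit status 1 unless both are explicitly "no".
# The body runs in a subshell so its variables stay local.
audit_sshd() (
  cfg=$(cat)
  rc=0
  for key in PermitRootLogin PasswordAuthentication; do
    val=$(printf '%s\n' "$cfg" | first_value "$key")
    if [ "$val" = "no" ]; then
      echo "PASS $key no"
    else
      echo "FAIL $key ${val:-unset}"
      rc=1
    fi
  done
  exit "$rc"
)

# Constructed sample: the hardening line was appended at the end, but sshd
# uses the earlier "PasswordAuthentication yes".
SAMPLE_APPENDED='# constructed sample, not a real host
PermitRootLogin no
PasswordAuthentication yes
UsePAM yes
PasswordAuthentication no'

# Constructed sample with both settings effective.
SAMPLE_HARDENED='# constructed sample, not a real host
PermitRootLogin no
PasswordAuthentication no'

printf '%s\n' "$SAMPLE_APPENDED" | audit_sshd || true
```

On a live host, `sudo sshd -T | audit_sshd` checks the effective configuration, including any files pulled in by an Include directive.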
To secure traffic between clients and your API-X server, use SSL/TLS certificates:
sudo apt install certbot
sudo certbot certonly --standalone -d yourdomain.com
0 3 * * * /usr/bin/certbot renew --quiet
NGINX: Edit your NGINX configuration to use SSL:
server {
    listen 443 ssl;
    server_name yourdomain.com;
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
    location / {
        proxy_pass http://localhost:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
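Apache: Enable the SSL module, plus the proxy modules that the ProxyPass directives in the site configuration require, and configure Apache to use SSL:
sudo a2enmod ssl proxy proxy_http
sudo systemctl restart apache2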
Edit your Apache site configuration to use SSL:
<VirtualHost *:443>
    ServerName yourdomain.com
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/yourdomain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/yourdomain.com/privkey.pem
    ProxyPass / http://localhost:3000/
    ProxyPassReverse / http://localhost:3000/
</VirtualHost>
Keep your server software up-to-date to protect against known vulnerabilities:
sudo yum update -y
sudo apt update && sudo apt upgrade -y
Use tools like AIDE (Advanced Intrusion Detection Environment) to monitor changes to your system:
sudo yum install aide
sudo aide --init
sudo apt install aide
sudo aide --init
Use tools like Logwatch or set up rsyslog to monitor and analyze logs for unusual activity:
sudo yum install logwatch
sudo apt install logwatch
Securing API-X servers involves multiple layers of protection, from network security and SSH hardening to SSL encryption and log monitoring. By following these steps, you can create a robust security posture for your API-X deployment, whether you're using CentOS or Ubuntu. Regular updates, monitoring, and limiting access to your servers are crucial practices to defend against potential threats and ensure the reliability of your application.