How I secure my new VPS

Must-do checklist for your new VPS


After creating a new VPS (Virtual Private Server), it is essential to secure the server before using it.

I usually make sure that the following tasks are done to secure the server before I use it.

The command examples are shown for a Debian Linux server.

Perform System Updates

System updates ensure that critical vulnerability patches and bug fixes are applied to the system. Updating the server, or any system, is the first security precaution to take. It also brings the software and libraries up to their latest versions.

Command:

apt update && apt upgrade

Add limited privilege user account

When a VPS is initially set up, you are most often using root to SSH into the server and perform tasks. As root has all administrative privileges and can execute any command, it is recommended to create a user account with limited privileges and use sudo to perform administrative tasks.

Create user

adduser <user_name>

Add user to sudo group

adduser <user_name> sudo

After creating the user, SSH back into the server as the new user.

Hardening SSH access

A cryptographic key-pair is more secure than password authentication for SSH.

It is much more difficult to brute-force the private key of a cryptographic key pair than a password.

So, we will create an SSH key and configure the system to not accept passwords for SSH logins.

Create or locate SSH Key

We use public key authentication for SSH.

SSH keys are generally located in the .ssh directory inside the user's home directory, which is:

  • /home/username/.ssh/ for Linux
  • /Users/username/.ssh/ for Mac
  • C:\Users\Username\.ssh\ for Windows

Look inside this directory on your local computer. There should be two files with similar names, one with a .pub extension (the public key) and one without an extension (the private key).

If there is no SSH key pair, or you want to generate a new key, use the following command:

ssh-keygen -t ed25519 -C "<your_email>"

Here, ed25519 is the algorithm used to generate the key pair.
<your_email>: Replace this with your email address or any comment that identifies the SSH key.

You will be:

  • prompted for a filename. You can press Enter to use the default.
  • prompted for an optional passphrase. It is recommended to set a strong passphrase.

Copy public key to VPS

Use the following command:

ssh-copy-id -i <public_key_filename> <user_name>@<ip>

Now, on SSH login, you should be logged in without entering the user's password (you will still need to enter the SSH key passphrase, though).

SSH Configurations

The SSH configuration file has several options that can be used to improve the security of the VPS. To change them, open the configuration file with:

sudo vim /etc/ssh/sshd_config

You can use vim or any other editor for editing the configuration.

Prevent root login over SSH

This allows SSH connections from non-root users only. To enable this, set (or uncomment) the following option in the configuration file:

. . .
PermitRootLogin no
. . .

/etc/ssh/sshd_config

Disable SSH password authentication

This prevents SSH connections that use a password and allows connections that use key authentication only.

. . .
PasswordAuthentication no
. . .

/etc/ssh/sshd_config

Change SSH port

By default, the SSH service listens on port 22, so brute-force attacks are often aimed at this port. After disabling password authentication it is no longer possible to log in by brute-forcing the password, but you can never be too safe.

You can replace port 22 with any port number of your choice. Just be sure that it is not already used by another service on the system. To be safe, use a number between 49152 and 65535 (the dynamic/private port range, which is not reserved for any service). We are going to use 56789 for this demonstration.

. . .
Port 56789
. . .

Restart SSH service

Now, save and close the configuration file. Then, restart the SSH service.

sudo systemctl restart sshd

After restarting the SSH service, you can SSH using the following command:

ssh username@vpsaddress -p 56789

Append -p portNumber as above if you have changed the port.
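
sshd keeps the first value it reads for each keyword, and Debian's default sshd_config includes /etc/ssh/sshd_config.d/*.conf near the top, so a drop-in file can silently override the edits above. The following added example (not from the original post; the audit_sshd function and both samples are constructed here) checks the effective settings as printed by sshd -T:

```shell
#!/bin/sh
# Added example: audit the effective sshd settings against this guide.
# Input is `sshd -T` style output on stdin: one lowercase "keyword value" per line.
# On the server:  sudo sshd -t && sudo sshd -T | audit_sshd 56789
audit_sshd() {
    awk -v want="$1" '
        $1 == "port"                   { ports[$2] = 1 }   # Port may appear more than once
        $1 == "permitrootlogin"        { root = $2 }
        $1 == "passwordauthentication" { pass = $2 }
        $1 == "pubkeyauthentication"   { pub  = $2 }
        function fail(msg) { print "FAIL: " msg; bad++ }
        END {
            if (!(want in ports))                fail("sshd is not listening on port " want)
            if (want != "22" && ("22" in ports)) fail("port 22 is still configured")
            if (root != "no")  fail("permitrootlogin is [" root "], expected no")
            if (pass != "no")  fail("passwordauthentication is [" pass "], expected no")
            if (pub  != "yes") fail("pubkeyauthentication is [" pub "], key login would break")
            if (!bad) print "OK: effective settings match the guide"
            exit bad    # exit status = number of failed checks
        }'
}

# Constructed sample: all three edits from this guide took effect.
sample_hardened() {
    cat <<'EOF'
port 56789
permitrootlogin no
pubkeyauthentication yes
passwordauthentication no
EOF
}

# Constructed sample: sshd_config was edited, but a drop-in file that is
# read earlier still enables password logins.
sample_overridden() {
    cat <<'EOF'
port 56789
permitrootlogin no
pubkeyauthentication yes
passwordauthentication yes
EOF
}

sample_hardened   | audit_sshd 56789
sample_overridden | audit_sshd 56789 || echo "fix the settings above before closing your current session"
```

Run the check from your existing session and keep that session open until a second login on the new port succeeds.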

Fail2ban

Fail2ban bans IP addresses that make too many failed login attempts. Such attempts are likely to come from bots or attackers trying to break into your system: if you or any other authorized user is trying to log in, it should not take more than 3 to 4 attempts (and takes a single attempt with our SSH setup). Fail2ban is essential for protecting the server against brute-force or DoS (Denial of Service) attacks. Although Fail2ban can be used for many protocols, we will focus on SSH only here.

Install

sudo apt install fail2ban

Configure

Create a local configuration file by copying the jail file, then open it:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo vim /etc/fail2ban/jail.local

We will configure the SSH service only. If you need more details on configuration, refer to the Fail2ban wiki.

In the configuration file, locate the [sshd] section and make sure it has these configurations:

[sshd]
enabled = true
# The SSH port set in sshd_config above (use "ssh" if you kept the default port 22)
port = 56789
filter = sshd
maxretry = 3
findtime = 5m
bantime  = 30m

This means that any IP address with 3 failed SSH login attempts within 5 minutes will be banned for 30 minutes.
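
The thresholds above replayed over a constructed log, as an added example that is not part of the original post or of Fail2ban itself. The would_ban function and the sample lines are hypothetical, and the awk logic only approximates how Fail2ban counts failures:

```shell
#!/bin/sh
# Added example: report which source IPs the [sshd] thresholds would ban, and when.
# Usage: would_ban MAXRETRY FINDTIME_SECONDS BANTIME_SECONDS < logfile
# Assumes syslog-style lines from a single day (no midnight rollover).
would_ban() {
    awk -v maxretry="$1" -v findtime="$2" -v bantime="$3" '
        function hms(s) { return sprintf("%02d:%02d:%02d", int(s / 3600) % 24, int(s % 3600 / 60), s % 60) }
        /sshd\[[0-9]+\]: Invalid user / {
            split($3, t, ":"); now = t[1] * 3600 + t[2] * 60 + t[3]
            for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
            # Drop failures from this IP that are older than findtime, then add this one.
            n = 0
            for (k = 1; k <= cnt[ip]; k++)
                if (now - seen[ip, k] < findtime) kept[++n] = seen[ip, k]
            kept[++n] = now
            for (k = 1; k <= n; k++) seen[ip, k] = kept[k]
            cnt[ip] = n
            if (n >= maxretry) {
                print ip, "banned", hms(now), "until", hms(now + bantime)
                cnt[ip] = 0      # assumption: counting restarts after a ban
            }
        }'
}

# Constructed sample log (documentation IP ranges).
sample_auth_log() {
    cat <<'EOF'
Jan 10 10:00:01 vps sshd[811]: Invalid user admin from 203.0.113.5 port 40022
Jan 10 10:00:05 vps sshd[812]: Invalid user test from 198.51.100.7 port 51810
Jan 10 10:00:40 vps sshd[815]: Invalid user oracle from 203.0.113.5 port 40031
Jan 10 10:01:12 vps sshd[817]: Accepted publickey for deploy from 192.0.2.10 port 50444 ssh2
Jan 10 10:02:10 vps sshd[820]: Invalid user pi from 203.0.113.5 port 40040
Jan 10 10:04:00 vps sshd[825]: Invalid user ubuntu from 198.51.100.7 port 51822
Jan 10 10:06:00 vps sshd[829]: Invalid user git from 198.51.100.7 port 51830
EOF
}

# maxretry = 3, findtime = 5m (300 s), bantime = 30m (1800 s), as in the jail above.
sample_auth_log | would_ban 3 300 1800
```

198.51.100.7 also fails three times, but never three times inside one 5-minute window, so it is not banned with these settings.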

Enable

Restart and enable the service.

sudo systemctl restart fail2ban
sudo systemctl enable fail2ban

Configure Firewall

A firewall provides a robust security layer that blocks unwanted traffic to the VPS. The best practice is to allow only the traffic you need and block everything else.

We are going to use ufw (Uncomplicated Firewall) here.

Install

sudo apt install ufw

Enable firewall service

sudo systemctl start ufw
sudo systemctl enable ufw

Configure

Since most of the time we only need a small number of ports open for incoming connections (such as web servers and SSH), we can close all the remaining ports. ufw default can be used to set the default response for incoming and outgoing connections.

But before that, let's open the SSH port so that we do not get locked out of our VPS. To allow traffic on our SSH port (say 56789), we need to run:

sudo ufw allow 56789

Similarly, to deny traffic on a certain port (say 22), we need to run:

sudo ufw deny 22

Now, let's set default rules to deny all incoming connections and allow all outgoing connections with ufw default:

sudo ufw default allow outgoing
sudo ufw default deny incoming

Enable firewall

The firewall should be inactive at this moment. You can verify this with:

sudo ufw status

To enable the firewall:

sudo ufw enable

Well, these are some of the must-do items that I usually follow when I set up a new VPS. Backing up the VPS, configuring intrusion detection, fine-tuning sudo access and other mechanisms should also be applied. As said earlier, you can never be too safe. So, stay safe.