How I secure my new VPS
Must-do checklist for your new VPS
So, after creating a new VPS (Virtual Private Server), it is essential to secure the server before using it.
I usually make sure the following tasks are done before I put a new server to use.
The command examples are for a Debian-based Linux server; on a fresh VPS the first ones run as root, the rest with sudo.
Perform System Updates
System updates ensure that critical vulnerability patches and bug fixes are applied to the system. Updating the server is the first security precaution on any new system, and it also brings the installed software and libraries up to the latest packaged versions.
Command (as root, or prefix both with sudo):
apt update && apt upgrade
Add limited privilege user account
When a VPS is initially set up, you are most often using root to SSH into the server and perform tasks. Since root has all administrative privileges and can execute any command, it is recommended to create a user account with limited privileges and use sudo to perform administrative tasks.
Create user
adduser <user_name>
Add user to sudo group
adduser <user_name> sudo
After creating the user, keep the root session open and SSH into the server in a second terminal as the new user. Confirm that sudo works (for example, sudo -v) before you close the root session, so a mistake here cannot lock you out.
Hardening SSH access
A cryptographic key pair is more secure than password authentication for SSH.
A password can be guessed or brute-forced; a 256-bit Ed25519 private key cannot be recovered by guessing in any practical amount of time, and it never leaves your computer (only the public key goes to the server).
So, we will create an SSH key and configure the server not to accept passwords for SSH logins.
Create or locate SSH Key
We use public key authentication for SSH.
SSH keys are generally located in the .ssh directory inside the user's home directory, which is:
/home/username/.ssh/ for Linux
/Users/username/.ssh/ for Mac
C:\Users\Username\.ssh\ for Windows
Look inside that directory on your local computer. An existing key pair appears as two files with similar names, one with the .pub extension (public key) and another without an extension (private key), for example id_ed25519.pub and id_ed25519.
If there is no SSH key pair or you want to generate new key
Use the following command
ssh-keygen -t ed25519 -C "[email protected]"
Here, ed25519 is the key algorithm (a fast elliptic-curve signature scheme with small keys; it has nothing to do with the passphrase).
[email protected]: Replace this with your email address or any comment that identifies the SSH key. The comment is stored in the public key only.
You will be:
- prompted for a filename. You can press Enter to use the default (~/.ssh/id_ed25519).
- prompted for an optional passphrase. It is recommended to set a strong passphrase: it encrypts the private key on disk, so a stolen key file alone is not enough to log in.
Copy public key to VPS
Use the following command (it appends the public key to ~/.ssh/authorized_keys on the server and sets the right permissions):
ssh-copy-id -i <public_key_filename> <user_name>@<ip>
Now, on SSH login, you should be logged in without entering the user's password (you will need to enter the key's passphrase, unless an SSH agent is caching it).
SSH Configurations
The SSH daemon configuration file has several options that can be used to improve the VPS security. For this, you will need to open the configuration file with:
sudo vim /etc/ssh/sshd_config
You can use vim or any other editor for editing the configuration. Note that Debian also includes files from /etc/ssh/sshd_config.d/ at the top of this file, and sshd uses the first value it finds for an option, so check that no drop-in file there overrides what you set below.
Prevent root login over SSH
This will allow SSH connections from non-root users only (administrative work is done through the sudo user created above). To enable this, set (or uncomment) the following option in the configuration file:
PermitRootLogin no
Disable SSH password authentication
This will prevent SSH connections using a password and will allow connections using key authentication only. Make sure your key-based login works before setting it:
PasswordAuthentication no
Change SSH port
By default, the SSH service listens on port 22, so automated brute-force attempts are made against this port constantly. After disabling password authentication it is no longer possible to log in by brute-forcing a password, so this step is about reducing log noise and opportunistic scans rather than real security. Still, you can never be too safe.
You can replace port 22 with any port number of your choice. Just be sure it is not already used by another service on the system. To be safe, use a number between 49152 and 65535 (the dynamic/private range, which IANA never assigns to services). We are going to use 56789 for this demonstration. Set the option:
. . .
Port 56789
. . .
Restart SSH service
Now, save and close the configuration file. Keep your current SSH session open, check the file for syntax errors, and then restart the SSH service:
sudo sshd -t
sudo systemctl restart sshd
After restarting the SSH service, open a new terminal and confirm you can still log in on the new port before closing the old session:
ssh -p 56789 <user_name>@<ip>
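The three sshd settings above are easy to get subtly wrong because sshd honours the first value it sees for an option (so a drop-in under /etc/ssh/sshd_config.d/ beats a line uncommented at the bottom of sshd_config), and lines after a "Match" block apply only conditionally. The script below is an added example, not part of the original post, that reports the effective value of each option in a config file and returns non-zero if any of the three is not hardened. The defaults it assumes when an option is absent (PermitRootLogin prohibit-password, PasswordAuthentication yes, Port 22) are OpenSSH's own.

```shell
#!/bin/sh
# Added example (not from the original post): audit the effective values of
# PermitRootLogin, PasswordAuthentication and Port in an sshd_config file.
#
# sshd rules modelled here:
#  - for most keywords the FIRST occurrence wins, not the last;
#  - "Key value" and "Key=value" are both accepted, keywords are case-insensitive;
#  - everything after the first "Match" line is conditional, so we stop there;
#  - "Port" may appear several times (sshd listens on all of them).

# Print the first effective value of KEYWORD in FILE (empty if absent).
sshd_effective() {
    file=$1
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v want="$key" '
        { sub(/#.*/, ""); sub(/=/, " "); gsub(/^[ \t]+|[ \t]+$/, "") }
        $0 == "" { next }
        tolower($1) == "match" { exit }          # conditional section starts
        tolower($1) == want { print $2; exit }   # first occurrence wins
    ' "$file"
}

# Print every Port value that applies globally, one per line.
sshd_ports() {
    awk '
        { sub(/#.*/, ""); sub(/=/, " "); gsub(/^[ \t]+|[ \t]+$/, "") }
        $0 == "" { next }
        tolower($1) == "match" { exit }
        tolower($1) == "port" { print $2 }
    ' "$1"
}

# check_sshd_hardening FILE WANTED_PORT -> 0 if hardened, 1 otherwise
# (prints one line per setting that is wrong).
check_sshd_hardening() {
    file=$1
    want_port=$2
    rc=0
    root=$(sshd_effective "$file" PermitRootLogin)
    pass=$(sshd_effective "$file" PasswordAuthentication)
    ports=$(sshd_ports "$file")
    # OpenSSH defaults when the keyword is not set at all
    [ -n "$root" ]  || root=prohibit-password
    [ -n "$pass" ]  || pass=yes
    [ -n "$ports" ] || ports=22
    [ "$root" = no ] || { echo "PermitRootLogin is '$root', want no"; rc=1; }
    [ "$pass" = no ] || { echo "PasswordAuthentication is '$pass', want no"; rc=1; }
    for p in $ports; do
        [ "$p" = "$want_port" ] || { echo "sshd listens on port $p, want only $want_port"; rc=1; }
    done
    return $rc
}
```

Run it as `check_sshd_hardening /etc/ssh/sshd_config 56789`. It reads a single file, so check any drop-ins as well; on the server itself the authoritative view is `sudo sshd -T`, which prints the merged configuration sshd will actually use.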
Fail2ban
Fail2ban watches the logs and temporarily bans IP addresses that make too many failed login attempts. Such attempts come from bots or attackers probing the system: a legitimate user should not need more than 3 or 4 tries (and with our key-based SSH setup, login succeeds on the first attempt). Fail2ban blunts brute-force attacks and the flood of junk connections they produce; it is not a defence against a real volumetric DoS, which must be handled upstream. Although Fail2ban can protect many services, we will focus on SSH only.
Install
sudo apt install fail2ban
Configure
Create a local configuration file by copying the jail file (jail.conf is overwritten on upgrades, jail.local is not) and open it:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo vim /etc/fail2ban/jail.local
In the configuration file, locate the [sshd] section and make sure it is enabled and watches the port we changed SSH to:
[sshd]
enabled = true
port = 56789
Enable
Restart and enable the service, then confirm the sshd jail is active with sudo fail2ban-client status sshd.
sudo systemctl restart fail2ban
sudo systemctl enable fail2ban
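To see what fail2ban's sshd jail is actually reacting to, here is an added example (not part of the original post) that does the core of its job by hand: it matches the two sshd log lines that signal a failed login, counts them per source IP and prints the addresses that reached maxretry. It counts over the whole file rather than within fail2ban's findtime window, and the log lines in the test are constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example (not from the original post): a hand-rolled version of what
# fail2ban's sshd filter plus the maxretry threshold do, runnable offline on
# any auth.log / journalctl -u ssh text.
#
# Usage: ssh_brute_force_ips LOGFILE MAXRETRY
# Output: "IP COUNT" for every IP with COUNT >= MAXRETRY, sorted.
ssh_brute_force_ips() {
    logfile=$1
    maxretry=$2
    awk -v max="$maxretry" '
        # Two of the lines sshd writes for a failed login; fail2ban matches
        # these (and several more) in /etc/fail2ban/filter.d/sshd.conf:
        #   sshd[PID]: Invalid user NAME from IP port N
        #   sshd[PID]: Failed password for [invalid user] NAME from IP port N ssh2
        /sshd\[[0-9]+\]: (Failed password for|Invalid user )/ {
            # the source address is the field after "from"
            for (i = 1; i <= NF; i++)
                if ($i == "from") { hits[$(i + 1)]++; break }
        }
        END {
            for (ip in hits)
                if (hits[ip] >= max) print ip, hits[ip]
        }
    ' "$logfile" | sort
}
```

With fail2ban's default maxretry of 5, `ssh_brute_force_ips /var/log/auth.log 5` lists the addresses the sshd jail would have banned (ignoring the time window). Compare it with `sudo fail2ban-client status sshd` to check that the jail is really reading the log you expect.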
Configure Firewall
Using a firewall provides a robust security layer that blocks unwanted traffic to the VPS. The best practice is to allow only the traffic you need and block everything else.
We are going to use ufw (Uncomplicated Firewall) here.
Install
sudo apt install ufw
Enable firewall service
sudo systemctl start ufw
sudo systemctl enable ufw
Configure
Since most of the time we only need a small number of ports open for incoming connections (SSH, a web server), we can close all the remaining ports. ufw default sets the default response for incoming and outgoing connections.
But before that, let's open the SSH port so that we do not lock ourselves out of the VPS. To allow traffic to our SSH port (say 56789), we need to run:
sudo ufw allow 56789
SSH only uses TCP, so you can narrow the rule with sudo ufw allow 56789/tcp.
Similarly, to deny traffic to a certain port (say 22), we need to run:
sudo ufw deny 22
(With the default-deny policy set below this rule is redundant, but it makes the intent explicit and keeps port 22 closed even if the default is later changed.)
Now, let's set default rules to deny all incoming connections and allow all outgoing connections with ufw default
:
sudo ufw default allow outgoing
sudo ufw default deny incoming
Enable firewall
The firewall should be inactive at this moment. You can verify with:
sudo ufw status
To enable the firewall (it will warn that this may disrupt existing SSH connections; that is fine as long as the rule for port 56789 was added above):
sudo ufw enable
Well, these are some of the must-do items that I usually follow when I set up a new VPS. Backing up the VPS, configuring intrusion detection, enabling unattended security upgrades, fine-tuning sudo access and other mechanisms should also be applied. As said earlier, you can never be too safe. So, stay safe.