VPS security is an important topic. Unsecured instances become zombies and will be abused for bot networks and other creative tasks.
There are countless pages on the internet, and this is just another one. It’s primarily for myself, so I will know what to do when I change my hosting company the next time!
VPS Security 1: Create a non-root account
First of all, we need to create a non-root account.
That’s a quick one.
The first command creates the actual user and asks for a little more input. The only significant bit is the password.
And yes, that’s a super-creative name. Please do come up with something on your own!
Now we add the user to an elevated group:
usermod -aG sudo root2
Switch user to root2 and ensure SSH access:
su - root2
mkdir ~/.ssh
chmod 700 ~/.ssh
Now try to see if you can log in with the account over SSH and shoot a command that requires sudo.
sudo apt update
All working fine? Good, let’s move on.
VPS Security 2: Securing SSH
Use the root2 account and adjust the SSH settings:
sudo nano /etc/ssh/sshd_config
Uncomment “#Port 22” and change the SSH port to something else, maybe 55522.
Scroll down further and change PermitRootLogin from “yes” to “no.”
Exit the file and issue an SSH restart:
sudo systemctl reload sshd
VPS Security 3: Install and enable the firewall
The next step to increase VPS security is to install the firewall:
sudo apt install ufw -y
And we’re going to set up a few rules.
We allow inbound HTTP, HTTPS, and SSH with our new port, everything else from the outside is locked, but we’re still okay with sending:
sudo ufw allow 55522
sudo ufw allow http
sudo ufw allow https
sudo ufw default deny incoming
sudo ufw default allow outgoing
Finally, enable the FW:
sudo ufw enable
VPS Security 4: Fail2ban
Fail2ban will automatically block repeated attempts to break into the box.
The installation is simple:
sudo apt install fail2ban -y
We’re going to copy the configuration file:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
And apply some edits:
sudo nano /etc/fail2ban/jail.local
Search for bantime, findtime, maxretry and adjust them to your requirements, like here in the screenshot:
Also, enable SSHD protection, and don’t forget to use the new port:
The last step is to restart the service:
sudo service fail2ban restart
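Steps 2 to 4 only protect the box if sshd, ufw and fail2ban all agree on the new SSH port. The following script is an added example, not part of the original post, that cross-checks the three. The function names, the demo files and the saved `ufw status` output are assumptions of this example, and it reads only the one jail file it is given.

```shell
# Added example: cross-check the SSH port across sshd, ufw and fail2ban.
# Simplification: ignores Include files and Match blocks in sshd_config.

# First uncommented value of an sshd_config keyword, else the given default.
sshd_value() {  # usage: sshd_value FILE KEYWORD DEFAULT
    awk -v k="$2" -v d="$3" '
        tolower($1) == tolower(k) { print $2; found = 1; exit }
        END { if (!found) print d }' "$1"
}

# Value of KEY inside the [sshd] section of a fail2ban jail file.
jail_value() {  # usage: jail_value FILE KEY
    awk -F'[ \t]*=[ \t]*' -v k="$2" '
        /^\[/ { in_sshd = ($0 ~ /^\[sshd\]/) }
        in_sshd && $1 == k { print $2; exit }' "$1"
}

# Succeeds if saved `ufw status` output has an ALLOW rule for PORT or PORT/tcp.
ufw_allows() {  # usage: ufw_allows STATUS_FILE PORT
    awk -v p="$2" '
        ($1 == p || $1 == (p "/tcp")) && $2 == "ALLOW" { ok = 1 }
        END { exit !ok }' "$1"
}

flag() { echo "PROBLEM: $1"; problems=$((problems + 1)); }
# Prints each inconsistency; return status is the number found (0 = consistent).
check_ssh_hardening() {  # usage: check_ssh_hardening SSHD_CONFIG JAIL_FILE UFW_STATUS
    problems=0
    port=$(sshd_value "$1" Port 22)
    jport=$(jail_value "$2" port)
    if [ "$jport" = ssh ]; then jport=22; fi   # fail2ban's stock value
    [ "$(sshd_value "$1" PermitRootLogin prohibit-password)" = no ] ||
        flag "sshd: PermitRootLogin is not 'no'"
    ufw_allows "$3" "$port" || flag "ufw: no ALLOW rule for sshd port $port"
    [ "$(jail_value "$2" enabled)" = true ] || flag "fail2ban: [sshd] not enabled"
    [ "$jport" = "$port" ] || flag "fail2ban: [sshd] port is not $port"
    return "$problems"
}

# Constructed sample files (not from a real host); UFW_PORT is the port opened in ufw.
demo() {  # usage: demo UFW_PORT
    d=$(mktemp -d)
    printf 'Port 55522\nPermitRootLogin no\n' > "$d/sshd_config"
    printf '[sshd]\nenabled = true\nport = 55522\n' > "$d/jail.local"
    printf '%s ALLOW Anywhere\n80/tcp ALLOW Anywhere\n' "$1" > "$d/ufw.txt"
    check_ssh_hardening "$d/sshd_config" "$d/jail.local" "$d/ufw.txt" && rc=0 || rc=$?
    rm -rf "$d"
    return "$rc"
}
```

On a real host, save the output of `sudo ufw status` to a file and pass it as the third argument after /etc/ssh/sshd_config and /etc/fail2ban/jail.local. Running `demo 55222` shows the report for a firewall rule that does not match the sshd port.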
That should do. Sure, there’s always more you could do, but these simple measures will keep all the bots and script users at bay.
Of course, you need a backup, too!