VPS security is an important topic. Unsecured instances become zombies and will be abused for bot networks and other creative tasks.
There are countless pages on the internet, and this is just another one. It’s primarily for myself, so I will know what to do when I change my hosting company the next time!
VPS Security 1: Create a non-root account
First of all, we need to create a non-root account.
That’s a quick one.
The first command will create the actual user and asks for a little more input. The only significant bit is the password.
And yes, that’s a super-creative name. Please do come up with something on your own!
adduser root2Now we add the user to an elevated group:
usermod -aG sudo root2Switch user to root2 and ensure SSH access:
su - root2
mkdir ~/.ssh
chmod 700 ~/.sshNow try to see if you can log in with the account over SSH and shoot a command that requires sudo.
sudo apt updateAll working fine? Good, let’s move on.
VPS Security 2: Securing SSH
Use the root2 account and adjust the SSH settings:
sudo nano /etc/ssh/sshd_confi gUncomment “#Port 22” and change the SSH port to something else, maybe 55522.
Scroll down further and change PermitRootLogin from “yes” to “no.”
Exit the file and issue an SSH restart:
sudo systemctl reload sshdVPS Security 3: Install and enable the firewall
The next step is to increase VPS Security is to install the firewall:
sudo apt install ufw -yAnd we’re going to set up a few rules.
We allow inbound HTTP, HTTPS, and SSH with our new port, everything else from the outside is locked, but we’re still okay with sending:
sudo ufw allow 55222
sudo ufw allow http
sudo ufw allow https
sudo ufw default deny incoming
sudo ufw default allow outgoingFinally, enable the FW:
sudo ufw enableVPS Security 4: Fail2ban
Fail2ban will automatically block repeated attempts to break into the box.
The installation is simple:
sudo apt install fail2ban -yWe’re going to copy the configuration file:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.localAnd apply some edits:
sudo nano /etc/fail2ban/jail.localSearch for bantime, findtime, maxretry and adjust them to your requirements, like here in the screenshot:
Also, enable SSHD protection, and don’t forget to use the new port:
The last step is to restart the service:
sudo service fail2ban restartThat should do. Sure, there’s always more you could do, but these simple measures will keep all the bots and script users at bay.
Of course, you need a backup, too!
More technology posts:
VPS Security
VPS security is an important topic. Unsecured instances become zombies and will be abused for…
WordPress on Contabo VPS
For various reasons, I decided to change my hoster for the blog. I did some…
Orangematter – SolarWinds Hybrid Cloud Observability
I’ve written a new article: Orangematter – SolarWinds Hybrid Cloud Observability.https://orangematter.solarwinds.com/2022/07/18/observability-again-oh-yes/ I’m a bit late…
IT Pro Day 2021: Orangematter
I’ve written a new article on our corporate blog, celebrating IT Pro Day 2021:https://orangematter.solarwinds.com/2021/09/01/it-pros-to-the-world-bring-it-on/ It’s…
Künstliche Intelligenz im Datenzentrum: Die KI schläft nie!
English version: Click! Künstliche Intelligenz im Datenzentrum In einem Datenzentrum sind typischerweise irgendwo zwischen 30-200…
IT Security beginnt beim Mensch. Leider.
English Version: CLICK! IT Security beginnt beim Mensch. Leider. Einer der Funde der Untersuchung des…