Security on your VPS
You have just rented out your first VPS (Virtual Private Server) and can’t wait to use it. We’ve all been there, but first things first, let’s make it rock solid secure.
Update your system
Something really important making sure that our system is always up-to-date. To achieve that, the first thing we have to do is:
In Ubuntu:
sudo apt update
sudo apt upgrade
In RedHat / Fedora:
sudo dnf upgrade
Disable root access
We are going to make it so that the root user cannot be accessed from the outside. The root user has system administration permissions, and it is always the first attack surface.
Let’s open the SHH configuration file:
sudo nano /etc/ssh/sshd_config
We are going to look for the line that says PermitRootLogin yes
and change it to PermitRootLogin no
. If the line is commented (starts with #), you should uncomment it. Press control + s to save and control + x to exit.
It may happen that instead of
PermitRootLogin yes
, the line saysPermitRootLogin prohibit-password
.
At this point, a system reboot would be required, but since we are going to make more changes, we’ll do it later.
Public/Private key pair authentication
There are several ways to login into a VPS, with using a password being the most common. However, thanks to the computational power of computers nowadays, some weak passwords are fairly easy to brute force.
An alternative authentication method is by using asymetric key pairs, cryptographic keys based on mathematics (more specifically, on prime numbers). They are composed of two parts: a public key you can share without any problem and that can be used to encrypt communications or check the authenticity of a message, file, etc., and a private key, that allows individuals to identify themselves or decrypt communications.
Create a key pair
To create the keyi, you are going to use your personal computer, not your server.
You have to run the following command:
ssh-keygen -t ed25519
You should see something as this:
Generating public/private ed25519 key pair.
Enter file in which to save the key (/home/user/.ssh/id_ed25519):
Enter passphrase (empty for no passphrase):
You may introduce a password here to encrypt your private key. It is advisable to do it if you are using a laptop or a device you plan to transport frequently. Do not lose this password.
We are generating an eliptic curve key
ed25519
, considered one of the best security standards to the date this post was made. Nevertheless, if your VPS is old and cannot handle such a key, you can generate an RSA key with 4096 bits of entropy, which provides a high level of security too.ssh-keygen -t rsa -b 4096
Copy the key to the server
Once the key pair is generated, we have to transfer the public one to the server.
The first thing you have to do is figure out your server IP address. Typically, your provider will give it to you when you rent it out. If you instead have access to a command-line terminal, you can find by running ip addr
.
To transfer the key you can run the following command.
ssh-copy-id username@server_ip
For instance: ssh-copy-id user@192.168.1.173
Check you have access by running
ssh nombre_de_usuario@ip_server
on your personal computer. No password should be requested.
Deactivate password login
You should now be able to login without typing your password, but brute force attacks are still possible.
Once in the VPS, we are going to edit once again the SSH configuration file.
sudo nano /etc/ssh/sshd_config
Press control + w and search for PasswordAuthentication
.
Uncomment the line that says #PasswordAuthentication yes
and change yes
for no
.
It should look like this: PasswordAuthentication no
.
Press control + s to save and control + x to exit. We will reboot at the end.
Change the default port
By default, the SSH access port is 22. Changing the port does not provide any additional security but it can reduce the number of attacks received.
Again, we will edit the SSH config file.
sudo nano /etc/ssh/sshd_config
Find the line that says Port 22
. Uncomment it if it is commented and change the number 22 for any random one, such as 8122. Save with control + s and exit with control + x.
It is time now to restart the SSH service and apply all changes. Make sure you have carefully followed the guide up to this point.
In Ubuntu:
sudo service ssh restart
In RedHat/Fedora:
sudo systemctl restart sshd
After all these steps, you can access your server with
ssh user@ip -p port
.
Configure a firewall
A firewall is esential when blocking unwanted conntectio attempts to our server. It is usual to find bots scanning a range of ports for many random IPs. If they find any port open, they attack it making the system slower.
We are going to install UFW, a really easy to use Linux firewall.
In Ubuntu:
sudo apt install ufw2
In RedHat/Fedora:
sudo dnf install ufw
If you are on Fedora, you might need to disable FirewallD.
sudo systemctl stop firewalld
sudo systemctl disable firewalld
Use IPv6
If your VPS uses IPv6, you can enable it from UFW’s config file.
sudo nano /etc/default/ufw
Find the line that says IPV6=
and make sure it says yes
, such as IPV6=yes
. Save and exit.
Set default policies
Let’s start by allowing all outgoing traffic and denying incoming one.
sudo ufw default deny incoming
sudo udw default allow outgoing
We also want to allow all internal communications:
sudo ufw insert 1 allow in on lo0
Enable SSH connections
Before making any further changes, we want to make sure UFW won’t block our SSH connections:
sudo ufw allow PORT
Where “PORT” is the SSH port we previously configured. It should look something like this: sudo ufw allow 8122
.
Enable the firewall
Make sure all rules are properly configured:
sudo ufw status verbose
Finally, and if everything looks fine, enable the firewall:
sudo ufw enable
You should see a warning explaining you could lose access to the VPS. If you have configured everything as explained here, there should be no issues. Press y
and ENTER
.
The firewall is now running. You can check more commands in this guide from Digital Ocean.
Install Fail2Ban (optional)
Fail2Ban constantly scans for failed login attempts and temporarily bans those IPs that have failed several times.
Let’s install the program:
In Ubuntu:
sudo apt install fail2ban
In RedHat/Fedora:
sudo dnf install epel-release fail2ban
You will have to run the service by yourself.
sudo systemctl start fail2ban
sudo systemctl enable fail2ban
If you see this error:
no directory /var/run/fail2ban to contain the socket file /var/run/fail2ban/fail2ban.sock
manually create it withsudo mkdir /var/run/fail2ban
.
To check if Fail2Ban is working run fail2ban-client -h
. If we see a help message, everything is running smoothly.
We can change the config file to modify certain parameters.
Let’s create a local config file by running:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
You can now modify it:
sudo nano /etc/fail2ban/jail.local
If you are on RedHat or Fedora, change the backend
param from auto to systemd. This is not required in Ubuntu, even though it also uses systemd.
To protect SSH access, you have to look for these lines and uncomment them (or add them if they aren’t already there):
[sshd]
enabled = true
port=YOUR_SSH_PORT
filter=sshd
maxretry=4
bantime=120
Make sure that in port
you use the port you configured in a previous step.
The options maxretry
and bantime
are the number of consecutive failed attempts and the time (in seconds) the attacker will be banned.
There is also a way to never ban certain IPs, but it only works if you have a static IP.
Now save and exit (control + s and control + x) and restart Fail2Ban:
sudo systemctl restart fail2ban