
Security on your VPS

You have just rented your first VPS (Virtual Private Server) and can’t wait to use it. We’ve all been there, but first things first: let’s make it rock-solid secure.

Update your system

It is really important to make sure that our system is always up to date. To achieve that, the first thing we have to do is:

In Ubuntu:

sudo apt update
sudo apt upgrade

In RedHat / Fedora:

sudo dnf upgrade

Disable root access

We are going to make it so that the root user cannot log in from the outside. The root user has full system administration permissions, so it is always the first account attackers go after.

Let’s open the SSH configuration file:

sudo nano /etc/ssh/sshd_config

We are going to look for the line that says PermitRootLogin yes and change it to PermitRootLogin no. If the line is commented (starts with #), you should uncomment it. Press control + s to save and control + x to exit.

It may happen that instead of PermitRootLogin yes, the line says PermitRootLogin prohibit-password. In that case, change it to PermitRootLogin no as well.

At this point, the SSH service would need to be restarted for the change to take effect, but since we are going to make more changes, we’ll do it later.


Public/Private key pair authentication

There are several ways to log in to a VPS, with a password being the most common. However, thanks to the computational power of computers nowadays, some weak passwords are fairly easy to brute force.

An alternative authentication method uses asymmetric key pairs: cryptographic keys based on mathematics (more specifically, on prime numbers). A pair is composed of two parts: a public key, which you can share without any problem and which can be used to encrypt communications or check the authenticity of a message, file, etc., and a private key, which allows individuals to identify themselves or decrypt communications.

Create a key pair

To create the key pair, you are going to use your personal computer, not your server.

You have to run the following command:

ssh-keygen -t ed25519

You should see something like this:

Generating public/private ed25519 key pair.
Enter file in which to save the key (/home/user/.ssh/id_ed25519):
Enter passphrase (empty for no passphrase):

You may enter a passphrase here to encrypt your private key. It is advisable to do so if you are using a laptop or a device you plan to carry around frequently. Do not lose this passphrase.

We are generating an elliptic-curve Ed25519 key, considered one of the best security standards as of the date this post was written. Nevertheless, if your VPS is old and cannot handle such a key, you can generate a 4096-bit RSA key, which provides a high level of security too.

ssh-keygen -t rsa -b 4096

Copy the key to the server

Once the key pair is generated, we have to transfer the public one to the server.

The first thing you have to do is find out your server’s IP address. Typically, your provider will give it to you when you rent the server. If you instead have access to a command-line terminal on the server, you can find it by running ip addr.

To transfer the key you can run the following command.

ssh-copy-id username@server_ip

For instance: ssh-copy-id user@192.168.1.173

Check you have access by running ssh username@server_ip on your personal computer. No account password should be requested; if you protected the key with a passphrase, you will be asked for that instead.

Deactivate password login

You should now be able to log in without typing your password, but as long as password login remains enabled, brute-force attacks are still possible.

Once in the VPS, we are going to edit the SSH configuration file once again.

sudo nano /etc/ssh/sshd_config

Press control + w and search for PasswordAuthentication.

Uncomment the line that says #PasswordAuthentication yes and change yes to no.

It should look like this: PasswordAuthentication no.

Press control + s to save and control + x to exit. We will restart the service at the end.


Change the default port

By default, the SSH access port is 22. Changing the port does not provide any additional security but it can reduce the number of attacks received.

Again, we will edit the SSH config file.

sudo nano /etc/ssh/sshd_config

Find the line that says Port 22. Uncomment it if it is commented and change the number 22 to any random one, such as 8122. Save with control + s and exit with control + x.

It is time now to restart the SSH service and apply all changes. Make sure you have carefully followed the guide up to this point, and keep your current session open while you test the new login from a second terminal, so that a mistake does not lock you out.

In Ubuntu:

sudo service ssh restart

In RedHat/Fedora:

sudo systemctl restart sshd

After all these steps, you can access your server with ssh user@ip -p port.
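
Before the restart above, it helps to confirm which values sshd will actually use: for most keywords sshd keeps the first value it reads, so an earlier line or included file can silently override an edit made further down. The following added example (not from the original post) audits configuration text against the three settings changed in this guide; the sample file and the function names are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): audit sshd_config text, read
# from stdin, against the three settings this guide changes.

# Constructed sample: the guide's edits are present, but an earlier line
# still enables passwords, as a vendor default or drop-in file might.
sample_config() {
cat <<'EOF'
PasswordAuthentication yes
#Port 22
Port 8122
PermitRootLogin no
PasswordAuthentication no
EOF
}

# first_value KEY: sshd keeps the FIRST value it reads for most keywords,
# so print only the first uncommented one found before any Match block.
first_value() {
    awk -v key="$1" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print $2; exit }'
}

# ports: Port may be repeated and sshd listens on every value; print them all.
ports() {
    awk '/^[ \t]*#/ { next }
         tolower($1) == "match" { exit }
         tolower($1) == "port" { print $2 }'
}

# audit_sshd: print one finding per line and return 1 if there is any.
audit_sshd() {
    cfg=$(cat); rc=0
    for key in PermitRootLogin PasswordAuthentication; do
        val=$(printf '%s\n' "$cfg" | first_value "$key")
        [ "$val" = "no" ] || { echo "$key is '${val:-unset}', expected 'no'"; rc=1; }
    done
    plist=$(printf '%s\n' "$cfg" | ports | tr '\n' ' ')
    case " ${plist:-22 }" in
        *" 22 "*) echo "sshd still listens on port 22"; rc=1 ;;
    esac
    return "$rc"
}

sample_config | audit_sshd || true
```

On the server itself, sudo sshd -t checks the file for syntax errors and sudo sshd -T prints the effective configuration with included files resolved.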


Configure a firewall

A firewall is essential for blocking unwanted connection attempts to our server. It is common to find bots scanning a range of ports across many random IPs. If they find any port open, they attack it, which slows the system down.

We are going to install UFW, a really easy to use Linux firewall.

In Ubuntu:

sudo apt install ufw

In RedHat/Fedora:

sudo dnf install ufw

If you are on Fedora, you might need to disable FirewallD.

sudo systemctl stop firewalld
sudo systemctl disable firewalld

Use IPv6

If your VPS uses IPv6, you can enable it from UFW’s config file.

sudo nano /etc/default/ufw

Find the line that says IPV6= and make sure it says yes, such as IPV6=yes. Save and exit.

Set default policies

Let’s start by allowing all outgoing traffic and denying all incoming traffic.

sudo ufw default deny incoming
sudo ufw default allow outgoing

We also want to allow all internal (loopback) communications:

sudo ufw insert 1 allow in on lo

Enable SSH connections

Before making any further changes, we want to make sure UFW won’t block our SSH connections:

sudo ufw allow PORT

Where “PORT” is the SSH port we previously configured. It should look something like this: sudo ufw allow 8122.

Enable the firewall

Make sure all rules are properly configured:

sudo ufw status verbose

Finally, and if everything looks fine, enable the firewall:

sudo ufw enable

You should see a warning explaining you could lose access to the VPS. If you have configured everything as explained here, there should be no issues. Press y and ENTER.

The firewall is now running. You can check more commands in this guide from DigitalOcean.


Install Fail2Ban (optional)

Fail2Ban constantly scans for failed login attempts and temporarily bans those IPs that have failed several times.

Let’s install the program:

In Ubuntu:

sudo apt install fail2ban

In RedHat/Fedora:

sudo dnf install epel-release fail2ban

Note for RedHat/Fedora

You will have to start the service yourself.

sudo systemctl start fail2ban
sudo systemctl enable fail2ban

If you see this error: no directory /var/run/fail2ban to contain the socket file /var/run/fail2ban/fail2ban.sock, create the directory manually with sudo mkdir /var/run/fail2ban.

To check if Fail2Ban is working run fail2ban-client -h. If we see a help message, everything is running smoothly.

We can change the config file to modify certain parameters.

Let’s create a local config file by running:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

You can now modify it:

sudo nano /etc/fail2ban/jail.local

If you are on RedHat or Fedora, change the backend parameter from auto to systemd. This is not required in Ubuntu, even though it also uses systemd.

To protect SSH access, you have to look for these lines and uncomment them (or add them if they aren’t already there):

[sshd]
enabled = true
port=YOUR_SSH_PORT
filter=sshd
maxretry=4
bantime=120

Make sure that in port you use the port you configured in a previous step.

The options maxretry and bantime set the number of failed attempts allowed before a ban and the time (in seconds) the attacker stays banned.
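
To see what maxretry and bantime mean in practice, the following added example (not fail2ban's own code and not from the original post) replays the counting rule of the [sshd] jail above over constructed log lines. It assumes fail2ban's stock 10-minute findtime window, which this guide does not change, and it matches only the classic Failed password line, while the real sshd filter recognises more patterns.

```sh
#!/bin/sh
# Added example (not fail2ban's own code): replay the counting rule of the
# [sshd] jail above over log lines read from stdin.
MAXRETRY=4     # maxretry from the jail
BANTIME=120    # bantime from the jail, in seconds
FINDTIME=600   # assumption: fail2ban's stock 10-minute counting window

# Constructed auth.log excerpt (documentation addresses, a single day).
sample_log() {
cat <<'EOF'
Mar 10 12:00:01 vps sshd[811]: Failed password for root from 203.0.113.7 port 40112 ssh2
Mar 10 12:00:03 vps sshd[811]: Failed password for root from 203.0.113.7 port 40112 ssh2
Mar 10 12:00:05 vps sshd[814]: Failed password for invalid user admin from 203.0.113.7 port 40120 ssh2
Mar 10 12:00:10 vps sshd[815]: Failed password for root from 192.0.2.44 port 51000 ssh2
Mar 10 12:00:12 vps sshd[816]: Failed password for invalid user test from 203.0.113.7 port 40131 ssh2
Mar 10 12:04:00 vps sshd[820]: Failed password for root from 192.0.2.44 port 51010 ssh2
Mar 10 12:06:30 vps sshd[823]: Accepted publickey for user from 198.51.100.20 port 60022 ssh2
Mar 10 12:08:00 vps sshd[825]: Failed password for root from 192.0.2.44 port 51020 ssh2
Mar 10 12:11:00 vps sshd[829]: Failed password for root from 192.0.2.44 port 51030 ssh2
EOF
}

# simulate_jail: print "BAN <ip> <start> <end>" whenever an address reaches
# MAXRETRY failures inside the last FINDTIME seconds.
simulate_jail() {
    awk -v max="$MAXRETRY" -v ban="$BANTIME" -v win="$FINDTIME" '
    function hms(s) { return sprintf("%02d:%02d:%02d", s / 3600, (s % 3600) / 60, s % 60) }
    /sshd\[[0-9]+\]: Failed password for / {
        split($3, t, ":"); now = t[1] * 3600 + t[2] * 60 + t[3]
        for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
        seen[ip, ++n[ip]] = now
        hits = 0
        for (j = 1; j <= n[ip]; j++) if (now - seen[ip, j] < win) hits++
        if (hits >= max) {
            print "BAN", ip, hms(now), hms(now + ban)
            n[ip] = 0    # counter starts over once the ban is issued
        }
    }'
}

sample_log | simulate_jail
```

In the sample, 192.0.2.44 also fails four times but is not banned, because its first failure has left the 10-minute window by the time the fourth arrives.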

There is also a way to never ban certain IPs, but it only works if you have a static IP.

Now save and exit (control + s and control + x) and restart Fail2Ban:

sudo systemctl restart fail2ban

We are all done!

Congrats! You have now secured your VPS.