
How to secure your VPS server
#1
Hello Everyone,

In this tutorial I'm going to show you the basic things you can do to secure your Debian/Ubuntu based VPS server.

Let's start!
  • 1. Log in to your VPS server over SSH.

    If you have a root account, then log in with root.
    If you do not have a root account, then you must log in with the user that is available, but you must write sudo before every command.

  • 2. Once you are on your server, first update the package list with

    apt-get update

  • 3. After that, update and install the newest packages with

    apt-get upgrade

  • 4. Install unattended-upgrades

    apt-get install unattended-upgrades


    With this package you can easily install security updates in the future.

  • 5. Run unattended-upgrades

    unattended-upgrade -v

    This will install security updates. This will take 1-2 minutes.
    After it has finished, restart your VPS.

    reboot

  • 6. Set the correct date, time and timezone

    dpkg-reconfigure tzdata

    First choose the continent that you are on. http://kepfeltoltes.hu/151021/1_continen...es.hu_.png
    Then select the city where you live. http://kepfeltoltes.hu/151021/2_citiy_se...es.hu_.png
    Nota bene: if you would like to see your local time, do as above.
    But you can also choose your VPS's physical location if you would like to see what time it is where the VPS is located.

  • 7. Disable answering to PING requests

    First install my favorite command line text editor, which is nano.

    apt-get install nano

    Then open and edit a text config file with nano

    nano /etc/sysctl.conf

    Simply copy and paste these two lines to the end of the file:
    net.ipv4.icmp_echo_ignore_all = 1
    net.ipv4.icmp_echo_ignore_broadcasts = 1

    Then press CTRL and X at the same time to exit from Nano.
    Then save and overwrite the old file by pressing Y then ENTER keys.

  • 8. Change default SSH port, lower login grace time and disable root login with nano

    nano /etc/ssh/sshd_config

    Find these lines:

    Port 22
    You can change this to anything, but I advise choosing from the 10000 to 65535 range.

    LoginGraceTime 120
    Lower it to 12.

    PermitRootLogin yes
    Change it to no.
    Warning! Disabling root login is advised only if you have at least one other account on your VPS that you can log in with.
    If you don't have another user on your VPS other than root and you disable root login, then you won't be able to log in to your VPS server anymore.

    Then press CTRL and X at the same time to exit from Nano.
    Then save and overwrite the old file by pressing Y then ENTER keys.

    But you can create a second user easily.
    Use numbers in the username; if someone wants to hack your server, he then has a much harder job guessing the username with numbers and then guessing the password too.

    adduser Sec0ndUser --force-badname

    Then enter the new user's password, then repeat it.
    You don't have to fill in the other fields, simply press ENTER.
           Full Name []:
           Room Number []:
           Work Phone []:
           Home Phone []:
           Other []:
    Is the information correct? [Y/n]

    If you logged in to your VPS as a normal user and would like to make modifications, you can use sudo before every command to gain root access, or simply change user with the su command.

  • 9. Install and configure Fail2ban

    Your VPS is a public server on the web and everyone can see it.
    A lot of hackers would like to get into it and steal your data and resources, to send SPAM emails or attack other servers with your VPS.
    To prevent this we disabled ping answers and root login over SSH, and changed the SSH port. But we can always do more.
    To install one of the best pieces of security software for Linux, enter this:
    apt-get install fail2ban

    To configure it, we have to edit its config file with nano:
    nano /etc/fail2ban/jail.conf

    Find these lines and make changes like I did:
    bantime  = 80000
    findtime = 30000
    maxretry = 2
    [ssh]
    enabled  = true
    port     = ssh,12345

    Note: 12345 should be your previously chosen SSH port number in Step 8.
    Then save it.

    You can check when, and from where, the hackers tried to access your VPS by typing:
    cat /var/log/fail2ban.log

    Don't worry, of course fail2ban successfully stopped them.
    Here you can see their IP addresses.
    If you would like to know where they are from, then enter this:
    wget -qO- http://getipaddr.net/more/index.php?ip=8.8.8.8

    8.8.8.8
    Country: United States
    Country code: US
    Region: CA
    Region code: California
    City: Mountain View
    94040
    Latitude: 37.386
    Longitude: -122.0838
    Timezone: America/Los_Angeles
    ISP: Google
    Organization: Google
    ASN: AS15169 Google Inc.
    rDNS: 8.8.8.8

    This is just an example; you must replace Google's IP address with the hackers' IP address that you find in fail2ban.log.

  • +1 Choose the right password
    Your passwords should be very long and very complex.
    You don't have to remember them, simply use a password manager application.
    I suggest using KeePass. It's free and open source.
    You can download it from here: http://keepass.info/

Congratulations!
If you did all of the above, then you are done securing your VPS server.

Please use the thumbs-up button below. Thx.
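The steps above as one script, added here as an example rather than taken from the post. It applies steps 7 to 9 (the ICMP sysctl, the sshd port, grace time and root login, the fail2ban jail) and keeps the step 8 warning as a check: it refuses to run when no non-root login account exists. Every function takes the file it edits as a parameter so the edit can be tried on a copy first; the port in the usage line, the user name, and the file names /etc/sysctl.d/60-icmp.conf and /etc/fail2ban/jail.local are this example's own choices. It writes the fail2ban settings to jail.local instead of jail.conf, because the package replaces jail.conf on upgrade and jail.local overrides it, and it names the jail [sshd], which is what fail2ban 0.9 and later call it (0.8 used [ssh] as in the post).

```shell
#!/bin/sh
# Added example, not the post's own script: steps 7-9 of the tutorial as an
# idempotent script. Every function takes the file it edits as an argument so
# it can be tried on a copy; main() applies it to the real paths as root.
# Assumes a Debian/Ubuntu layout and a fail2ban that names the SSH jail [sshd].

# set_sshd_option FILE KEY VALUE
# Rewrites every "KEY ..." line, commented out or not, so the value sshd reads
# (the first occurrence wins) is the one we set; appends when no line matches.
set_sshd_option() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[#[:space:]]*${key}[[:space:]]" "$file"; then
        sed -E "s|^[#[:space:]]*${key}[[:space:]].*|${key} ${value}|" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# sshd_value FILE KEY: the value sshd will actually use (first uncommented line).
sshd_value() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# harden_sshd FILE PORT: step 8. A backup is left beside the file.
harden_sshd() {
    file=$1; port=$2
    case "$port" in ''|*[!0-9]*) echo "port must be a number" >&2; return 1 ;; esac
    if [ "$port" -lt 1024 ] || [ "$port" -gt 65535 ]; then
        echo "choose a port between 1024 and 65535" >&2; return 1
    fi
    cp -p "$file" "$file.bak"
    set_sshd_option "$file" Port "$port"
    set_sshd_option "$file" LoginGraceTime 12
    set_sshd_option "$file" PermitRootLogin no
}

# write_fail2ban_jail FILE PORT: step 9, but into jail.local. jail.conf belongs
# to the package and is overwritten on upgrade; jail.local overrides it and stays.
write_fail2ban_jail() {
    cat > "$1" <<EOF
[DEFAULT]
bantime  = 80000
findtime = 30000
maxretry = 2

[sshd]
enabled = true
port    = ssh,$2
EOF
}

# non_root_users: login accounts other than root, i.e. what you will log in as
# once PermitRootLogin is no.
non_root_users() {
    awk -F: '$3 >= 1000 && $3 < 60000 && $7 !~ /nologin|false/ { print $1 }' /etc/passwd
}

main() {
    port=${1:?usage: $0 PORT [NEWUSER]}
    if [ -n "$2" ] && ! id "$2" >/dev/null 2>&1; then
        adduser --gecos '' "$2"            # prompts for the password, as in the post
    fi
    if [ -z "$(non_root_users)" ]; then
        echo "no non-root login account exists; PermitRootLogin no would lock you out" >&2
        exit 1
    fi
    harden_sshd /etc/ssh/sshd_config "$port"
    # Never restart on a config sshd cannot parse: restore the backup instead.
    sshd -t || { cp -p /etc/ssh/sshd_config.bak /etc/ssh/sshd_config; exit 1; }
    write_fail2ban_jail /etc/fail2ban/jail.local "$port"
    # Step 7 as a sysctl.d drop-in instead of appending to sysctl.conf.
    printf 'net.ipv4.icmp_echo_ignore_all = 1\nnet.ipv4.icmp_echo_ignore_broadcasts = 1\n' \
        > /etc/sysctl.d/60-icmp.conf && sysctl -p /etc/sysctl.d/60-icmp.conf
    systemctl restart ssh fail2ban     # 'service ssh restart; service fail2ban restart' on older releases
    echo "sshd now listens on port $(sshd_value /etc/ssh/sshd_config Port); test a new login before closing this session"
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it as root, for instance `sh harden.sh 22222 Sec0ndUser`, keep the current SSH session open, and confirm that a fresh login on the new port works before closing it. The `sshd -t` check puts the backup back if the edited file does not parse, which is the failure that would otherwise leave the server without a working sshd after the restart.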
#2
Why didn't you add using key authentication?

Also ICMP is much easier to block in iptables.
http://FreeVPS.club - Free VPSs!
#3
If you really want to tighten your security with WHM/cPanel installed, here is an article about security basics.
https://rilexweb.com/vps-server-hardenin...c-via-whm/

Hope it'll help you to secure your server enough.
#4
(10-21-2015, 12:51 PM)Conan Wrote: Why didn't you add using key authentication?

Also ICMP is much easier to block in iptables.

I made a passwordless tutorial too. But it is not more secure than a complex password. It is just convenient because you do not have to enter your password every time.
#5
What does login grace time do? Is it something like an auto time-out?
#6
(05-01-2016, 12:19 PM)meetdilip Wrote: What does login grace time do ? Is it something like auto time out ?

When you connect to an SSH server, you have this much time to enter your username and password.
If the time runs out without authentication, or you entered wrong authentication information, then you will be disconnected from the server.
#7
Actually I never thought of this; a great idea and a very informative thread indeed. It might be a bit more helpful if you add the necessary OS versions to the topic's name. Great attempt though, keep it up!
#8
Thanks for explaining @Dudi . I was just wondering whether or not to tamper with Login Grace Time.
#9
(10-21-2015, 04:49 PM)Dudi Wrote:
(10-21-2015, 12:51 PM)Conan Wrote: Why didn't you add using key authentication?

Also ICMP is much easier to block in iptables.

I made a passwordless tutorial too. But it is not more secure than a complex password. It is just convenient because you do not have to enter your password every time.

Sorry for the necro. I just want to reply on this.

It is MORE SECURE than a complex password. It would take years to crack those private keys. Who would want to brute-force a 2048-bit key?
Passwords are less secure and can easily be brute-forced. No one would dare brute-force a 2048-bit key unless you're a very important person.
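Posts #2, #4 and #9 argue over keys versus passwords; whichever side you take, the practical problem is turning password logins off without locking yourself out, the same trap step 8 of the tutorial warns about for PermitRootLogin. The script below is an added example, not from the thread: it validates a public-key line (key type in an allowed list, base64 that decodes, and an embedded type that matches the declared one, which catches a pasted line whose type and blob do not belong together), installs it with the permissions sshd's StrictModes requires, and only then sets PasswordAuthentication no. It assumes Debian/Ubuntu paths; the function names, the key line and the user in main() are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: the switch to key-only logins done in an
# order that cannot lock you out. The key is validated and installed first,
# and PasswordAuthentication is only turned off once a usable key is on file.

# valid_pubkey "TYPE BASE64 [COMMENT]"
# Accepts a plain OpenSSH public-key line (no options prefix such as from=).
# The base64 blob must decode and, per the OpenSSH wire format, its first
# length-prefixed string (4-byte length, then the bytes) must repeat the type.
valid_pubkey() {
    set -- $1
    [ "$#" -ge 2 ] || return 1
    case "$1" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 1 ;;
    esac
    embedded=$(printf '%s' "$2" | base64 -d 2>/dev/null | tail -c +5 | head -c "${#1}")
    [ "$embedded" = "$1" ]
}

# install_authorized_key HOME PUBKEY
# Appends the key once, with the modes sshd's StrictModes insists on. When run
# as root for another user, chown the .ssh directory afterwards (see main).
install_authorized_key() {
    home=$1; key=$2
    valid_pubkey "$key" || { echo "rejected public key" >&2; return 1; }
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys" && chmod 600 "$home/.ssh/authorized_keys"
    grep -qxF "$key" "$home/.ssh/authorized_keys" || printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
}

# key_count HOME: number of usable key lines in authorized_keys.
key_count() {
    n=0
    [ -f "$1/.ssh/authorized_keys" ] || { echo 0; return 0; }
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        if valid_pubkey "$line"; then n=$((n + 1)); fi
    done < "$1/.ssh/authorized_keys"
    echo "$n"
}

# disable_password_auth SSHD_CONFIG HOME
# Refuses unless HOME has a valid key. Each keyword is rewritten in place:
# every matching line, commented or not, collapses to one, because sshd
# honours the first occurrence of a keyword. Match blocks are not handled.
disable_password_auth() {
    file=$1
    [ "$(key_count "$2")" -gt 0 ] || { echo "no valid key in $2/.ssh/authorized_keys, refusing" >&2; return 1; }
    cp -p "$file" "$file.bak"
    for opt in "PubkeyAuthentication yes" "PasswordAuthentication no" "ChallengeResponseAuthentication no"; do
        awk -v k="${opt% *}" -v v="${opt#* }" '
            $0 ~ ("^[#[:space:]]*" k "[[:space:]]") { if (!done) print k, v; done = 1; next }
            { print }
            END { if (!done) print k, v }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    done
}

main() {
    user=${1:?usage: $0 USER "PUBLIC-KEY-LINE"}; pubkey=${2:?}
    home=$(getent passwd "$user" | cut -d: -f6)
    [ -n "$home" ] || { echo "no such user: $user" >&2; exit 1; }
    install_authorized_key "$home" "$pubkey" && chown -R "$user:" "$home/.ssh"
    disable_password_auth /etc/ssh/sshd_config "$home"
    sshd -t || { cp -p /etc/ssh/sshd_config.bak /etc/ssh/sshd_config; exit 1; }
    systemctl restart ssh                # 'service ssh restart' on older releases
    echo "password logins are off; verify 'ssh -i KEY $user@host' from another window before closing this session"
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

Generate the pair on the client with `ssh-keygen -t ed25519`, pass the one-line contents of the `.pub` file as the second argument, and keep the session you ran this from open until a key login from a second window has succeeded; if it fails, the `.bak` copy of sshd_config restores password logins.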
#10
I want to say that installing unattended-upgrades is unnecessary on 16.04. On my install it is already installed. I don't know about the minimal Ubuntu installations, but if you do not have a minimal install, you can skip that step.