arrow_upward

Pages (2):
Thread Rating:
  • 1 Vote(s) - 5 Average
  • 1
  • 2
  • 3
  • 4
  • 5
How to secure your VPS server
#1
Information 
Hello Everyone,

In this tutorial I'm going to show you that how can you make the basic things that you can secure your Debian/Ubuntu based VPS server.

Let's start!
  • 1. Login to your VPS server over SSH.

    If you have a root account, then login with root.
    If do not have a root account then you must login with the user that is available, but  you must write sudo before every commands.

  • 2. If you are on your server first update the packages list with

    apt-get update

  • 3. After that update and install the newest packages with

    apt-get upgrade

  • 4. Install unattended-upgrades

    apt-get install unattended-upgrades


    With this package you can easily install security updates in the future.

  • 5. Run unattended-upgrades

    unattended-upgrade -v

    This will install security updates. This will take 1-2 minutes.
    After it is finished then restart your VPS.

    reboot

  • 6. Set the correct date, time and timezone

    dpkg-reconfigure tzdata

    First choose the continent that you are on. http://kepfeltoltes.hu/151021/1_continen...es.hu_.png
    Then select the city where you are living. http://kepfeltoltes.hu/151021/2_citiy_se...es.hu_.png
    Nota bene: If you would like to see your local time then do this above.
    But you can choose your VPS's physical location too if you would like to see how much is the time where the VPS is located at.

  • 7. Disable answering to PING requests

    First install my favorite command line text editor which is nano.

    apt-get install nano

    Then open and edit a text config file with nano

    nano /etc/sysctl.conf

    Simple copy and paste these two lines to the end of the file:
    net.ipv4.icmp_echo_ignore_all = 1
    net.ipv4.icmp_echo_ignore_broadcasts = 1

    Then press CTRL and X at the same time to exit from Nano.
    Then save and overwrite the old file by pressing Y then ENTER keys.

  • 8. Change default SSH port, lower login grace time and disable root login with nano

    nano /etc/ssh/sshd_config

    Find these lines:

    Port 22
    You can change this to anything, but I advise to choose from 10000 to 65535 range.

    LoginGraceTime 120
    Lower it 12

    PermitRootLogin yes
    Change it to no.
    :exclamation: Warning! Disable root login is advised only if you have got at least one other account on your VPS that you can login with.
    If you don't have an another user on your VPS other than root and you disable root login then you won't be able to login to your VPS server anymore.

    Then press CTRL and X at the same time to exit from Nano.
    Then save and overwrite the old file by pressing Y then ENTER keys.

    :idea: But you can create a second user easily.
    Use numbers in the username and if someone would like to hack your server then he has much harder work to guess the username with numbers and then guess the password too.

    adduser Sec0ndUser --force-badname

    Then enter the new user's password, then repeat it.
    You don't have to fill the other fields, simple press ENTERs.
           Full Name []:
           Room Number []:
           Work Phone []:
           Home Phone []:
           Other []:
    Is the information correct? [Y/n]

    If you logged in to your VPS with normal user and would like to do modifications then you can use sudo before every command to gain root access, or simple change user with the su command.

  • 9.Install and configure Fail2ban

    Your VPS is a public server on the web and everyone can see it.
    A lot of hackers would like to get into it and steal your data and resources to send SPAM emails or attack other servers with your VPS.
    To prevent this we disabled ping answers, root login over SSH, changed SSH ports. But we always can do more.
    To install one of the best security software for Linux enter this:
    apt-get install fail2ban

    To configure we have to edit config files with nano:
    nano /etc/fail2ban/jail.conf

    Find these lines and make changes like I did:
    bantime  = 80000
    findtime = 30000
    maxretry = 2
    [ssh]
    enabled  = true
    port     = ssh,12345

    Note: 12345 should be your previously chosen SSH port number in Step 8.
    Then save it.

    You can check when and where the hackers from want to access your VPS by typing:
    cat /var/log/fail2ban.log

    Don't worry, of course fail2ban successfully stopped them.
    Here you can see their IP addresses.
    If you would like to know that where they are from, then enter this:
    wget -qO- http://getipaddr.net/more/index.php?ip=8.8.8.8

    8.8.8.8
    Country: United States
    Country code: US
    Region: CA
    Region code: California
    City: Mountain View
    94040
    Latitude: 37.386
    Longitude: -122.0838
    Timezone: America/Los_Angeles
    ISP: Google
    Organization: Google
    ASN: AS15169 Google Inc.
    rDNS: 8.8.8.8

    This just example, you must replace Google's IP address with the hackers' IP address that you can find in fail2ban.log.

  • +1 Choose the right password
    Your passwords should be very long and very complex.
    You don't have to remember to it, simple use a password manager application.
    I suggest to use KeePass. It's free and opensource.
    You can donwload it from here: http://keepass.info/

Congratulations!
If you did all of the above then you are ready with securing with your VPS server.

Please use the [Image: thumbsup.png] button below. Thx.
#2
Why didn't you add using key authentication?

Also ICMP is much easier to block in iptables.
http://FreeVPS.club - Free VPSs!
#3
If you really want to tighten your security with WHM/cPanel installed here is an Article about security basics.
https://rilexweb.com/vps-server-hardenin...c-via-whm/

Hope it ll help you to secure your server enough.
[Image: a3ad5cfbf5.png]
[Image: trk1]
#4
(10-21-2015, 12:51 PM)Conan Wrote: Why didn't you add using key authentication?

Also ICMP is much easier to block in iptables.

I made a passwordless tutorial too. But it is not more secure than a complex password. It is just convenient because you do not have to enter your password every time.
#5
What does login grace time do ? Is it something like auto time out ?
#6
(05-01-2016, 12:19 PM)meetdilip Wrote: What does login grace time do ? Is it something like auto time out ?

When you connect to an SSH server then you have this time to enter your username and password. 
If the time is over and it is without authentication or you entered wrong authentication informations then you will be disconnected from the server.
#7
Actually I never thought of this, a great idea and a very informative thread indeed, might be a bit more helpful if you add the necessary OS versions to the topic's name, great attempt tho keep it up!
#8
Thanks for explaining @Dudi . I was just wondering whether or not to tamper with Login Grace Time.
#9
(10-21-2015, 04:49 PM)Dudi Wrote:
(10-21-2015, 12:51 PM)Conan Wrote: Why didn't you add using key authentication?

Also ICMP is much easier to block in iptables.

I made a passwordless tutorial too. But it is not more secure than a complex password. It is just convenient because you do not have to enter your password every time.

Sorry for the necro. I just want to reply on this.

It is MORE SECURE than a complex passwords. It would take years to crack those private keys. Who would want to brute force a 2048bit key?
Passwords are less secure and can easily be bruteforced. No one would dare bruteforce a 2048bit key unless you're a very important person.
http://FreeVPS.club - Free VPSs!
#10
I want to say that installing unattended-upgrades is unnecessary at 16.04. At my install it is yet installed, I don't know about the minimal Ubuntu installations, but if you do not have a minimal install, you can skip that step.
Pages (2):



person_pin_circle Users browsing this thread: 3 Guest(s)
Sponsors: VirMach - Host4Fun - CubeData - Evolution-Host - HostDare - Hyper Expert - Shadow Hosting - Bladenode - Hostlease - RackNerd - ReadyDedis - Limitless Hosting