Secure My VPS

Beniskickbutt Member
edited January 22 in Help

As someone who has familiarity working in Linux but not on the administrative side: do people have a guideline for how to secure a vanilla VPS?

I tend to refer to random guides from DigitalOcean, i.e.
https://www.digitalocean.com/community/tutorials/an-introduction-to-securing-your-linux-vps

Does the LET community have somewhat of a de facto guide as to how people usually approach this? I've done some things I think are simple, such as disabling root logins, fail2ban, complex passwords, changing ports for SSH.

Wondering what else is out there. I understand each application or open port you throw on there can introduce new vulnerabilities, but I'm looking for what the typical setup is if, say, you threw a fresh install of AlmaLinux or Alpine onto a VPS.

PS: The search function is sloww :(

Thanked by plumberg

Comments

  • chitree Member
    edited January 22

    I would suggest setting up a firewall and only allowing incoming traffic on the ports you're hosting on.

    Thanked by Beniskickbutt
  • Andreix Member, Host Rep
    edited January 22

    Maybe this article would help: How to Secure a Vanilla VPS

  • https://ivansalloum.com/collections/linux-server-security/

    Initial steps

    • disable root login
    • change ssh port
    • key based auth
  • thx, these are awesome, especially that GitHub repo; makes it a lot easier than hopping around to various blogs

  • @Beniskickbutt said: PS: The search function is sloww

    Thanks for contacting Low End Support.
    As per your request, your search time has been doubled.

    Regards.

  • @ShadowLurker said:
    https://ivansalloum.com/collections/linux-server-security/

    Initial steps

    • disable root login
    • change ssh port
    • key based auth

    Don't forget to disable password logins altogether!

  • kevinds Member, LIR

    @Beniskickbutt said:
    As someone who has familiarity working in Linux but not on the administrative side: do people have a guideline for how to secure a vanilla VPS?

    Not really because it depends on what you are running on your 'vanilla VPS'.

    Disabling passwords and using keys for SSH instead is a big one.

    Changing the port does very little, it is still found and published in the various databases, it just takes a little longer.

    Thanked by Beniskickbutt
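The key-only SSH setup the replies above converge on (root login off, password authentication off, keys in) as an added example; this is not code from any post in the thread. It assumes an sshd that reads drop-ins from /etc/ssh/sshd_config.d/ (Debian 11+, Ubuntu 20.04+, AlmaLinux 9), an admin user called `admin` and a placeholder public key; ROOT is a path prefix so the functions can be dry-run against a temp directory before touching a live host:

```shell
#!/bin/sh
# Added example (not from the thread): key-only SSH in one drop-in file,
# plus the authorized_keys install and a read-back check.
# ROOT is a path prefix: "/" on the real host, a temp dir for a dry run.
# The user name, key text and file names are assumptions for illustration.
set -eu

# sshd includes /etc/ssh/sshd_config.d/*.conf before the main file and uses
# the FIRST value it sees for a keyword, so a drop-in wins over the stock
# sshd_config (and over a stray "PasswordAuthentication yes" in it).
write_sshd_dropin() {
    dir="${1%/}/etc/ssh/sshd_config.d"
    mkdir -p "$dir"
    cat > "$dir/90-hardening.conf" <<'EOF'
# key-only: close every password path, not just PasswordAuthentication
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
AuthenticationMethods publickey
PubkeyAuthentication yes
PermitRootLogin no
MaxAuthTries 3
LoginGraceTime 20
EOF
    printf '%s\n' "$dir/90-hardening.conf"
}

# Append a public key once (no duplicates) and set the modes that sshd's
# StrictModes insists on. Prints the number of keys now installed.
install_admin_key() {
    home="${1%/}/home/$2"; pubkey=$3
    mkdir -p "$home/.ssh"
    if ! grep -qxF "$pubkey" "$home/.ssh/authorized_keys" 2>/dev/null; then
        printf '%s\n' "$pubkey" >> "$home/.ssh/authorized_keys"
    fi
    chmod 700 "$home/.ssh"
    chmod 600 "$home/.ssh/authorized_keys"
    wc -l < "$home/.ssh/authorized_keys" | tr -d ' '
}

# Read the drop-in back: 0 if every password path is closed and root is
# locked out, 1 otherwise. On the live host prefer `sshd -T`, which prints
# the merged configuration sshd will actually enforce.
sshd_dropin_ok() {
    f="${1%/}/etc/ssh/sshd_config.d/90-hardening.conf"
    [ -f "$f" ] || return 1
    for want in 'PasswordAuthentication no' 'KbdInteractiveAuthentication no' \
                'PermitRootLogin no' 'AuthenticationMethods publickey'; do
        grep -qix "$want" "$f" || return 1
    done
    return 0
}

# Real run, as root: sh harden-ssh.sh --apply admin "ssh-ed25519 AAAA... you@laptop"
# Keep the current session open until a fresh key login works.
if [ "${1:-}" = "--apply" ]; then
    write_sshd_dropin /
    install_admin_key / "$2" "$3"
    chown -R "$2:" "/home/$2/.ssh"
    sshd -t && systemctl reload sshd   # sshd.service is an alias of ssh.service on Debian
fi
```

Before reloading, `sshd -t` refuses a config with a typo, and after reloading `sshd -T | grep -Ei 'passwordauthentication|permitrootlogin|authenticationmethods'` shows the values sshd actually merged, which is the check that catches a cloud-init or vendor drop-in that sorts before yours. On a distro whose sshd_config has no `Include` line, append the same directives to /etc/ssh/sshd_config instead.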
  • On Debian: enable unattended-upgrades :wink:

  • @Carlin0 said:
    On Debian: enable unattended-upgrades :wink:

    Never heard of or used this; does this auto-reboot my VPS? That would be disastrous lol

    I'm also just using the normal methods as mentioned by OP ie.

    • changing SSH port
    • use of SSH key
    • Disable password authentication
    • UFW

    I think these don't protect me from DDoS, but I leave this to the provider. Oh, and I put Cloudflare (free) in front of all my VPSes, wishfully thinking it might help with malicious attempts :wink:

  • plumberg Veteran, Megathread Squad

    I would do the opposite of what everyone has said

    Never update the OS
    Keep port 22 open to internet. Heck, I would go further to disable ssh and enable telnet access only
    Keep root login enabled
    Never use a key based login
    Keep simple passwords --> 123456
    If you want to add bit more security, use a bigger password --> 0123456

    /ₛ

  • @plumberg said:
    I would do the opposite of what everyone has said

    Never update the OS
    Keep port 22 open to internet. Heck, I would go further to disable ssh and enable telnet access only
    Keep root login enabled
    Never use a key based login
    Keep simple passwords --> 123456
    If you want to add bit more security, use a bigger password --> 0123456

    /ₛ

    Lol, I was trying to write an str_ireplace script to remove, open to closed, etc in your instructions. And, Cloudflare decided to even block typing the comment cause it thought it was an attack. :lol:

    Thanked by plumberg
  • plumberg Veteran, Megathread Squad

    @Beniskickbutt said:

    PS: The search function is sloww :(

    Yeah, that is kept slow so as to make people write more posts, which in turn get more comments, which garner more views.

    It's intentional. Don't worry.

    Thanked by Beniskickbutt
  • What I do is disable root, add it to my Tailscale account, turn on Tailscale SSH and disable ssh.

    Thanked by Beniskickbutt
  • edited January 23

    Does it need to be that complicated? For me, disabling password login is enough.

  • @plumberg said:
    I would do the opposite of what everyone has said

    Never update the OS
    Keep port 22 open to internet. Heck, I would go further to disable ssh and enable telnet access only

    But telnet is great (or at least telnet-ssl), no one ever bothers to brute-force on telnet (everyone is so focused on ssh).

    Thanked by plumberg
  • emaiI Member
    edited January 23

    You could set up a VPN. Not the most convenient but very cool as you won't need to worry about exposed ssh

    I use this terrible script I made, that should give you an idea

    Or instead of changing port, pick a random IPv6 from the /64 and listen on it.

    @cookrobert8418 said:
    Does it need to be that complicated? For me, disabling password login is enough.

    Depends on how paranoid you are... But it's better to protect even against yourself
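The "pick a random IPv6 from the /64 and listen on it" idea above, as an added example that is not from any post in this thread. It assumes the provider routes the whole /64 to the VM (not every VPS gets one), an interface named eth0, and the documentation prefix 2001:db8:abcd:1234::/64 as a stand-in for yours:

```shell
#!/bin/sh
# Added example (not from the thread): choose a random address inside the
# /64 routed to this VM and point sshd at it. Prefix, interface name and
# port are assumptions for illustration.
set -eu

# Build "<prefix>:<h1>:<h2>:<h3>:<h4>" from a prefix written as
# "2001:db8:1:2::/64" and 16 hex digits of host part.
ipv6_from_parts() {
    prefix=${1%::/64}
    hex=$2
    printf '%s:%s:%s:%s:%s\n' "$prefix" \
        "$(printf '%s' "$hex" | cut -c1-4)" \
        "$(printf '%s' "$hex" | cut -c5-8)" \
        "$(printf '%s' "$hex" | cut -c9-12)" \
        "$(printf '%s' "$hex" | cut -c13-16)"
}

# 64 random bits from the kernel CSPRNG as 16 hex digits. A scanner cannot
# sweep 2^64 hosts, which is the whole point of the trick; it is still only
# obscurity, since the address leaks via DNS, logs and shell history.
random_host_hex() {
    od -An -N8 -tx1 /dev/urandom | tr -d ' \n'
}

random_ipv6_in_64() {
    ipv6_from_parts "$1" "$(random_host_hex)"
}

# Sanity check before adding the address to the interface: is it really
# inside the prefix the provider routes? A typo here creates an address
# nobody can reach.
in_prefix_64() {
    prefix=${2%::/64}
    case "$1" in
        "$prefix":*) return 0 ;;
        *) return 1 ;;
    esac
}

# Real run, as root: sh v6-sshd.sh --apply 2001:db8:abcd:1234::/64
if [ "${1:-}" = "--apply" ]; then
    addr=$(random_ipv6_in_64 "$2")
    in_prefix_64 "$addr" "$2"
    ip -6 addr add "$addr/64" dev eth0
    # sshd now binds this one address only; the IPv4 side is no longer reachable
    printf 'ListenAddress %s\nPort 22\n' "$addr" > /etc/ssh/sshd_config.d/70-v6only.conf
    sshd -t && systemctl reload sshd
    printf '%s\n' "$addr"
fi
```

`ip -6 addr add` does not survive a reboot, so the same address has to go into Netplan or /etc/network/interfaces as well, and the firewall has to permit the port on that address. Keep a second way in (console, or the old listener on another port) until you have confirmed a login over the new address, since a `ListenAddress` line that points at an address the box does not hold makes sshd fail to start.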

  • cloudflare tunnel is also a great tool to build a web

  • MivoCloud Member, Host Rep

    Here are the key points for securing your server:

    1. Configure a firewall: Protect your server by setting up a firewall to block unauthorized access and allow only necessary traffic.
    2. Disable remote root access: Reduce vulnerabilities by restricting direct remote access to the root account.
    3. Use a strong password: Ensure your passwords are complex, unique, and secure to prevent unauthorized access.
    4. Set up and use a VPN: For enhanced security, configure a VPN to access the server instead of exposing it directly to the internet.
    5. Implement server monitoring: Regularly monitor your server's performance and review logs to gain insights into activity and detect potential issues.

    These measures will greatly enhance the security and reliability of your server.

  • silun Member

    @plumberg said:
    Keep port 22 open to internet. Heck, I would go further to disable ssh and enable telnet access only
    Keep root login enabled

    Great thinking! Telnet has the added advantage that you can just put the root login details in the rejection message in case you forget them.

    Thanked by plumberg
  • @truemagic said:

    @Carlin0 said:
    On Debian: enable unattended-upgrades :wink:

    Never heard of or used this; does this auto-reboot my VPS? That would be disastrous lol

    You need to configure it
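What "you need to configure it" looks like in practice, as an added example that is not from any post in this thread: the two files that switch unattended-upgrades on and pin its reboot policy, plus a read-back of the value apt will actually use. It assumes Debian's packaged unattended-upgrades and its default file names under /etc/apt/apt.conf.d/; ROOT is a path prefix so the functions can be dry-run against a temp directory:

```shell
#!/bin/sh
# Added example (not from the thread): configure unattended-upgrades on
# Debian so it installs security updates on its own but never reboots.
# ROOT is a path prefix ("/" on the real host, a temp dir for a dry run).
# File names and the policy below are assumptions for illustration.
set -eu

# Turns the daily apt timers on. This is the same file that
# `dpkg-reconfigure unattended-upgrades` writes.
write_periodic_conf() {
    d="${1%/}/etc/apt/apt.conf.d"
    mkdir -p "$d"
    cat > "$d/20auto-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
}

# Local overrides. apt reads apt.conf.d in lexical order and the last value
# wins, so a file sorting after the package's 50unattended-upgrades
# overrides it without editing a conffile that upgrades would want back.
write_local_policy() {
    d="${1%/}/etc/apt/apt.conf.d"
    mkdir -p "$d"
    cat > "$d/52unattended-upgrades-local" <<'EOF'
// security suite only, not every update in stable
Unattended-Upgrade::Origins-Pattern {
    "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
};
// never reboot on its own; a new kernel simply waits for you
Unattended-Upgrade::Automatic-Reboot "false";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
EOF
}

# Effective reboot policy: scan apt.conf.d in the order apt does and keep
# the last Automatic-Reboot value seen. Prints "true" or "false"
# (false is also the tool's own default when nothing sets it).
effective_auto_reboot() {
    d="${1%/}/etc/apt/apt.conf.d"
    val=false
    for f in "$d"/*; do
        [ -f "$f" ] || continue
        v=$(sed -n 's/^[[:space:]]*Unattended-Upgrade::Automatic-Reboot[[:space:]]*"\([a-z]*\)".*/\1/p' "$f" | tail -n 1)
        [ -n "$v" ] && val=$v
    done
    printf '%s\n' "$val"
}

# Real run, as root: sh auto-updates.sh --apply
if [ "${1:-}" = "--apply" ]; then
    apt-get install -y unattended-upgrades
    write_periodic_conf /
    write_local_policy /
    # shows what would be upgraded without touching anything
    unattended-upgrade --dry-run --debug
    printf 'Automatic-Reboot: %s\n' "$(effective_auto_reboot /)"
fi
```

`apt-config dump | grep Automatic-Reboot` is the authoritative read-back on a real host; the shell version above exists so the policy can be checked before the files go live. Note that with reboots off, a kernel security update is installed but not running until you reboot yourself, so `/var/run/reboot-required` is worth watching.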

  • @Beniskickbutt said:
    As someone who has familiarity working in Linux but not on the administrative side: do people have a guideline for how to secure a vanilla VPS?

    I tend to refer to random guides from digital ocean i.e.
    https://www.digitalocean.com/community/tutorials/an-introduction-to-securing-your-linux-vps

    Does the LET community have somewhat of a de facto guide as to how people usually approach this? I've done some things I think are simple, such as disabling root logins, fail2ban, complex passwords, changing ports for SSH.

    Wondering what else is out there. I understand each application or open port you throw on there can introduce new vulnerabilities, but I'm looking for what the typical setup is if, say, you threw a fresh install of AlmaLinux or Alpine onto a VPS.

    PS: The search function is sloww :(

    Consider setting up a firewall, using SSH keys instead of passwords, and regularly updating your system and packages.

  • yoursunny Member, IPv6 Advocate

    We do a manual install from Debian ISO or netboot.xyz.
    The manual installation prevents any backdoors in the template.
    During the install, the root password is left empty, so that the root account is disabled and a sudo account is created.

    Afterwards, we insert SSH public key for the user account and disable SSH password authentication.
    We then change SSH port to 222, and enable UFW to only allow 222 and what's needed for applications.

    Here are some of our initial setup commands, executed in sudo -i:

    # readline: no bracketed paste, so pasted command blocks run as typed
    echo 'set enable-bracketed-paste off' >> /etc/inputrc
    
    # apt: skip Recommends/Suggests to keep the install minimal
    echo -e 'APT::Install-Recommends "no";\nAPT::Install-Suggests "no";' >/etc/apt/apt.conf.d/80custom
    # sshd drop-in: dual-stack listen, non-default port, key-only auth
    echo -e 'ListenAddress ::\nPort 222\nPasswordAuthentication no' > /etc/ssh/sshd_config.d/80custom.conf
    # cap the persistent journal at 50M
    sed -i -E '/^#?SystemMaxUse=/ s|.*|SystemMaxUse=50M|' /etc/systemd/journald.conf
    # BBR congestion control; forwarding is only needed if the box routes or runs a VPN
    echo -e 'net.core.default_qdisc=fq\nnet.ipv4.tcp_congestion_control=bbr' > /etc/sysctl.d/80-tcp-bbr.conf
    echo -e 'net.ipv4.ip_forward=1\nnet.ipv6.conf.all.forwarding=1' >/etc/sysctl.d/80-ipfwd.conf
    
    # drop the installer's cdrom source, refresh indexes, replace nano with vim
    sed -i '/cdrom:/ d' /etc/apt/sources.list
    apt update
    apt purge -y nano
    # pre-answer the debconf prompt so iperf3 does not start as a daemon
    echo -e 'iperf3 iperf3/start_daemon boolean false' | debconf-set-selections
    echo | apt install -y curl git htop httpie iotop iperf3 jq mtr-tiny netplan.io screen tcpdump ufw vim
    # passwordless sudo for the sudo group; visudo still syntax-checks the result
    EDITOR="sed -i '/^%sudo/ s/ALL$/NOPASSWD: ALL/'" visudo
    
    # ufw: rate-limit SSH (6+ new connections in 30 s from one IP get dropped),
    # block outbound SMTP, open iperf3 and the application port
    ufw limit 222/tcp
    yes | ufw enable
    ufw deny out 25/tcp
    ufw allow 5201
    ufw allow 2015/tcp
    

    We will be inserting the SSH public key and writing the Netplan configuration, prior to reboot.

    Changing SSH port isn't necessary for security, but can reduce SSH login failure messages caused by automated scanners.
    We usually use ufw limit for the SSH port, but switch to ufw allow if we need to use rclone sftp targeting this server in which the rate limit would cause errors.

    Thanked by Beniskickbutt
  • For DDoS protection (somewhat; it's mostly brute-force protection) check out fail2ban or crowdsec.

    @MivoCloud said:
    Here are the key points for securing your server:

    1. Configure a firewall: Protect your server by setting up a firewall to block unauthorized access and allow only necessary traffic.
    2. Disable remote root access: Reduce vulnerabilities by restricting direct remote access to the root account.
    3. Use a strong password: Ensure your passwords are complex, unique, and secure to prevent unauthorized access.
    4. Set up and use a VPN: For enhanced security, configure a VPN to access the server instead of exposing it directly to the internet.
    5. Implement server monitoring: Regularly monitor your server's performance and review logs to gain insights into activity and detect potential issues.

    These measures will greatly enhance the security and reliability of your server.

    This is an AI reply, isn't it?

    Thanked by Beniskickbutt
  • MivoCloud Member, Host Rep
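A fail2ban sshd jail that follows a moved SSH port, as an added example that is not from any post in this thread. It assumes fail2ban 1.x as packaged on Debian 12/AlmaLinux 9 and the port 222 used earlier in the thread as a placeholder; ROOT is a path prefix so the jail and the cross-check against sshd's own config can be dry-run against a temp directory:

```shell
#!/bin/sh
# Added example (not from the thread): a fail2ban jail for sshd that bans on
# the port sshd really listens on. ROOT is a path prefix ("/" for the real
# host, a temp dir for a dry run); port, ban times and file name are
# assumptions for illustration.
set -eu

# Gotcha: the stock [sshd] jail uses "port = ssh" (22). With the default
# multiport ban action a ban only blocks that port, so a scanner hitting a
# moved port 222 keeps going unless the jail is told about 222.
write_sshd_jail() {
    d="${1%/}/etc/fail2ban/jail.d"; port=$2
    mkdir -p "$d"
    cat > "$d/sshd.local" <<EOF
[sshd]
enabled  = true
port     = $port
# read the journal; needed on hosts that have no /var/log/auth.log
backend  = systemd
maxretry = 4
findtime = 10m
bantime  = 1h
# repeat offenders: the ban doubles each time, up to a week
bantime.increment = true
bantime.maxtime   = 1w
EOF
    printf '%s\n' "$d/sshd.local"
}

# Port the jail bans on, read back from the file.
jail_port() {
    sed -n 's/^port[[:space:]]*=[[:space:]]*\([0-9a-z]*\).*/\1/p' "${1%/}/etc/fail2ban/jail.d/sshd.local"
}

# Every Port directive sshd will honour: drop-ins first, then the main file.
# Empty output means sshd is on its default, 22.
sshd_ports() {
    root=${1%/}
    cat "$root"/etc/ssh/sshd_config.d/*.conf "$root/etc/ssh/sshd_config" 2>/dev/null \
        | sed -n 's/^[[:space:]]*Port[[:space:]][[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

# 0 if the jail's port is one sshd listens on, 1 if the two disagree.
jail_matches_sshd() {
    jp=$(jail_port "$1")
    ports=$(sshd_ports "$1")
    [ -n "$ports" ] || ports=22
    for p in $ports; do
        [ "$p" = "$jp" ] && return 0
    done
    return 1
}

# Real run, as root: sh f2b-sshd.sh --apply 222
if [ "${1:-}" = "--apply" ]; then
    apt-get install -y fail2ban
    write_sshd_jail / "$2"
    jail_matches_sshd / || { echo "jail port $2 is not an sshd Port" >&2; exit 1; }
    systemctl enable --now fail2ban
    fail2ban-client reload
    fail2ban-client status sshd
fi
```

`fail2ban-client status sshd` lists the currently banned addresses and the total count, which is the quickest way to confirm the filter is actually matching your log format; an empty "Total failed" after a day on a public IP means the jail is reading the wrong log or the wrong backend. The `ufw limit` rule from the post above and this jail complement each other: ufw rate-limits new connections per source, fail2ban bans sources that keep failing authentication.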

    @wadhah said:
    For DDoS protection (somewhat; it's mostly brute-force protection) check out fail2ban or crowdsec.

    @MivoCloud said:
    Here are the key points for securing your server:

    1. Configure a firewall: Protect your server by setting up a firewall to block unauthorized access and allow only necessary traffic.
    2. Disable remote root access: Reduce vulnerabilities by restricting direct remote access to the root account.
    3. Use a strong password: Ensure your passwords are complex, unique, and secure to prevent unauthorized access.
    4. Set up and use a VPN: For enhanced security, configure a VPN to access the server instead of exposing it directly to the internet.
    5. Implement server monitoring: Regularly monitor your server's performance and review logs to gain insights into activity and detect potential issues.

    These measures will greatly enhance the security and reliability of your server.

    This is an AI reply, isn't it?

    Nope it's me :D

  • MivoCloud Member, Host Rep

    @wadhah said:
    For DDoS protection (somewhat; it's mostly brute-force protection) check out fail2ban or crowdsec.

    @MivoCloud said:
    Here are the key points for securing your server:

    1. Configure a firewall: Protect your server by setting up a firewall to block unauthorized access and allow only necessary traffic.
    2. Disable remote root access: Reduce vulnerabilities by restricting direct remote access to the root account.
    3. Use a strong password: Ensure your passwords are complex, unique, and secure to prevent unauthorized access.
    4. Set up and use a VPN: For enhanced security, configure a VPN to access the server instead of exposing it directly to the internet.
    5. Implement server monitoring: Regularly monitor your server's performance and review logs to gain insights into activity and detect potential issues.

    These measures will greatly enhance the security and reliability of your server.

    This is an AI reply, isn't it?

    Apparently this is the reason why I don't have any friends, it's too clumsy communication.

    Thanked by Beniskickbutt
  • @MivoCloud said:

    @wadhah said:
    For DDoS protection (somewhat; it's mostly brute-force protection) check out fail2ban or crowdsec.

    @MivoCloud said:
    Here are the key points for securing your server:

    1. Configure a firewall: Protect your server by setting up a firewall to block unauthorized access and allow only necessary traffic.
    2. Disable remote root access: Reduce vulnerabilities by restricting direct remote access to the root account.
    3. Use a strong password: Ensure your passwords are complex, unique, and secure to prevent unauthorized access.
    4. Set up and use a VPN: For enhanced security, configure a VPN to access the server instead of exposing it directly to the internet.
    5. Implement server monitoring: Regularly monitor your server's performance and review logs to gain insights into activity and detect potential issues.

    These measures will greatly enhance the security and reliability of your server.

    This is an AI reply, isn't it?

    Apparently this is the reason why I don't have any friends, it's too clumsy communication.

    hahaha no it's fine mate, my personal AI detector just hates lists with a passion now (especially with a conclusion sentence at the end). All good! Also who cares about friends, I have my servers' error logs to keep me company :D

    Thanked by MivoCloud
  • zGato Member

    @MivoCloud said:

    @wadhah said:
    For DDoS protection (somewhat; it's mostly brute-force protection) check out fail2ban or crowdsec.

    @MivoCloud said:
    Here are the key points for securing your server:

    1. Configure a firewall: Protect your server by setting up a firewall to block unauthorized access and allow only necessary traffic.
    2. Disable remote root access: Reduce vulnerabilities by restricting direct remote access to the root account.
    3. Use a strong password: Ensure your passwords are complex, unique, and secure to prevent unauthorized access.
    4. Set up and use a VPN: For enhanced security, configure a VPN to access the server instead of exposing it directly to the internet.
    5. Implement server monitoring: Regularly monitor your server's performance and review logs to gain insights into activity and detect potential issues.

    These measures will greatly enhance the security and reliability of your server.

    This is an AI reply, isn't it?

    Nope it's me :D

    You write pretty well then

    Thanked by Beniskickbutt
  • skorupion Member, Host Rep

    Root login: off
    SSH port: here
    SSH keys: used

    Do I follow this? Most times not.
    Will this get rid of all attacks: no
    Is there a true worry about getting your VPS hacked? 99% no; just using a strong password should be enough [I'm talking here 10+ chars with numbers & special chars]. Most of the abuse I've seen is from, well, bad passwords [I'm talking here about something like myname123] or downloading some malware accidentally [this is the thing that is most likely to occur].

  • something important is keeping the system and software updated
