Secure My VPS

As someone who has familiarity working in Linux but not on the administrative side... Do people have a guideline for how to secure a vanilla VPS?
I tend to refer to random guides from DigitalOcean, i.e.
https://www.digitalocean.com/community/tutorials/an-introduction-to-securing-your-linux-vps
Does the LET community have somewhat of a de facto guide as to how people usually approach this? I've done some things I think are simple, such as disabling root logins, fail2ban, complex passwords, changing ports for SSH.
Wondering what else is out there. I understand each application or open port you throw on there can introduce new vulnerabilities, but I'm looking for what's the typical setup if, say, you threw a fresh install of AlmaLinux or Alpine onto a VPS.
PS: The search function is sloww
Comments
I would suggest setting up a firewall and only allow the ports you're hosting on to be the only incoming ports.
https://github.com/imthenachoman/How-To-Secure-A-Linux-Server
Maybe this article would help: How to Secure a Vanilla VPS
https://ivansalloum.com/collections/linux-server-security/
Initial steps
thx, these are awesome, especially that GitHub repo, makes it a lot easier than hopping around to various blogs
Thanks for contacting Low End Support.
As per your request, your search time has been doubled.
Regards.
Don't forget to disable password logins altogether!
Not really because it depends on what you are running on your 'vanilla VPS'.
Disabling passwords and using keys for SSH instead is a big one.
Changing the port does very little, it is still found and published in the various databases, it just takes a little longer.
On Debian: enable unattended-upgrades
Never heard of or use this, does this auto reboot my vps? that would be disastrous lol
I'm also just using the normal methods as mentioned by OP ie.
I think these don't protect me from DDoS, but I leave this for the provider. Oh, and I put Cloudflare (free) in front of all my VPSes, wishfully thinking it might help with malicious attempts
I would do the opposite of what everyone has said
Never update the OS
Keep port 22 open to internet. Heck, I would go further to disable ssh and enable telnet access only
Keep root login enabled
Never use a key based login
Keep simple passwords --> 123456
If you want to add bit more security, use a bigger password --> 0123456
/ₛ
Lol, I was trying to write an str_ireplace script to remove, open to closed, etc in your instructions. And, Cloudflare decided to even block typing the comment cause it thought it was an attack.
Yeah - that is kept slow so as to allow making more posts, in turn getting more comments, which garner more views.
It's intentional. Don't worry.
What I do is disable root, add it to my Tailscale account, turn on Tailscale SSH and disable ssh.
Does it need to be that complicated? For me, disabling password login is enough.
But telnet is great (or at least telnet-ssl), no one ever bothers to brute-force on telnet (everyone is so focused on ssh).
You could set up a VPN. Not the most convenient but very cool as you won't need to worry about exposed ssh
I use this terrible script I made, that should give you an idea
Or instead of changing port, pick a random IPv6 from the /64 and listen on it.
Depends on how paranoid you are... But it's better to protect even against yourself
cloudflare tunnel is also a great tool to build a web
Here are the key points for securing your server:
These measures will greatly enhance the security and reliability of your server.
Great thinking! Telnet has the added advantage that you can just put the root login details in the rejection message in case you forget them.
You need to configure it
Consider setting up a firewall, using SSH keys instead of passwords, and regularly updating your system and packages.
We do a manual install from Debian ISO or netboot.xyz.
The manual installation prevents any backdoors in the template.
During the install, the root password is left empty, so that the root account comes disabled and sudo account is generated.
Afterwards, we insert SSH public key for the user account and disable SSH password authentication.
We then change SSH port to 222, and enable UFW to only allow 222 and what's needed for applications.
Here are some of our initial setup commands, executed in sudo -i:
We will be inserting the SSH public key and writing the Netplan configuration, prior to reboot.
Changing SSH port isn't necessary for security, but can reduce SSH login failure messages caused by automated scanners.
We usually use ufw limit for the SSH port, but switch to ufw allow if we need to use rclone sftp targeting this server in which the rate limit would cause errors.
For ddos protection (somewhat, it's mostly bruteforce protection) check out fail2ban or crowdsec.
This is an AI reply, isn't it?
Nope it's me
Apparently this is the reason why I don't have any friends, it's too clumsy communication.
hahaha no it's fine mate, my personal AI detector just hates lists with a passion now (especially with a conclusion sentence at the end). All good! Also who cares about friends, I have my servers' error logs to keep me company
You write pretty good then

Root login: off
SSH port: here
SSH keys: used
Do I follow this? Most times not.
Will this get rid of all attacks: no
Is there a true worry about getting your VPS hacked? 99% no, just using a strong password should be enough [I'm talking here 10+ chars with numbers & special chars]. Most of the abuse I've seen is from, well, bad passwords [I'm talking here about something like myname123] or downloading some malware accidentally [this is the thing that most likely is going to occur]. Something important is keeping the system and software updated.
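
Several replies above come down to two sshd settings: root login off and password logins off. The script below is an added example, not code from any poster in this thread. It audits those two settings offline and shows a common trap: sshd keeps the first value it reads for a keyword, so an earlier line can silently override your hardening. The function names and sample configs are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: offline audit of the SSH settings recommended in this thread.

# Print the effective global value of KEYWORD in an sshd_config FILE.
# sshd keeps the first value it reads for a keyword, keywords are
# case-insensitive, and lines after a "Match" line are conditional.
sshd_effective() {  # usage: sshd_effective FILE KEYWORD DEFAULT
  awk -v want="$2" -v def="$3" '
    { sub(/#.*/, "") }                        # strip comments
    NF == 0 { next }                          # skip blank lines
    tolower($1) == "match" { exit }           # global section ends here
    tolower($1) == tolower(want) { val = tolower($2); exit }
    END { print (val == "" ? def : val) }
  ' "$1"
}

# Print one OK/FAIL line per setting; both must be "no" to pass.
audit_sshd() {  # usage: audit_sshd FILE
  # Defaults apply when the keyword is absent (assumes OpenSSH 7.0+).
  root_val=$(sshd_effective "$1" PermitRootLogin prohibit-password)
  pass_val=$(sshd_effective "$1" PasswordAuthentication yes)
  [ "$root_val" = no ] && echo "OK   PermitRootLogin $root_val" \
                       || echo "FAIL PermitRootLogin $root_val"
  [ "$pass_val" = no ] && echo "OK   PasswordAuthentication $pass_val" \
                       || echo "FAIL PasswordAuthentication $pass_val"
}

# Constructed sample configs (not taken from any real server).
tmp=$(mktemp -d)
cat > "$tmp/shadowed.conf" <<'EOF'
# an earlier line, e.g. left behind by an image template
PasswordAuthentication yes
Port 222
PermitRootLogin no
# ignored by sshd: an earlier value already won
passwordauthentication no
EOF
printf 'Port 222\nPermitRootLogin no\nPasswordAuthentication no\n' \
  > "$tmp/hardened.conf"
# A setting that exists only inside a Match block is not global.
printf 'Match User deploy\n    PermitRootLogin no\n' > "$tmp/matchonly.conf"

for f in shadowed hardened matchonly; do
  echo "== $f.conf"; audit_sshd "$tmp/$f.conf"
done
```

The parser does not follow `Include` lines; on a live host, `sshd -T` prints the effective configuration with includes resolved.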