Box Security

ricardoricardo Member
edited March 2014 in General

I generally just create a secure password for my account with a provider and a secure password for root access to a VPS. On the scale of not bothered to tin foil hat I'm closer to not bothered but appreciate that I don't want/shouldn't leave easy access to resources for people to abuse.

I don't host anything massively secretive or important, and all of it can be replaced, it's just a slight headache when I have to.

Noticed tonight that one of my VPS' which had its OS magically reinstalled also had a couple of extra users in /etc/passwd (vpn related usernames). Looking at logs it'd seem to be an SSH brute force attempt, though I am with a few sh1tty providers and I wouldn't be surprised if their own security leads to any access to my box. I've since added some iptables rules for SSH access.

Anyways, the question is, what do you do, by default, to secure your own box?

Off the top of my head I'm thinking:

  • Obviously, long difficult to guess passwords.
  • Disable/remove any outward facing services you don't use
  • Whitelist IPs for SSH access if possible, otherwise disable SSH access for root

Anything in particular that you do?

Comments

  • WorldWorld Veteran

    Never say "Security".

    Maybe you could use two-factor authentication.

  • ricardoricardo Member
    edited March 2014

    Would you prefer 'more secure'?

    I forgot to mention disabling SSH password access completely and just using an RSA/DSA key. I add my key to all new servers so that's something I might implement.

  • awsonawson Member
    edited March 2014

    disable password login

    different ssh port

    disable root login

    strong passwords for sudo

    basic stuff gets the job done

  • tchentchen Member

    add: don't run things as root if you can help it.

  • @awson said:
    disable password login

    different ssh port

    disable root login

    strong passwords for sudo

    basic stuff gets the job done

    Pretty much this, minus changing the ssh port which doesn't do much other than cut down on the crap in the logs.

    I always use pub key auth and disallow root login. It's easy enough to login as an unprivileged user and su to root if needed.

  • Never reuse your passwords. Use a password manager.

  • AdducAdduc Member

    Set up iptables to filter access to a whitelist of IPs for your SSH port, if possible.

  • blackblack Member

    I'd agree with this. It's better to use port knocking like knockd instead of changing your SSH default port.

    Thanked by 1MCHPhil
  • NekkiNekki Veteran

    At the very least, I restrict SSH access to specific users on specific IPs, so only my VPN connections can get in.

    Fail2Ban is also so easy to set up, there's really no excuse not to do so. If it's a slow day at work, I'll stick CSF on too. But mostly I can only be arsed with the first one.

    Thanked by 1mpkossen
  • @black said:
    I'd agree with this. It's better to use port knocking like knockd instead of changing your SSH default port.

    Be aware that knockd must be highly available and auto-restarted in any case; otherwise, your ssh is inaccessible.

  • blackblack Member

    @bookstack said:
    Be aware that knockd must be highly available and auto-restarted in any case; otherwise, your ssh is inaccessible.

    I've never had issues with it, but good to know.
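
An added example, not part of any post in the thread: a small auditor that checks an sshd_config against the checklist repeated above (no password login, no root login, public key auth on). The sample config is constructed, the absent-keyword defaults are assumptions stated in the comments, and `Include` files are not followed.

```python
import re

# Constructed sample config (not from a real server).
SAMPLE_CONFIG = """\
# managed by hand
Port 2222
PermitRootLogin without-password
passwordauthentication no
PasswordAuthentication yes
AllowUsers deploy@198.51.100.7
Match Address 203.0.113.0/24
    PasswordAuthentication yes
"""

# The thread's checklist. Keys are lowercased because sshd ignores keyword case.
WANTED = {"passwordauthentication": "no", "permitrootlogin": "no",
          "pubkeyauthentication": "yes"}
# Assumed value when a keyword is absent. PermitRootLogin is assumed "yes"
# (the default on older OpenSSH releases) so a missing line gets flagged.
DEFAULTS = {"passwordauthentication": "yes", "permitrootlogin": "yes",
            "pubkeyauthentication": "yes"}

def parse(text):
    """Return (global_settings, [(match_criteria, settings), ...])."""
    global_cfg, blocks = {}, []
    current = global_cfg
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {}                    # later lines belong to this block
            blocks.append((value, current))
        else:
            current.setdefault(key, value)  # sshd keeps the first value it sees
    return global_cfg, blocks

def audit(text):
    """List every setting that is weaker than the checklist asks for."""
    global_cfg, blocks = parse(text)
    scopes = [("global", {**DEFAULTS, **global_cfg})]
    scopes += [(f"Match {crit}", cfg) for crit, cfg in blocks]
    return [f"{scope}: {key} is {cfg[key]!r}, checklist wants {want!r}"
            for scope, cfg in scopes for key, want in WANTED.items()
            if key in cfg and cfg[key].lower() != want]
```

On the sample it reports two findings: root login is only restricted to keys rather than disabled, and the `Match` block turns password login back on for one address range even though the global setting is `no`.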
