

Comments
Those are all good steps, but if you want advanced security, you can configure your VPS to allow logins only from a specific IP, such as your VPN.
top security - power off
🤨
Block unused ports
Update software regularly
protect against brute force attacks (fail2ban)
Use monitoring tools
Backups
Set up email notification about SSH logins
Disable SSH login for admin/root
Change SSH port
Set a secure password, or better, a key
Perform minimal installation
Why disable root? Why change port? Why firewall? Why fail2ban? I do automated upgrades and SSH key-based login, that's it; you don't need more.
that doesn't sound very unobservable...
I prefer adding 'ip r a black 0.0.0.0/0' to my post-up.
Never have to worry about getting hacked unless someone has a leaky control panel
just don't use colocrossing...
Besides the basics like changing the SSH port, disabling root login, disabling password login, and setting up fail2ban, I usually take a few extra steps. I set up a firewall using UFW or iptables to allow only the ports I need. I rely solely on SSH keys for authentication, no passwords at all. If I'm using any web panels like Webmin or phpMyAdmin, I always enable 2FA, and I keep an eye on logs using tools like Logwatch. These small things really help keep the VPS more secure in the long run.
This kind of thread is always fun to read. Actual value near zero but fun to read. My personal favourite: post factum measures like fail2ban, ideally with auto-email...
Instead of exposing your server to the public, close all ports and expose only the WireGuard UDP port for SSH, with mail alerts
After that you can go wild on your server (I think?)
Just unplug the UTP cable.
That's the only way of security. Maybe.
I often just change the SSH port to avoid curious people, auth with secure key only with keypass, disable weak ciphers & algos (see ssh-audit), disable timestamps & some things in sysctl.conf & IPv6 I don't need.
That's all, no fw, or just iptables if needed to restrict. Always check with netstat -patnu.
Always use a protected ddos provider.
You can do all things in the ssh tunnel, except wireguard (udp).
sudo shutdown now
why waste resources with fail2ban. just block port and allow your ip.
You've covered most of the important steps.
The only other suggestion I have is to configure your firewall to block specific countries that you don't plan on having any connections with, and to close any ports you won't need for VPS use. It is a lengthy process, but it's important to really secure a server.
A sensible tip? Here? Something must be kaputt ...
I turn on Tailscale ssh and turn off sshd
Setup 2FA for ssh logins:
https://lowendbox.com/blog/using-google-authenticator-for-ssh-and-console-connections-to-your-vps/
We have the same setup, very helpful.
Disable SSH, access by VNC
I just block all the ports and open only the ports I use
I use an Oracle VPS and so far blocking all ports (from the cloud console), setting up strong passwords, key-based SSH login and accessing through Tailscale has kept me pretty safe. Will try to implement this (https://github.com/imthenachoman/How-To-Secure-A-Linux-Server) once I get my hands on a new server.
Note if you're using docker: I recently discovered that the default docker installation doesn't play nice with UFW and bypasses it to open ports. This isn't a problem if your provider comes with their own fw on top of your machine's fw (like that of Oracle). So make sure to read up on how to mitigate that. Though I am not sure if this is a good practice, you could alternatively only expose a reverse proxy container that shares network with containers you need to access.
Have you given podman a try? I gave it a run on a smaller VPS and it was a bit more tedious to set up, but it shouldn't be able to mess with your firewall
No I haven't. Heard podman has issues with some containers I generally use so haven't given it a try.
However, I did find a simple script for the docker problem: ufw-docker. This adds some rules to ufw that prevents docker from exposing ports while maintaining docker's ability to maintain container networks.
Alternatively, we could also just publish ports on our local IP for local access and not worry about extra rules.
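
The Docker point in the last few comments (published ports bypassing UFW unless they are bound to a local address) can be checked mechanically. The following is an added example, not part of the thread: it parses Docker Compose short-syntax `ports:` entries and reports the ones not restricted to loopback. The sample list and the function names are constructed for illustration.

```python
import re

# Constructed sample: "ports:" entries in Docker Compose short syntax.
SAMPLE_PORTS = [
    "8080:80",                 # no host IP given
    "127.0.0.1:5432:5432",     # loopback only
    "0.0.0.0:6379:6379/tcp",   # explicitly all IPv4 interfaces
    "[::1]:9000:9000",         # IPv6 loopback only
    "51820:51820/udp",         # no host IP given
    "3000",                    # container port only
]

LOOPBACK = re.compile(r"^(127\.\d+\.\d+\.\d+|::1)$")


def parse_port(entry):
    """Split a mapping into (host_ip, host_port, container_port, proto)."""
    spec, _, proto = entry.partition("/")
    proto = proto or "tcp"
    host_ip = None
    if spec.startswith("["):                 # bracketed IPv6 host address
        host_ip, _, spec = spec[1:].partition("]:")
    parts = spec.split(":")
    if host_ip is None and len(parts) == 3:  # ip:host_port:container_port
        host_ip, parts = parts[0], parts[1:]
    if len(parts) == 2:
        host_port, container_port = parts
    elif len(parts) == 1:
        # Only a container port: Docker picks an ephemeral host port.
        host_port, container_port = None, parts[0]
    else:
        raise ValueError(f"unrecognised port mapping: {entry!r}")
    return host_ip, host_port, container_port, proto


def exposed_beyond_loopback(entries):
    """Return the mappings that are not restricted to a loopback address.

    With no host IP, Docker's default is to publish on all interfaces.
    """
    findings = []
    for entry in entries:
        host_ip = parse_port(entry)[0]
        if host_ip is None or not LOOPBACK.match(host_ip):
            findings.append(entry)
    return findings


if __name__ == "__main__":
    for entry in exposed_beyond_loopback(SAMPLE_PORTS):
        print("reachable beyond localhost:", entry)
```

Entries it reports are the ones to rebind to `127.0.0.1`, put behind the reverse proxy, or cover with the ufw-docker rules mentioned above.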