How To Secure a VPS/VDS

How to secure a VPS/VDS

I’m sure many of us have operated a VPS at some point. It could be a one-click application from DigitalOcean/Vultr or even a VPS purchased for use as a webserver or something else.

Most providers do an “ok” job on making sure that no one can just get into your server. However, there are more things that you can do to make your VPS/VDS more secure.

Disable Root Login

The first thing you can do is disable root login. This will eliminate the possibility of gaining root access directly from the Internet. It is required that you have another user that can log in via SSH and also has sudo privileges.

First we need to create a new standard user and assign it to the sudo group. Replace user with your desired username. You’ll be prompted for various information such as full name, room number and some other things. You can simply hit ENTER to skip those.

adduser user
usermod -aG sudo user

Now let’s edit the configuration for SSH so you cannot log in as root.

nano /etc/ssh/sshd_config

You need to locate PermitRootLogin and change the value from Yes to No. You can search for strings in nano by using Ctrl + W and search for PermitRootLogin if you can’t find it.

PermitRootLogin no

Now write and close the file by hitting Ctrl + X and be sure to press y when asked to save the modified buffer. Now all we have to do is restart the SSH daemon so the settings will be applied. Before you restart the SSH daemon, please verify that you have added your new user to the sudo group!

service sshd restart

Keep in mind that you will no longer be able to login as root. You’ll have to log in as the new user you created to manage your server. To gain access to a root shell while logged in as a standard user, type the following in your terminal:

sudo su

To drop from the root shell back to your user, simply type exit.

REMEMBER: To execute commands as an administrator, you’ll need to add sudo before your command. For instance to restart a service, you’ll need to use sudo service sshd restart.

Change your SSH port

Another simple thing you can do is change your SSH port. This will help defend against brute-force scripts that are run on common SSH ports. Keep in mind that this does not hide SSH as anyone can run a port scan on your server to find it. This is simply to mitigate the attempts from pre-made scripts that look for the most common ports.

Important: If you use ufw or have a firewall on your hosting provider, you’ll need to allow this new port so you can communicate with your server. Please open/allow this new port before doing any of the following steps. If you’re using ufw, simply add the new rule with sudo ufw allow [port]/tcp. Replace [port] with your desired port number. If you use a cloud firewall, you’ll need to add it in your hosting provider’s control panel.

To get started, SSH into your server as root or as a user with sudo permissions. Once you’re in, you need to edit /etc/ssh/sshd_config. You can do that with nano.

sudo nano /etc/ssh/sshd_config

To change your port setting, find the Port line and change it to any valid port number you like. This line my also be commented out since by default SSH will run on port 22. You should see something like this:

#Port 22
#AddressFamily any
#ListenAddress ::

Simply uncomment the Port option by deleting the # and change it.

Port 57
#AddressFamily any
#ListenAddress ::

Now write and close the file by hitting Ctrl + X and be sure to press y when asked to save the modified buffer. To apply the new setting, you’ll need to restart the SSH daemon.

sudo service sshd restart

Install Fail2Ban

Fail2ban scans log files and bans IPs that show the malicious signs – too many password failures, seeking for exploits, etc. Generally Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time, although any other arbitrary action could also be configured.

To install Fail2Ban on Ubuntu, simply execute the following:

sudo apt update && sudo apt upgrade -y && sudo apt install fail2ban

If you’re on CentOS, do the following:

yum update && yum install epel-release && yum install fail2ban

Fail2Ban shouldn’t be used on its own. Please make sure you have added a user with sudo privileges and disable root login, as well as change up your SSH port. You don’t need to do anything after installing Fail2Ban unless you want to configure it. Configuring Fail2Ban is outside the scope of this tutorial, but you can learn more about it here. Please don’t end up locking yourself out of your own server. You have 3 attempts to log in before your IP will be blacklisted. So make sure you know your username/password/port!

Use SSH Keys

SSH keys are essential to many, and make the process of logging into a server very secure.

First we need to create the key pair. You can do this with puttygen on Windows. Simply open puttygen and generate a new key pair.

You’ll be asked to move your cursor around the blank area to create some extra randomness. Once the key has been generated, keep note of your public key. You’ll be pasting the public key into the ~./ssh/authorized_keys file on the remote server.

Now SSH into the server that you’d like to login with keys. Replace public_key_string with your public key.

mkdir -p ~/.ssh && echo public_key_string >> ~/.ssh/authorized_keys

Remember that you must do this logged in as the user you with to login with. If you want to login to the root account with SSH keys, you’ll need to login as root.

Now you can disable password authentication.

sudo nano /etc/ssh/sshd_config

Search for PasswordAuthentication and change its value to no.

Keep your server up-to-date

This is the most basic thing you can do. Keeping your server and its software up to date will usually alleviate any exploits a particular system or piece of software may have had. Granted, you have to trust the software you’re using to release updates on a regular basis. It is not recommended to use any outdated software on a production machine, as this can pose security risks.