2

So I have a VPS, and I have no idea how to administer it. I understand one of the first things to do is secure it, and the first concrete step in that direction I've found so far is in moshen's comment:

Also, you should secure your SSH access as soon as possible. I recommend changing the default port, using key-based authentication and disabling password authentication and root logins (basically create a standard user account for you to log in with)

So far, all I know how to do is use my VPS provider's web interface to open a console with root access. So how do I follow moshen's advice?

Community
  • 1
brentonstrine
  • 179

4 Answers4

7

So I have a VPS, and I have no idea how to administer it.

That's the single biggest argument for managed hosting I've ever seen. Hacked servers are responsible for a large portion of the nonsense that makes the internet a bad place. Hosting phishing pages, spreading malware. If you're going to do this, I hope you do it properly.

To give you some sort of idea of the long term undertaking, I'd read through this: What Can Be Done To Secure Ubuntu Server? There are other questions like it on the site (dozens) with good answers but this one has some nice vast answers.

For SSH, I've been over all of these in long-form on my blog but the key points are:

  • Move it to another port. Something high, in the 10,000-60,000 range.
  • Install fail2ban.
  • Use key based authentication.
  • Disable password authentication.
  • Disable root login (make sure your user is in the admin group).
  • Make sure your user doesn't have a guessable name (eg admin).

Just moving the port will deflect 99.99% of drive-by hacking attempts. fail2ban will stop any brute attempts from being viable. Forcing key-based auth means the number of guesses a brute would take is now in the range of billions of billions. Disabling root login and having a harder-to-guess username means they don't even have a username with which to start bruting: they have to brute for the username before they even get to the password element.

This results in a fairly secure SSH server. There would have to be a pretty horrific exploit in it for people to get through it... But don't put all your focus on making the door as impenetrable as possible and then ignoring the open window.

  • Web applications (of all dynamic languages) are hackable. If you're using open source scripts, you need to keep on top of their updates.
  • A firewall should be stopping people getting to services that shouldn't be exposed to the internet (MySQL for example).
  • Otherwise secure services will let people right in if you're not applying patches to them (and restarting them after patching).
Community
  • 1
Oli
  • 299,380
0

If you have a network, the recommended way to secure ssh is to use the AllowUsers statement with a username and ip address. It will limit connecting to the server to just the username and ip address specified and no one else, for example, AllowUsers user1@192.168.1.75 allows the username user1 that's required to be previously already created on the server, and it must have the ip address 192.168.1.75 and this one line statement will block all other connections that do not have that username and unique ip address.

So say you want to secure a computer with an ip of 192.168.1.106 and you already installed ssh on it, and want the following computers to connect to it, 192.168.1.1, 192.168.1.2, 192.168.1.3, 192.168.1.4, and 192.168.1.5, then create five AllowUsers statements at the end of your /etc/ssh/sshd_config on the server to do this.

AllowUsers user1@192.168.1.1
AllowUsers user1@192.168.1.2
AllowUsers user1@192.168.1.3
AllowUsers user1@192.168.1.4
AllowUsers user1@192.168.1.5

The same username is used in each statement or vary the username (whatever), and only these five computers on the network are allowed to connect to the ssh server, after you restart the ssh server, service ssh restart. Now you have a secure network to connect to the server computer without worrying and can rest easy knowing that AllowUsers is preventing any attempts from any bad or unknown computers actually connecting to our safe network. This is how I secure my production servers and computers to them to connect with each other including to connect server to server this way. Happy coding.

Stan S.
  • 487
0

For start what you actually only need to do is add your user, by typing in:

adduser username
usermod -a -G sudo username

After you supply your password and other data you can login into your server as user using ssħ username@yourserverip. You can still run root commands using sudo for ex.

sudo apt-get install something

I recommend making root password strong using command:

passwd

...as root which will issue password changing.

There's no need to change ssh port if you have strong passwords, ssh is secure enough and it's totally ok to run it on default port. Ssh will be the last thing hackers will hack if that would be the case.

offlinehacker
  • 149
0

To change sshd settings open /etc/ssh/sshd_config file change file as you need. To change the port search fort Port 22 line and change the 22 to another value for example 4530.

So when you connect to your server via ssh you have to use ssh user@host -p 4530

Disable root login change PermitRootLogin yes to PermitRootLogin no

Most of the time key based authentication is enabled by default but make sure it is enabled PubkeyAuthentication yes.

Before disabling the password authentication create a ssh key for you using ssh-keygen if you haven't before and add it to your VPS user account. usually ~/.ssh/authorized_keys

First check your keybased authentication is working and then disable the password authentication - PasswordAuthentication yes

Then install a tool like denyhosts to block IPs from accessing sshd.

Manula Waidyanatha
  • 8,755