#1 2017-04-26 10:35:13

defong
Trusted Member
Registered: 2013-05-10
Posts: 14

How to secure VPS

Need a bit of brainstorm, it's been ages since I dealt with Linux, mainly a Windows guy.

So the context is you got the VPS, you install Debian OS.

You managed to ssh on to the VPS as root.

Where to go from there, everything bar from deploying a web server?

#2 2017-04-26 14:06:57

mikho
Low End Mod
From: Hell and gore == Sweden
Registered: 2013-03-02
Posts: 1,298

Re: How to secure VPS

Depends on the distro you have (most often Debian on LES) and the web server you would like to run.

You could go with this guide to set up a Nibbleblog: https://www.lowendguide.com/3/webserver … -lighttpd/
Or Ghost: https://www.lowendguide.com/3/webserver … d-mariadb/

Those are two of many guides that you could do, please be a bit more specific.

#3 2017-04-26 16:02:26

defong
Trusted Member
Registered: 2013-05-10
Posts: 14

Re: How to secure VPS

Oops


I meant more of system admin tasks

like
sshd_config settings
user and group setup
fail2ban
ufw
iptables

that kind of thing

all prior to setting up a webserver

In a sense you literally just got the Debian OS up and running, and only have the root user to begin with.

I kept finding I just jump in as root and set up a webserver

#4 2017-05-02 14:39:25

lemon
Trusted Member
Registered: 2015-08-27
Posts: 139

Re: How to secure VPS

Probably just the host node needs a firewall setup, because nobody knows your assigned ports.
Apache or nginx don't run as root by default, you can edit this in the config.
If you want max security when logging in via SSH, change the port and use login via key,
and/or disable root login via password.

Last edited by lemon (2017-05-02 14:40:07)

#5 2017-05-03 08:23:57

mikho
Low End Mod
From: Hell and gore == Sweden
Registered: 2013-03-02
Posts: 1,298

Re: How to secure VPS

defong wrote:

Oops
I meant more of system admin tasks

like
sshd_config settings
user and group setup
fail2ban
ufw
iptables

that kind of thing

all prior to setting up a webserver

In a sense you literally just got the Debian OS up and running, and only have the root user to begin with.

I kept finding I just jump in as root and set up a webserver

 
 
Well, in general I google alternatives for a specific task I need to be done, then read up on the alternatives and if needed, ask specific questions ... Like "How do I disable root logins on SSH?".
Asking a wide generic question will almost never give you an answer that you like, since no one knows what you are thinking :)

You will probably end up with a bunch of suggestions that will give you more options than you started with and the result is that you say "f*ck it, I don't need it anymore" and you end up with an unsecure system.

My best advice is to "be as specific as you can be" when asking questions, help me to help you. :)

I will now post some links to pdf files on the "system admin tasks" topic and I bet that you will say "I'm not reading that much text" :P

http://www.tldp.org/LDP/sag/sag.pdf
http://linux-training.be/linuxsys.pdf
ftp://ftp.micronet-rostov.ru/linux-supp … 202010.pdf
http://www.linuxtraining.co.uk/download … odules.pdf


#6 2017-05-03 09:55:41

WSS
Trusted Member
Registered: 2016-12-22
Posts: 255

Re: How to secure VPS

As @mikho says, we really need more information to assist you in helping yourself. So, you've installed Debian - cool. Which version? Did you add the backports repository and upgrade everything? Have you got any local SQL service locked to localhost (it is by default)? Have you made a non-root user after installing sudo so you can actually use your system after disabling root login via ssh?


#7 2017-05-09 08:14:07

defong
Trusted Member
Registered: 2013-05-10
Posts: 14

Re: How to secure VPS

Thanks guys,

I know I've asked in a very broad manner, but at least I can refer back to here.

@mikho thanks for posting those PDFs, I will try to get around to reading it all someday, probably the one with less than 300 pages.


@WSS
backports repository, never known about that, just generally use the default or added repository to /etc/apt/sources.list

so I guess my task list is
apt-get update
apt-get upgrade

Create a non-root user
    play around with sshd_config settings
    user to login via private key
    disable user to login via password
Install sudo
Test it then
    disable root login
then restrict ssh via IP / fail2ban
work out how to use group

#8 2017-05-20 17:06:30

CheapPatzer
Trusted Member
Registered: 2015-05-20
Posts: 12

Re: How to secure VPS

I don't recommend fail2ban unless you have another stable way to get into your server should you become locked out.

The way fail2ban works is that multiple, failed attempts will cause the server to firewall the IP address that is the source of the failures. Generally, you'll need to access the machine through the physical console (which you wouldn't have access to in this case) or the virtual serial console to correct the issue. Unless you're skilled at doing this and sure that it will work it is better to handle this in another way.

My suggestion is to move SSH to a non-default port (which is standard here on LES if you are accessing your server over IPv4 due to NAT) and to disable passworded login. Then password guessing attempts (which seem to be the bulk of what fail2ban is used to prevent against) can't work.

If you run into someone hammering your server with login requests then you can manually update your firewall rules.

Last edited by CheapPatzer (2017-05-20 17:07:01)


No caffeine and no chess make CheapPatzer go something something...
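
Added example, not part of any post in this thread: a read-only shell check of the sshd_config settings named in posts #7 and #8 (root login, password login, port). The function names and the sample file are constructed for illustration; Include files and Match blocks are not evaluated.

```shell
#!/bin/sh
# Added example, not from the thread: read-only check of an sshd_config file
# against the settings the posts recommend.

# Print every value given for one keyword in the global section, in file
# order. Keywords are case-insensitive; a Match line starts a conditional
# block, which is not evaluated here.
sshd_values() {  # usage: sshd_values <file> <keyword>
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
        /^#/ || /^$/ { next }
        {
            split($0, kv, /[ \t=]+/)
            key = tolower(kv[1])
            if (key == "match") exit
            if (key == want) print tolower(kv[2])
        }' "$1"
}

# Print one finding per line; print nothing when all three checks pass.
audit_sshd() {  # usage: audit_sshd <file>
    # For these two keywords sshd uses the first value it reads.
    root=$(sshd_values "$1" PermitRootLogin | sed -n 1p)
    pass=$(sshd_values "$1" PasswordAuthentication | sed -n 1p)
    # Port may be repeated and every value is used; none at all means 22.
    ports=$(sshd_values "$1" Port | tr '\n' ' ')
    [ "$root" = no ] || echo "PermitRootLogin=${root:-unset}: want no"
    [ "$pass" = no ] || echo "PasswordAuthentication=${pass:-unset}: want no"
    case " ${ports:-22} " in
        *" 22 "*) echo "Port: sshd still listens on 22" ;;
    esac
    return 0
}

# Constructed sample: "PermitRootLogin no" was appended at the end, but the
# earlier "yes" is the value sshd uses.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 2222
PermitRootLogin yes
passwordauthentication no
PermitRootLogin no
Match User backup
    PasswordAuthentication yes
EOF
audit_sshd "$sample"
rm -f "$sample"
```

On a live host, `sshd -T` prints the configuration sshd resolves itself, which also covers Match and Include handling.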

#9 2017-05-20 19:55:47

WSS
Trusted Member
Registered: 2016-12-22
Posts: 255

Re: How to secure VPS

You can easily whitelist your own IP(s) with Fail2ban. I don't recommend Fail2ban, because sshguard is a much better product and doesn't require Python.

Also, since wheezy is long dead and it's unlikely for many of us to upgrade to Jessie - you can use wheezy-backports-sloppy. It will give you binaries that won't sidegrade to Jessie perfectly, but they're often newer than what's in wheezy-backports.

Last edited by WSS (2017-05-20 20:55:32)
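
Added example, not part of any post and not fail2ban's own code: a simplified shell model of the behaviour described in posts #8 and #9, counting failed sshd password attempts per source address and listing the addresses that reach a threshold unless they are on an ignore list. The log lines, addresses and the would_ban and sample_log functions are constructed; the time window fail2ban applies is left out.

```shell
#!/bin/sh
# Added example, not fail2ban's code: which source addresses reach <maxretry>
# failed sshd password attempts in a log, skipping allowlisted addresses.

would_ban() {  # usage: would_ban <maxretry> [allowlisted-ip ...] < logfile
    max=$1; shift
    awk -v max="$max" -v allow=" $* " '
        / sshd\[[0-9]+\]: Failed password for / {
            # The user name is client-supplied and may itself contain
            # "from", so take the address after the LAST "from".
            ip = ""
            for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip == "" || index(allow, " " ip " ")) next
            if (++fails[ip] == max) print ip
        }'
}

# Constructed auth.log lines (documentation address ranges). 198.51.100.9
# guesses passwords; 203.0.113.7 is the admin mistyping a password before
# logging in with a key.
sample_log() {
    cat <<'EOF'
May 20 17:00:01 vps sshd[901]: Failed password for root from 198.51.100.9 port 40001 ssh2
May 20 17:00:03 vps sshd[902]: Failed password for invalid user admin from 198.51.100.9 port 40002 ssh2
May 20 17:00:05 vps sshd[903]: Failed password for invalid user from from 198.51.100.9 port 40003 ssh2
May 20 17:01:10 vps sshd[910]: Failed password for alice from 203.0.113.7 port 51000 ssh2
May 20 17:01:20 vps sshd[911]: Failed password for alice from 203.0.113.7 port 51001 ssh2
May 20 17:01:30 vps sshd[912]: Failed password for alice from 203.0.113.7 port 51002 ssh2
May 20 17:02:00 vps sshd[913]: Accepted publickey for alice from 203.0.113.7 port 51003 ssh2
EOF
}

echo "threshold 3, no allowlist:"
sample_log | would_ban 3
echo "threshold 3, admin address allowlisted:"
sample_log | would_ban 3 203.0.113.7
```

Without the allowlist the admin's own address is listed next to the guessing one, which is the lockout post #8 warns about.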

