LowEndSpirit Forum

This forum will be gone in 2020. Please use https://talk.lowendspirit.com for news, updates and offers; support will be handled directly by your VPS provider via their ticket system from now on.

#1 2014-08-06 17:57:37

zeph
Trusted Member
Registered: 2014-08-02
Posts: 20

Fundamental Securing of a VPS

These are my basic steps when I get a new VPS/Server. I hope somebody finds this useful.

Step 0: Change the password of root

When you first log in to your server, you should always change your root password. Your password should have at least 15 alphanumeric characters.
To change a password, enter the following command (you will not see any entered characters, but you will be asked to enter your password twice):

Step 1: Create a new User

Nevertheless, you should NEVER log in as root. So you need a new user. Create one with the following command:

# adduser --shell /bin/bash <username>

You will be asked to enter a password for the new account (keep in mind that you should use at least 15 characters) and to enter some details for the newly added account.

Step 2: Permit Root Login

After we have created a new account, we should disable root login via SSH.
Edit /etc/ssh/sshd_config and change the PermitRootLogin option to no.
Then restart the SSH server with

/etc/init.d/ssh restart

Now open a new connection to your server to test it. Keep in mind that you must log in as the new user.

Step 3: Login via SSH Certificate

As the last step, you should generate one or more SSH certificates to log in to your server.
Warning! You will not be able to log in via your password anymore. It is also important to protect your SSH certificate.
For Windows you can create an SSH certificate with PuTTYgen. Make sure to save the private key. This key is going to be your password.
Copy the public key into the file /home/<username>/.ssh/authorized_keys (make sure that the file has 600 as its file attribute). In /etc/ssh/sshd_config, uncomment the PasswordAuthentication option and set it to no. Restart the SSH server.
Open a second PuTTY session. To enter a private key into PuTTY, go to Connection->SSH->Auth and select the private key.
You should now be able to log on to your VPS only via your newly created user, and only with the generated SSH certificate. If you cannot log in, you should set PasswordAuthentication to yes and restart your SSH daemon. You should then be able to log in via your user and your given password.
I am not responsible for any damage to your server!

Last edited by zeph (2014-08-07 17:41:07)

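The procedure in the post above (steps 1 to 3) as an added, self-contained shell example; this is not code from zeph's post. It turns the user, key and sshd_config steps into functions that can be exercised against a throwaway copy first, and adds the config syntax check and the keyboard-interactive caveat the post does not mention. The function names (set_sshd_option, install_authorized_key, harden_sshd_config, validate_sshd_config, demo) are this example's own; the sample sshd_config and the public key are constructed for illustration; a Debian-style OpenSSH layout and a chown that accepts the "user:" form are assumed.

```shell
#!/bin/sh
# Added example, not code from the original post: the post's steps 1-3 as
# idempotent POSIX sh functions, plus the checks a practitioner wants before
# restarting sshd. Assumes an OpenSSH sshd_config in the Debian layout; the
# sample config and the public key below are constructed for illustration.
set -eu

# Set a global sshd_config keyword. sshd honours the FIRST occurrence of a
# keyword, so the directive is prepended (this also puts it ahead of any
# "Include sshd_config.d/*.conf" line, where cloud images often re-enable
# PasswordAuthentication). Earlier active copies of the keyword are removed
# so the file does not lie about what is in effect; commented-out lines
# are left alone. Assumption: no directives live inside a Match block.
set_sshd_option() {
    file=$1 key=$2 value=$3
    tmp="$file.tmp.$$"
    {
        printf '%s %s\n' "$key" "$value"
        grep -Ev "^[[:space:]]*${key}[[:space:]]" "$file" || true
    } > "$tmp"
    mv "$tmp" "$file"
}

# Print the effective value of a keyword (first active occurrence); prints
# nothing when it is unset, in which case sshd's compiled-in default applies.
get_sshd_option() {
    file=$1 key=$2
    grep -E "^[[:space:]]*${key}[[:space:]]" "$file" | head -n 1 | awk '{print $2}'
}

# Install a public key with the permissions sshd's StrictModes requires
# (a group- or world-writable ~/.ssh or authorized_keys is silently ignored,
# which is one common reason "the key does not work").
install_authorized_key() {
    home=$1 user=$2 pubkey=$3
    mkdir -p "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    grep -qxF "$pubkey" "$home/.ssh/authorized_keys" || \
        printf '%s\n' "$pubkey" >> "$home/.ssh/authorized_keys"
    chmod 700 "$home/.ssh"
    chmod 600 "$home/.ssh/authorized_keys"
    chown "$user:" "$home/.ssh" "$home/.ssh/authorized_keys"
}

# Steps 2 and 3 of the post. ChallengeResponseAuthentication goes beyond
# the post: with UsePAM yes, keyboard-interactive auth can still prompt for
# a password even after PasswordAuthentication no. (OpenSSH 8.7+ calls it
# KbdInteractiveAuthentication and accepts the old name as an alias.)
harden_sshd_config() {
    file=$1
    set_sshd_option "$file" PermitRootLogin no
    set_sshd_option "$file" PasswordAuthentication no
    set_sshd_option "$file" ChallengeResponseAuthentication no
    set_sshd_option "$file" PubkeyAuthentication yes
}

# Syntax-check before restarting: a typo here locks you out of the box.
validate_sshd_config() {
    command -v sshd >/dev/null 2>&1 || { echo "sshd not found" >&2; return 1; }
    sshd -t -f "$1"
}

# Constructed sample resembling a Debian default sshd_config (not copied
# from any real host), so the example can run offline against a copy.
write_sample_sshd_config() {
    cat > "$1" <<'EOF'
Include /etc/ssh/sshd_config.d/*.conf
#Port 22
#PermitRootLogin prohibit-password
#PubkeyAuthentication yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
Subsystem sftp /usr/lib/openssh/sftp-server
EOF
}

# Run the whole procedure in a throwaway directory (never touches /etc) and
# print that directory so the result can be inspected.
demo() {
    work=$(mktemp -d)
    write_sample_sshd_config "$work/sshd_config"
    harden_sshd_config "$work/sshd_config"
    install_authorized_key "$work/home" "$(id -un)" \
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYEXAMPLEKEYEXAMPLEKEYEXAMPLEKEY user@laptop"
    printf '%s\n' "$work"
}

# "sh harden-ssh.sh --demo" shows the hardened copy; the real run is manual.
if [ "${1:-}" = --demo ]; then
    dir=$(demo)
    cat "$dir/sshd_config" "$dir/home/.ssh/authorized_keys"
fi
```

For the real run, as root and after `adduser --shell /bin/bash <username>`: `install_authorized_key /home/<username> <username> "<public key>"`, then `harden_sshd_config /etc/ssh/sshd_config`, then `validate_sshd_config /etc/ssh/sshd_config && /etc/init.d/ssh restart`, and open a second session with the key before closing the one you are in. If you want key-only root logins instead of none, pass `prohibit-password` (older OpenSSH: `without-password`) as the PermitRootLogin value to set_sshd_option.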

#2 2014-08-06 21:42:38

CheapskatesUnion
Trusted Member
Registered: 2014-07-27
Posts: 55

Re: Fundamental Securing of a VPS

zeph wrote:

Edit the /etc/ssh/sshd_config, and change the PermitRootLogin option to no.

Newer versions of ssh allow you to set PermitRootLogin to without-password, which means that you can log in as root but only with a key, which is reasonably safe and even more convenient than logging in with a password.


#3 2014-08-06 22:16:47

mikho
Low End Mod
From: Hell and gore == Sweden
Registered: 2013-03-02
Posts: 1,838

#4 2014-08-07 06:03:02

bWolf
Trusted Member
Registered: 2014-06-18
Posts: 97

Re: Fundamental Securing of a VPS

Bottom:

"Post by user mikeyur and the thread is here" <-
It should be 'zeph'.

If someone has some spare time, topics to add:
-add update / upgrade to the guide (only updated systems are secure)
-add faillog / fail2ban
-add Iptables / ip6tables / nftables
-add guide on logs
-add disable icmp / broadcast (via settings or firewall)


#5 2014-08-07 09:20:47

Tripleflix
Trusted Member
Registered: 2014-05-12
Posts: 80

Re: Fundamental Securing of a VPS

Been playing with fail2ban on my Kimsufi for a while now; might make it into a guide.


#6 2014-08-07 12:00:33

mikho
Low End Mod
From: Hell and gore == Sweden
Registered: 2013-03-02
Posts: 1,838

Re: Fundamental Securing of a VPS

bWolf wrote:

Bottom:

"Post by user mikeyur and the thread is here" <-
It should be 'zeph'.

If someone has some spare time, topics to add:
-add update / upgrade to the guide (only updated systems are secure)
-add faillog / fail2ban
-add Iptables / ip6tables / nftables
-add guide on logs
-add disable icmp / broadcast (via settings or firewall)

Updated the author. Man, is my face red now, embarrassing.

Also updated the front page for the guides into more sections; that makes it easier to add different parts like the suggestions above.


#7 2014-09-01 18:27:06

alexjj
Trusted Member
Registered: 2014-09-01
Posts: 8

Re: Fundamental Securing of a VPS

I've always used linode's guide to securing a VPS: https://www.linode.com/docs/security/se … ur-server/
