How to secure a VPS server?

1. Disable root login

Do you want your VPS to be safe? Never log in as a root user.

On each VPS, by default you log in as “root”, which exposes you to brute-force attacks through which an attacker can gain access to the VPS. Turning off “root” login adds another layer of security: in addition to the password, the attacker must also guess the user name, which significantly hinders the task.

Instead of logging in as the root user, create a different user name and use the “sudo” command to execute root-level commands.

sudo – a program used in GNU/Linux, Unix and similar operating systems to enable users to run an application as a different system user. Most often it is used to run applications reserved for the administrator, called root.

Remember to create a user other than root before you disable the “root” account and give it the appropriate level of authorization.

When you’re ready, open the /etc/ssh/sshd_config file in nano or vi and find the “PermitRootLogin” parameter.

By default “yes” will be selected.

Change it to “no” and save changes.

2. Change the SSH port


It is hard to hack an SSH connection when it cannot be found. Changing the SSH port number can prevent malicious scripts from connecting directly to the default port (22).

To do this, open /etc/ssh/sshd_config, find the #Port 22 line and enter the selected port.

Remember to check carefully whether the selected port number is already used by another service, to avoid a conflict between services!

On my VPS, after the port change, login attempts have dropped to zero …

and that was how it looked before the changes

3. Update the server software

You can simply use the rpm/yum package manager (CentOS/RHEL) or apt-get (Ubuntu/Debian) to upgrade to newer versions of installed software, modules and components.

You can even configure the operating system to send package update notifications by email. This makes it easier to track changes. If you want to automate the task, you can set up a cron job to apply all available security updates on your behalf.

In addition, avoid installing unnecessary software, packages and services to minimize potential threats. This also has the positive side effect of improving server performance!

4. Disable IPv6


IPv6 has several advantages over IPv4, but you probably do not use it.

IPv6 (Internet Protocol version 6) – a communication protocol that is the successor to IPv4, created mainly because of the small and dwindling number of available IPv4 addresses. The basic tasks of the new version of the protocol are to increase the space of available addresses by increasing the address length from 32 bits to 128 bits, to simplify the protocol header and ensure its flexibility by introducing extensions, and to introduce support for service classes, authentication and data integrity.

Hackers often send malicious traffic over IPv6, and leaving the protocol open can expose you to potential exploits. To fix the problem, edit /etc/sysconfig/network and update the settings so that they read NETWORKING_IPV6=no and IPV6INIT=no.

5. Log in over SSH using an RSA key

Another way to avoid brute-force attacks is simply to disable password login; to log in to the server, the system will then require a unique RSA key, without which you will not be able to log in. Before we do that, we need to generate a pair of keys for logging in: a public key and a private key.

Each key consists of two halves: public and private.

The private half (usually stored in a file named identity or id) belongs only to the owner of the key and should be protected from access by unauthorized persons.

The public half (usually stored in a file named identity.pub or id.pub) is used to check whether a person logging in holds the matching private half.

In this way, anyone who has the public half (e.g. a VPS server) can check whether the other party (the key user) has the correct private half. The public half of the key does not contain information that allows you to impersonate the owner of the key – that is why it may be public (published on a website, sent via e-mail, etc.).

On Linux, we will generate the RSA key with the command:

ssh-keygen   # generate key

After executing the command, choose the location /home/user/.ssh/id_rsa and confirm with Enter. Optionally, we can protect the key with a password, or continue without an additional password for access to the key.

Once we have the keys, we must send our public key to the server using the command below, confirming the transfer with the password.

ssh-copy-id -i ~/.ssh/id_rsa.pub user@server_ip
# ssh-copy-id -i your_key user@server_ip

Now, when logging in, the system no longer requires a password from us; it uses the key that we sent it. Then all you need to do is disable password login by editing the /etc/ssh/sshd_config file and changing the PasswordAuthentication value to no.

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no

ATTENTION!!! If we accidentally delete the generated keys, we will not be able to log in to the server unless the VPS provider allows adding keys through its server manager, e.g. Google Cloud, DigitalOcean.
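
The sshd_config changes from steps 1, 2 and 5 can be checked in one pass. The script below is an added example, not part of the original article: the function names sshd_value and audit_sshd and the sample file are constructed for illustration, and the fallback defaults are upstream OpenSSH's, which a provider's image may override.

```shell
#!/bin/sh
# Added example (not from the article): audit the three sshd_config settings
# the article changes. Default values below are upstream OpenSSH's (assumption).

# Print the effective global value of keyword $2 in file $1, else default $3.
# Keywords are case-insensitive, "#" lines are comments, the FIRST occurrence
# of a keyword wins, and global settings end at the first Match block.
sshd_value() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[ \t]*#/ || NF == 0  { next }
        tolower($1) == "match" { exit }
        tolower($1) == want    { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# Print one line per weak setting; the return code is the number of findings.
audit_sshd() {
    n=0
    root=$(sshd_value "$1" PermitRootLogin prohibit-password)
    port=$(sshd_value "$1" Port 22)
    pass=$(sshd_value "$1" PasswordAuthentication yes)
    [ "$root" = no ] || { echo "PermitRootLogin is '$root', expected 'no'"; n=$((n + 1)); }
    [ "$port" != 22 ] || { echo "Port is still the default 22"; n=$((n + 1)); }
    [ "$pass" = no ] || { echo "PasswordAuthentication is '$pass', expected 'no'"; n=$((n + 1)); }
    return "$n"
}

# Constructed sample: root login left on, Port present only as a comment, and
# two PasswordAuthentication lines (sshd uses the first one, so this is "no").
sample=$(mktemp)
cat > "$sample" <<'EOF'
#Port 22
PermitRootLogin yes
passwordauthentication no
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF
audit_sshd "$sample" || echo "findings: $?"
rm -f "$sample"
```

On a live server, sshd -t validates the file before the service is restarted, and sshd -T prints the effective configuration, including anything pulled in through Include files, which this script does not follow.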
