Setup and Secure VPS
SECURE VPS
check if there are any login attempts from outside:
definition:
ssh: secure shell, a program and protocol for securely logging in to and running programs on remote machines across a network
Login to VPS via SSH
Update Package Lists and Upgrade Packages
Check if Reboot is needed
if the output is /var/run/reboot-required, a reboot is required: run "reboot"
Change root password
passwd
create non root user
type id in the terminal; if the output starts with uid=0(root), you are the root user.
adduser username
it will prompt for a password; set one
allow superuser privileges
usermod -aG sudo username
sudo su - username
to switch to the newly created user
login as non-root user
ssh username@your-ip-address
and run commands with sudo for root privileges
sudo stands for super user do
login with SSH key
make sure you are on the local machine
create a new ssh key
https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent
check the ssh public key
cat .ssh/id_ed25519.pub
to check the private key (this file stays on the local machine and is never copied to the VPS)
cat .ssh/id_ed25519
add the public key (the .pub file only) to the vps server...
log in to the VPS and check the current directory
pwd
create new directory named .ssh
mkdir .ssh
create a file named authorized_keys
nano .ssh/authorized_keys
paste and save the public ssh key here
next time you log in, ssh will use the key
disable password login
if you want to allow ssh login from multiple local computers, repeat the same steps for each one: create an ssh key on that local machine and add its public key to the vps server.
- go to the file
sudo nano /etc/ssh/sshd_config
- scroll down to PasswordAuthentication and set it to no.
- there is another config file to update (drop-in files under sshd_config.d are included before the main file, so a value set there wins)
sudo nano /etc/ssh/sshd_config.d/cloud-init.conf
- restart the ssh service
sudo service ssh restart
disable root login
- go to the file
sudo nano /etc/ssh/sshd_config
- scroll down to PermitRootLogin and set it to no.
- restart the ssh service
sudo service ssh restart
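As an added example (not from the original notes), a POSIX sh audit for the two sections above that resolves the effective value of each setting the way sshd does: the first value read wins, and the drop-in files under /etc/ssh/sshd_config.d/ (such as the cloud-init.conf mentioned above) are included before the rest of the main file, which is why editing only sshd_config can leave password login enabled. The option list in audit_sshd and the handling of Match blocks are this example's own choices.

```sh
#!/bin/sh
# Added example, not part of the original notes. sshd keeps the FIRST value it
# reads for an option, and Ubuntu's sshd_config begins with
# "Include /etc/ssh/sshd_config.d/*.conf", so "PasswordAuthentication yes" in
# sshd_config.d/50-cloud-init.conf silently wins over the "no" in the main file.
# Limitation: scanning stops at the first "Match" block (its values are conditional).

# effective_sshd_option <config-file> <option> -> prints the value, returns 1 if unset
effective_sshd_option() {
    _file=$1
    _want=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')   # option names are case-insensitive
    [ -r "$_file" ] || return 1
    while IFS= read -r _line || [ -n "$_line" ]; do
        _line=${_line%%#*}                  # drop comments
        set -- $_line                       # split into keyword + arguments
        [ $# -ge 2 ] || continue
        _key=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
        case $_key in
            match) break ;;                 # everything after Match is conditional
            include)
                shift
                for _pat in "$@"; do
                    case $_pat in /*) ;; *) _pat=/etc/ssh/$_pat ;; esac   # relative includes live in /etc/ssh
                    for _inc in $_pat; do   # expand the glob in sorted order, as sshd does
                        [ -f "$_inc" ] || continue
                        if _v=$(effective_sshd_option "$_inc" "$_want"); then
                            printf '%s\n' "$_v"; return 0
                        fi
                    done
                done ;;
            "$_want") printf '%s\n' "$2"; return 0 ;;
        esac
    done < "$_file"
    return 1
}

# audit_sshd <config-file>: checks the hardening settings from the notes above,
# prints one line per setting and returns 1 if any effective value is wrong.
audit_sshd() {
    _rc=0
    for _pair in PasswordAuthentication=no PermitRootLogin=no PubkeyAuthentication=yes; do
        _name=${_pair%%=*}; _expect=${_pair#*=}
        _got=$(effective_sshd_option "$1" "$_name") || _got='(unset, sshd default)'
        if [ "$_got" = "$_expect" ]; then echo "OK   $_name = $_got"
        else echo "FAIL $_name = $_got (want $_expect)"; _rc=1; fi
    done
    return $_rc
}

# usage on the VPS, after sourcing this file:  sudo sh -c '. ./audit.sh; audit_sshd /etc/ssh/sshd_config'
```

Cross-check the result against the daemon's own view with `sudo sshd -T | grep -iE 'passwordauthentication|permitrootlogin'`, which prints the effective configuration including Match handling.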
network and firewall policy
do it with ufw
Change default SSH port
- go to the file
sudo nano /etc/ssh/sshd_config
- there you will find the Port line for ssh (default 22); change it
Restrict port access to specific IP
same as above
Enable and configure automatic updates
https://github.com/mvo5/unattended-upgrades?tab=readme-ov-file#supported-options-reference
check if the service is running
Cloud Config
When ordering a VPS, you can choose from one of four different installation options. One of the options available is to use a cloud config file.
With a cloud-config file you can automatically adjust the configuration of a Linux server after the installation process: During the first boot of your server, a program called cloud-init reads the data in the cloud-config file and adjusts the configuration based on this file to your wishes. For example, you can create users, set passwords, add SSH keys, add repositories, install packages and much more.
docs : https://cloudinit.readthedocs.io/en/latest/reference/examples.html
sample: https://gist.github.com/w3cj/cdd447b1a10ce741e4ee968fa6b75553
or follow the steps described above one by one
Use a VPN to connect to a VPS
explore OpenVPN, WireGuard services
Configure 2FA on Ubuntu
doc link: https://ubuntu.com/tutorials/configure-ssh-2fa#1-overview
ban hosts that cause multiple authentication errors
doc link: https://github.com/fail2ban/fail2ban
The image shows that your server is receiving multiple unauthorized login attempts, likely from bots or malicious users trying to gain access to your system. This is commonly referred to as "brute-force attacks." Here’s how you can secure your server and stop these login attempts:
1. Install Fail2ban:
Fail2ban is a tool that scans your logs for suspicious login attempts and blocks IP addresses after a certain number of failed login attempts.
- Install Fail2ban:
- Start and enable the service:
- Configure Fail2ban by editing /etc/fail2ban/jail.local. Add the following to configure the SSH jail:
- Restart Fail2ban:
More about ssh config
doc link: https://www.man7.org/linux/man-pages/man5/ssh_config.5.html