
Secure Linux VPS


In the digital age, securing your Linux Virtual Private Server (VPS)
is paramount for safeguarding your data and infrastructure. This
comprehensive guide explores methods to protect your Linux VPS against
cyber threats.

Keep Your System Updated

One of the most important aspects of securing your Linux VPS is
making sure that your system is up to date. Outdated software can
contain vulnerabilities that malicious actors can exploit. Here’s how to
do it:

Use Package Manager

Most Linux distributions provide a package manager. For instance, if
you are using a Debian-based system, you can run the following commands
to update and upgrade packages:

sudo apt update
sudo apt upgrade

If you’re on a CentOS system, use yum:

sudo yum update

Set Up Automatic Updates

Set Up Automatic Updates with unattended-upgrades on Debian-based Systems:

On Debian-based systems like Ubuntu, you can use the
unattended-upgrades package to automate the update process.

  1. Install unattended-upgrades:
sudo apt install unattended-upgrades
  2. Configure the automatic update settings. Edit the configuration
    file:
sudo nano /etc/apt/apt.conf.d/50unattended-upgrades
  3. Enable automatic updates for security-related packages:
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
    "${distro_id}:${distro_codename}-updates";
    // Pre-release (-proposed) and -backports packages are not security
    // updates, so they stay commented out and are never installed unattended.
//  "${distro_id}:${distro_codename}-proposed";
//  "${distro_id}:${distro_codename}-backports";
};
  4. Enable and start the unattended-upgrades service:
sudo dpkg-reconfigure -plow unattended-upgrades

This command will prompt you to confirm the changes. Select “Yes” to
enable automatic updates.

Set Up Automatic Updates with yum-cron on CentOS:

On CentOS, you can use yum-cron for automatic updates:

  1. Install yum-cron:
sudo yum install yum-cron
  2. Start and enable the yum-cron service:
sudo systemctl enable yum-cron
sudo systemctl start yum-cron

Use Strong Passwords and SSH Keys for Secure Authentication

Securing your Linux VPS involves using strong authentication methods.
Whether you are connecting from a Linux or Windows client, here’s how to
use strong passwords and SSH keys effectively:

Using Strong Passwords

When creating user accounts on your VPS, make sure that passwords are
complex, combining uppercase and lowercase letters, numbers, and special
characters. Avoid easily guessable passwords.

Using SSH Key Authentication

For Linux Client:

  1. To generate an SSH key pair on your Linux client, use the ssh-keygen
    command:
ssh-keygen -t rsa -b 2048

The public key, by default, will be stored in ~/.ssh/id_rsa.pub.

  2. Copy your public key to the VPS:
ssh-copy-id user@your_server_ip
  3. Disable password-based SSH login on the VPS in the SSH server
    configuration file (/etc/ssh/sshd_config):
PasswordAuthentication no

For Windows Client:

  1. On Windows, use PowerShell for similar functionality:
ssh-keygen
  2. Copy your public key to the VPS using PowerShell. Replace
    IP-ADDRESS-OR-FQDN with the remote server’s
    address:
type $env:USERPROFILE\.ssh\id_rsa.pub | ssh root@{IP-ADDRESS-OR-FQDN} "cat >> .ssh/authorized_keys"
  3. Disable password-based SSH login on the VPS in the SSH server
    configuration file (/etc/ssh/sshd_config):
PasswordAuthentication no

Implement a Firewall

Securing your Linux VPS involves setting up a firewall to control
incoming and outgoing traffic. Here’s how to implement a firewall to
enhance security:

Use ufw (Uncomplicated Firewall) on Debian/Ubuntu or
firewalld on CentOS:

  1. Install the firewall management tool if not already installed.

For ufw on Debian/Ubuntu:

sudo apt install ufw

For firewalld on CentOS:

sudo yum install firewalld
  2. Add rules to allow SSH before enabling the firewall to prevent being
    locked out:

For ufw on Debian/Ubuntu:

sudo ufw allow OpenSSH

For firewalld on CentOS:

sudo firewall-cmd --permanent --add-service=ssh
  3. Enable the firewall and set default rules:

For ufw on Debian/Ubuntu:

sudo ufw enable
sudo ufw default deny incoming
sudo ufw default allow outgoing

For firewalld on CentOS:

sudo systemctl start firewalld
sudo systemctl enable firewalld
  4. Reload the firewall for the changes to take effect.

For ufw on Debian/Ubuntu:

sudo ufw reload

For firewalld on CentOS:

sudo systemctl reload firewalld

Disable Root Login

Securing your Linux VPS involves restricting root access. Here’s how
to disable root login for enhanced security:

  1. Create a New User: Log in to your VPS as the root user. Then create
    a new user account with sudo privileges. Replace newuser with your
    desired username:
adduser newuser
usermod -aG sudo newuser
  2. Create the .ssh Directory, authorized_keys and set permissions for
    the New User:
mkdir -p /home/newuser/.ssh
touch /home/newuser/.ssh/authorized_keys
chmod 600 /home/newuser/.ssh/authorized_keys
chown -R newuser:newuser /home/newuser/.ssh
  3. Make sure to generate and copy the public key to your
    VPS.

  4. Log in as the New User.

  5. Disconnect from the VPS (if you’re connected as root) and log
    back in using the new user account. This ensures you can perform
    administrative tasks using sudo.

  6. Edit SSH Configuration:

Open the SSH server configuration file on your VPS. This file is
usually located at /etc/ssh/sshd_config:

sudo nano /etc/ssh/sshd_config

Locate the line that reads PermitRootLogin and set it to no:

PermitRootLogin no

Save the file and exit the text editor.

  7. Restart SSH Service:

After making this change, you should restart the SSH service for the
new settings to take effect:

On Debian/Ubuntu:

sudo systemctl restart ssh

On CentOS:

sudo systemctl restart sshd

Harden SSH Configuration

Securing your Linux VPS involves further hardening the SSH
configuration for added security and ensuring that UFW rules are up to
date. Here’s how to harden your SSH settings and update the UFW
rules:

  1. Allow the New SSH Port in UFW:

If you’re using UFW (Uncomplicated Firewall), first allow the new SSH
port before making changes to the default port:

# Allow the new SSH port (e.g., 2222)
sudo ufw allow 2222/tcp
  2. Remove OpenSSH from UFW Rules:

After changing the SSH port, you should remove the old OpenSSH
service (default port 22) from the UFW rules to ensure that only the new
SSH port is allowed:

# Remove the old OpenSSH service (default port 22)
sudo ufw delete allow OpenSSH
  3. Change the SSH Port:

By default, SSH uses port 22. Changing the default port can add an
extra layer of security by making it harder for automated bots to find
your SSH server.

Open the SSH server configuration file:

sudo nano /etc/ssh/sshd_config

Find the line that reads Port 22 and change the port number to a
different, unused port, for example, 2222:

Port 2222
  4. Enable Key Reauthentication:

You can set a time limit for key reauthentication to further secure
your SSH session. This means that if you leave your SSH session
unattended, it will automatically expire after a certain time.

Add or modify the following lines in the SSH server configuration
file, then save it:

ClientAliveInterval 300
ClientAliveCountMax 2
  5. Reload UFW Rules and SSH Service:
sudo ufw reload
sudo systemctl restart ssh
  6. Once you’ve made the necessary changes, you can establish a new SSH
    connection using the following command:
ssh -p <new_port> user@your_server_ip
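
A check worth running before restarting sshd, added here as an example and not part of the original guide: sshd uses the first value it reads for a keyword, so a PasswordAuthentication no or PermitRootLogin no line placed below an earlier conflicting line, or inside a Match block, does not take effect globally. The function names and the sample config are constructed for illustration; on a live server, sudo sshd -T prints the effective values.

```sh
#!/bin/sh
# Added example (not from the original guide). sshd keeps the FIRST value
# it reads for a keyword, keywords are case-insensitive, and lines after
# a Match line apply only conditionally.

# Print the value sshd would use globally for keyword $2 in file $1.
sshd_first_value() {
    awk -F'[ \t=]+' -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # comments and blank lines
        { sub(/^[ \t]+/, "") }              # strip indent, fields re-split
        tolower($1) == "match" { exit }     # end of the global section
        tolower($1) == want { print tolower($2); exit }
    ' "$1"
}

# Compare the guide's two login settings with what is in effect.
# Prints one line per keyword; exit status is the number of mismatches.
audit_sshd_config() {
    cfg=$1 fails=0
    for kw in PasswordAuthentication PermitRootLogin; do
        got=$(sshd_first_value "$cfg" "$kw")
        if [ "$got" = "no" ]; then
            echo "OK   $kw no"
        else
            echo "FAIL $kw ${got:-unset} (want: no)"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# Constructed sample: "no" was appended below an earlier "yes", and the
# PermitRootLogin line sits inside a Match block.
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample, not a real server config
Port 2222
passwordauthentication yes
PasswordAuthentication no
Match User backup
    PermitRootLogin no
EOF
}

sample=$(mktemp)
write_sample_config "$sample"
audit_sshd_config "$sample" || echo "mismatches: $?"
rm -f "$sample"
```

The parser reads a single file and does not follow Include directives, so drop-in files under /etc/ssh/sshd_config.d/ need the same check.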

Implement Fail2Ban

Securing your Linux VPS involves protecting it from brute-force login
attempts and other types of malicious activity. Fail2Ban is a useful
tool for this purpose. Here’s how to implement Fail2Ban:

  1. Install Fail2Ban:

Start by updating your package list to ensure you have the latest
available packages:

For Debian-based systems (e.g., Ubuntu):

sudo apt update

For CentOS:

sudo yum update

Install Fail2Ban:

For Debian-based systems:

sudo apt install fail2ban

For CentOS:

sudo yum install fail2ban
  2. Configure Fail2Ban:

Fail2Ban’s main configuration file is located at
/etc/fail2ban/jail.conf. You can create an override
file at /etc/fail2ban/jail.local to customize settings
without modifying the default configuration. Open this file:

sudo nano /etc/fail2ban/jail.local

Add the following configuration to ban IP addresses for 10 minutes
(600 seconds) after six failed login attempts. Adjust the parameters as
needed:

[sshd]
enabled = true
maxretry = 6
findtime = 600
bantime = 600

Save the file and exit the text editor.

  3. Start and Enable Fail2Ban:

Start Fail2Ban and enable it to start at boot:

sudo systemctl start fail2ban
sudo systemctl enable fail2ban
  4. Check Fail2Ban Status:

You can check the status of Fail2Ban to ensure it’s working as
expected:

sudo fail2ban-client status

You should see that it’s monitoring the SSH service.
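
To see what the maxretry, findtime and bantime values above mean in practice, the following added example (not part of the original guide and not Fail2Ban's own code) replays a simplified model of the jail's threshold over constructed log lines. The function names, the ISO-timestamp log format and the addresses are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example (not from the original guide): a simplified model of the
# [sshd] jail thresholds, not fail2ban's own code. Assumes ISO timestamps
# that all fall on one day.

# usage: simulate_jail <maxretry> <findtime> <bantime> < logfile
# Prints "BAN <ip> <HH:MM:SS>" when a source reaches maxretry failures
# inside a sliding findtime window; a banned source is ignored for bantime.
simulate_jail() {
    awk -v maxretry="$1" -v findtime="$2" -v bantime="$3" '
        /Failed password/ {
            clock = substr($1, 12, 8)              # HH:MM:SS after the "T"
            split(clock, t, ":")
            now = t[1] * 3600 + t[2] * 60 + t[3]
            ip = ""
            for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip == "" || now < banned_until[ip]) next
            n[ip]++; seen[ip, n[ip]] = now
            hits = 0                               # failures still in window
            for (k = 1; k <= n[ip]; k++)
                if (now - seen[ip, k] < findtime) hits++
            if (hits >= maxretry) {
                banned_until[ip] = now + bantime; n[ip] = 0
                print "BAN", ip, clock
            }
        }
    '
}

# Constructed log lines (documentation address ranges), grouped by source.
sample_auth_log() {
    for s in 00 10 20 30 40 50; do      # six failures in under a minute
        echo "2024-05-01T10:00:$s vps sshd[811]: Failed password for root from 203.0.113.7 port 40022 ssh2"
    done
    for m in 00 03 06 09 12 15; do      # six failures, one every 3 minutes
        echo "2024-05-01T10:$m:00 vps sshd[812]: Failed password for admin from 198.51.100.4 port 51514 ssh2"
    done
    echo "2024-05-01T10:20:00 vps sshd[813]: Accepted publickey for deploy from 192.0.2.9 port 50000 ssh2"
}

echo "maxretry=6 findtime=600:";  sample_auth_log | simulate_jail 6 600 600
echo "maxretry=6 findtime=1200:"; sample_auth_log | simulate_jail 6 1200 600
```

With findtime = 600 only the first source is banned; widening findtime to 1200 also catches the second. If sshd was moved to another port as in the previous section, set port in the [sshd] jail to match, since the ban is applied to the port the jail is configured for.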

The 6 essential methods discussed here provide a robust defense
against potential vulnerabilities. By keeping your system updated,
employing strong authentication, configuring firewalls, hardening SSH,
and implementing Fail2Ban, you fortify your VPS and maintain peace of
mind in the ever-connected world. If you have any questions, don’t
hesitate to contact our support team by submitting a ticket.