
How to Secure a Linux VPS

In the digital age, securing your Linux Virtual Private Server (VPS) is paramount for safeguarding your data and infrastructure. This comprehensive guide explores methods to protect your Linux VPS against cyber threats.

Keep Your System Updated

One of the most important aspects of securing your Linux VPS is making sure that your system is up to date. Outdated software can contain vulnerabilities that malicious actors can exploit. Here's how to do it:

Use Package Manager

Most Linux distributions provide a package manager. For instance, if you are using a Debian-based system, you can run the following commands to update and upgrade packages:

sudo apt update
sudo apt upgrade

If you're on a CentOS system, use yum:

sudo yum update

Set Up Automatic Updates

Set Up Automatic Updates with unattended-upgrades on Debian-based Systems:

On Debian-based systems like Ubuntu, you can use the unattended-upgrades package to automate the update process.

  1. Install unattended-upgrades:
sudo apt install unattended-upgrades
  2. Configure the automatic update settings. Edit the configuration file:
sudo nano /etc/apt/apt.conf.d/50unattended-upgrades
  3. Enable automatic updates for security-related packages:
Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}-security";
        "${distro_id}:${distro_codename}-updates";
        "${distro_id}:${distro_codename}-proposed";
        "${distro_id}:${distro_codename}-backports";
};
  4. Enable and start the unattended-upgrades service:
sudo dpkg-reconfigure -plow unattended-upgrades

This command will prompt you to confirm the changes. Select "Yes" to enable automatic updates.
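Because every origin in that block is a quoted string and a leading `//` comments one out, it is easy to end up with the security pocket disabled without noticing. The following shell function is an added example, not code from the article or from the unattended-upgrades project: it lists the origins a 50unattended-upgrades file actually enables and checks that the `-security` pocket is among them. It runs against a constructed sample file so it works offline; on a real host point it at /etc/apt/apt.conf.d/50unattended-upgrades.

```shell
#!/bin/sh
# Added example (not from the original article): list the origins that an
# unattended-upgrades configuration enables and check that the security
# pocket is one of them. The sample below is constructed for this example.

SAMPLE_CONF="$(mktemp)"
trap 'rm -f "$SAMPLE_CONF"' EXIT
# Constructed sample in the 50unattended-upgrades format: the security and
# updates pockets are active, proposed and backports stay commented out.
cat > "$SAMPLE_CONF" <<'EOF'
// Automatically upgrade packages from these (origin:archive) pairs
Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}";
        "${distro_id}:${distro_codename}-security";
        "${distro_id}:${distro_codename}-updates";
//      "${distro_id}:${distro_codename}-proposed";
//      "${distro_id}:${distro_codename}-backports";
};
Unattended-Upgrade::Remove-Unused-Dependencies "true";
EOF

# Print the active (uncommented) origins of the Allowed-Origins block,
# one per line, without the surrounding quotes.
enabled_origins() {   # $1 = path to a 50unattended-upgrades style file
    awk '
        /Allowed-Origins[[:space:]]*\{/ { inblock = 1; next }
        inblock && /^[[:space:]]*}[[:space:]]*;/ { inblock = 0 }
        inblock && !/^[[:space:]]*\/\// {
            if (match($0, /"[^"]*"/))
                print substr($0, RSTART + 1, RLENGTH - 2)
        }
    ' "$1"
}

# Exit 0 when an origin ending in -security is enabled, 1 otherwise.
security_origin_enabled() {   # $1 = config file
    enabled_origins "$1" | grep -q -e '-security$'
}

# Stand-alone run: show the enabled origins and the verdict.
enabled_origins "$SAMPLE_CONF"
if security_origin_enabled "$SAMPLE_CONF"; then
    echo "security origin: enabled"
else
    echo "security origin: MISSING"
fi
```

The sample deliberately leaves `-proposed` and `-backports` commented out: the proposed pocket carries updates that have not finished testing, so enabling it for unattended installation trades stability for speed. `sudo unattended-upgrade --dry-run --debug` on the real host shows which packages the current origins would pull in.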

Set Up Automatic Updates with yum-cron on CentOS:

On CentOS, you can use yum-cron for automatic updates:

  1. Install yum-cron:
sudo yum install yum-cron
  2. Start and enable the yum-cron service:
sudo systemctl enable yum-cron
sudo systemctl start yum-cron

Use Strong Passwords and SSH Keys for Secure Authentication

Securing your Linux VPS involves using strong authentication methods. Whether you are connecting from a Linux or Windows client, here's how to use strong passwords and SSH keys effectively:

Using Strong Passwords

When creating user accounts on your VPS, make sure that passwords are complex, combining uppercase and lowercase letters, numbers, and special characters. Avoid easily guessable passwords.

Using SSH Key Authentication

For Linux Client:

  1. To generate an SSH key pair on your Linux client, use the ssh-keygen command:
ssh-keygen -t rsa -b 2048

The public key, by default, will be stored in ~/.ssh/id_rsa.pub.

  2. Copy your public key to the VPS:
ssh-copy-id user@your_server_ip
  3. Disable password-based SSH login on the VPS in the SSH server configuration file (/etc/ssh/sshd_config):
PasswordAuthentication no

For Windows Client:

  1. On Windows, use PowerShell for the same steps:
ssh-keygen
  2. Copy your public key to the VPS using PowerShell. Replace IP-ADDRESS-OR-FQDN with the remote server's address:
type $env:USERPROFILE\.ssh\id_rsa.pub | ssh root@{IP-ADDRESS-OR-FQDN} "cat >> .ssh/authorized_keys"
  3. Disable password-based SSH login on the VPS in the SSH server configuration file (/etc/ssh/sshd_config):
PasswordAuthentication no

Implement a Firewall

Securing your Linux VPS involves setting up a firewall to control incoming and outgoing traffic. Here's how to implement a firewall to enhance security:

Use ufw (Uncomplicated Firewall) on Debian/Ubuntu or firewalld on CentOS:

  1. Install the firewall management tool if not already installed.

For ufw on Debian/Ubuntu:

sudo apt install ufw

For firewalld on CentOS:

sudo yum install firewalld
  2. Add rules to allow SSH before enabling the firewall to prevent being locked out:

For ufw on Debian/Ubuntu:

sudo ufw allow OpenSSH

For firewalld on CentOS:

sudo firewall-cmd --permanent --add-service=ssh
  3. Enable the firewall and set default rules:

For ufw on Debian/Ubuntu:

sudo ufw enable
sudo ufw default deny incoming
sudo ufw default allow outgoing

For firewalld on CentOS:

sudo systemctl start firewalld
sudo systemctl enable firewalld
  4. Reload the firewall for the changes to take effect.

For ufw on Debian/Ubuntu:

sudo ufw reload

For firewalld on CentOS:

sudo systemctl reload firewalld

Disable Root Login

Securing your Linux VPS involves restricting root access. Here's how to disable root login for enhanced security:

  1. Create a New User: Log in to your VPS as the root user. Then create a new user account with sudo privileges. Replace newuser with your desired username:
adduser newuser
usermod -aG sudo newuser
  2. Create the .ssh Directory and authorized_keys file, and set permissions for the New User:
mkdir -p /home/newuser/.ssh
touch /home/newuser/.ssh/authorized_keys
chmod 600 /home/newuser/.ssh/authorized_keys
chown -R newuser:newuser /home/newuser/.ssh
  3. Make sure to generate and copy the public key to your VPS.

  4. Log in as the New User: Disconnect from the VPS (if you're connected as root) and log back in using the new user account. This ensures you can perform administrative tasks using sudo.

  5. Edit SSH Configuration:

Open the SSH server configuration file on your VPS. This file is usually located at /etc/ssh/sshd_config:

sudo nano /etc/ssh/sshd_config

Locate the line that reads PermitRootLogin and set it to no:

PermitRootLogin no

Save the file and exit the text editor.

  6. Restart SSH Service:

After making this change, you should restart the SSH service for the new settings to take effect:

On Debian/Ubuntu:

sudo systemctl restart ssh

On CentOS:

sudo systemctl restart sshd

Harden SSH Configuration

Securing your Linux VPS involves further hardening the SSH configuration for added security and ensuring that UFW rules are up to date. Here's how to harden your SSH settings and update the UFW rules:

  1. Allow the New SSH Port in UFW:

If you're using UFW (Uncomplicated Firewall), first allow the new SSH port before making changes to the default port:

# Allow the new SSH port (e.g., 2222)
sudo ufw allow 2222/tcp
  2. Remove OpenSSH from UFW Rules:

After changing the SSH port, you should remove the old OpenSSH service (default port 22) from the UFW rules to ensure that only the new SSH port is allowed:

# Remove the old OpenSSH service (default port 22)
sudo ufw delete allow OpenSSH
  3. Change the SSH Port:

By default, SSH uses port 22. Changing the default port can add an extra layer of security by making it harder for automated bots to find your SSH server.

Open the SSH server configuration file:

sudo nano /etc/ssh/sshd_config

Find the line that reads Port 22 and change the port number to a different, unused port, for example, 2222:

Port 2222
  4. Enable Key Reauthentication:

You can set a keepalive limit to further secure your SSH sessions. With the values below, the server sends a check to the client every 300 seconds and closes the connection after two unanswered checks, so a session whose client has stopped responding is torn down after about ten minutes instead of lingering.

Add or modify the following lines in the SSH server configuration file, then save it:

ClientAliveInterval 300
ClientAliveCountMax 2
  5. Reload UFW Rules and SSH Service:
sudo ufw reload
sudo systemctl restart ssh
  6. Once you've made the necessary changes, you can establish a new SSH connection using the following command:
ssh -p <new_port> user@your_server_ip
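The SSH edits in this guide (PasswordAuthentication in the key-authentication section, PermitRootLogin in the root-login section, and Port, ClientAliveInterval and ClientAliveCountMax above) all depend on one rule of sshd_config that the editor does not show you: sshd uses the first occurrence of a keyword and ignores later ones, keywords are case-insensitive, and on Ubuntu the file begins with an `Include /etc/ssh/sshd_config.d/*.conf` line, so a drop-in file there (cloud-init installs one that sets `PasswordAuthentication yes`) wins over anything you add further down. The audit below is an added example, not code from the article: it reads the global section of a config (everything before the first `Match` block), resolves each directive the way sshd does, and compares it with the values this guide expects. The sample config is constructed for the example.

```shell
#!/bin/sh
# Added example (not the article's own code): audit an sshd_config for the
# hardening directives this guide sets, honouring sshd's first-match rule.
# The sample config below is constructed for this example.

SSHD_SAMPLE="$(mktemp)"
trap 'rm -f "$SSHD_SAMPLE"' EXIT
# Constructed sample: the guide's edits, a lower-case keyword, a commented
# default, and a duplicate PasswordAuthentication line that sshd ignores.
cat > "$SSHD_SAMPLE" <<'EOF'
Include /etc/ssh/sshd_config.d/*.conf
Port 2222
#PermitRootLogin prohibit-password
PermitRootLogin no
passwordauthentication no
ClientAliveInterval 300
ClientAliveCountMax 2
Match User backup
    PasswordAuthentication yes
PasswordAuthentication yes
EOF

# Effective value of a keyword in the global section (first match wins),
# or an empty string when it is never set there.
sshd_effective() {   # $1 = config file, $2 = keyword
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, "") }                  # strip comments
        NF == 0 { next }                    # skip blank lines
        tolower($1) == "match" { exit }     # stop at the first Match block
        tolower($1) == want { print $2; exit }
    ' "$1"
}

# Compare each directive with the value the guide expects and print one
# "keyword expected actual PASS|FAIL" line per check; exit 1 on any FAIL.
sshd_audit() {   # $1 = config file
    f="$1"
    rc=0
    for pair in \
        "PermitRootLogin=no" \
        "PasswordAuthentication=no" \
        "Port=2222" \
        "ClientAliveInterval=300" \
        "ClientAliveCountMax=2"; do
        key="${pair%%=*}"; want="${pair#*=}"
        got="$(sshd_effective "$f" "$key")"
        if [ "$got" = "$want" ]; then
            printf '%s %s %s PASS\n' "$key" "$want" "${got:-unset}"
        else
            printf '%s %s %s FAIL\n' "$key" "$want" "${got:-unset}"
            rc=1
        fi
    done
    # Drop-in files are read before this file, so they take precedence.
    if grep -qi '^[[:space:]]*Include' "$f"; then
        printf 'NOTE: Include directive present; check the drop-in files too\n'
    fi
    return $rc
}

# Stand-alone run against the constructed sample.
sshd_audit "$SSHD_SAMPLE"
# On a real host: sudo sh -c '. ./this_script; sshd_audit /etc/ssh/sshd_config'
```

The authoritative check is sshd itself: `sudo sshd -T | grep -i passwordauthentication` prints the value the daemon actually resolved, drop-ins and Match blocks included, and `sudo sshd -t` validates the file before you restart the service and risk locking yourself out.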

Implement Fail2Ban

Securing your Linux VPS involves protecting it from brute-force login attempts and other types of malicious activity. Fail2Ban is a useful tool for this purpose. Here's how to implement Fail2Ban:

  1. Install Fail2Ban:

Start by updating your package list to ensure you have the latest available packages:

For Debian-based systems (e.g., Ubuntu):

sudo apt update

For CentOS:

sudo yum update

Install Fail2Ban:

For Debian-based systems:

sudo apt install fail2ban

For CentOS:

sudo yum install fail2ban
  2. Configure Fail2Ban:

Fail2Ban's main configuration file is located at /etc/fail2ban/jail.conf. You can create an override file at /etc/fail2ban/jail.local to customize settings without modifying the default configuration. Open this file:

sudo nano /etc/fail2ban/jail.local

Add the following configuration to ban IP addresses for 10 minutes (600 seconds) after six failed login attempts. Adjust the parameters as needed:

[sshd]
enabled = true
maxretry = 6
findtime = 600
bantime = 600

Save the file and exit the text editor.

  3. Start and Enable Fail2Ban:

Start Fail2Ban and enable it to start at boot:

sudo systemctl start fail2ban
sudo systemctl enable fail2ban
  4. Check Fail2Ban Status:

You can check the status of Fail2Ban to ensure it's working as expected:

sudo fail2ban-client status

You should see that it's monitoring the SSH service.
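To see what `maxretry = 6` and `findtime = 600` mean in practice, the following added example (not code from the article or from the Fail2Ban project) replays constructed sshd failure lines through the same sliding window: an address is banned at the failure that brings its count within the last findtime seconds to maxretry. The log lines use the journal's ISO timestamp format and all fall on one day, which is what the simple time parsing assumes; syslog-style `Mar  1 12:00:05` lines would need a different parser.

```shell
#!/bin/sh
# Added example (not the article's own code): apply Fail2Ban's
# maxretry/findtime window to sshd failure lines and report which
# addresses would be banned. The log below is constructed for this example.

FAIL_LOG="$(mktemp)"
trap 'rm -f "$FAIL_LOG"' EXIT
# Constructed sample: one address fails six times in under a minute, the
# other fails three times spread over an hour.
cat > "$FAIL_LOG" <<'EOF'
2024-03-01T12:00:05 vps sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
2024-03-01T12:00:09 vps sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
2024-03-01T12:00:14 vps sshd[1205]: Failed password for root from 203.0.113.7 port 51244 ssh2
2024-03-01T12:00:20 vps sshd[1207]: Accepted publickey for newuser from 198.51.100.4 port 40022 ssh2
2024-03-01T12:00:31 vps sshd[1209]: Failed password for root from 203.0.113.7 port 51250 ssh2
2024-03-01T12:00:40 vps sshd[1211]: Failed password for invalid user test from 203.0.113.7 port 51252 ssh2
2024-03-01T12:00:52 vps sshd[1213]: Failed password for invalid user oracle from 203.0.113.7 port 51260 ssh2
2024-03-01T12:05:00 vps sshd[1220]: Failed password for newuser from 198.51.100.4 port 40030 ssh2
2024-03-01T12:30:00 vps sshd[1230]: Failed password for newuser from 198.51.100.4 port 40031 ssh2
2024-03-01T13:00:00 vps sshd[1240]: Failed password for newuser from 198.51.100.4 port 40032 ssh2
EOF

# Print "ip timestamp" for each address that reaches MAXRETRY failures
# inside a FINDTIME-second window; the timestamp is the failure that
# tripped the rule. Later lines from a banned address are ignored, as
# they would be once the firewall rule is in place.
would_ban() {   # $1 = log file, $2 = maxretry, $3 = findtime (seconds)
    awk -v maxretry="$2" -v findtime="$3" '
        /sshd\[[0-9]+\]: Failed password/ {
            # time of day in seconds (constructed log stays within one day)
            split(substr($1, 12, 8), t, ":")
            now = t[1] * 3600 + t[2] * 60 + t[3]
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip in banned) next
            n = ++count[ip]
            times[ip, n] = now
            # failures from this address still inside the window
            hits = 0
            for (i = 1; i <= n; i++)
                if (now - times[ip, i] <= findtime) hits++
            if (hits >= maxretry) { banned[ip] = 1; print ip, $1 }
        }
    ' "$1"
}

# Stand-alone run with the jail settings from this guide.
would_ban "$FAIL_LOG" 6 600
```

With the guide's settings only 203.0.113.7 is banned, at its sixth failure; 198.51.100.4 never has six failures inside ten minutes. On the live system, `sudo fail2ban-client status sshd` lists the currently banned addresses, and `fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf` shows how many lines of the real log the sshd filter matches. On Debian 12 and recent Ubuntu releases, which log sshd to the journal rather than to /var/log/auth.log, add `backend = systemd` under `[sshd]` in jail.local, otherwise the jail fails to start because it finds no log file.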

The 6 essential methods discussed here provide a robust defense against potential vulnerabilities. By keeping your system updated, employing strong authentication, configuring firewalls, hardening SSH, and implementing Fail2Ban, you fortify your VPS and maintain peace of mind in the ever-connected world. If you have any questions, don’t hesitate to contact our support team by submitting a ticket.

© 2008-2024 Cloudzy. All rights reserved.