Summary
In this tutorial we review the steps required for securing a newly provisioned VPS instances. Will look at setting up non root users, SSH configs, setting up a firewall, etc.
Newly provisioned VPS
After provisioning a new VPS on the could hosting platform, usually you will get an external IP address and the root account access to the instance.
Some hosting companies also allow public key uploads during the instance provisioning, others don't. We will enable public key SSH auth as part of setup.
First, login to your new VPS server as root user.
Setup new user
Next, we will create a non root user.
Having non root user on your server with rights to sudo is considered a good security practice for long running VPS servers. Specially on production environments.
# create a new user. choose password during creation
adduser appuser
# add newly created user to sudo groups
usermod --append -groups sudo appuser
# assume the new user role
su appuser
# create the authorized_keys file within users home
# directory and paste the public SSH key for the
# newly created user. so he can SSH without password
# as we will disable password login later.
# generate / reuse existing public / private key pair
# on your local machine.
mkdir ~/.ssh
touch ~.ss/authorized_keys # and paste the public key in it
# go back to root
exit
# last step - disable the password challenge when new user
# is using sudo commands. decide if this is required for your
# setup - it will be more flexible but less secure.
# we would recommend to leave password on for production
# environments. visudo utility has to be used. it will open
# the /etc/sudoers config file.
# repeat: you must use visudo as root
visudo
# add below as a last line in the file
# hit the "write out" to save
appuser ALL=(ALL) NOPASSWD: ALL
# now you can test SSH login from a different terminal shell
# with a newly created user and it should work without password
# if you uploaded public keys correctly in previous step.
ssh appuser@vps_ip_address
# test if the sudo also works without password
sudo -nYou now have a new user setup on your VPS.
Disable a root user
It is good practice to lockout a root user on your VPS. Only run this step if you have already created the new user with the steps above.
sudo usermod root --shell /sbin/nologin
sudo passwd --lock root
# if required in the future you can use the following
# command to get into root shell
# sudo -sSSH setup
SSH or Secure Shell is what we use to access VPS. We configure it next.
# open /etc/ssh/sshd_config with you txt editor
sudo vi /etc/ssh/sshd_config
# the below options will disable root access,
# remove X11 forwarding, use version 2 of protocol
# paste all below at the bottom of config file
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey
KbdInteractiveAuthentication no
X11Forwarding no
# save file and restart ssh service
sudo systemctl restart sshFirewall setup
We will install and use UFW package to setup simple firewall for outgoing ports.
sudo apt install ufw
# deny all incoming ports
sudo ufw default deny incoming
# allow all outgoing connections
sudo ufw default allow outgoing
# allow port 22 for ssh (and any other ports like 80,443)
sudo ufw allow 22
# enable firewall
sudo ufw enable
# check the current firewall status
sudo ufw status verbose
# check the UFW logs
sudo ufw logging on
sudo ls /var/log/ufw*Your VPS is now only accessible on the ports specified by UFW status command.
Fail2Ban
As last step, we will enable rogue login bans. Fail2Ban is a popular utility which auto scans logs and bans IP addresses for multiple failed login attempts. Its a simple yet very effective tool.
# install
sudo apt install fail2ban rsyslog -y
# create the fail2ban configuration file
sudo vi /etc/fail2ban/jail.local
# add the following settings. change
# any of them if needed.
[DEFAULT]
bantime = 1d
findtime = 15m
maxretry = 3
backend = auto
[sshd]
port = 22
# restart the fail2ban service
sudo systemctl restart fail2ban.service
# see the fail2ban logs
sudo vi /var/log/fail2ban.logConclusion
All above steps will help harden and secure your new VPS servers. Some of the steps were influenced by this great walkthrough.
You can combine the steps to the Shell script and automate as part of your VPS provisioning flow. If you have comments, suggestions or want to share your setup - use the comments section below.