The first thing I have to do after setting up my VPS is to harden it. When you live in the public cloud you never know what will happen to your website, so it is better to prevent problems before it is too late. This is what I usually do when setting up a new VPS for the first time.
My VPS rigs:
- VPS at UpCloud
- Ubuntu 16.04 LTS
- Running Nginx and Ghost blog
First things to do after setting up the VPS:
- Harden your VPS
- Change root password
Do not leave anything at its default. Change your root password with this command after logging in to your SSH console.
- Add a new user
Do all your configuration with a new user account instead of root. It is bad practice to always configure or make changes using your root login.
I create a new user named: newuser
$ adduser newuser
$ groups newuser
$ adduser newuser sudo
$ groups newuser
Now our newuser is in the sudo group; you can now configure and make changes to your server using this account.
- Install fail2ban
I have enough experience with leaving servers connected to the Internet to know that any IP address on the Internet will be found and scanned by hackers. They will often try a brute-force SSH attack to guess the server's password. Fail2ban blocks these attacks.
$ sudo apt-get install fail2ban
$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
$ sudo service fail2ban restart
- Change default ssh port
Edit /etc/ssh/sshd_config and set the Port line to your new port, then restart SSH:
$ sudo vi /etc/ssh/sshd_config
Port 12345
$ sudo service ssh restart
[ ok ] Restarting OpenBSD Secure Shell server: sshd.
- Disable Root SSH access
While we are on the subject of editing /etc/ssh/sshd_config, this is also where you disable root SSH access. Find the line PermitRootLogin yes, change it to PermitRootLogin no, save the file and restart SSH.
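As an added check that is not part of the original post, the script below audits the fail2ban, SSH port and root login steps above from the config files. It catches two mistakes those steps invite: a PermitRootLogin no appended below the original yes (sshd keeps the first value it reads), and an [sshd] jail still set to the default port = ssh after sshd was moved, so its bans never cover the new port. The function names, the constructed sample configs and the temp-dir paths are my own.

```shell
#!/bin/sh
# Offline audit of the sshd_config and fail2ban settings from the steps above.
# Constructed sample configs are written to a temp dir; to audit a real host:
#   check_ssh_hardening /etc/ssh/sshd_config /etc/fail2ban/jail.local

# Effective value of an sshd_config keyword ("Keyword value" form). sshd keeps
# the FIRST occurrence, so a "no" appended below an old "yes" changes nothing;
# settings after a Match block are conditional and ignored here.
sshd_value() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/   { next }
        tolower($1) == "match" { exit }
        tolower($1) == key     { print $2; exit }
    ' "$2"
}

# "port = ..." from one [section] of a fail2ban jail file (INI syntax).
jail_port() {
    awk -v sec="[$1]" '
        /^[[:space:]]*[#;]/ { next }
        /^\[/ { insec = ($1 == sec); next }
        insec && tolower($0) ~ /^[[:space:]]*port[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; exit
        }
    ' "$2"
}

# One finding per line; exit status is the number of FAIL findings.
check_ssh_hardening() {
    port=$(sshd_value Port "$1");            port=${port:-22}
    root=$(sshd_value PermitRootLogin "$1"); root=${root:-prohibit-password}
    jail=$(jail_port sshd "$2");             jail=${jail:-ssh}
    [ "$jail" = ssh ] && jail=22   # fail2ban resolves the name via /etc/services
    fails=0
    [ "$port" = 22 ] && echo "WARN sshd still on default port 22" || echo "OK   sshd on port $port"
    if [ "$root" = no ]; then echo "OK   PermitRootLogin no"
    else echo "FAIL PermitRootLogin is '$root', expected no"; fails=$((fails + 1)); fi
    # The ban rule fail2ban inserts only covers the jail's port, so after moving
    # sshd the [sshd] jail in jail.local must be pointed at the new port too.
    if [ "$jail" = "$port" ]; then echo "OK   fail2ban sshd jail covers port $jail"
    else echo "FAIL fail2ban bans port $jail but sshd listens on $port"; fails=$((fails + 1)); fi
    return $fails
}
# Constructed sample: port moved and "PermitRootLogin no" appended at the end
# (original "yes" left in place); jail.local still at the default "port = ssh".
SAMPLE_DIR=$(mktemp -d)
printf 'Port 12345\nPermitRootLogin yes\n\n# appended later\nPermitRootLogin no\n' > "$SAMPLE_DIR/sshd_config"
printf '[DEFAULT]\nbantime = 600\n\n[sshd]\nenabled = true\nport    = ssh\n' > "$SAMPLE_DIR/jail.local"
check_ssh_hardening "$SAMPLE_DIR/sshd_config" "$SAMPLE_DIR/jail.local" || echo "$? FAIL finding(s)"
```

Run against the real files after each edit and restart; both FAIL lines should disappear once the old PermitRootLogin line is removed and jail.local says port = 12345.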
- Install and set up UFW
UFW is an easy-to-use Linux firewall. It will close the unused ports on your server. First, install it:
$ sudo apt-get install ufw
We can set up our firewall rules before actually activating the firewall. I always deny everything by default and then add the ports I will need later.
$ sudo ufw default deny incoming
$ sudo ufw default deny outgoing
To list the applications that UFW recognizes:
$ sudo ufw app list
Available applications:
  Nginx Full
  Nginx HTTP
  Nginx HTTPS
  OpenSSH
This allows port 12345, the port we changed SSH to, so we can log in:
$ sudo ufw allow 12345/tcp
Make sure to always allow your SSH port first; it is not much fun if we cannot get into our VPS after we enable UFW.
Also, I want to allow port 80 for HTTP access to my website later.
$ sudo ufw allow 80/tcp
And I want to allow some outgoing ports, including the ones the server needs for things like DNS and git. If you do not allow certain outgoing ports, apt-get updates or installs might not work, for example.
$ sudo ufw allow out 53,80,443/tcp
$ sudo ufw allow out 53,80,443/udp
Once you have added every allow rule you will need, enable UFW:
$ sudo ufw enable
You can check your UFW rules by typing sudo ufw status verbose.
My output looks like this:
$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), deny (outgoing), disabled (routed)
New profiles: skip

To                            Action      From
--                            ------      ----
80/tcp (Nginx HTTP)           ALLOW IN    Anywhere
2288/tcp                      ALLOW IN    Anywhere
80,443/tcp (Nginx Full)       ALLOW IN    Anywhere
80                            ALLOW IN    Anywhere
443                           ALLOW IN    Anywhere
80/tcp (Nginx HTTP (v6))      ALLOW IN    Anywhere (v6)
2288/tcp (v6)                 ALLOW IN    Anywhere (v6)
80,443/tcp (Nginx Full (v6))  ALLOW IN    Anywhere (v6)
80 (v6)                       ALLOW IN    Anywhere (v6)
443 (v6)                      ALLOW IN    Anywhere (v6)
53,80,443/tcp                 ALLOW OUT   Anywhere
53,80,443/udp                 ALLOW OUT   Anywhere
53,80,443/tcp (v6)            ALLOW OUT   Anywhere (v6)
53,80,443/udp (v6)            ALLOW OUT   Anywhere (v6)
Things seem to be working fine so far, but remember: if you ever come across a weird issue where some program is not working or has trouble connecting to the Internet, it might be a port that needs to be allowed in your firewall.
- Automatic security updates
This will automatically check for and install security patches for your server:
$ sudo apt-get install unattended-upgrades apt-listchanges
To activate the updates I simply type the following and follow the prompts to finish the configuration.
$ sudo dpkg-reconfigure -plow unattended-upgrades
That's it. If you have any questions, do not hesitate to ask me.