Securing your VPS

What are you doing to secure your VPS?

«1

Comments

  • ehabehab Content Writer

    firewall.

    poweroff when not in use.

    Thanked by (1)localhost
  • cybertechcybertech OGBenchmark King

    Custom SSH port
    Firewall

    Put TSA lock on server

    I bench YABS 24/7/365 unless it's a leap year.

  • Limit access to sensitive areas to local IP range only

  • Only open the ports needed on the firewall
    Create admin/sudo user
    Custom SSH port
    Keys only authentication
    Disable root login
    Setup Fail2ban

  • +1 for public keys ONLY in SSH (ChallengeResponseAuthentication no, PasswordAuthentication no, UsePAM yes)

    Before firewalling ss -plnt ss -plnu

    Generally if you're offering a publicly accessible service, e.g. webserver nameserver etc. you open up those ports in your firewall, then the firewall is left protecting you from access to all the 'other' ports.

    But really you shouldn't have 'other' services publicly accessible in the first place. Use ss -plnt ss -plnu (or netstat or similar) see what's listeneing on the public (or global) IP, and make sure you actually need those that are running. Disable those you don't (save memory too), and for those you do need, see if you can change the bind interface(s) to the loopback or any VPN interfaces only, via their respective configs.

    I'm sure many have Trump-ian levels of confidence in their firewalling skills, but mistakes do happen, firewalls do fail to initialise on boot, best to fail safe and leave the minimum attack surface.

  • Reduce OS attack surface, e.g. install Alpine. Close all ports with iptables, open only to IPs whitelisted in "KNOWN-IP" chain (automatically updated). At-rest partition encryption with dynamic key fetch on boot. Run inter-VPS traffic through private cloud. Containerize.

    Thanked by (2)ehab vimalware
  • The point of moving SSH to a custom port is more related to keeping the logs clean, as security through obscurity is not regarded as very good, no?

  • @Ouji said:
    The point of moving SSH to a custom port is more related to keeping the logs clean, as security through obscurity is not regarded as very good, no?

    No. I mean yes. I mean correct. A custom port is going to be found by port scanners eventually. I used f2b for years but in the end discontinued it for a few reasons. First, it is a bit of a memory hog on a super low-end VPS. Second, it loses the chains if you don't restart it after restarting iptables, which is a human error issue (I didn't always remember to do it). Third, I found it is more effective to whitelist allowed ssh IPs.

    @cochon said: But really you shouldn't have 'other' services publicly accessible in the first place.

    This is true. Typically I do my own minimal Alpine install from scratch and don't need to worry about switching anything off. For CentOS my setup script strips out any packages which are not in a whitelist.

    Thanked by (1)Anon
  • ehabehab Content Writer
    edited July 2020

    @tetech said:
    Typically I do my own minimal Alpine install from scratch ...

    i love love Alpine. Do you have some instructions how to build alpine.virt? i am interested to build this with iSCSI very much respect and appreciation. Thanks

  • @ehab said:

    @tetech said:
    Typically I do my own minimal Alpine install from scratch ...

    i love love Alpine. Do you have some instructions how to build alpine.virt? i am interested to build this with iSCSI very much respect and appreciation. Thanks

    I think you are more advanced than me because I am not sure what alpine.virt does. I do everything inside a lowend KVM VPS and hot convert it to Alpine.

  • ehabehab Content Writer

    @tetech if you look at the downloads there is a Virtual kernel. It is very small about 150MB after install. Its great for kvm's that don't require additional kernel packages. Yes, you can install docker, k3s etc ... but you'll need the full standard addition if you plan to use for example iSCSI.

    do you have time to try and build the virtual kernel + iSCSI packages? i can offer $15 for a script or detail instructions how to build and output .iso file :) and maybe @AnthonySmith can provide the same if he see this can be a potential write up in wiki?

    what you think?

  • @tetech said:

    @ehab said:

    @tetech said:
    Typically I do my own minimal Alpine install from scratch ...

    i love love Alpine. Do you have some instructions how to build alpine.virt? i am interested to build this with iSCSI very much respect and appreciation. Thanks

    I think you are more advanced than me because I am not sure what alpine.virt does. I do everything inside a lowend KVM VPS and hot convert it to Alpine.

    How to "hot convert it to Alpine"?

  • ehabehab Content Writer

    my offer is open to anyone if tetech declines.

  • @ehab said:
    my offer is open to anyone if tetech declines.

    No time in the near future, so others please take it!

  • @ggkee said:

    @tetech said:

    @ehab said:

    @tetech said:
    Typically I do my own minimal Alpine install from scratch ...

    i love love Alpine. Do you have some instructions how to build alpine.virt? i am interested to build this with iSCSI very much respect and appreciation. Thanks

    I think you are more advanced than me because I am not sure what alpine.virt does. I do everything inside a lowend KVM VPS and hot convert it to Alpine.

    How to "hot convert it to Alpine"?

    Get apk-tools-static, mount spare partiton (e.g. swap), run apk.static to install alpine-base onto it, reboot to partition, reformat old partition and repeat process. Never had it fail yet. although Joyent images can be challenging.

    Thanked by (1)chimichurri
  • @tetech said: Third, I found it is more effective to whitelist allowed ssh IPs.

    That's my approach now. I am also experimenting with Wireguard, Zerotier and Tailscale for that. Just upgraded to OpenSSH8.3 so I can use my U2F key on my SSH keys.

  • I'm assuming most people create an additional user to admin their servers.

    What's your view on setting this user as passwordless for sudo?

  • ed25519 keys, fail2ban, ufw and different port of SSH

  • edited July 2020

    @beagle said:
    I'm assuming most people create an additional user to admin their servers.

    What's your view on setting this user as passwordless for sudo?

    Not an expert on security, but I prefer to have ssh login through keys only. The user itself can sudo through its password. This is like having two separate passwords. An attacker might get access to the ssh key, but then the password is still required. The user has nothing going on in the home folder.

    Thanked by (1)beagle
  • @beagle said:
    Only open the ports needed on the firewall
    Create admin/sudo user
    Custom SSH port
    Keys only authentication
    Disable root login
    Setup Fail2ban

    This except fail2ban, unless you're hosting Wordpress or similar (and in that case i'd suggest changing wp-admin into wp-my-admin)

  • XenicXenic OG
    edited July 2020

    i change the ssh port first. And then i deactivate the password login. Then i setup SSH Keys for more comfort and security. And then i block some Countries (Spam).
    Have a nice day :)

    Greetings from 🇩🇪 North Rhine-Westphalia, Xenic.

  • @beagle said:
    What's your view on setting this user as passwordless for sudo?

    For specific commands in sudoers maybe, for any command, like on a LiveCD NO. It requires too much self discipline in never leaving yourself logged in or a PC session unlocked.

    Thanked by (1)beagle
  • @cochon said:

    @beagle said:
    What's your view on setting this user as passwordless for sudo?

    For specific commands in sudoers maybe, for any command, like on a LiveCD NO. It requires too much self discipline in never leaving yourself logged in or a PC session unlocked.

    I always type exit in a session if I'm leaving, but I get where you come from.

    I've a little bash script to setup my VPS, but it is missing the fail2ban install. The script usually setups a new user, adds a SSH key to authorized_keys, change the timezone and disables root login and pwd auth. It also installs UFW. I just forked from someone else and changed some stuff for me.

    Currently I'm experimenting with U2F for 2FA and Krypton for 2FA as well. Just got my first yubikey, I'm gonna try U2F with resident keys to see how it goes.

  • edited July 2020

    I'm not good at it, but could someone explain why people install and setup UFW or any other firewall? What does it give? I mean if all the ports are open, how someone could hurt if he doesn't know the password of the VPS and don't know the keys? Let imagine I have no UFW, I have opened all the ports. How could someone harm me let's say using 25, 4140 and 4540 ports. For example?

  • @Anon said:
    I'm not good at it, but could someone explain why people install and setup UFW or any other firewall?

    You're always careful to lock your flat door when you go out, but one day you forget. It's comforting to know that the flat complex has a main door with a keypad entry keeping random people out from discovering your door is actually unlocked today.

    Thanked by (1)Anon
  • seanhoseanho OG
    edited July 2020

    Minimize the attack surface as much as possible. If Exim is listening on port 25 and has a CVE, or you haven't updated it in a while and your old version has a CVE, your VPS will be pwned within days, or sometimes within minutes.

    tcp/4140 is assigned to Cedros fraud detection; does anyone actually use that?

    Thanked by (1)Anon
  • Another weak analogy :
    you know that sound your flat key makes, as it scrapes across all your door surfaces as you stumble around in the dark hallway, trying to find the keyhole. Imagine doing it without the audio feedback : Packet DROP in a nutshell.

    Thanked by (1)Anon
  • Like it was said, you never know when something you are hosting has a vulnerability. Sometimes the CVE takes a while to appear and all that time you would be vulnerable.

  • I only allow ssh from allowed ip addresses via iptables
    I have a script that reverse looks up my dynamic ip

  • @Anon said:
    I'm not good at it, but could someone explain why people install and setup UFW or any other firewall? What does it give? I mean if all the ports are open, how someone could hurt if he doesn't know the password of the VPS and don't know the keys? Let imagine I have no UFW, I have opened all the ports. How could someone harm me let's say using 25, 4140 and 4540 ports. For example?

    You need to be sure that there are no applications listening on the ports. If you are no good at sysadmin stuff, I rather you setup a firewall. If something you need isn't working, you open the required port. Other stuff is automatically banned from receiving requests, including things that you may not be aware of.

    Thanked by (2)Ouji Anon

    Deals and Reviews: LowEndBoxes Review | Avoid dodgy providers with The LEBRE Whitelist | Free hosting (with conditions): Evolution-Host, NanoKVM, FreeMach, ServedEZ | Get expert copyediting and copywriting help at The Write Flow

Sign In or Register to comment.