Updated by the PulseHeberg team
The vast majority of our Linux servers (VPS or Dedicated Servers) are delivered "naked", that is, with a configuration very similar to what you would have had if you had installed the OS by yourself.
This basic configuration does not include anything to secure the server. It is therefore strongly recommended to follow these few simple rules to reinforce the security of your VPS.
This article deliberately focuses on protecting the root access of your VPS (which is the most exposed at delivery, and the most often attacked). Other aspects of the security of your VPS can also be explored (setting up a firewall, regular OS updates, regular log analysis, backups, etc.).
1/ Strengthen your root password
During delivery, if you did not define it yourself, your VPS is created with a random 6-character root password, to make it easier for you to access your VPS for the first time. This password, although random, is very weak (less than one hour of brute force is required to access your VPS). It is therefore imperative that you change it to another, much longer password.
Under the vast majority of Linux OSes, only one command (as root) is needed: "passwd root".
root@HelpDesk:~# passwd root
Enter new UNIX password:
Retype new UNIX password:
The utility will ask you to enter the new root password you want to set up twice. When you type these passwords, nothing appears on the screen: this is normal. Linux, unlike Windows, does not display stars or other characters when a password is entered in the terminal.
2/ Preventing brute-force attacks
Server IP addresses are very regularly the target of brute-force attacks. Even though a strong password is usually unbreakable in practice (it would take centuries), setting up protection against brute force is very simple, only takes a few minutes, and will further protect your VPS.
The basic protection against these attacks is provided by the "fail2ban" package, which is able to monitor the logs of a great many services on your VPS and temporarily block IPs that appear repeatedly in these logs.
This package is simply installed with the command "apt install fail2ban".
root@HelpDesk:~# apt install fail2ban
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
fail2ban python3-pyinotify python3-systemd whois
0 upgraded, 4 newly installed, 0 to remove and 64 not upgraded.
Need to get 424 kB of archives.
After this operation, 1967 kB of additional disk space will be used.
Do you want to continue? [Y/n]
Once fail2ban is installed, all you have to do is configure it using the following command:
root@HelpDesk:~# printf "[ssh]\nenabled = true\nport = ssh\nfilter = sshd\naction = iptables[name=SSH, port=ssh, protocol=tcp]\nlogpath = /var/log/auth.log\nmaxretry = 3\nbantime = 900\n" > /etc/fail2ban/jail.d/ssh.conf
This will automatically create the file "/etc/fail2ban/jail.d/ssh.conf", with the following content:
[ssh]
enabled = true
port = ssh
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
logpath = /var/log/auth.log
maxretry = 3
bantime = 900
This file specifies where the SSH service logs are located (/var/log/auth.log by default), the number of failed attempts (maxretry = 3) that an IP is allowed within the detection window (10 minutes by default), and how long this IP is banned from the server (bantime = 900, i.e. 15 minutes).
All you have to do is restart the fail2ban service with the following command, and your brute-force protection will be active.
root@HelpDesk:~# service fail2ban restart
3/ Change the default SSH port
Changing the listening port of your SSH server will not protect you from targeted attack attempts (it is very easy for someone to find out on which port your SSH server is actually listening), but it will allow you to avoid attacks from bots/robots that crawl through the IPs of servers, looking for servers that are easy to hack.
To make this change, you just have to edit the file /etc/ssh/sshd_config and replace the line "Port 22" with "Port 8822". You can of course replace 8822 with any other port number that is not already in use on your server. Also check that there is no "#" in front of this line. If a # is present, remove it, otherwise the line will be ignored.
Then you just have to restart your SSH service with the command:
root@HelpDesk:~# service ssh restart
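The following script is an added example, not part of this article or PulseHeberg's tooling. It combines steps 2 and 3 on plain files so they can be dry-run on copies first: it changes (or uncomments) the Port line in an sshd_config, and writes the fail2ban jail with the port set to the port sshd actually listens on. That last point matters: the jail above uses "port = ssh", which resolves to 22, so after moving SSH to 8822 a ban would not cover the new port. The file and directory paths are passed as arguments and are assumptions of this example.

```shell
#!/bin/sh
# Added example; not the article's own script. Works on whatever sshd_config
# file and jail.d directory you pass in, so test on copies before /etc.

# set_ssh_port FILE PORT: replace an existing "Port N" line, uncomment a
# "#Port N" line (the '#' the article warns about), or append one if absent.
set_ssh_port() {
  file=$1 port=$2
  case $port in
    ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
  esac
  if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
    echo "port out of range: $port" >&2; return 1
  fi
  if grep -Eq '^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+' "$file"; then
    sed -E "s/^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+.*/Port $port/" \
      "$file" > "$file.tmp" && mv "$file.tmp" "$file"
  else
    printf 'Port %s\n' "$port" >> "$file"
  fi
}

# ssh_port_of FILE: report the effective (uncommented) Port, default 22.
ssh_port_of() {
  p=$(grep -E '^[[:space:]]*Port[[:space:]]+[0-9]+' "$1" | tail -n 1 | awk '{print $2}')
  echo "${p:-22}"
}

# write_ssh_jail DIR PORT: the article's jail settings, but with the port
# set to the real sshd port so the iptables ban rule blocks that port
# rather than only 22 (which is what "port = ssh" would resolve to).
write_ssh_jail() {
  dir=$1 port=$2
  mkdir -p "$dir"
  cat > "$dir/ssh.conf" <<EOF
[ssh]
enabled = true
port = $port
filter = sshd
action = iptables[name=SSH, port=$port, protocol=tcp]
logpath = /var/log/auth.log
maxretry = 3
bantime = 900
EOF
}

# Usage (dry run on a copy first):
#   cp /etc/ssh/sshd_config /tmp/sshd_config && set_ssh_port /tmp/sshd_config 8822
#   write_ssh_jail /tmp/jail.d "$(ssh_port_of /tmp/sshd_config)"
```

Once the copies look right, apply the same calls to /etc/ssh/sshd_config and /etc/fail2ban/jail.d and restart both services as described above.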