Series: Shared hosting to VPS. Created: 27-08-2017

The first thing I want to do with my new VPS is install updates and add some security. In this blog I’m going to document all the steps I take. As with every blog, please let me know if there are things that I can do better.

How to connect to a Linux VPS?

First I test whether I can connect to my new VPS through SSH. I always use Putty for all my Linux servers.

My initial Putty changes:

  • IP Address
  • Name under "Saved Sessions"
  • Auto-login username (root) in connection data menu
  • Lines of scrollback (20000) in Window menu

For now I’m going to keep the default port 22, but I’m going to change this later to something else. I always need to remind myself not to forget to save my changes in Putty.

I also use mRemoteNG which uses Putty. The primary reason I use this tool is to open multiple connections in tabs. I use KeePass to store my passwords with the “KeePassHttp-Connector” Google Chrome extension for easy logins.

Update VPS

After successfully logging in I see that there are 102 packages that can be updated and that a reboot is required.

So let's start with executing some commands to update my VPS:

apt-get update
apt-get upgrade
reboot

After logging in to my VPS again I see that there are more/new updates to install, so I execute the commands another time. Use the upward arrow on your keyboard or CTRL + R to easily repeat commands. These are the things that make working on the command line so fun. Also love the small things like tab to auto complete commands (double tab to see a list with all the matching commands).

Hmmmm after rebooting again I still get a message that there are packages to update. After searching on Google I found this solution:

sudo apt-get update && sudo apt-get dist-upgrade

Security: Fail2Ban

The first security measure I’m going to take is installing Fail2Ban. From their site:

Fail2ban scans log files and bans IPs that show the malicious signs -- too many password failures, seeking for exploits, etc. Generally Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time.

I used this (Dutch) manual to install Fail2ban.

In this article they use the “vi” program but I’m a fake nerd and prefer “nano” for text editing (reboot is not needed after installing this package).

apt-get install nano
nano /etc/fail2ban/jail.local

You can easily track down your own public IP with this website and add it after the localhost IP.

Security: change SSH port (and firewall)

Another recommended change is using a different SSH port than the default port 22. Although this isn’t really a security measure, because it’s possible to detect open ports with port scan software, it does keep your logs less polluted.

After changing the port I couldn’t log in to my VPS anymore haha. As mentioned earlier I’m very inexperienced in this field but running into problems like this gives me more experience.

I used the following commands before locking myself out:

nano /etc/ssh/sshd_config
/etc/init.d/ssh restart
reboot

After changing the port in Putty I found out that I couldn’t log in anymore. Luckily my hosting provider has a portal which allows you to access your VPS so this was my salvation.

It turned out that I forgot to open the SSH port in my firewall. It sounds logical, but I hadn't thought of it. But before I change my firewall I want to be able to log in again with Putty, so I changed the port back to 22.

After changing my firewall I learned something new again. Apparently the firewall changes are gone after a reboot; I assumed that saving firewall changes would be something permanent. As I found out earlier, the firewall settings are very important for being able to log in, so it is a bit strange that this does not work as expected.

After some searching on the internet, contact with colleagues and trying out different things I found out that I can use this tool for permanently saving my firewall changes:

apt-get install iptables-persistent

Another piece of advice I read was to use a port above 1000 to minimize the chance of interfering with another program. Not sure if this is true; you would assume that there are other ways to find out which ports are free, but I don’t want to do more research on this topic, so I chose port 1234. I used this command to open the SSH port:

iptables -I INPUT -p tcp --dport 1234 -j ACCEPT

You can see the firewall with this command:

iptables -L

To save the firewall changes I used the following commands. Check if the firewall rule still exists after the reboot:

netfilter-persistent save
netfilter-persistent reload
reboot
iptables -L

Now we can change the SSH port again to 1234 in /etc/ssh/sshd_config. Restart SSH (see earlier) and log off and hope I can get back in. After changing the port in Putty I could still log in jeehh. Also check if logging in with port 22 no longer works and that you can still log in after a reboot.
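
The two problems described above (a new SSH port that the firewall does not allow, and a firewall rule that disappears at reboot) can both be checked before SSH is restarted. The script below is an added example, not part of the original post: it reads the ports from sshd_config and requires an ACCEPT rule for each one in both the running and the saved ruleset. The function names and sample files are constructed for illustration; /etc/iptables/rules.v4 is where iptables-persistent stores the IPv4 rules.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Ports sshd will listen on: every "Port" line counts; none means 22.
sshd_ports() {
    ports=$(awk 'tolower($1) == "port" && $2 ~ /^[0-9]+$/ { print $2 }' "$1")
    if [ -n "$ports" ]; then printf '%s\n' "$ports"; else echo 22; fi
}

# True if a rule dump ("iptables -S INPUT" output or rules.v4) contains an
# explicit ACCEPT for this TCP port. Conservative: rule order and chain
# policy are not evaluated.
port_accepted() {
    grep -Eq -- "^-A INPUT .*-p tcp .*--dport $2( .*)? -j ACCEPT" "$1"
}

# preflight <sshd_config> <running rules> <saved rules>
preflight() {
    rc=0
    for port in $(sshd_ports "$1"); do
        if ! port_accepted "$2" "$port"; then
            echo "port $port: blocked by running firewall"; rc=1
        elif ! port_accepted "$3" "$port"; then
            echo "port $port: rule not saved, gone after reboot"; rc=1
        else
            echo "port $port: ok"
        fi
    done
    return "$rc"
}

# Constructed sample data reproducing the situations described above.
demo_dir=$(mktemp -d)
printf '#Port 22\nPort 1234\nPermitRootLogin no\n' > "$demo_dir/sshd_config"
printf '%s\n' '-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT' \
    > "$demo_dir/before.rules"
printf '%s\n' '-A INPUT -p tcp -m tcp --dport 1234 -j ACCEPT' \
    '-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT' > "$demo_dir/after.rules"

cfg=$demo_dir/sshd_config
preflight "$cfg" "$demo_dir/before.rules" "$demo_dir/before.rules" || true
preflight "$cfg" "$demo_dir/after.rules" "$demo_dir/before.rules" || true
preflight "$cfg" "$demo_dir/after.rules" "$demo_dir/after.rules"

# On the VPS, as root:
#   live=$(mktemp) && iptables -S INPUT > "$live"
#   sshd -t && preflight /etc/ssh/sshd_config "$live" \
#       /etc/iptables/rules.v4 && /etc/init.d/ssh restart
```

The three demo calls print "blocked by running firewall", "rule not saved, gone after reboot" and "ok" in that order. Keep the current session open until a second login on the new port has succeeded.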

Security: root user

The root user is super powerful, so it is recommended to create a second user.

adduser mynewuser

Test if you can log in with this user and don’t forget to save the credentials in KeePass. But to make this user viable we need to give it more permissions. Of course this is something that the root user needs to do:

usermod -aG sudo mynewuser

Now I also want to prevent the root user from logging into the VPS. This is another small change to make the VPS a bit safer. From this moment on I’m only using the new user. Change the SSH config like this (protocol 2 is safer than 1):

sudo nano /etc/ssh/sshd_config
PermitRootLogin no
Protocol 2

Save the file and restart:

sudo /etc/init.d/ssh restart

Sign out and test if the root user can no longer sign in.

Security: Public Key Authentication

This is an even better way to protect the VPS which I definitely want but this is something I’m going to set up in a different blog.

Sources
How to secure SSH on Ubuntu 16