Harden your VPS Instance with these steps


    INTRODUCTION

    Let's imagine you have already set up SSH key-based, passwordless access to your VPS. That is already much safer than password-based access, but it is still not the whole story. Many server-targeted attacks are well known and largely automated, and there are equally well-known ways to make your SSH server more resistant to them. "Hardening" is the term used in IT for reducing the attack surface of a system. I will describe a few easy-to-apply ways of hardening your SSH server. In practice, unless you are a high-priority target, an attacker whose generic tooling does not get in quickly will usually move on to another target. So even if your VPS only hosts a hobby project, a development environment or a personal web site and does not look valuable, it is still worth securing SSH access now: it costs a few minutes and saves a lot of time if the box is ever compromised.

    PREREQUISITES

    1) CentOS 7.4 VPS server

    2) Key-based SSH access. If you have not set it up yet, you can follow our guide to do so.

    3) Basic skills to edit Linux config files and manage services

    CHANGE DEFAULT SSH PORT

    Change the default SSH port. By default sshd listens on port 22. Moving it does not make sshd itself any harder to break into, but it takes your server out of the bulk of automated scans and brute-force runs that only try port 22, so the noise in your logs drops and opportunistic tooling is less likely to pick you up. A targeted attacker will find the new port with a port scan, so treat this as noise reduction, not as a security boundary. Ports 0 to 1023 are well-known ports, 1024 to 49151 are registered ports and 49152 to 65535 are dynamic/private ports, so pick either from 1024 to 49151 or from 49152 to 65535. Technically any port works, but 49152 to 65535 is the safest choice because no other service is expected to be registered there. Let's use 49513 as the example. First check whether someone has already changed the port. Probably not, if you have been connecting on port 22 :)

    grep -n '^#*Port' /etc/ssh/sshd_config
    

    As you can see, the Port line is commented out. Uncomment it and change the value to 49513:

    Port 49513
    

    On CentOS 7 two more things are needed before sshd is restarted, otherwise sshd will fail to bind the new port or the firewall will silently drop your connections: the port must be labelled as an SSH port for SELinux (semanage port, from the policycoreutils-python package) and opened in firewalld (firewall-cmd). Just in case, also check that the port is not already used by other software:

    ss -tulpn | grep LISTEN
    


    Restart your ssh service

    systemctl restart sshd
    

    Check the status of the service (that it restarted OK), then rerun the ss command above to confirm that sshd is now listening on 49513:

     systemctl status sshd
    

    Careful! Your current SSH session is not dropped, but from now on you must connect using the new port (ssh -p 49513 ...). Before closing this session, open a second terminal and confirm that you can log in on the new port; if that fails you still have this session to repair the config.

    DISABLE V1 PROTOCOL

    Disable protocol version 1 for the sshd service. SSH has two protocol versions, 1 and 2; version 1 has known cryptographic weaknesses and must not be used. Force sshd to accept only version 2: open /etc/ssh/sshd_config and add the line

    Protocol 2
    

    Restart the sshd service and check its status. Note that the OpenSSH shipped with CentOS 7.4 (7.4p1) no longer contains server-side support for protocol 1 at all, so on this release the directive is accepted but has no effect; it is harmless to keep and still matters on older installs. You can check the installed version with ssh -V.

    systemctl restart sshd
    systemctl status sshd
    

    DISABLING ROOT LOGIN

    Disable root login and add a dedicated user for SSH access. By default a VPS comes with only the root account, so you log in with root permissions, and every automated attack already knows that account name. It is better to create a dedicated user for SSH access and switch to root only after logging in as that user. Let's do it. Create the user and set a password (the password will be used for sudo, not for SSH):

    adduser vpsuser
    passwd vpsuser
    

    Remember that if you set the server up properly, password-based SSH login is already disabled, so the new user needs keys. Populate its authorized_keys with the trusted keys you already have for root:

    mkdir -p /home/vpsuser/.ssh
    cp /root/.ssh/authorized_keys /home/vpsuser/.ssh/authorized_keys
    chmod 0700 /home/vpsuser/.ssh            # 0700, not 0600: without the execute bit the directory cannot be entered
    chmod 0600 /home/vpsuser/.ssh/authorized_keys
    chown -R vpsuser:vpsuser /home/vpsuser/.ssh
    restorecon -Rv /home/vpsuser/.ssh        # reset the SELinux label; harmless if SELinux is disabled
    

    You can also follow the key creation tutorial from this guide and repeat it for your new user.

    Now try logging in as that user with the key you previously added for root. Once you can get in as the unprivileged user, set up sudo access for it. By default sudo on CentOS allows password-protected sudo for members of the wheel group, so add your user to wheel:

    usermod -a -G wheel vpsuser
    
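    The user-creation, key-copying and wheel-group steps above, tied together as an added example; this is not the article's own script. The function names install_authorized_keys, check_ssh_key_perms, list_authorized_keys and provision_live are this example's, and the keys shown in the usage comment are constructed, not real. Only provision_live needs root, and it is defined but not run, so the file can be sourced safely and the checks tried against any directory first.

```shell
#!/bin/bash
# Added example (not from the original article): provision the dedicated SSH
# user's authorized_keys with the permissions sshd expects, and verify them.
# Function names are this example's own. The live provisioning steps run only
# when provision_live is called explicitly, as root on the VPS.
set -eu

# install_authorized_keys SRC_KEYS HOME_DIR [OWNER]
# Copies a trusted authorized_keys file into HOME_DIR/.ssh with mode 0700 on the
# directory and 0600 on the file. A 0600 directory (a common slip) has no execute
# bit, so it cannot be traversed and sshd could not read the key file inside it.
install_authorized_keys() {
  local src="$1" home="$2" owner="${3:-}"
  mkdir -p "$home/.ssh"
  cp "$src" "$home/.ssh/authorized_keys"
  chmod 0700 "$home/.ssh"
  chmod 0600 "$home/.ssh/authorized_keys"
  if [ -n "$owner" ] && [ "$(id -u)" -eq 0 ]; then
    chown -R "$owner:$owner" "$home/.ssh"
  fi
  # Reset the SELinux label; harmless when SELinux is absent or disabled.
  if command -v restorecon >/dev/null 2>&1; then
    restorecon -R "$home/.ssh" 2>/dev/null || true
  fi
}

# check_ssh_key_perms HOME_DIR
# Returns 0 when .ssh is exactly 0700 and authorized_keys exactly 0600 (the modes
# set above). This is stricter than sshd's StrictModes, which only refuses group-
# or world-writable paths, but it catches the 0600-directory mistake as well.
check_ssh_key_perms() {
  local home="$1"
  [ -n "$(find "$home/.ssh" -maxdepth 0 -type d -perm 700 2>/dev/null)" ] || return 1
  [ -n "$(find "$home/.ssh/authorized_keys" -maxdepth 0 -type f -perm 600 2>/dev/null)" ] || return 1
}

# list_authorized_keys HOME_DIR
# Prints "keytype comment" for every key so you can see exactly which keys you
# just granted access to. Lines that start with options (from=..., command=...)
# are handled by locating the key-type field instead of assuming field 1;
# options containing spaces inside quotes are not handled.
list_authorized_keys() {
  local home="$1"
  awk '!/^[ \t]*#/ && NF >= 2 {
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^(ssh-|ecdsa-|sk-)/) {
        print $i, ($(i + 2) == "" ? "(no comment)" : $(i + 2))
        break
      }
    }
  }' "$home/.ssh/authorized_keys"
}

# provision_live USER: the article's steps in order. Deliberately not called
# here; run it as root on the VPS, then test the login from a second terminal
# before you disable root login.
provision_live() {
  local user="$1"
  id "$user" >/dev/null 2>&1 || adduser "$user"
  echo "Set the sudo password for $user with: passwd $user"
  install_authorized_keys /root/.ssh/authorized_keys "/home/$user" "$user"
  check_ssh_key_perms "/home/$user"
  usermod -a -G wheel "$user"
  echo "Keys granted to $user:"
  list_authorized_keys "/home/$user"
  echo "Now test from another terminal: ssh $user@<vps>, then sudo -i"
}

# Usage on a scratch directory (constructed keys, not real ones):
#   printf '%s\n' 'ssh-ed25519 AAAAC3NotARealKey admin@laptop' > /tmp/keys
#   install_authorized_keys /tmp/keys /tmp/fakehome && check_ssh_key_perms /tmp/fakehome
#   list_authorized_keys /tmp/fakehome
```

    Listing the installed keys before disabling root login matters more than it looks: whatever sat in /root/.ssh/authorized_keys, including keys added by the hosting provider's image, is now also a login for vpsuser, and therefore a sudo path to root.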

    Now log out and back in as vpsuser (required so that the new group membership is picked up) and try running

    sudo su -
    

    After the password prompt you should get a root shell. Now you can disable root login for your VPS. Open /etc/ssh/sshd_config, find the line

    #PermitRootLogin yes
    

    uncomment it and change it to

    PermitRootLogin no
    

    then restart sshd. IMPORTANT: before restarting sshd, carefully check that you can log in as your new user and that sudo works, otherwise you lock yourself out of root. Run sshd -t first as well: it checks the config for syntax errors without touching the running daemon.

    systemctl restart sshd
    

    Your existing session is not dropped, but any new SSH login as root is now refused. From now on log in as the user you created, with key-based access, and use sudo for privileged work.

    LIMIT USERS

    Limit which users can log in over SSH. Imagine you have many privileged and unprivileged accounts on the machine. In most cases you want only a specific set of them to be reachable over SSH at all. In our case we decide that only vpsuser, created earlier, will ever log in through SSH; every other account, including ones created in future, is refused even if it has a valid key. Open /etc/ssh/sshd_config and add an AllowUsers vpsuser line. The directive takes a space-separated list, so several accounts can be allowed at once:

    AllowUsers vpsuser vpsuser1 vpsuser2
    

    You can also limit access to a specific group, using

    AllowGroups group1 group2
    

    Run sshd -t, restart sshd and check that it is running OK. Note that an AllowUsers or AllowGroups line denies every account not listed, root included, so if you leave out your own user you lock yourself out; confirm from a second terminal that vpsuser can still log in before closing your current session.

    systemctl restart sshd
    systemctl status sshd
    

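    All four sshd_config changes from this guide (port, protocol, root login, AllowUsers) plus the PasswordAuthentication prerequisite, applied by one added example script; it is not part of the original article. The function names set_sshd_option, get_sshd_option, harden_sshd_config and apply_live are this example's own, and 49513 and vpsuser are the article's values. apply_live holds the live sequence for CentOS 7, including the SELinux port label and the firewalld rule without which sshd cannot bind the new port or you cannot reach it; it is defined but not invoked, so the editing functions can be exercised on a copy of the config first.

```shell
#!/bin/bash
# Added example (not from the original article): apply the sshd_config changes
# from this guide idempotently, check the result before touching the live daemon,
# and perform the CentOS 7 SELinux/firewalld steps the port change requires.
# Function names are this example's own; the port and user come from the article
# and can be overridden through the environment.
set -eu

SSH_PORT="${SSH_PORT:-49513}"
SSH_USER="${SSH_USER:-vpsuser}"

# set_sshd_option FILE KEY VALUE
# sshd uses the first occurrence of a keyword, so replace the first "Key ..." or
# "#Key ..." line. If there is none, insert "Key VALUE" before the first Match
# block (anything appended after a Match line would apply to that block only) or
# at the end of the file when there is no Match block. Keyword matching is
# case-insensitive, as in sshd.
set_sshd_option() {
  local file="$1" key="$2" value="$3" tmp
  tmp="$(mktemp)"
  awk -v key="$key" -v value="$value" '
    function emit() { print key " " value; replaced = 1 }
    {
      line = $0
      sub(/^[ \t]*#?[ \t]*/, "", line)        # drop indentation and a leading "#"
      split(line, f, /[ \t]+/)
      first = tolower(f[1])
      if (!replaced && first == tolower(key)) { emit(); next }
      if (!replaced && first == "match" && $0 !~ /^[ \t]*#/) emit()
      print $0
    }
    END { if (!replaced) emit() }
  ' "$file" > "$tmp"
  cat "$tmp" > "$file"   # rewrite in place: keeps owner, mode and SELinux label
  rm -f "$tmp"
}

# get_sshd_option FILE KEY
# Prints the effective global value: the first uncommented occurrence, stopping
# at the first Match block. On the live host prefer "sshd -T", which shows what
# sshd actually resolved, defaults included.
get_sshd_option() {
  local file="$1" key="$2"
  awk -v key="$key" '
    /^[ \t]*#/ { next }
    tolower($1) == "match" { exit }
    tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
  ' "$file"
}

# harden_sshd_config FILE PORT USER: the directives this guide sets.
harden_sshd_config() {
  local file="$1" port="$2" user="$3"
  set_sshd_option "$file" Port "$port"
  set_sshd_option "$file" Protocol 2                 # no-op on OpenSSH >= 7.4, harmless
  set_sshd_option "$file" PermitRootLogin no
  set_sshd_option "$file" PasswordAuthentication no  # the guide's prerequisite; enforce it
  set_sshd_option "$file" AllowUsers "$user"
}

# apply_live: the production sequence. Deliberately not called here; run it as
# root from a second terminal and keep the current session open until a login
# on the new port has succeeded.
apply_live() {
  local tmp live=/etc/ssh/sshd_config
  cp -p "$live" "$live.bak.$(date +%Y%m%d%H%M%S)"
  tmp="$(mktemp)"
  cat "$live" > "$tmp"
  harden_sshd_config "$tmp" "$SSH_PORT" "$SSH_USER"
  sshd -t -f "$tmp"                       # syntax check; set -e aborts before the live file changes
  # SELinux only lets sshd bind ports labelled ssh_port_t (semanage: policycoreutils-python).
  semanage port -a -t ssh_port_t -p tcp "$SSH_PORT" 2>/dev/null \
    || semanage port -m -t ssh_port_t -p tcp "$SSH_PORT"
  # firewalld's default zone opens only the "ssh" service, i.e. port 22.
  firewall-cmd --permanent --add-port="$SSH_PORT/tcp"
  firewall-cmd --reload
  cat "$tmp" > "$live"; rm -f "$tmp"
  systemctl restart sshd
  systemctl is-active sshd
  ss -tlnp | grep -w "$SSH_PORT"          # sshd must now be listening here
  sshd -T | grep -iE '^(port|permitrootlogin|allowusers|passwordauthentication) '
}
```

    Work on a copy, run sshd -t -f against it, and only then overwrite the live file; rewriting with cat > rather than mv keeps the file's owner, mode and SELinux label. The inserter places new directives before the first Match line rather than at the end of the file because everything after a Match line belongs to that block, which is an easy way to end up with a setting that silently does not apply globally.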

    CONCLUSION

    We completed a few steps that are fast and easy to implement, do not change the behaviour of your VPS much, and noticeably harden it. It is always worth securing your SSH access, so that your VPS is not taken over by someone running generic attack tooling. You can review the settings sshd is actually using at any time with sshd -T.
