Recently I’ve been setting up a number of simple VPS servers on Amazon AWS and Digital Ocean, and I’ve wanted to make sure that they have a minimum level of protection against common attacks and vulnerabilities. This is the guide I’ve put together to harden a newly created Ubuntu server.
Always make sure that you update the OS to patch any recently fixed vulnerabilities:
Ideally you want to set up your root user access with an SSH key. Different VPS hosts handle this differently and have slightly different sshd_config settings. We want to disable root access as soon as possible, but to do that we first need to create a new user we can use instead.
Next we will grant this user sudo privileges.
Next we want to lock down SSH PasswordAuthentication, but first we need to make sure our new user has an SSH key.
Once we know we will be able to log in with our new user’s SSH key, we can disable root login and password authentication. While we’re there we’ll also change the default SSH port.
Then we will make three changes to the file, so you will want to find the following settings and change them to:
In order for those changes to take effect we need to restart ssh:
UFW is a simple firewall we can set up to block incoming traffic except for the ports we specifically need open.
Block all incoming traffic:
Since UFW hasn’t been configured yet this will block all incoming traffic. Now we need to make sure we open our new ssh port:
You can now optionally open any additional ports you may need:
Once you are satisfied, make sure you enable UFW:
If you want to check that the firewall is configured properly:
Finally, if you want to double-check that the ports are in fact closed/opened, you can verify with iptables:
Ideally this is also where we would set up fail2ban, a popular tool used to ban IP addresses that incorrectly attempt SSH logins for a period of time. Expect an update with that coming soon.
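A way to check the three sshd_config changes described above (root login off, password authentication off, non-default port) before restarting ssh. This is an added example, not part of the original guide: the function names, the port 2222 and the sample file are constructed for illustration, and the fallback values are the upstream OpenSSH defaults.

```shell
#!/bin/sh
# Added example: audit the three sshd_config settings changed in this guide.

# Print the global value of a keyword. sshd keeps the FIRST occurrence of a
# keyword, keywords are case-insensitive, and anything after a "Match" line
# is conditional, so parsing stops there. DEFAULT is used if the key is unset.
sshd_value() {  # usage: sshd_value FILE KEYWORD DEFAULT
    awk -v key="$2" -v def="$3" '
        { sub("#.*", "") }                       # drop comments
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) && NF >= 2 { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# Return the number of failed checks (0 = hardened as described in the guide).
audit_sshd_config() {  # usage: audit_sshd_config FILE
    fails=0
    root=$(sshd_value "$1" PermitRootLogin prohibit-password)
    pass=$(sshd_value "$1" PasswordAuthentication yes)
    port=$(sshd_value "$1" Port 22)
    [ "$root" = "no" ] || { echo "FAIL PermitRootLogin=$root (want no)"; fails=$((fails + 1)); }
    [ "$pass" = "no" ] || { echo "FAIL PasswordAuthentication=$pass (want no)"; fails=$((fails + 1)); }
    [ "$port" != "22" ] || { echo "FAIL Port=$port (still the default)"; fails=$((fails + 1)); }
    [ "$fails" -eq 0 ] && echo "OK root login off, password auth off, port $port"
    return "$fails"
}

# Constructed sample: "PasswordAuthentication no" was appended at the end
# instead of editing the existing line, so sshd ignores it (first value wins).
sample_config() {
    cat <<'EOF'
# constructed sshd_config excerpt
port 2222
PermitRootLogin no
PasswordAuthentication yes
PasswordAuthentication no
Match User deploy
    PermitRootLogin yes
EOF
}

tmp=$(mktemp)
sample_config > "$tmp"
audit_sshd_config "$tmp" || echo "$? check(s) failed"
rm -f "$tmp"
```

On a live host, `sudo sshd -t` checks the file for syntax errors before the restart, and `sudo sshd -T` prints the effective configuration including any Include files, which this parser does not follow.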