This is an overview of how to setup your Ubuntu virtual private server.
Accessing Your VPS
After creating a VPS instance (e.g. DigitalOcean droplet or Linode linode), you will be provided an IP address as well as login password. Use the credentials to log into the server.
ssh root@SERVER_IP_ADDRESS
Tips regarding authentication (explained further in SSH Lockdown below)
- SSH login via root should be disabled
- Only use ssh key authentication
- Use a non-common port for ssh
Managing Users
By default, only one user exists: root - a superuser
Creating a new user
Create a new user to avoid using root and it's elevated privileges. While creating a new user, several questions will be asked. You can add additional information about the user but note that only the password is essential.( Press ENTER to skip the rest)
adduser demouser
# you can now give the user access to root privileges (sudo)
gpasswd -a demouser sudo
Confirm that you can login as this new user before proceeding.
ssh newuser@SERVER_IP
sudo su - # try to access root as user
SSH Lockdown
Disabling root login
Before disabling root login, ensure that you've created a user that can SSH to the server (as explained in User Management above).
The user can use the su
command to become root (will need root password), or if the user has sudo they can just sudo su -
to access root.
Edit /etc/ssh/sshd_config
and turn PermitRootLogin to no. Use a different editor if new to vi (ZZ to exit).
Before doing this, ensure that you can login with another (non-root) user account (see User Management above).
sudo vi /etc/ssh/sshd_config
# Change the following line
PermitRootLogin yes
# to
PermitRootLogin no
Restart ssh service for this change to effect.
sudo service sshd restart
SSH Key-Based Authentication
You can now setup public key authentication (recommended). This will enable you to securely login to the server without having to enter your password.
Read how to do thisI would also recommend using a non-common port for SSH. Read how to do this
Update Server
- Update server software:
sudo apt-get update && sudo apt-get upgrade -y
- Set desired server hostname: As superuser, edit the files
/etc/hostname
and/etc/hosts
. To update without a restart restart, run this:systemctl restart systemd-logind.service
- Update the timezone, to your desired timezone. Use
dpkg-reconfigure tzdata
Add Swap
Check if swap is already enabled on the server, if enabled, the swap partition will be listed.
sudo swapon -s
# alternatively
free -g
# shows free (and used) physical & swap memory (-g = in gb)
If swap is not enabled, check the amount disk space you have available.
df -h
Create swapfile (usu 2x or 1x your RAM)
# Fast Method (fallocate e.g creating 1gb swap)
sudo fallocate -l 1G /swapfile
# Slow method (e.g creating 4gb swap)
### sudo dd if=/dev/zero of=/swapfile bs=1G count=4
Verify space has been allocated
ls -lh /swapfile
Enable Swap
sudo chmod 600 /swapfile
sudo mkswap /swapfile
sudo swapon /swapfile
#verify it's enabled
sudo swapon -s
Enable Swap on Reboot/ Start: Edit fstab (/etc/fstab
), and add the swap filesystem.
sudo vi /etc/fstab
# Add this line to /etc/fstab
/swapfile none swap sw 0 0
If you are working on a RAM intensive app, e.g Java, consider reducing swappiness and inode cache rate. Read how to do that
Configuring a Firewall
UFW (uncomplicated firewall) is a tool that simplifies configuring of iptables
to secure your server. It is an easy to use firewall.
Install ufw (most likely already installed)
sudo apt-get install ufw
Enable IPv6: Edit /etc/default/ufw
and set IPv6=yes
sudo vi /etc/default/ufw
# set
IPv6=yes
Check ufw status and rules (will be inactive if not yet enabled).
sudo ufw status verbose
Setup default firewall policies
sudo ufw default deny incoming
sudo ufw default allow outgoing
Allow common connections only allow what you use
Allowing SSH connection (default ssh port 22)
sudo ufw allow ssh
# same as: sudo ufw allow 22/tcp
If you are using different port for SSH (see SSH Lockdown: custom port above), then allow that instead of port 22
sudo ufw allow 2222/tcp
Allow HTTP and HTTPS
sudo ufw allow http
sudo ufw allow https
# the above two commands are the same as
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
Allow SMTP - if sending out mail directly using SMTP
sudo ufw allow 25/tcp
Check all added exceptions (allowed connections)
sudo ufw show added
Enable UFW: Also useful when reloading to update configuration
sudo ufw disable
sudo ufw enable
Reset UFW
In case of errors during configuration, you can reset ufw
with the following command
sudo ufw reset
UFW and docker: Docker usually manipulates iptables
rules meaning that the ufw restrictions will not apply.
Read how to fix that
Intrusion Prevention with Fail2ban
Fail2ban is an open source intrusion prevention software that scans log files and bans IPs with malicious behaviour such as too many invalid login attempts or automated attacks. It primarily focusses on SSH attacks but can be configured to work with other services (e.g Apache, SMTP, FTP) based on their logs.
Install fail2ban
sudo apt-get update
sudo apt-get install fail2ban
Configuring Fail2ban
Fail2ban configuration files are located at the /etc/fail2ban/
directory.
- The fail2ban configuration profile
/etc/fail2ban/fail2ban.conf
: this contains settings for fail2ban itself (eg logging level, pid and socket locations). - Fail2ban defail jail configuration:
/etc/fail2ban/jail.conf
: contains declarations for jails (filters and actions), this is usually what you want to customize.
In order to customize fail2ban configs, create .local files at /etc/fail2ban
containing your desired configuration settings. Settings in .local will override settings in .conf files.
Therefore:
copy
fail2ban.conf
tofail2ban.local
(optional)copy
jail.conf
tojail.local
(usu what you'll want to customize)then make changes to the .local files as desired.
sudo cp /etc/fail2ban/fail2ban.conf /etc/fail2ban/fail2ban.local
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
To make changes to fail2ban's general settings, update the fail2ban.local
file.
See examples of how to do this
Customizing fail2ban
Fail2ban is mainly configured using "jails". A jail is a declaration of filters and actions that fail2ban will follow when protecting services
Customizing fail2ban involves editing the jail.local
file.
While Fail2ban helps reduce rate of invalid logins, it does not eliminate the risk of weak password authentication. I'd recommend using public key authentication (described in SSH Lockdown above).