When you buy a new virtual private server (VPS), most providers hand over the machine with remote root access over SSH, which is not safe.
This article provides some tips to help you increase your VPS server’s security. Let’s start setting up.
First of all, connect to your new server:
ssh root@your_servers_ip
Note: your provider should send the SSH credentials for the new VPS server by email.
Create a new user with the “adduser” command:
adduser user
The system opens an interactive prompt and asks you to set some data:
root@your_servers_id:~# adduser user
Adding user `user' ...
Adding new group `user' (1000) ...
Adding new user `user' (1000) with group `user' ...
Creating home directory `/home/user' ...
Copying files from `/etc/skel' ...
New password:
Retype new password:
passwd: password updated successfully
Changing the user information for user
Enter the new value, or press ENTER for the default
Full Name []: My User
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n] y
Note: you may leave the first five fields blank and just press “Enter”, but the last line needs confirmation.
Now add the new user to the sudo group (sudoers) so that it can run commands as root:
usermod -aG sudo user
If your machine doesn’t have the “sudo” utility, you need to install it:
apt update && apt install sudo -y
Log out and log in as the newly created user:
ssh user@your_servers_ip
Now remove the root user’s password (note that passwd -d leaves the account with an empty password rather than a locked one):
sudo passwd -d root
Disable root login over SSH. Edit the /etc/ssh/sshd_config file, find PermitRootLogin and set its value to no:
PermitRootLogin no
After making the changes, restart the sshd service:
sudo systemctl restart sshd.service
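The PermitRootLogin edit above only takes effect if it is the first value sshd reads for that keyword. The shell functions below are an added example, not part of the original article: the function names and the sample file are constructed for illustration, and only a single file is parsed (Include targets are reported, not followed).

```sh
#!/bin/sh
# Added example: which PermitRootLogin line would sshd use in this file?
# sshd keeps the FIRST value it reads for a keyword, so a "PermitRootLogin no"
# appended at the bottom loses to an earlier "PermitRootLogin yes".
# Function names are hypothetical helpers, not part of OpenSSH.

# Prints "<value> line <n>" for the first global PermitRootLogin, or "unset".
# Prints "include <pattern>" for each Include seen before it: those files are
# read first and can set the keyword themselves (they are not followed here).
effective_permit_root_login() {
    awk '
        { sub(/^[ \t]+/, "") }                 # drop leading indentation
        /^#/ || /^$/ { next }                  # skip comments and blank lines
        {
            split($0, f, /[ \t=]+/)            # "Keyword value" or "Keyword=value"
            kw = tolower(f[1]); val = f[2]
            gsub(/"/, "", val)                 # values may be double-quoted
        }
        kw == "include" { print "include " val; next }
        kw == "match"   { exit }               # Match blocks are conditional
        kw == "permitrootlogin" { print tolower(val) " line " NR; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Succeeds only when this file alone proves root login is off: the first
# output line must be "no ...", so a preceding Include or "unset" fails.
root_login_disabled() {
    first=$(effective_permit_root_login "$1" | head -n 1)
    [ "${first%% *}" = "no" ]
}

# Constructed sample: the edit was appended, but an earlier line wins.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sshd_config fragment
Port 22
PermitRootLogin yes
PermitRootLogin no
EOF
effective_permit_root_login "$sample"
root_login_disabled "$sample" || echo "root login is NOT disabled by this file"
rm -f "$sample"
```

On the server itself, `sudo sshd -T | grep -i permitrootlogin` prints the value sshd resolved after processing every Include.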
Disable IPv6. Add the following lines at the bottom of the /etc/sysctl.conf file:
net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1
net.ipv6.conf.lo.disable_ipv6=1
Apply the changes without restarting the system:
sudo sysctl -p
Install the UFW utility to manage network access:
sudo apt install ufw -y
Add a UFW rule for the OpenSSH service to restrict access to your server:
sudo ufw allow from X.X.X.X to any port 22
Where X.X.X.X is your router’s external address.
Enable UFW so that it starts automatically when the system boots:
sudo ufw enable