
nikhil boghani

The Ultimate VPS Security Guide

DevSecOps: The Ultimate VPS Security Guide
Secure your Linux VPS in the cloud with these essential practices. From SSH configuration to firewall setup, this guide covers the critical steps to fortify your server against threats.

1. Introduction to SSH

SSH (Secure Shell) is a cryptographic protocol for secure remote server management and file transfers. It’s the modern replacement for insecure protocols like Telnet.

Pro Tip💡: Use an SSH config file to manage multiple server connections efficiently.

Most OSes (Linux, macOS, Windows) include built-in SSH clients.

2. Connecting to Your VPS

Connect to your VPS using the root credentials and IP address provided by your host:

Ex:

ssh root@194.68.123.45

First Connection: Verify the server’s fingerprint to prevent man-in-the-middle attacks. SSH stores it locally for future validation.

3. Server Hygiene: System Updates

Regular updates are your first defense against vulnerabilities.

Refresh Package Repository:

sudo apt update


Red Hat/CentOS: sudo dnf check-update

Arch Linux: sudo pacman -Sy

Alpine: sudo apk update

Install Updates:

sudo apt upgrade -y


Omit -y for critical systems to review updates manually.

Check Reboot Needs:

cat /var/run/reboot-required

If present, schedule a graceful reboot:

sudo shutdown -r +5 "Server rebooting for updates in 5 minutes"

4. Principle of Least Privilege: Standard User

❌ Avoid using the root user for daily tasks to reduce risks.

Create a User:

adduser nikhil

Set a strong, unique password.

Grant Admin Privileges:

usermod -aG sudo nikhil


Verify:

groups nikhil

Ensure sudo is listed.

Test Account:

ssh nikhil@194.68.123.45

Once logged in, confirm that sudo works:

sudo apt update

5. Passwordless Authentication: SSH Keys

SSH keys are more secure than passwords and resist brute force attacks.

⚠️ Critical: Test SSH key authentication before disabling passwords to avoid lockout.

1. Generate Key Pair (on your local machine):

ssh-keygen -t ed25519 -C "admin@mycompany.com"

For legacy systems:

ssh-keygen -t rsa -b 4096 -C "admin@mycompany.com"


2. Windows SSH Agent (if applicable):

Get-Service -Name ssh-agent | Set-Service -StartupType Automatic
Start-Service ssh-agent

3. Add Key to Agent:

ssh-add ~/.ssh/id_ed25519

4. Authorize Key on Server. Copy the public key:

cat ~/.ssh/id_ed25519.pub

On the server:

 mkdir -p ~/.ssh
 chmod 700 ~/.ssh
 touch ~/.ssh/authorized_keys
 chmod 600 ~/.ssh/authorized_keys
 nano ~/.ssh/authorized_keys

Paste the public key as a single line. Save and exit.

Alternative:

ssh-copy-id -i ~/.ssh/id_ed25519.pub nikhil@194.68.123.45


6. Disable Password Authentication
Eliminate password-based logins to prevent brute force attacks.

⚠️ Warning: Confirm that SSH key access works in a new terminal session before making this change.

1. Edit SSH Config:

sudo nano /etc/ssh/sshd_config

Set:

PasswordAuthentication no

2. Check Additional Configs (e.g., AWS, DigitalOcean, Linode):

sudo nano /etc/ssh/sshd_config.d/50-cloud-init.conf
sudo nano /etc/ssh/sshd_config.d/50-linode.conf

Ensure PasswordAuthentication no in all files.

3. Restart SSH:

sudo systemctl restart ssh

For CentOS: sudo systemctl restart sshd.

7. Disable Root Login

Prevent direct root access for added security.

1. Edit SSH Config:

sudo nano /etc/ssh/sshd_config

Set:

PermitRootLogin no

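Alternative: PermitRootLogin without-password for key-based root access. Current OpenSSH releases spell this value prohibit-password and keep without-password as a deprecated alias.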

2. Restart SSH:

sudo systemctl restart ssh
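
Why sections 6 and 7 ask you to check every file, shown as an added example that is not part of the original guide: sshd keeps the first value it reads for a keyword, so a drop-in under /etc/ssh/sshd_config.d/ can silently win over the main file. The helper names (`_walk`, `effective_sshd_value`, `audit_sshd_hardening`, `make_sample_tree`) and the sample file contents are constructed for illustration, and the parser makes the simplifying assumptions listed in its comments.

```shell
#!/bin/sh
# Added example, not from the original guide. sshd keeps the FIRST value it
# reads for a keyword, so a drop-in pulled in by an Include line near the top
# of sshd_config beats a later "PasswordAuthentication no" in the main file.
# Assumptions: Include globs are absolute paths; a file's global section ends
# at its first Match block; "Keyword value" syntax (no "=").
TAB=$(printf '\t')

_walk() {   # _walk keyword file -> "value<TAB>file" lines in sshd read order
    awk -v want="$1" -v file="$2" '
        /^[ \t]*(#|$)/   { next }
                         { key = tolower($1) }
        key == "match"   { exit }
        key == "include" { for (i = 2; i <= NF; i++) print "I\t" $i; next }
        key == want      { print "V\t" $2 "\t" file }
    ' "$2" | while IFS=$TAB read -r kind a b; do
        if [ "$kind" = V ]; then
            printf '%s\t%s\n' "$a" "$b"
        else
            for inc in $a; do            # unquoted on purpose: expand the glob
                if [ -f "$inc" ]; then _walk "$1" "$inc"; fi
            done
        fi
    done
}

effective_sshd_value() {   # effective_sshd_value Keyword /path/to/sshd_config
    _walk "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" "$2" | head -n 1
}

audit_sshd_hardening() {   # returns 0 only if both settings resolve to "no"
    rc=0
    for kw in PasswordAuthentication PermitRootLogin; do
        hit=$(effective_sshd_value "$kw" "$1")
        val=${hit%%"$TAB"*}
        src=${hit#*"$TAB"}
        [ "$val" = no ] || rc=1          # unset counts as a failure too
        echo "$kw=${val:-unset} from ${src:-no file}"
    done
    return "$rc"
}

make_sample_tree() {       # constructed sample, not a real server's files
    d=$(mktemp -d) && mkdir "$d/sshd_config.d" || return 1
    printf 'PasswordAuthentication yes\n' > "$d/sshd_config.d/50-cloud-init.conf"
    printf 'Include %s/sshd_config.d/*.conf\nPasswordAuthentication no\nPermitRootLogin no\n' \
        "$d" > "$d/sshd_config"
    echo "$d"
}
```

On a live server, `sudo sshd -T` prints the configuration sshd actually resolved, and `sudo sshd -t` validates the files before you restart the service.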

8. Setting Up a Firewall

Use UFW (Uncomplicated Firewall) to control network traffic.

1. Install UFW (if not pre-installed):

sudo apt install ufw

2. Set Default Policies:

sudo ufw default deny incoming
sudo ufw default allow outgoing

3. Allow SSH:

sudo ufw allow OpenSSH

For custom ports:

sudo ufw allow 2222/tcp  # Replace with your port


4. Enable Firewall:

sudo ufw enable

5. Allow Web Traffic (if hosting a website):

sudo ufw allow http
sudo ufw allow https

6. Verify Rules:

sudo ufw status
sudo ufw show added
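
A lockout guard for steps 3 and 4 above, as an added example that is not part of the original guide: it reads `ufw show added` output and confirms that a rule admits the port sshd listens on before the firewall is enabled. The function names and the sample rule listing are constructed, and only the simple rule forms used in this guide are recognised.

```shell
#!/bin/sh
# Added example, not from the original guide: run between "ufw allow ..." and
# "ufw enable". Reads `ufw show added` output on stdin and succeeds only if
# some rule admits TCP traffic to the port sshd uses.
# Assumption: rules were added in the simple forms this guide uses
# (ufw allow|limit NAME or PORT[/tcp]); other rule syntaxes are ignored.

ssh_port_allowed() {       # usage: sudo ufw show added | ssh_port_allowed PORT
    awk -v port="$1" '
        $1 != "ufw" || ($2 != "allow" && $2 != "limit") { next }
        {
            target = $3
            # The OpenSSH profile and the "ssh" service name both mean 22/tcp
            # only, so they do not cover an sshd moved to another port.
            if (target == "OpenSSH" || target == "ssh") target = "22/tcp"
            if (target == port || target == port "/tcp") found = 1
        }
        END { exit(found ? 0 : 1) }
    '
}

sample_added_rules() {     # constructed sample of `ufw show added` output
    cat <<'EOF'
Added user rules (see 'ufw status' for running firewall):
ufw allow OpenSSH
ufw allow 80/tcp
ufw allow 443/tcp
EOF
}

guarded_enable() {         # prints the decision; never touches the firewall
    if ssh_port_allowed "$1"; then
        echo "ok: port $1 is allowed, safe to run: sudo ufw enable"
    else
        echo "stop: no rule for port $1, run: sudo ufw allow $1/tcp"
        return 1
    fi
}
```

With the sample rules, port 22 passes and port 2222 is rejected, which is the case the "For custom ports" step covers.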

🚀 Stay Secure!

Follow these steps to harden your VPS against threats. Always test configurations (especially SSH keys) before applying restrictive changes to avoid lockouts.

Thank you🙂
