You’ve just ordered your new HostDoc VPS, you’re wondering where to go from here. You’ve come to the right place!
In this tutorial, we will be going through a couple of basic security hardening steps. These are just a few things that you can do, security is a game of cat and mouse, so there’s never going to be a completely secure system.
Following this guide will go a long way toward securing your VPS
Creating a new user
The first and most basic thing we can do is to create a new user that will become our main account to use. The benefit of this is that the username isn’t root, therefore it’s one thing that an attacker wouldn’t know immediately. The most common attacks come to the root user, so having a different name is a great help.
In this example, we will call our new user “secretnewuser” - I suggest using your own secret user name.
root@tutorial:~# adduser secretnewuser
It will ask you to enter a new password, this is the perfect opportunity to show you how to set a strong password
Setting a strong password
The best password is one that is as random as possible, not containing any words found in the dictionary, not easy to guess. My preferred method is to use a random password generator like this one. Each time you visit or refresh that page it will generate a new password.
Once you’ve put the password in, just fill in the details, or just keep pressing enter.
Before we continue, it’s a good idea to give the root user a new strong password. Generate a new password from this page and use it below.
We’ve just given the root user a strong password, nice!
Giving that new user ‘sudo’ access
Now that we have our new user, in this case called “secretnewuser” we need to give it sudo access. Because I know you didn’t just use the same username, replace secretnewuser with your chosen username.
root@tutorial:~# usermod -aG sudo secretnewuser
Disabling root login with SSH
Because logging in as a root user with SSH is generally not a secure thing to do, we are going to disable the ability to SSH into your VPS as the root user. After we do this, you’ll need to log in with your secret new user and start using sudo.
We’re going to use an editor called nano, because it’s very easy to use. If you prefer your own editor, use that instead.
root@tutorial:~# nano /etc/ssh/sshd_config
Find the line that says and change it so that it says
Changing default SSH port
Now is a good time to change the default SSH port from 22 to something else. Here I will use 12922 from now on, please choose your own.
In the /etc/ssh/sshd_config file, find the line that says and change it to your chosen port, in my example it will be
Now that we’ve changed that, we need to restart the ssh server. Note that this will prevent you logging in as root anymore! (Which is great!)
root@tutorial:~# systemctl restart sshd.service
Log out now.
Log in as your new user, on your new port (don’t forget that!)
Setting up a firewall
From this point forward, we’ll be using sudo because we’re logged in as our new user.
We’re going to use a tool called ufw, which is a firewall. If it’s not installed, you can do that first with either apt or yum, depending on your distro. I use ubuntu, so…
secretnewuser@tutorial:~$ sudo apt install ufw
We are going to by default block all incoming ports except for the new SSH port, which in my example is 12922.
secretnewuser@tutorial:~$ sudo ufw default deny incoming secretnewuser@tutorial:~$ sudo ufw default allow outgoing secretnewuser@tutorial:~$ sudo ufw allow 19222 secretnewuser@tutorial:~$ sudo ufw enable
Now your system is very secure. Don’t forget you can add other ports later, for example 80 and 443 if you plan to use a web server.
Protecting against brute force password attacks
The final thing we’ll do here is simple, we’re going to install a tool called ‘fail2ban’ which scans logs and if it notices too many failed attempts to sign in, will temporarily ban an IP address to prevent them guessing your password. I’m using ubuntu so…
secretnewuser@tutorial:~$ sudo apt install fail2ban
And we’re done! Your linux VPS is now very secure, but it doesn’t end here. There are many other things you can do including using SSH keys, disabling password logins altogether and much much more. Since this is a basic security setup, they are out of scope for this guide.
I hope this was easy to follow, as always, please leave feedback