Linux VPS Hardening

Initializing a secure environment

Planting Seeds

Administration of a virtual private Linux server (VPS) without a GUI cpanel is the only way to go. Going through any graphical user interface (GUI) to run critical services for your company is like playing the telephone game. Securing our environment begins at the terminal & from terminal experience we create a deeper learning experience for ourselves and build confidence along the way.

This article will extrapolate on initializing a Ubuntu Linux VPS for the first time and how we secure our environment through the terminal. No Windows or MacOS pancakes here; only Linux. When beginning a new server or garden, the soil is most important; we create an environment to protect and maximize growth potential. The VPS provider may give you an OS they installed, but I always create a fresh install myself.

Logging in via SSH

Creating RSA Public Key 

Before you are able to login with SSH, you will most likely have to generate and add a RSA public key.

ssh-keygen -t rsa -b 4096 

Copy / Paste Public Key

After key is generated, we display the public key and add it to VPS account. Optionally, you may have to add the key with ssh-copy-id [email protected]_address.

cat ~/.ssh/id_rsa.pub
ssh-rsa AAAEXAMPLECAQDBn0Z88lqrtya0Nd7yYtP/1o90vwVxjvCm/txb+SW85JRRnrI616d2iWwtVCSiUX0s59FfIPxUJl6vPqmxY40DIrX9KZijVpaq/TzWXh2ktCTjT6uBNMBRz/2lxP3w2AZov65dygjW5eQT9K9YB13dr1B4RkQMmUW5xiFbdHM0WzBYM2CMtE+lnmebn7m+B3DcvNkuGdT9Qw1/J24dTuNJSzJXVxzTOTlnVKOVSp1NWzu0USFI6dkrz8YImSgP9hQX970zTnzQ1Ctei4xlR/IiCpVGG6zWeV4oT3sLf4E9mk9eYF/wU0AdA3mQ68yZvv+Bhlc75e9kmUFe+JbctKR4YaKGY6K6K/F1tHrKYkASEkfQQ0KJU/ez/wtSf21A6Z2bM/Gg28f/6owfIMPWnYuB9VOLqkdIHFUot40uMi9CBvkdwH69zAQfz4jFvmu588klE0usBclGAFs78KM6YWaXHYjHdWVRIUrAqdZw1IP0uYS3uSBUPsbBG/Aq0V+22dg8U5DSu5XmwLB5jT+3c4ScqH3kY5tomRLe+2Dx4K+mAHpgtf10xL6Ayx2y0GFZCf+LB1Va3Trk3ChcaKRF5KvyayFQNSY4AfA47B90asdv== [email protected] 

SSH into VPS

Next, we login to our VPS and specify -i what key to use. The -i is only needed if you have more than one key. The -v displays verbose or details of what the command is doing in the terminal.

ssh -i ~/.ssh/id_rsa [email protected]

Success! Now, we are able to update and upgrade our packages.

Prepping Linux Environment

Update Sources & Packages

apt-get update && apt-get upgrade

Disable Ubuntu Sudo Timeout 

In Ubuntu, sudo has a timeout built in for ease of use. I personally remove this timeout; without knowing you are using sudo will create all kinds of headaches in the future. When you make use of root privileges, we must explicitly type sudo each command.

sudo visudo

edit and add the following line to the config file

Defaults env_reset, timestamp_timeout=00

Setting Up The Firewall

After we have logged in via SSH for root user account. I recommend installing a powerful firewall called: ufw

apt-get install ufw
ufw allow ssh

Display the status of the firewall and determine if ssh has been allowed. If nomenclature ssh doesn't add the ports, we do this manually with ufw allow 22/udp & ufw all 22/tcp. Port 22 is the common port SSH server makes use of; we are able to change this port for extra hardening, but for the sake of this tutorial, we will use port 22.

ufw status 
To                         Action      From
--                         ------      ----
22/tcp                     ALLOW        Anywhere                  
22/udp                     ALLOW        Anywhere

Now, we enable the firewall after we allow port 22. The SSH connection should remain open. If it closes, SSH back into your VPS.

ufw enable 

Check If Port Is Open 

Once telnet is ran, ssh information should populate

telnet 123.123.123.123 22
Trying 123.123.123.123...
Connected to 123.123.123.123.
Escape character is '^]'.
SSH-X.0-OpenSSH_X.2p1 Ubuntu-Xubuntu0.2

Invalid SSH identification string.
Connection closed by foreign host.

Creating New Users & Permissions

To further expand on the garden, we must define a secure space for each plant or service we are running. To manage each service, like dns, mail, gitea, etc... we create a new user for each of these environments. This separation is important for operational security (OPSEC).

adduser username

Note: If we want to use Dockerfile or auto script without prompts, we make use of the useradd command.

Adding user `username' ...
Adding new group `username' (1003) ...
Adding new user `username' (1002) with group `username' ...
Creating home directory `/home/username' ...
Copying files from `/etc/skel' ...
New password: 

Next, if the user should have sudo permission, we do the following.

usermod -a -G sudo username

Prove User was Created

cat /etc/passwd
...
username:x:1001:1002:User Name,,,:/home/username:/bin/bash
...

Logging In with New Username

su username

Update SSH Config 

sudo nano /etc/ssh/sshd_config

Add sudo to the AllowGroups like so: 

AllowGroups wheel root sudo

Next, we disable root login since we will only have root privileges when using sudo. 

PermitRootLogin no

SSH Directory Creation 

For New Username Creating new user access to SSH login. When you connect to new [email protected], the vps user needs the public key for verification of authorized user. Authorized users with correct private key will be able to login to vps via ssh protocol. 

mkdir ~/.ssh` `nano ~/.ssh/authorized_keys

Paste your public key we created earlier into the authorized_keys file.

Update file & folder permissions

chmod 700 ~/.ssh` `chmod 600 ~/.ssh/authorized_keys

Restart SSH service 

sudo service ssh restart
exit

In conclusion, we are now able to login via SSH with new user and have also disabled root user logins. This process will have to be done for each user that is created. 

Backups with Rsync Superpowers!

After all our hard work and focus, we should backup our VPS and create scheduled routines. Depending on your use case, I would recommend at least weekly backups. The following command is quite complex, but, essentially we are discarding folders we don't need, backing up the entire VPS to our local machine and preserving all permissions and file integrity from the VPS.

  • rsync - A fast, versatile, local and remote file-copying utility 
  • aAXv - The files are transferred in "archive" mode, which ensures that symbolic links, devices, permissions, ownerships,modification times, ACLs, and extended attributes are preserved.
  • / = Source root directory
  • --exclude Excludes the given directories from backup.
sudo rsync -aAXv --rsh="ssh -i /home/user/.ssh/id_rsa" --recursive --progress --exclude={"/dev/*","/proc/*","/sys/*","/tmp/*","/run/*","/mnt/*","/media/*","/lost+found","/backups/*"} [email protected]:/ /home/user/VPS/Backups/

Sources

CharlesCharles