Tips for Securing a Development Server or VPS on Ubuntu 18.04.03 LTS

DISCLAIMER: This guide is more for beginners or users who have little to no experience in managing a VPS. More experienced users by now would have figured out a solution to setting up their VPS for the first time.

This guide was written on the basis that you are using an Ubuntu-based operating system.

(Tip #1) Setting Up A VPS For The First Time
One of the first things I do when receiving a VPS for the first time would be changing the password.

You can do this by running sudo passwd to change the root password, or plain passwd to change the password of the user you are logged in as. You will be asked to type the new password twice, and there is no way to escape the prompt until it has been completed.

I personally recommend making your password a mix of uppercase and lowercase letters with a sprinkle of symbols and numbers no more than 16 characters long.

(Tip #2) Update Your Packages and Install Security Updates
This one is quite simple. Depending on when you read this, there may be a new version of your OS available.

You can update your system by running the following command: sudo apt update && sudo apt upgrade -y.
Running sudo apt update refreshes the package index from Ubuntu’s repository servers.
Running sudo apt upgrade -y upgrades all of your installed packages to the latest stable version. The -y flag answers yes to the confirmation prompt (including the question about the additional disk space needed) so the upgrade proceeds without further input.

Occasionally, you may see a menu pop up for GRUB, as I noticed when writing this guide.

You can continue through this prompt by using the arrow keys to select your device /dev/vda/ and pressing the SPACE key to select that device (marked by the *). Press TAB to highlight [Ok] and press ENTER to continue with the setup.

After being returned to the console, restart your server with sudo reboot now so the updates take effect before we check that you are running the latest Ubuntu release. After one to three minutes, you should be able to SSH to your server again.

Run the following command to check for a new Ubuntu release: sudo do-release-upgrade.
If a newer release exists, this begins the installation of the next version of Ubuntu.

If there is an update available you will see a couple of prompts, one asking you to press y to confirm that an additional SSH daemon will be opened on port 1022. Press y and hit ENTER twice. After fetching the new packages, you will be prompted to continue again. Hit y and then ENTER. This time, the installation could take a while, so you can grab a quick drink and snack while you watch the lines move upwards. Soon enough, you will receive the message “System upgrade is complete. Restart required.”. Go ahead and type y and press ENTER. Your system will now reboot.

(Tip #3) Change Your SSH Port
It is ideal to change your default SSH port of 22. In the time that I was writing this guide (about an hour and a half has elapsed since I created the VPS), my VPS has received around 50 attempted logins from the outside world, most of them from Japan it seems. Changing the default port avoids the resources those attempted logins consume while they wait to authenticate.
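To see what those attempts look like on the server itself, here is an added shell example (not part of the original guide) that counts failed SSH password logins per source address from auth.log-style lines. The log lines are constructed samples in the format Ubuntu 18.04 writes to /var/log/auth.log, and the function names are my own; this is the same evidence fail2ban (mentioned at the end of the guide) acts on.

```shell
#!/bin/sh
# Added example (not from the original guide): summarise failed SSH logins
# per source address from auth.log-style lines.

# failed_logins_by_ip <logfile>
# Prints "count ip" pairs, most frequent first. Only "Failed password" lines
# from sshd are counted; accepted logins and other services are ignored.
failed_logins_by_ip() {
    grep -E 'sshd\[[0-9]+\]: Failed password for' "$1" \
        | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") { print $(i+1); break } }' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# top_offender <logfile>: the single address with the most failed attempts.
top_offender() {
    failed_logins_by_ip "$1" | head -n 1 | awk '{ print $2 }'
}

# Constructed sample log (not real data, documentation-range addresses),
# written to a temp file so the functions run without touching /var/log.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jan  1 10:00:01 vps sshd[1201]: Failed password for root from 198.51.100.7 port 41022 ssh2
Jan  1 10:00:03 vps sshd[1203]: Failed password for invalid user admin from 198.51.100.7 port 41030 ssh2
Jan  1 10:00:05 vps sshd[1205]: Failed password for root from 203.0.113.9 port 50011 ssh2
Jan  1 10:00:07 vps sshd[1207]: Accepted publickey for deploy from 192.0.2.10 port 6000 ssh2: RSA SHA256:ConstructedFingerprint
Jan  1 10:00:09 vps sshd[1209]: Failed password for root from 198.51.100.7 port 41044 ssh2
EOF

# On a live host you would run: failed_logins_by_ip /var/log/auth.log
failed_logins_by_ip "$SAMPLE_LOG"
```

The "invalid user" variant is matched deliberately: guesses against usernames that do not exist are the bulk of what a fresh VPS sees, and they are logged with the extra words between "for" and "from".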

You can change your SSH Port using the command sudo nano /etc/ssh/sshd_config.

Find the entry (often on line 13) that reads #Port 22. Remove the # symbol so the setting is read, and change the port number 22 to another number such as 5525 or 2323, so the line reads Port 5525.

Pressing CTRL + X will ask whether you would like to “Save Modified Buffer”. Press y and ENTER to save your changes, or press CTRL + C if you made a mistake and want to keep editing the file.

Running sudo service ssh restart restarts the service so SSH listens on the new port. Next time you want to log in, you will have to specify this port.

(Tip #4) Create A Secondary Root User
It is pretty dangerous to log in as root over SSH, so it’s recommended to log in as a different user and escalate to root. Take the time to think of a username that wouldn’t be easily guessable. Once you’ve decided on one, follow along, replacing the placeholder in the text with the username you chose.

  • adduser [USERNAME]
    • You will be prompted to enter a password.
    • When prompted for a name, you can answer with nothing.
    • Answer with a y when asked whether the information is correct.
  • usermod -aG sudo [USERNAME]

Your user can now run the same commands as root by prefixing them with sudo.

(Tip #5) Disallow Root Login and Set Up Password-less Authentication

You can disallow logins from root and secure your server even more with SSH Keys. This could technically be overkill, but as they say “When someone has access to your server, it technically isn’t your server anymore.” so we want to secure it as much as possible.

Chances are you are using a program called “PuTTY” to SSH into your server from Windows, and that you also installed its companion, “PuTTYgen” (the PuTTY Key Generator).

[Screenshot: PuTTY Key Generator]

Set the key type to RSA and 2048 bits for a secure key. Click “Generate” and move your mouse around the blank space to generate some randomness. Save your private key to your Documents folder as ssh.ppk and ignore the warning about saving without a passphrase. Your public key is shown at the top of the window; highlight the entire public key and copy it to your clipboard.

Run the following commands as the user you wish to assign this SSH key to.

  • cd ~ && mkdir .ssh && cd .ssh/
  • nano authorized_keys
    • Paste your public key (the OpenSSH-format line you copied from PuTTYgen) into this file.
    • CTRL + X and reply with Y to save the file.
  • cd ~ && chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys

This ssh key can be used to login without using any passwords.
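The steps above, done by hand with mkdir, nano and chmod, as an added shell example (not from the original guide) that installs a public key with the 700/600 permissions the guide prescribes, refuses anything that is not a one-line OpenSSH key (the .ppk file or PuTTYgen’s “BEGIN SSH2 PUBLIC KEY” export will not work in authorized_keys), and does not add the same key twice. The directory, key material and function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original guide): install an SSH public key into
# ~/.ssh/authorized_keys with the permissions sshd's StrictModes requires.

# install_authorized_key <home_dir> "<public key line>"
install_authorized_key() {
    home_dir="$1"
    pubkey="$2"

    # Accept only the single-line OpenSSH format shown at the top of the
    # PuTTYgen window ("ssh-rsa AAAA... comment").
    case "$pubkey" in
        "ssh-rsa AAAA"*|"ssh-ed25519 AAAA"*|"ecdsa-sha2-nistp256 AAAA"*) ;;
        *) echo "refusing key that is not in OpenSSH one-line format" >&2; return 1 ;;
    esac

    # 700 on .ssh and 600 on authorized_keys: sshd ignores the file when it
    # is writable by other users (StrictModes yes, the default).
    mkdir -p "$home_dir/.ssh"
    chmod 700 "$home_dir/.ssh"
    touch "$home_dir/.ssh/authorized_keys"
    chmod 600 "$home_dir/.ssh/authorized_keys"

    # Idempotent: compare key type and base64 blob only, so a different
    # trailing comment does not produce a duplicate entry.
    key_id="$(printf '%s\n' "$pubkey" | awk '{ print $1, $2 }')"
    if awk '{ print $1, $2 }' "$home_dir/.ssh/authorized_keys" | grep -qxF "$key_id"; then
        return 0
    fi
    printf '%s\n' "$pubkey" >> "$home_dir/.ssh/authorized_keys"
}

# perms_ok <home_dir>: prints "ok" when directory and file modes match the guide.
perms_ok() {
    [ "$(stat -c '%a' "$1/.ssh")" = "700" ] && \
    [ "$(stat -c '%a' "$1/.ssh/authorized_keys")" = "600" ] && echo ok
}

# key_count <home_dir>: number of entries in authorized_keys.
key_count() { wc -l < "$1/.ssh/authorized_keys" | tr -d ' '; }

# Demo against a throwaway directory (constructed). On a real host you would
# pass the user's home, e.g. install_authorized_key /home/deploy "$PUBKEY".
DEMO_HOME="$(mktemp -d)"
trap 'rm -rf "$DEMO_HOME"' EXIT
SAMPLE_BLOB="AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleKeyMaterial000000000000"
install_authorized_key "$DEMO_HOME" "ssh-ed25519 $SAMPLE_BLOB laptop"
install_authorized_key "$DEMO_HOME" "ssh-ed25519 $SAMPLE_BLOB laptop-renamed"   # same key, no duplicate
perms_ok "$DEMO_HOME"
```

If you already used nano as the guide describes, running perms_ok on your home directory is a quick way to confirm the chmod step took effect before you disable password logins.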

To disable root logins, go back to the SSH config from Tip #3 and edit the following keys:
Find PermitRootLogin yes and change it to PermitRootLogin no. A little further down, look for #PasswordAuthentication yes; enable the key by removing the # prefix and change the setting to no. Do the same with #PermitEmptyPasswords no, except that you keep it set to no. Press CTRL + X, answer y to save the file, and run sudo service sshd restart to apply the changes.
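A typo in sshd_config, or turning off password logins before the key actually works, is the classic way to lock yourself out of a fresh VPS. Here is an added shell example (not the guide’s own code) that applies the Tip #3 and Tip #5 directives in one idempotent pass and checks the file with sshd -t before anything is restarted. The function names, the port 5525 from the text, and the sample config (a trimmed copy of the stock 18.04 defaults) are my constructions.

```shell
#!/bin/sh
# Added example (not from the original guide): set the sshd_config directives
# from Tips #3 and #5 and validate the file before restarting sshd.

# set_sshd_option <config file> <Key> <Value>
# Replaces an existing "Key ..." or "#Key ..." line in place (so the directive
# stays where the guide points at it) or appends it if absent. sshd honours
# the first occurrence of a key, so later duplicates are dropped.
set_sshd_option() {
    cfg="$1"; key="$2"; value="$3"
    if grep -Eq '^[[:space:]]*#?[[:space:]]*'"$key"'([[:space:]]|$)' "$cfg"; then
        awk -v k="$key" -v v="$value" '
            $0 ~ "^[ \t]*#?[ \t]*" k "([ \t]|$)" {
                if (!done) { print k " " v; done = 1 }
                next
            }
            { print }' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    else
        printf '%s %s\n' "$key" "$value" >> "$cfg"
    fi
}

# harden_sshd <config file> <port>: the four changes the guide makes by hand.
harden_sshd() {
    set_sshd_option "$1" Port "$2"
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" PasswordAuthentication no
    set_sshd_option "$1" PermitEmptyPasswords no
}

# effective_value <config file> <Key>: the value sshd would read
# (first uncommented occurrence).
effective_value() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Demo on a constructed copy of the relevant stock Ubuntu 18.04 lines.
DEMO_CFG="$(mktemp)"
trap 'rm -f "$DEMO_CFG"' EXIT
cat > "$DEMO_CFG" <<'EOF'
#Port 22
#AddressFamily any
#PermitRootLogin prohibit-password
PermitRootLogin yes
#PasswordAuthentication yes
#PermitEmptyPasswords no
ChallengeResponseAuthentication no
EOF
harden_sshd "$DEMO_CFG" 5525
cat "$DEMO_CFG"

# On a real host: back up /etc/ssh/sshd_config first, run harden_sshd on it,
# and only restart if the syntax check passes. sshd -t has to read the host
# keys, so the check is skipped here when not running as root.
if command -v sshd >/dev/null 2>&1 && [ "$(id -u)" = "0" ]; then
    if sshd -t -f "$DEMO_CFG"; then
        echo "config parses cleanly; safe to run: sudo service ssh restart"
    else
        echo "sshd -t reported a problem; do not restart sshd" >&2
    fi
fi
```

Keep the SSH session you edited the file from open, log in from a second window on the new port with the key, and only close the first session once that works.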

We now need to configure PuTTY to authenticate with the private key we assigned to our user earlier.
Enter your new username followed by an @ symbol and the IP address of your VPS, as shown below. If you changed the port of your SSH server, change it as shown in step 2.

As step 3 shows, open the Connection > SSH > Auth tab as indicated and set your private key file for authentication. After setting your PPK private key in Auth, go back up to Session, select “Default Settings” and click “Save”. You will now be able to open PuTTY, click “Open”, and automagically log in to your VPS!

These were my tips for securing a VPS on the SSH side. There is still more you can do, such as implementing a firewall like UFW or iptables to limit access to open ports, and running fail2ban on SSH to block repeated attempts against your SSH port.

I offer support for this guide, you can DM Kashall (me) on the Hyper Expert Community Discord if you have any issues and I will be glad to help.