VPS security best practices - part 1
Introduction
It's been several weeks since I dove head-first into the world of DevOps, and I have to say, it's been a blast. Despite the occasional temptation to return to low-level programming, I've managed to stay on track and continue my DevOps journey.
In my previous posts, I explored the use of AWS, Azure, and Docker containers. Today, I'd like to share my experience with KVM (Kernel Virtual Machine) VPS.
Close to the metal
If you've ever heard of a "bare-metal" server, a KVM VPS is the closest thing to it: we get full control over the resources allocated to our VPS. KVM also provides better security, as each VPS is isolated from the others and has its own dedicated resources.
This means that if a neighboring KVM suffers a DDoS attack or experiences a spike in traffic, your server will remain unaffected.
You can find plenty of providers for KVM VPS. One of the most popular and cheapest is Hetzner; other popular options are A2 Hosting and Hostinger.
---From here on we are going into the technicals---
Firewall
Firewalls: the bouncers of the internet. They keep the trouble-makers out and the good stuff in. Without one, your KVM VPS is like a nightclub with no security - anyone can get in and cause chaos. So, set up a firewall and keep the hackers at bay. Your data (and your sanity) will thank you!
Install ufw
I'm going to use ufw, which is the simplest to use but works well.
apt install ufw
Set defaults
Not just the usual defaults, the HARDENED defaults!
ufw default deny incoming
ufw default allow outgoing
ufw allow ssh
ufw status
Activate firewall
service ufw start
ufw enable
service ufw status
Fail2ban
Fail2ban: the ultimate party crasher. It kicks out unwanted guests (aka hackers) who try to brute-force their way into your KVM VPS. By monitoring login attempts and temporarily banning IP addresses that show suspicious activity, Fail2ban keeps your server safe from pesky intruders.
Install fail2ban
apt install fail2ban
Config
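cd /etc/fail2ban
vim jail.local
Below is the content of jail.local (jail definitions such as [sshd] are read from jail.local; fail2ban.conf only holds settings for the fail2ban daemon itself):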
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1
bantime = 600
findtime = 600
maxretry = 3
[sshd]
enabled = true
port = 22
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
Activate fail2ban
service fail2ban restart
service fail2ban status
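How maxretry, findtime and bantime from the jail above interact, as an added example (not part of the original notes and not fail2ban's own code): a small Python model of the ban decision run over constructed auth.log lines. The regex is a simplified stand-in for fail2ban's sshd filter, and the host name, IPs, PIDs and year are made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Values taken from the jail shown on this page
MAXRETRY, FINDTIME, BANTIME = 3, 600, 600
IGNOREIP = {"127.0.0.1", "::1"}  # simplified: exact match, no CIDR handling

# Simplified stand-in for fail2ban's sshd filter (assumption, not its real regex)
FAIL_RE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
                     r"Failed password for (?:invalid user )?\S+ from (\S+)")

# Constructed auth.log lines (documentation IP ranges, made-up host and PIDs)
SAMPLE = """\
Jan 10 03:14:01 vps sshd[811]: Failed password for root from 203.0.113.7 port 40022 ssh2
Jan 10 03:14:05 vps sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 40022 ssh2
Jan 10 03:14:09 vps sshd[815]: Failed password for root from 203.0.113.7 port 40030 ssh2
Jan 10 03:15:00 vps sshd[820]: Failed password for root from 198.51.100.9 port 51000 ssh2
Jan 10 03:26:00 vps sshd[830]: Failed password for root from 198.51.100.9 port 51002 ssh2
Jan 10 03:37:00 vps sshd[840]: Failed password for root from 198.51.100.9 port 51004 ssh2
Jan 10 03:40:00 vps sshd[850]: Accepted publickey for deploy from 192.0.2.10 port 50122 ssh2
""".splitlines()

def simulate(lines, year=2024):
    """Return [(ip, banned_at, unbanned_at)] for the given log lines."""
    recent = defaultdict(deque)  # ip -> failure timestamps inside findtime
    banned_until = {}            # ip -> time the current ban expires
    bans = []
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue             # not an auth failure (e.g. "Accepted publickey")
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        if ip in IGNOREIP or ts < banned_until.get(ip, ts):
            continue             # whitelisted, or still banned
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > FINDTIME:
            window.popleft()     # forget failures older than findtime
        if len(window) >= MAXRETRY:
            banned_until[ip] = ts + timedelta(seconds=BANTIME)
            bans.append((ip, ts, banned_until[ip]))
            window.clear()
    return bans

if __name__ == "__main__":
    for ip, start, end in simulate(SAMPLE):
        print(f"ban {ip} from {start:%H:%M:%S} until {end:%H:%M:%S}")
```

The second address also fails three times, but 11 minutes apart, so it never reaches maxretry inside findtime; the key-only SSH setup in the next section covers that gap.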
Passwordless SSH
Passwordless SSH: the VIP pass to your KVM VPS. It lets you skip the annoying password prompt and get straight to business. But, more importantly, it's a major security win. No passwords means no brute-force attacks, no phishing scams, and no password-related headaches. With SSH keys, you can securely access your server without worrying about password vulnerabilities. It's like having a secret handshake with your server - only those with the right 'handshake' (SSH key) get in.
Local device
- Create an SSH private/public key pair:
ssh-keygen -t ed25519 -f ~/.ssh/key_name
- Add the key to the SSH agent:
ssh-add ~/.ssh/key_name
- Copy the SSH public key to the remote server:
ssh-copy-id -i ~/.ssh/key_name.pub user@vps
Note: make sure you back up your .ssh directory, it is your computer's passport!
Remote VPS - config sshd
- vim /etc/ssh/sshd_config
Below is the content of sshd_config:
PubkeyAuthentication yes
PasswordAuthentication no
AuthorizedKeysFile .ssh/authorized_keys
AuthenticationMethods publickey
Restart SSHD service
service ssh restart        # for SysVinit
systemctl restart sshd     # for systemd
Conclusion
By following these simple steps, you'll significantly boost your KVM VPS security and sleep better at night!
- Lock it down: Set up a firewall with hardened defaults to block unwanted traffic.
- Kick out the troublemakers: Install Fail2ban to automatically ban IP addresses with suspicious activity.
- Go passwordless: Use SSH keys for secure, passwordless access to your server.
Note: if you read this post and thought "Why does this article look like a list of stuff to be done or a checklist?", that's because the post is actually an expanded (wordier) version of my personal notes from managing my VPS.
Below are screenshots of my original notes:
Page 1
Page 2