Self Host 101 - Set up and Secure Your Own Server
Summary
TLDR: This video tutorial offers a comprehensive guide to securing a newly created Virtual Private Server (VPS). It begins by highlighting the importance of locking down a VPS to protect against relentless hacking attempts. The host, CJ, demonstrates how to update and upgrade the VPS to its latest secure state, change default root passwords, and create a non-root user with sudo privileges. The tutorial also covers setting up SSH key-based authentication to replace passwords, disabling root login via SSH, and configuring firewall rules to restrict access to necessary ports only. Finally, it introduces the setup of unattended-upgrades to keep the system updated automatically, ensuring a secure and well-maintained server environment.
Takeaways
- 🛡️ The importance of securing a VPS from the constant threat of automated hacking attempts targeting default login credentials.
- 🔑 Demonstration of checking for SSH login attempts to identify any unauthorized access to a new VPS.
- 🔒 Basic steps for setting up and securing a VPS, including running updates and upgrades to protect against vulnerabilities.
- 👥 Introduction to the concept of least privilege by creating a secondary user with limited permissions to perform administrative tasks when necessary.
- 🔄 The necessity of keeping the system updated with the latest security patches through regular package upgrades.
- 🔒🔑 Transitioning from password-based SSH logins to key-based authentication for enhanced security.
- 🚫 Disabling password authentication in SSH to prevent brute force attacks.
- 🔒🚫 Prohibiting SSH access for the root user to further secure the server against unauthorized access.
- 🔄 Using application firewalls like UFW to control network traffic and close unnecessary ports.
- 🔄🔒 Configuring the firewall to allow traffic only from specific IP addresses to limit exposure.
- 🤖 Implementing unattended-upgrades to automate the process of keeping the system updated with the latest security patches.
Q & A
What is the main purpose of the video?
- The main purpose of the video is to guide viewers on setting up and securing a new Virtual Private Server (VPS) to prevent unauthorized access and potential attacks.
Why is it important to check for SSH login attempts on a new VPS?
- It is important to check for SSH login attempts because hackers are constantly running automated scripts to exploit vulnerable servers, and being aware of such attempts can help in taking preventive measures.
What does the video offer for different types of users interested in VPS?
- The video offers a basic guide suitable for complete beginners, hobbyists, and developers, showing them how to create a secure and locked-down VPS ready for various services.
What are some examples of self-hosted applications one might run on a VPS?
- Examples include personal media servers like Plex or Jellyfin, cloud services like Nextcloud, photo hosting with PhotoPrism, password managers like Bitwarden or Passbolt, custom Discord bots, web servers like Nginx or Apache, and databases like MySQL, PostgreSQL, MongoDB, or Redis.
What is the difference between a VPS and PaaS?
- A VPS provides a virtual machine with full control over the operating system and software, while PaaS (Platform as a Service) offers a platform to deploy applications without managing the underlying infrastructure.
How does one connect to a VPS using SSH?
- One connects to a VPS using SSH by opening a terminal, typing 'ssh' followed by the username, an '@' sign and the IP address of the VPS, and then entering the password when prompted.
Why is it recommended to run updates and upgrades immediately after connecting to a new VPS?
- Running updates and upgrades ensures that the VPS is running the latest versions of all packages, which often include security patches and bug fixes, thus making the system more secure.
What is the principle of least privilege and how does it relate to VPS security?
- The principle of least privilege suggests giving a user only the permissions they need to perform their tasks. In the context of VPS security, it means not running all commands as the root user, to minimize the potential damage from any security breach.
How can one create a secondary user on a VPS with limited permissions?
- One can create a secondary user with the 'adduser' command and then add this user to the 'sudo' group to grant them the ability to perform superuser actions when necessary, without having root privileges all the time.
Why is it advised to change the default password for the root user on a new VPS?
- Changing the default root password is advised to prevent unauthorized access, as the default password provided by the VPS provider could be known or easily guessed.
What is SSH key-based authentication and how does it enhance security?
- SSH key-based authentication uses a pair of cryptographic keys, a public key and a private key, to authenticate the user to the server without the need for a password. This method enhances security by making it harder for unauthorized users to gain access, even if they know the username.
How can one disable password authentication for SSH on a VPS?
- One can disable password authentication for SSH by editing the 'sshd_config' file, setting 'PasswordAuthentication' to 'no', and then restarting the SSH service.
What is the purpose of changing the default SSH port on a VPS?
- Changing the default SSH port can help deter automated attacks that target the standard port (22), as it forces potential attackers to discover the new port number before they can attempt to exploit it.
How can one restrict SSH access to specific IP addresses?
- One can restrict SSH access by setting up firewall rules that only allow connections from specified IP addresses, using either the VPS provider's dashboard or command-line tools like 'ufw'.
What is 'unattended-upgrades' and why is it useful for a VPS?
- 'unattended-upgrades' is a program that automatically installs security and other updates on a system without user intervention. It is useful for a VPS as it helps keep the system up-to-date with the latest security patches and software updates, reducing the risk of vulnerabilities.
How can one ensure that automatic updates are enabled on a VPS?
- One can ensure automatic updates are enabled by installing the 'unattended-upgrades' package and then running 'dpkg-reconfigure' on it to enable automatic upgrades through a configuration wizard.
Outlines
🛡️ VPS Security Basics and Setup
This paragraph introduces the importance of securing a Virtual Private Server (VPS) against constant hacking attempts. The narrator, CJ, explains the need to monitor login attempts and the benefits of running a command to reveal such activities. The video aims to provide a series of tutorials on self-hosting with a VPS, starting with the essentials of setting up and securing a server. The target audience ranges from beginners to developers interested in managing their own servers. The video promises to cover the creation of a secure, service-ready VPS, with potential future topics including turning the VPS into a web or database server.
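The video opens by listing the login attempts already hitting a fresh server. As an added example (not the command shown in the video), the shell snippet below summarises failed SSH logins by source address from sshd log lines; on Ubuntu those lines come from /var/log/auth.log or `journalctl -u ssh`. The log lines in SAMPLE_LOG and their addresses are constructed for the example.

```shell
#!/bin/sh
# Added example: count failed SSH password attempts per source IP from sshd logs.
# SAMPLE_LOG is constructed; on a real host pipe "journalctl -u ssh" into failed_by_ip.
set -eu

SAMPLE_LOG='Mar  3 10:01:12 vps sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar  3 10:01:15 vps sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Mar  3 10:01:19 vps sshd[1205]: Invalid user ubuntu from 198.51.100.9 port 40022
Mar  3 10:01:20 vps sshd[1205]: Failed password for invalid user ubuntu from 198.51.100.9 port 40022 ssh2
Mar  3 10:02:01 vps sshd[1210]: Accepted publickey for cj from 192.0.2.10 port 50110 ssh2: ED25519 SHA256:...
Mar  3 10:02:44 vps sshd[1215]: Failed password for root from 203.0.113.7 port 51301 ssh2'

# Read log lines on stdin; print "count ip" for every source of a "Failed password"
# line, most frequent first. The IP is the word after "from".
failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Just the address with the most failures (empty when there are none).
top_offender() {
    failed_by_ip | head -n 1 | awk '{ print $2 }'
}

# Successful key-based logins: once password auth is off, this is the only kind of
# "Accepted" line that should ever appear.
accepted_publickey() {
    grep -c 'sshd\[[0-9]*\]: Accepted publickey' || true
}

if [ "${1:-}" = "--live" ]; then
    journalctl -u ssh --no-pager | failed_by_ip     # real host
else
    printf '%s\n' "$SAMPLE_LOG" | failed_by_ip      # constructed sample
fi
```

Run it with `--live` on the server (as a user allowed to read the journal) to see the same table for real traffic; a handful of addresses with hundreds of failures each is the normal picture for an internet-facing port 22, which is the point the video makes before locking the server down.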
🔄 Updating and Upgrading VPS for Security
The second paragraph focuses on the initial steps to secure a VPS, starting with updating and upgrading the system to the latest versions. The narrator demonstrates how to use the 'apt' command to update package lists and upgrade installed packages on an Ubuntu-based system. The importance of keeping the system up-to-date to protect against vulnerabilities exploited by hackers is emphasized. The paragraph also covers handling kernel upgrades, which require a system reboot, and checking for the need to reboot after updates are installed.
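The update, upgrade and reboot check described above, as an added shell example rather than the video's own commands: it uses `apt-get dist-upgrade` so that packages the video saw "kept back" (updates that need new dependencies, which plain `apt upgrade` skips) are installed in one pass, and it reads the /var/run/reboot-required marker. The marker directory is a parameter so the check can be exercised against a scratch directory; the default is the real location.

```shell
#!/bin/sh
# Added example: bring an Ubuntu/Debian VPS fully up to date and report whether a
# reboot is pending. Run the upgrade part as root (or with sudo).
set -eu

# "apt upgrade" holds back packages whose update pulls in new dependencies;
# dist-upgrade installs them, which the video ends up doing by hand with apt install.
full_upgrade() {
    apt-get update
    DEBIAN_FRONTEND=noninteractive apt-get -y dist-upgrade
    apt-get -y autoremove
}

# 0 when the marker dropped by kernel/libc updates exists, 1 otherwise.
needs_reboot() {   # $1 = directory holding reboot-required (default /var/run)
    [ -e "${1:-/var/run}/reboot-required" ]
}

# Packages that asked for the reboot, one per line, de-duplicated (empty if none).
reboot_reasons() {   # $1 = directory holding reboot-required.pkgs (default /var/run)
    f="${1:-/var/run}/reboot-required.pkgs"
    [ -f "$f" ] && sort -u "$f" || true
}

if [ "${APPLY_UPGRADE:-0}" = "1" ]; then
    full_upgrade
    if needs_reboot; then
        echo "reboot required by:"
        reboot_reasons
        # Reboot from the provider dashboard if it has one (see the video); "reboot"
        # from the shell works too but leaves you dependent on the VM coming back.
    else
        echo "no reboot needed"
    fi
fi
```

Set `APPLY_UPGRADE=1` to actually run the upgrade; without it the file only defines the functions, so `. ./upgrade.sh; needs_reboot && echo yes` is a quick way to check a host after any upgrade.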
🔑 Changing Root Password and Introducing Principle of Least Privilege
This section discusses the importance of changing the default root password upon the first connection to a VPS. It introduces the principle of least privilege, advocating for the creation of a secondary user with limited permissions to perform superuser tasks only when necessary. The process of adding a new user, setting a unique password, and adding the user to the 'sudo' group to allow for elevated permissions when required is detailed. The narrator also explains how to verify group membership and test the new user's ability to perform superuser actions using the 'sudo' command.
🔒 Transitioning to SSH Key Authentication
The fourth paragraph outlines the process of transitioning from password-based SSH authentication to key-based authentication to enhance security. It explains the necessity of having an SSH key pair generated on the local machine and the steps to add the public key to the VPS's 'authorized_keys' file. The narrator demonstrates how to edit the file using 'nano' and the importance of using the SSH key for authentication instead of a password, thereby preventing brute-force attacks.
🚫 Disabling Password Login and Root SSH Access
This section describes the steps to disable password-based login entirely and prevent root user SSH access to further secure the VPS. The narrator guides through editing the 'sshd_config' file to set 'PasswordAuthentication' to 'no' and 'PermitRootLogin' also to 'no'. The importance of restarting the SSH service to apply changes is highlighted. The paragraph concludes with a test to ensure the new settings prevent password logins and root SSH access, reinforcing the VPS's security posture.
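The three steps above (secondary sudo user, public key in authorized_keys, password and root login switched off in sshd) as one added shell example that is not the video's own procedure. Two details go beyond the video: the key file and .ssh directory get the 600/700 permissions sshd's StrictModes requires (a key that is world-readable is silently ignored), and the hardening is written to a drop-in under /etc/ssh/sshd_config.d/ rather than to sshd_config itself. Ubuntu 22.04's sshd_config begins with `Include /etc/ssh/sshd_config.d/*.conf` and sshd keeps the first value it reads for each keyword, so a low-numbered drop-in wins over both the main file and the cloud-init drop-in that the video found still saying "yes". The user name "deploy" and the PUBKEY_FILE variable are assumptions of this example.

```shell
#!/bin/sh
# Added example: create a non-root sudo user, install its SSH public key, and
# disable password and root logins over SSH. Run as root on Ubuntu/Debian.
# Assumed inputs: NEW_USER (default "deploy") and PUBKEY_FILE (path to a .pub file).
set -eu

# Drop-in contents. KbdInteractiveAuthentication is the PAM-backed prompt that
# can still accept a password when PasswordAuthentication alone is "no".
sshd_dropin() {
    printf '%s\n' \
        'PasswordAuthentication no' \
        'KbdInteractiveAuthentication no' \
        'PermitRootLogin no' \
        'PubkeyAuthentication yes'
}

# Read "sshd -T" output (one lowercase "keyword value" per line) on stdin and
# succeed only when every hardening setting is actually in effect.
effective_config_ok() {
    awk '
        $1 == "passwordauthentication" && $2 == "no"  { pw = 1 }
        $1 == "permitrootlogin"        && $2 == "no"  { root = 1 }
        $1 == "pubkeyauthentication"   && $2 == "yes" { pub = 1 }
        END { exit !(pw && root && pub) }
    '
}

# adduser prompts for the password that sudo will later ask for; skip if it exists.
create_sudo_user() {   # $1 = user name
    id "$1" >/dev/null 2>&1 || adduser --gecos "" "$1"
    usermod -aG sudo "$1"
}

# Install the key with the ownership and modes sshd insists on.
install_authorized_key() {   # $1 = user name, $2 = public key file
    home=$(getent passwd "$1" | cut -d: -f6)
    install -d -m 700 -o "$1" -g "$1" "$home/.ssh"
    cat "$2" >> "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
    chown "$1:$1" "$home/.ssh/authorized_keys"
}

harden_sshd() {
    sshd_dropin > /etc/ssh/sshd_config.d/10-hardening.conf
    sshd -t                              # syntax check; set -e stops here on error
    sshd -T | effective_config_ok        # confirm the drop-in wins, not another file
    systemctl restart ssh
}

if [ "${APPLY_HARDENING:-0}" = "1" ]; then
    create_sudo_user "${NEW_USER:-deploy}"
    install_authorized_key "${NEW_USER:-deploy}" "${PUBKEY_FILE:?set PUBKEY_FILE to the .pub file}"
    harden_sshd
fi
```

Keep the root session you ran this from open and log in as the new user from a second terminal before closing it: if the key login fails, the old session is still there to fix the file. `sshd -T` is the check worth remembering; it prints the merged, effective configuration, so a stray `PasswordAuthentication yes` in another drop-in shows up there even when sshd_config looks right.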
🔄 Network Firewall Management and SSH Port Customization
The paragraph discusses network security by managing firewall policies and customizing the SSH port to deter automated attacks. The narrator explains how to close unnecessary ports and change the default SSH port to a different number to avoid common automated scripts. The use of 'ufw' for firewall management through the command line is introduced, as well as the option to restrict access to specific IP addresses. The paragraph also touches on the convenience of leaving SSH on the default port and the importance of regularly updating the system for security.
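The ufw part of the section above, as an added shell example (not the video's dashboard clicks): SSH is allowed only from one admin network, everything else inbound is denied by default, and 80/443 stay open for the web server the series plans to add. The source address is validated before it is turned into a rule so that a typo cannot become "allow from anywhere", and the SSH allow rule is added before the default policy is flipped and the firewall enabled, since doing it the other way round can cut off the session you are typing in. The addresses, the ADMIN_CIDR and SSH_PORT variables are assumptions of this example.

```shell
#!/bin/sh
# Added example: a ufw policy that restricts SSH to an admin address and leaves only
# HTTP/HTTPS open. Dry run by default; APPLY_FIREWALL=1 runs the commands as root.
set -eu

# Accept a dotted IPv4 address with an optional /prefix, nothing else.
valid_ipv4_cidr() {
    [ -n "${1:-}" ] || return 1
    printf '%s' "$1" | awk -F'[./]' '
        NF != 4 && NF != 5 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
        NF == 5 && ($5 !~ /^[0-9]+$/ || $5 > 32) { exit 1 }
        { exit 0 }'
}

# The ufw command that lets one source network reach the SSH port.
ssh_rule_for() {   # $1 = source CIDR, $2 = port (default 22)
    valid_ipv4_cidr "$1" || { echo "refusing bad source address: $1" >&2; return 1; }
    echo "ufw allow from $1 to any port ${2:-22} proto tcp"
}

# Full plan, in the order it must run: SSH first, then deny-by-default, then enable.
# "--force" skips ufw's interactive "may disrupt existing ssh connections" prompt.
firewall_plan() {   # $1 = admin CIDR, $2 = SSH port
    ssh_rule_for "$1" "$2"
    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"
    echo "ufw allow 80/tcp"
    echo "ufw allow 443/tcp"
    echo "ufw --force enable"
}

if [ "${APPLY_FIREWALL:-0}" = "1" ]; then
    firewall_plan "${ADMIN_CIDR:?set ADMIN_CIDR, e.g. 203.0.113.0/24}" "${SSH_PORT:-22}" | sh -e
    ufw status verbose
else
    firewall_plan "203.0.113.5" 22      # constructed address; prints the plan only
fi
```

A provider's dashboard firewall sits outside the VM and ufw inside it; both must allow a port for traffic to arrive, so after `ufw status verbose` check the dashboard too. Restricting SSH to a fixed address only works if your own address is fixed; from a changing home connection, the key-only login from the previous step is what carries the weight.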
🌐 Final Security Measures and Future VPS Plans
The final paragraph wraps up the security measures by installing 'unattended-upgrades' to ensure the system stays updated automatically. The narrator explains how to enable and configure the service to apply updates automatically, including security and other package updates. The paragraph also hints at future videos in the series that will cover setting up web servers, databases, and SSL certificates on the VPS. The narrator invites viewers to share feedback and corrections to improve the tutorial's accuracy and usefulness.
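The unattended-upgrades setup described above, as an added shell example rather than the video's `dpkg-reconfigure` walkthrough: the first function writes the same two lines that answering "yes" to the wizard produces in /etc/apt/apt.conf.d/20auto-upgrades, the second adds a local override file with the reboot behaviour a server needs after a kernel update. The directory is a parameter so the generator can be run against a scratch directory; the 04:00 reboot time and the file name 52unattended-upgrades-local are choices made for this example, not settings the video prescribes.

```shell
#!/bin/sh
# Added example: enable unattended-upgrades through apt configuration files and
# verify it with a dry run. APPLY_UNATTENDED=1 writes to /etc/apt/apt.conf.d as root.
set -eu

# Equivalent of "dpkg-reconfigure unattended-upgrades" answered with yes:
# refresh package lists daily and run the upgrader daily.
write_auto_upgrades() {   # $1 = apt.conf.d directory
    cat > "$1/20auto-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
}

# Local overrides, kept in a separate file so package upgrades of
# 50unattended-upgrades never clobber them. Later files win for scalar settings.
write_local_overrides() {   # $1 = apt.conf.d directory, $2 = reboot time (HH:MM)
    cat > "$1/52unattended-upgrades-local" <<EOF
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "$2";
EOF
}

# True when the directory holds a 20auto-upgrades that switches the upgrader on.
auto_upgrades_enabled() {   # $1 = apt.conf.d directory
    grep -q 'APT::Periodic::Unattended-Upgrade "1";' "$1/20auto-upgrades" 2>/dev/null
}

if [ "${APPLY_UNATTENDED:-0}" = "1" ]; then
    apt-get install -y unattended-upgrades
    write_auto_upgrades /etc/apt/apt.conf.d
    write_local_overrides /etc/apt/apt.conf.d "${REBOOT_TIME:-04:00}"
    unattended-upgrade --dry-run --debug            # shows what would be upgraded
    systemctl status apt-daily-upgrade.timer --no-pager
fi
```

The dry run is the useful check: it lists the packages unattended-upgrades would install right now and the origins it accepts, so a misconfiguration shows up before the first scheduled run rather than in a log weeks later. Automatic reboots mean a few minutes of downtime at the chosen hour; leave Automatic-Reboot at "false" if that is not acceptable and keep watching /var/run/reboot-required by hand instead.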
Keywords
💡VPS
💡SSH
💡Automated Scripts
💡Security
💡Principle of Least Privilege
💡SSH Key
💡Firewall
💡Unattended-Upgrades
💡Port
💡Root User
Highlights
Introduction to securing a new VPS against automated hacking attempts.
Demonstration of checking SSH login attempts to identify vulnerabilities.
Series overview on self-hosting with VPS, including turning it into a web or database server.
Explanation of VPS uses, such as hosting personal media servers or cloud services.
Discussion on the benefits and considerations of self-hosting applications and databases.
Comparison of VPS with other hosting options like PaaS in episode 730 of Syntax.
Instructions on setting up a VPS with Ubuntu, including system requirements and initial setup.
SSH connection tutorial for accessing the VPS using a terminal.
First steps after logging into a VPS, such as updating and upgrading the system.
Importance of keeping the VPS updated to protect against exploits.
How to change the root user's password for enhanced security.
Principle of least privilege and creating a secondary user with limited permissions.
Enabling a new user to perform superuser actions when necessary.
Transitioning from root to a new user for daily tasks to improve security.
Setting up SSH key authentication to replace password-based logins.
Disabling password login to prevent brute force attacks.
Preventing root user login via SSH to further secure the server.
Managing network and firewall policies to control inbound connections.
Using ufw or provider dashboard to manage open ports and close unnecessary ones.
Changing the default SSH port to deter automated attacks.
Restricting specific ports to certain IP addresses for enhanced security.
Installing and configuring unattended-upgrades for automatic system updates.
Customizing update settings and ensuring the service is active for ongoing security.
Conclusion and invitation for feedback on securing a VPS for practical applications.
Transcripts
you are looking at SSH login attempts to
a brand new virtual private server that
I just created and if you have your own
VPS and you haven't taken the steps to
lock it down try running this command to
see if there are login attempts
happening and you'll be surprised to
what you find because there are hackers
running automated scripts 24/7 trying to
find and exploit vulnerable servers and
you don't want to be a victim of this
now in this video I'm going to show you
the basics of setting up and locking
down a VPS to prevent these login
attempts and automatically block other
types of attacks as well this will be
the first video in a series on
self-hosting with the VPS so if this
kind of thing interests you let us know
in the comments and also stick around
for future videos in the series where we
take this VPS and turn it into a web
server or a database server now whether
you're a complete beginner a hobbyist or
a developer that wants to start managing
their own servers this video will show
you everything you need to know to
create a secure locked down VPS that's
ready to run any service you throw at it
so let's jump in I'm CJ welcome to
Syntax
now if you're new to the world of VPSs
welcome there are a lot of things you
can do with them and a lot of reasons
why you would want to manage one
yourself now a VPS is just one way to
host things on the web if you're
interested in learning about more check
out episode 615 of syntax where Wes and
Scott compare the different kinds of
hosting and the various providers now
like I mentioned you can do a lot of
things with a VPS and one of the reasons
people typically start learning about
and looking into VPS is to self-host uh
things like a personal media server like
Plex Jellyfin or Emby or host their own
cloud with something like Nextcloud or
host photos with something like
PhotoPrism or host your own password manager
with like Bitwarden or Passbolt uh but
you can also self-host your own
applications and web services things
like a custom Discord bot or some long
running process or like a websocket
server or self-host your own instance of
Sentry you could also run web servers
like Nginx Apache or Caddy you can
host databases like MySQL Postgres
MongoDB or Redis and others and
ultimately reduce your dependency on
managed services like Vercel Netlify
Heroku Render Railway fly.io am I
missing any and also managed database
services like AWS RDS PlanetScale Neon
and others now in episode 730 of syntax
Wes and Scott talk about some of these
PaaS or platform as a service
alternatives they talk about things like
uh Piku Dokku Kubo CapRover Coolify
probably a couple others and these all
allow you to get the same functionality
as Vercel or Netlify but running on your
own server now managing a VPS is not
for the faint of heart it requires
constant attention and maintenance which
is why managed Services exist and why
this type of thing is typically a
full-time job but if this kind of thing
still interests you let's get into it
now the next part of this video will
assume that you want to set up a VPS and
you have acquired one so like I
mentioned check out episode 615 of
syntax if you'd like to know where to
get one and more about these various
hosting providers now I'm going to be
setting up a tiny VPS it's running
Ubuntu 22.04 1 gig of RAM 1 CPU and
10 GB of disk
space now this video is not sponsored by
any VPS hosting or domain provider so
I'm going to keep things fairly generic
so you can use whatever you can afford
and whatever you prefer now depending on
the type of workload you're going to be
running on this VPS you might need
better specs but for me I'm going to
have a few static sites a few node.js
applications and a couple databases so
the minimal specs that I mentioned will
work for what I need to
do now let's connect to our VPS for this
we're going to use a thing called SSH
and you're going to need a terminal to
do this now on a Mac I am using an app
called iterm you can also use the
built-in terminal on a Mac if you're on
Windows there's a thing called Windows
terminal if you're on Linux just search
for the app called terminal and open it
up and we're going to want to run the
command SSH so once it's open we're
going to type SSH and then we'll need to
type the username that has been set up
for us on the VPS now this is going to
vary by where you got your VPS for me
the VPS username is root and we're going
to log in with that yours might be
admin or Ubuntu or Debian uh it might
vary but for me it's root and then after
the at sign we're going to put in the IP
address of our server now this IP
address will be listed in whatever
dashboard of wherever you got your VPS
but this is a public IP address and that
means anyone in the world that's on the
internet will be able to access uh the
server at this IP address just like
we're about to access this server now
you should have a command that's SSH
username at IP address hit enter and now
it's going to attempt to connect now the
first time you're ever connecting to
a server you're going to see this
warning and here you can just type yes
and what this is doing is it's storing
the fingerprint of this server on your
computer so the next time you connect
it's going to validate that
fingerprint now uh the next time you
connect you shouldn't see this warning
and if you ever see this warning again
and you haven't changed anything on the
server then that means something has
gone wrong something is potentially
compromised like the SSH key on the
server has actually changed and
sometimes there's a legitimate reason
for that uh but just so you know you
should only see that warning the first
time you connect to the server and you
shouldn't see it anytime after that now
we'll need to type in our password now
as you type you're not going to see
anything on the screen here in the
terminal but as long as you type
everything correctly you should get
connected to your
server now one of the first things you
should do when you connect to your VPS
for the first time is run updates and
upgrades so like I mentioned earlier I'm
running Ubuntu
will work if you're on an Ubuntu or Debian
based system now depending on what your
VPS has set up for you if you are not
connecting as the root or super user
then all of these commands you're going
to need to type sudo in front of so
like sudo apt upgrade or sudo apt
install for me because I'm running as
the root user I will not need to put
sudo in front of those commands but if
you try running those commands and it
says you don't have permission put
sudo in front of them so the first
thing we're going to do is just say apt
update now this command isn't going to
actually upgrade anything it's just
going to update the package lists
locally on your machine so when you do
run an upgrade or you do run an install
it's always grabbing the latest versions
from those specific repositories so now
that we have the latest package list you
can see that it says 76 packages can be
upgraded so we're going to run the
upgrade command so I'll just do apt
upgrade and that's going to grab and
install all of the latest versions of
all the packages that I have installed
and we can confirm this with Y and it'll
start downloading and upgrading
everything now you might be wondering
why are we upgrading one of the ways to
keep your VPS secure is to always be
running the latest versions of all
packages because when hackers attempt to
gain access to a machine or exploit a
machine typically they're taking
advantage of old broken versions and so
anytime a package has an upgrade a lot
of times it's potentially a bug fix or a
vulnerability fix and so we always want
to make sure we're always running the
latest versions of all packages just to
make sure that we always have the latest
fixes and patches for anything that
we're using on our system now when you
run this upgrade you may or may not see
this notice that there is a pending
kernel upgrade now the kernel is like
the root of the operating system and
this is another thing that could
potentially be vulnerable so we
always want to be running the latest
version of the kernel now if you upgrade
the kernel you are going to have to
restart the machine which is why we
typically want to run these commands
before we do anything else on the VPS
because we're going to need to reboot it
a few times before we can start running
our own applications so I am going to do
the kernel upgrade here and then uh from
there we'll likely restart our
machine now this is asking me what
services should be restarted uh like I
said we are going to restart the entire
machine so we actually don't really even
have to worry about this I can just okay
through it because once we reboot the
whole machine then all of these services
will be restarted anyways now that all
of the upgrades have run and in my case
I also upgraded the kernel you can do
this to determine if you need to reboot
so if you do an ls of /var/run/reboot-required
if that exists that means your
machine needs to be rebooted and uh
there are different ways to do this you
can actually do this from the command
line if you just type reboot but you can
also do it from your VPS dashboard and
that's how I'm going to do it just
because I want to make sure that this
thing actually reboots because if you
accidentally shut down the machine and
there's no way to restart it in
your dashboard you're going to have to
reach out to like to the support team of
wherever you're hosting your VPS
so for my VPS there's a dashboard where
I can literally say restart VM so I am
going to exit from my SSH session here
go to my dashboard and restart the VPS
now that the machine has rebooted we're
going to SSH back in and once you're in
as long as you don't see system restart
required that's a good sign and also if
it says zero updates can be applied
immediately you should be good to go but
since I upgraded the kernel it's likely
that some packages some more packages
can be upgraded as well so we are
actually going to do an apt upgrade
again now in my case it says there are a
couple of packages that have been kept
back and it didn't autoinstall them so
I'm actually just going to try to
install them directly so I'm going to
copy their name and then just do an apt
install with those names now you may not
have gotten that error and that's
completely fine if it says you have no
upgradeable packages you're good to go
but at this point because I did install
those if I do an apt upgrade now I
should see uh there's nothing to be
upgraded which means I'm on a fully
upgraded
system now the next thing I'll do is
change the root users password now uh
for me in my VPS dashboard they
literally gave me a password that I
could copy paste to log in as the root
user and I don't want to be able to do
that so I'm going to change it to
something that only I know and something
that can't be copy pasted from the
dashboard so if you type
passwd that will prompt you to change the
password for the currently logged in
user in this case I'm going to change
the password of the root user now you
won't see anything when you're typing
your password but as long as you type it
correctly both times it'll change the
password now to check it I'll exit the
SSH session and relog in with my new
password
so I've confirmed my updated password
works now we can start locking down the
server and one of the first Concepts
you'll learn in security is the
principle of least privilege and if
we're running all of our commands as
root we always have super user
privileges if you type
ID in the terminal and your user ID is
zero that means you are the super user
you can do anything on this machine and
there are some things we need super user
privileges for but we don't need it for
everything so we're going to create a
secondary user and they will not have
super user permissions by default but
will be able to run things with super
user permissions if they require it now
to add a new user we can use the adduser
command so I'm going to type adduser
and then the name of the user in
this case I'm going to call it CJ
because that's
me so this will create the user and it's
going to ask for a password now give it
a password but give it a different
password than the root user you don't
want those passwords to be exactly the
same for security purposes so I'm going
to give this a password now after you
set up the password It'll ask you a few
more questions just fill those out and
for some of these you can just leave
them blank if you don't have any info
for them now that we've created the user
they're a regular plain old user they
can't do anything as the super user yet
but what we'll do is we'll add them to a
group called sudo and that will then
allow them to perform super user actions
if they need to so to do this we're
going to do a usermod we'll do -a
lowercase a -G capital G and then we will
specify sudo and then the username in
this case my username is CJ now from
here if we want to make sure it worked
we can type groups and then the name of
the user and we'll see the groups that
they're in so by default a user is
always in a group with their own name so
I'm in the CJ group but you can see that
we've added that sudo group as well so
now to try this out let's actually exit
our SSH session as root and try logging
in as this new user that we created so
I'm going to exit we're going to do an
SSH but now instead of logging in as
root we're going to type the username
that we just created we'll type in the
password and we're good to go so now we
are able to log into the machine but not
as the root user and like I said this is
one of the first steps of locking
down the machine is making sure that
you're not always doing things as the
root user now you can see that Ubuntu is
actually being very helpful right now
and it's saying uh if you want to run
something as the administrator or as the
super user you can use the sudo
command so for example if I tried
running an apt update like we did when
we were under the root account you'll
see this error and basically that means
we don't have permissions to do it but
if I'd like to perform this action as
the super user I can do sudo apt
update now it's going to ask for your
password the first time and this is your
user password so just type that in and
from there it will run the command with
super user privileges now you can use
this sudo command for any command that
you want to run as the super user now if
you're new to Linux and the sudo
command um you are basically
unlocking the ability to understand this
classic XKCD joke of um if you put
sudo in front of any command you now
are executing it as the super user and
sudo used to stand for super user do
uh but now the command can also be used
to run commands on the machine as other
users as well so it actually stands for
substitute user do and it allows you to
perform commands as other users and by
default it'll perform the commands as
the root
user now the next step in locking down
the machine is making it so that we
connect with an SSH key instead of a
password now to do this you will need an
SSH key I'm going to link this article
by GitHub in the description it shows
you how to generate an SSH key if you
don't have one uh but the next steps
will require you to have an SSH key now
it's important to note that SSH key that
you generate should be generated on your
local machine the machine that you're
going to be connecting to the VPS from
not on the VPS itself so make sure when
you follow the directions to generate
the SSH key it's happening on your local
machine now that SSH key locally on your
machine lives in your home folder in a
folder called .ssh and for me this is the
public key file and if we run the cat
command on it we can see the contents of
it now this is completely okay to share
because this is my public key
I would not want to share the private
key which is in the file without the pub
on it but the public key completely okay
to share and this is what we need to add
to the server to be able to log in using
this SSH key now let's add this public
key to the VPS so I'm going to copy the
my public key and then over on the VPS I
need to create a folder in my home
folder called .ssh so right now I'm in my
home folder I'm going to make a
directory called .ssh and then I need to
create a file called authorized_keys
now to do this I'm going to use a
command line tool called Nano it's very
easy to use basically it's a command
line text editor and then I'm going to
specify the file name so I want to edit
the file called .ssh/authorized_keys
now once I'm in here this is just a
text editor I can type whatever I
want but I need to put my public key
into this file so I'm going to paste it
in and then I'm going to exit and save
the file so you can see in Nano it
literally tells us to exit we can press
Ctrl X and then to save it we'll press
Y and then hit enter so now my
public key is in that authorized key
file and that's actually all we need if
I exit my session here and then try
sshing back in you'll notice it doesn't
ask for my password and just instantly
logs me in and this is because behind
the scenes it was doing a public private
key negotiation and allowed me to log in
with my SSH
key now that we've set up our SSH key we
are going to disable password login
entirely and this is how we're going to
stop attackers from trying a bunch of
different passwords is no one will be
able to log into our server with a
password you have to use an SSH key once
we enable this setting now it's
important to note if you're connecting
to this VPS from other computers you're
going to need to make sure that you set
up an SSH key on those machines as well
and you add the public key to that
authorized Keys file that we worked on
earlier but at this point let's disable
password login now to disable password
login we're going to need to edit the
sshd config we'll use sudo for this
because we need super user to edit that
file we'll use Nano because it's a text
file and the file is /etc/ssh/sshd_config
now we'll edit this file
and because we're using sudo we'll
have to type in our user password now
once we're in the file we can hold the
down arrow to get to the section on
password
authentication now I will note that in
the previous section I said that login
with SSH key would just work if it's not
working for you it's possible that this
setting was not set to yes so make sure
that you set this setting to yes but
we're looking for the password
authentication setting so yeah right now
password authentication is set to yes I
want to set this to no and then save the
file now on my machine there's actually
another config that I need to update and
that is in the sshd_config.d folder so if we take a
look in that folder there's also an sshd
config with password authentication set to yes
I want to make sure that I set this one
to no as well so we'll save that update
it and now we need to restart the SSH
service to get these settings to kick in
so I'm going to do sudo service SSH
restart now to test if this worked let's
actually try logging in as the root user
so I'm going to ssh in as root and if we
get this error permission denied publickey
we know that it's working because we
didn't set up a public key for the root
user we only set it up for our other
user and uh now we actually can't log in
with the password uh as the user but if
we try sshing in as the user we created
the public private key exchange should
happen and we should get logged into the
machine now we've locked things down so
we can only log in Via an SSH key but to
lock things down even further we're
going to prevent login via the root user
over SSH entirely so to do this we'll
jump into that same config file we're
going to go down to the section that
says permit rout login and we're going
to remove the hash will actually which
will actually enable this configuration
by default without password just means
that it would only allow the public
private key authentication for the root
user but we're actually just going to
set this to no and that way the root
user cannot log in bya SSH at all so
we'll save this file and then we'll
restart the SSH service so we'll do
pseudo service SSH restart and from here
root can no longer log in bya
SSH
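Added example, not from the video: a small POSIX shell script that resolves the value sshd will actually use for a keyword and applies the hardening through a drop-in file. The reason it is worth scripting is the second config file CJ ran into: on Ubuntu the main sshd_config starts with `Include /etc/ssh/sshd_config.d/*.conf`, and sshd keeps the first value it reads for a keyword, so a drop-in saying `PasswordAuthentication yes` silently wins over a `no` further down in the main file. The sample tree, the `50-cloud-init.conf` name standing in for that drop-in, and the `00-hardening.conf` file are constructed assumptions; the script only touches a throwaway directory, never the real /etc/ssh.

```shell
#!/bin/sh
# Added example (not from the video): resolve the PasswordAuthentication /
# PermitRootLogin values sshd will actually use, honoring "Include" drop-ins
# the way sshd does (first occurrence of a keyword wins), then harden via a
# drop-in file that sorts first. Everything runs against a constructed copy
# of the Ubuntu layout under a temp dir, never against the live /etc/ssh.
set -eu

# Constructed sample tree mirroring Ubuntu's default sshd_config layout.
make_sample_tree() {
    root=$1
    mkdir -p "$root/etc/ssh/sshd_config.d"
    cat > "$root/etc/ssh/sshd_config" <<'EOF'
Include /etc/ssh/sshd_config.d/*.conf
#PermitRootLogin prohibit-password
#PubkeyAuthentication yes
PasswordAuthentication no
EOF
    # Constructed drop-in standing in for the file the video found in the
    # sshd_config.d folder; the name 50-cloud-init.conf is an assumption.
    cat > "$root/etc/ssh/sshd_config.d/50-cloud-init.conf" <<'EOF'
PasswordAuthentication yes
EOF
}

# Print the config as sshd reads it: each Include line is replaced by the
# contents of the files it matches, in glob (lexical) order.
flatten_sshd_config() {
    root=$1
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            [Ii]nclude\ *)
                pattern=${line#* }
                for f in "$root"$pattern; do
                    if [ -f "$f" ]; then cat "$f"; fi
                done
                ;;
            *) printf '%s\n' "$line" ;;
        esac
    done < "$root/etc/ssh/sshd_config"
}

# Effective value of one keyword (keywords are case-insensitive; the first
# non-comment occurrence wins). Prints nothing if unset, meaning sshd's
# built-in default applies.
effective_sshd_setting() {
    root=$1; key=$2
    flatten_sshd_config "$root" \
        | grep -iE "^[[:space:]]*${key}[[:space:]]+" \
        | head -n 1 \
        | awk '{print $2}'
}

# Harden with a drop-in that sorts before 50-cloud-init.conf, so its values
# win under first-match semantics without editing provider-managed files.
harden_sshd_config() {
    root=$1
    cat > "$root/etc/ssh/sshd_config.d/00-hardening.conf" <<'EOF'
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
EOF
}

# Demo against a throwaway tree. On a real host, validate the result with
# "sudo sshd -t" before "sudo service ssh restart", and keep the current
# session open until a second login with the key has succeeded.
demo_root=$(mktemp -d)
make_sample_tree "$demo_root"
echo "before: PasswordAuthentication=$(effective_sshd_setting "$demo_root" PasswordAuthentication)"
harden_sshd_config "$demo_root"
echo "after:  PasswordAuthentication=$(effective_sshd_setting "$demo_root" PasswordAuthentication)"
echo "after:  PermitRootLogin=$(effective_sshd_setting "$demo_root" PermitRootLogin)"
rm -rf "$demo_root"
```

Before hardening, the resolver reports `yes` even though the main file says `no`, which is exactly the trap the video hit; after the `00-` drop-in is added it reports `no` for both keywords. The same `effective_sshd_setting` check can be pointed at a real tree by passing `/` as the root.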
Now, the next step in locking down your VPS is to control the network and firewall policy. Now, for me, my VPS provider has a dashboard where I can open and close various ports on the firewall. You might have that as well; you're going to want to look for a section called Ports or Firewall or Network. But if you don't have that section in your VPS provider dashboard, you can actually use an application firewall. So built into Ubuntu is an application called ufw, or Uncomplicated Firewall, and it allows you to control the firewall from the command line directly on the VPS itself. But since my provider has a dashboard where I can control all of the ports and everything, I'm going to be using that for all of this network stuff that I talk about.

Now, the first thing we'll do is close all ports that don't need to be open. Now, if you're new to all of this stuff, ports are like little doorways on your computer that can receive and respond to network requests. And so, for example, we've been connecting to our VPS via SSH, and by default the SSH service is running on port 22 to respond to those SSH requests. Now, if you're not running anything else on your machine that needs to be exposed to the internet, like you don't have a web server or you don't have a database or anything else, you can just close down all other ports. So either use ufw to do this from the command line, or go into your VPS provider dashboard and close any ports that it has open. Like, a lot of times port 80 and 443 will be open by default, because the provider assumes that you're going to be running an HTTP or HTTPS service, and those services respond on those specific ports. But if you're not going to have a web server there, you can close those ports. So just remove those rules that open up those ports, or if you're using ufw, use it to either open or close those ports.

Now, one of the common things people do to lock down a machine further is change the port that SSH is running on. Now, we mentioned it runs on port 22, but you could run it on 2222 or 4242; you could pick a port number. And to do that, you would need to go into your firewall, whether it's in a dashboard or it's from the command line, and open up the port that you want to run SSH on, and then you can go into that configuration file that we were in earlier, and there's actually a section that will let you set the port that SSH runs on. Now, if you do this, this is one way of preventing automated attacks against your server, because a lot of scripts that hackers are running will assume that SSH is running on port 22 if port 22 is open. So if you close 22 and run SSH on a different port, that's going to prevent those automated attacks. Now, there are ways of poking and prodding at a server to figure out what ports are open and, if any ports are open, attempting to figure out what services are running on those ports, so a savvy hacker will still be able to find your SSH port even if you change it from the default 22. Now, personally, I like the convenience of not having to type in the port number when I SSH, so I just leave SSH running on port 22, but again, this is one way of locking down the server if you want to prevent those automated login attempts.

Now, you can further lock down these ports by restricting access to specific IP addresses. Now, by default, if you're setting up a rule and it has the IPv4 address 0.0.0.0, that means allow and respond to requests from any IP address. But let's say, for instance, you only want to allow access to port 22 from the computer that you're running right now. If you have a static IP address, that means an IP address that doesn't change, you can set up that firewall rule so that it only allows connections from your IP address. Now, I don't have a static IP address, I'm just running home internet, and so day-to-day my IP address might change. But if you're at a business or you're paying your internet service provider for a static IP address, then this is a kind of rule that you can set up, where basically in the rule, instead of 0.0.0.0, you put your IP address, and now your server will only allow connections on that specific port from the IP address that you specify.
Now that things are locked down, we're going to want to make sure that our system stays up to date, and so for this we're going to install a program called unattended-upgrades. So from the command line, if you do sudo apt install unattended-upgrades, this will install it. Now, my system came preconfigured with it, but if yours didn't, you're going to need to install it. From here we're going to enable automatic updates, so you do sudo dpkg-reconfigure unattended-upgrades. This will run a little configuration wizard; you just want to say yes on enabling automatic upgrades. Now, from here you're good to go, but you might want to customize it some more, so I'll link to the documentation in the description, but you'll notice that they talk about a specific config file that you can modify. So if we take a look at this, there are some settings inside of there, like the kind of updates that should be applied, and also further settings like should the machine be automatically rebooted and stuff like that. So if you say sudo nano and then the location of that file, you can edit it. Now, by default only security updates are enabled, so these two lines here and these two lines here are for security updates, but if you want to automatically update other types of packages as well, you can uncomment these lines. So if you remove these two slashes, that actually makes it so that this line will be matched whenever it's running the automatic upgrades as well. So I'm going to do this for updates, because this will just update regular packages as well. Now, like I said, there are other options in here; I'll link the git repo that talks about the other kinds of options, but there are options in here also for things like automatically rebooting, picking what time the server should reboot, you can also set up mail so that it sends you an email if there are updates that need to happen, these kinds of things. Now, from here we want to make sure that the service is running, so if I do a sudo systemctl status for unattended-upgrades, as long as you see this output with a little green dot there, then that means the service is running in the background and it will be automatically installing updates.

Now, at this point you can do whatever you want on your VPS. You can open ports, you can install services, it's yours to do what you would like. Personally, I'm a web developer, so in the next video in this series I'm going to set up this machine to be a web server. I'm going to set up some static sites, I'll have some Node.js APIs running, I'll have a couple of databases running inside of containers, I'll have reverse proxies set up with subdomains, and also set up some SSL certificates. So if you're interested in that kind of thing, let us know in the comments, but also stick around for the next video in this series. That's all I have for you for now. If you enjoyed this, let us know in the comments; if there are some pieces that I missed, let us know in the comments as well. I absolutely want this to be a valid and secure resource for people that are setting up a VPS, so if I said anything wrong or you think things could be done better, let me know in the comments; I'll add them as corrections to this video. So that's all I got for now, I'll see you in the next one.
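Added example, not from the video, for the unattended-upgrades section above: a POSIX shell script that performs the edits CJ makes by hand in the config file (uncommenting the `-updates` origin, turning on automatic reboots with a reboot time) and reads the result back, so the change can be verified rather than eyeballed in nano. It runs against a constructed excerpt of `/etc/apt/apt.conf.d/50unattended-upgrades` in a temp directory; the excerpt mirrors the layout of the real file but is not a copy of it, and the reboot time 03:30 is just a sample value.

```shell
#!/bin/sh
# Added example (not from the video): script the unattended-upgrades tweaks
# shown in the video (enable the "-updates" origin, turn on automatic reboots)
# and read the result back, against a constructed copy of the config.
set -eu

# Constructed excerpt mirroring /etc/apt/apt.conf.d/50unattended-upgrades.
make_sample_apt_conf() {
    root=$1
    mkdir -p "$root/etc/apt/apt.conf.d"
    cat > "$root/etc/apt/apt.conf.d/50unattended-upgrades" <<'EOF'
Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}";
        "${distro_id}:${distro_codename}-security";
        "${distro_id}ESMApps:${distro_codename}-apps-security";
        "${distro_id}ESM:${distro_codename}-infra-security";
//      "${distro_id}:${distro_codename}-updates";
//      "${distro_id}:${distro_codename}-proposed";
//      "${distro_id}:${distro_codename}-backports";
};
//Unattended-Upgrade::Automatic-Reboot "false";
//Unattended-Upgrade::Automatic-Reboot-Time "02:00";
EOF
}

# Rewrite FILE in place through a temp file (portable across GNU/BSD sed).
edit_in_place() {
    file=$1; shift
    sed "$@" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# True if an origin ending in -SUFFIX (security, updates, ...) is active,
# i.e. present on a line that is not commented out with //.
origin_enabled() {
    file=$1; suffix=$2
    grep -qE "^[[:space:]]*\"[^\"]*-${suffix}\";" "$file"
}

# Remove the leading // from the origin ending in -SUFFIX (what the video
# does by hand for "-updates").
enable_origin() {
    file=$1; suffix=$2
    edit_in_place "$file" "s|^//\([[:space:]]*\"[^\"]*-${suffix}\";\)|\1|"
}

# Enable automatic reboot at TIME (HH:MM) by uncommenting and setting both keys.
set_auto_reboot() {
    file=$1; time=$2
    edit_in_place "$file" \
        -e 's|^//\(Unattended-Upgrade::Automatic-Reboot\) "false";|\1 "true";|' \
        -e "s|^//\(Unattended-Upgrade::Automatic-Reboot-Time\) \"[0-9:]*\";|\1 \"${time}\";|"
}

# Value of a top-level key, e.g. Unattended-Upgrade::Automatic-Reboot -> true.
# Prints nothing while the key is still commented out.
apt_conf_value() {
    file=$1; key=$2
    grep -E "^${key}[[:space:]]" "$file" | head -n 1 | sed 's/.*"\([^"]*\)".*/\1/'
}

# What dpkg-reconfigure writes when you answer "yes": refresh package lists
# and run unattended-upgrade every day.
write_auto_upgrades() {
    root=$1
    cat > "$root/etc/apt/apt.conf.d/20auto-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
}

# Demo on a throwaway tree. On a real host, follow up with
# "sudo unattended-upgrade --dry-run --debug" to see what would be installed
# and "sudo systemctl status unattended-upgrades" as in the video.
demo_root=$(mktemp -d)
make_sample_apt_conf "$demo_root"
cfg="$demo_root/etc/apt/apt.conf.d/50unattended-upgrades"
enable_origin "$cfg" updates
set_auto_reboot "$cfg" "03:30"
write_auto_upgrades "$demo_root"
grep -nE 'updates|Automatic-Reboot' "$cfg"
rm -rf "$demo_root"
```

`origin_enabled` is the useful check afterwards: it only counts a line as active when it is not prefixed with `//`, so it tells you whether `-updates` really took effect while `-proposed` and `-backports` stayed off.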