| title | slug | section | order |
|---|---|---|---|
Securing a VPS |
tips-for-securing-a-vps |
Getting started |
1 |
Last updated 2018/01/18
When you order your VPS, a distribution or operating system is pre-installed, but no security protocol is implemented natively. It is therefore up to you to secure your VPS, an aspect in which OVH cannot intervene.
This guide offers some general tips for securing your server.
Warning
While OVH provides you with the devices, the responsibility rests solely in your hands. Since we have no access to these machines, we are not their administrators. It is your responsibility to manage the software, and apply proper security measures on a daily basis. This guide is designed to help you with the most common tasks. Nevertheless, we recommend that you contact a specialised service provider if you have difficulties or doubts concerning the administration, usage or implementation of security measures on a server.
- You need to be connected via SSH to your VPS (root access).
We will offer you a number of practical tips. Please note that this is a general guide. Some commands need to be adapted to the distribution or operating system you are using. Some tips will advise you to use third-party tools. Please refer to the official documentation for these third-party tools, for any help you might need.
Distribution and operating system developers offer frequent software package updates, very often for security reasons. Keeping your distribution or operating system up-to-date is a key point for securing your VPS.
This update will take place in two steps:
- Updating the package list
apt-get update- Updating the packages themselves
apt-get upgradeOnce this step is complete, your system is up-to-date. This operation needs to be performed regularly.
One of the first things to do on your server is configure the SSH service listening port. By default, listening is set to port 22. It is, therefore, advisable to change it and not to leave it set to default values. This is because most server hacking attempts are made by robots that target port 22 by default. By modifying this setting, you make it harder for these robots to hack you, and your server will be a more difficult target.
Here is the command to modify the service configuration file:
nano /etc/ssh/sshd_config[!primary]
The command
nanois given as an example; you can use thevimcommand, or any other command that allows you to edit the sshd_config file.
You then need to find the following line:
# What ports, IPs and protocols we listen for
Port 22Replace the number 22 with the port number of your choice. Please do not enter a port number already used on your system. Save, and exit the configuration file.
You then need to restart your service:
/etc/init.d/ssh restartNow, when you request an SSH connection on your machine, you will have to indicate the new port:
ssh [email protected] -p NewPortWhen a distribution or operating system is installed, a password is automatically created for root access. It is strongly recommended that you customise it by modifying it. To do this, once you are logged in, simply enter the following command:
passwd rootYour system will then ask you to enter your new password twice to validate it. Please note - for security reasons, the password will not be displayed when you are typing it. You will, therefore, not be able to see the characters you type.
Once this is done, you must enter the new password the next time you log in to the system.
You can create a new user with the following command:
adduser CustomUserNameThen fill in the information requested by the system (password, name, etc.).
This user will be allowed to log in to your system via SSH, with the password specified when the account was created.
Once you are logged in to your system with these credentials, if you want to perform operations that require root rights, simply type the following command:
su rootYou must then enter the password associated with the root user to validate the operation.
The root user is created by default on UNIX systems, and is the user with the most rights on your system. It is not advisable and even dangerous to leave your VPS accessible only through this user, as this account can perform irreversible operations on your server.
We recommend that you disable direct root-user access via the SSH protocol.
To perform this operation, you need to modify the SSH configuration file in the same way you did previously when you modified the access port to your VPS:
nano /etc/ssh/sshd_configThen locate the following section:
# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yesReplace the yes with no on the line PermitRootLogin.
For this modification to be taken into account, you need to restart the SSH service:
/etc/init.d/ssh restartNow, in order to log in to your system, use the account credentials (user) you have just created.
Fail2ban is an intrusion prevention software framework designed to block unknown IP addresses that are trying to penetrate your system. This software package is recommended, even essential, to guard against any brute force attacks on your services.
To install the software package, use the following command:
apt-get install fail2banOnce the software package is installed, you need to modify its configuration file to customise it to your usage. Before you make any changes, we would recommend that you make a backup of the configuration file by entering the following command:
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.backupThen make your changes to the file:
nano /etc/fail2ban/jail.confOnce you have completed these changes, restart the service using this command:
/etc/init.d/fail2ban restartFor any additional queries and information concerning Fail2Ban, please refer to the official documentation{.external} for this tool.
The bare-metal distribution comes with a firewall service named iptables. By default, this service does not have any active rules. You can verify this by typing the following command:
iptables -LIt is recommended that you create and adjust rules on this firewall, to fit your needs. For more detailed information on the variety of manipulations that are possible, please refer to the relevant section in the official documentation of the distribution used.
OVH solutions include a firewall at the entrance to the infrastructure, called the Firewall Network. Its implementation and configuration allow protocols to be blocked before they even arrive on your server.
We also have a guide on configuring this firewall network{.external}.
The concept of security is not limited to protecting a system against attacks.
Securing your data is a key element, which is why OVH offers you three backup options:
- The
Snapshotoption, which allows you to create a manual snapshot of your virtual machine (available on VPS SSD, Cloud and Cloud RAM); - The
Automated Backupoption allows you to make a regular backup of your VPS (excluding additional disks) on a daily basis, exported and replicated three times before being available from your Control Panel (available only on Cloud VPS and Cloud RAM VPS); - The
Backup Storageoption that allows you to manually deposit and recover files on a dedicated disk space. The available file transfer protocols are FTP, NFS and CIFS, to ensure compatibility with the file access methods of all operating systems and distributions used. This allows you to keep your data safe in case of service interruption (only available on Cloud VPS and Cloud RAM VPS).
You will find all information on our VPS backup solutions here: https://www.ovh.com.au/vps/backup-vps.xml.
Firewall Network Guide{.external}/
Join our user community on https://community.ovh.com/en/.