Saturday, 25 March 2023

Four ways to secure a VPS

1. Using a non-root user

# add a new user
adduser phong
New password: ...
# check the user's uid and group membership
id phong
# add user phong to the sudo group
usermod -aG sudo phong
# switch to the user account named "phong"
su - phong
# log out of the account
exit

- Configure SSH for the new user

# create the ssh directory
mkdir ~/.ssh

# change the permissions of ~/.ssh to 'rwx------':
# the owner has read, write and execute; other users have no permissions at all

chmod 700 ~/.ssh

# authorized_keys stores the public keys that are authorized
# to log in to the current user's account

nano ~/.ssh/authorized_keys

# on the local machine (macOS), copy the content of id_rsa.pub to the clipboard
pbcopy < ~/.ssh/id_rsa.pub

# paste the content into ~/.ssh/authorized_keys and save
Ctrl S > Ctrl X

# change the permissions of the authorized_keys file to 'rw-------':
# only the owner has read and write permissions

chmod 600 ~/.ssh/authorized_keys

- SSH to vps with new user

ssh phong@vps-ip

2. Disable password and root login

# open sshd_config
sudo nano /etc/ssh/sshd_config

# change these directives
PermitRootLogin yes => no
PasswordAuthentication yes => no

# reload sshd (keep this session open and confirm that key-based login works
# from a second terminal first: once password login is disabled, a lost key means a lost server)
sudo systemctl reload sshd

# now we can no longer log in as root
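The two sshd_config changes above can be applied and verified with a small script. This is an added example, not part of the original post; it assumes a Debian/Ubuntu layout with /etc/ssh/sshd_config, is run as root via sudo, and the helper names set_sshd_option and check_hardened are hypothetical. It goes one step beyond the post by checking the effective configuration with `sshd -T`, which also resolves the /etc/ssh/sshd_config.d/*.conf includes that cloud images often use to re-enable password login.

```shell
#!/bin/sh
# Added example (not from the original post): make the step-2 sshd_config
# changes without locking yourself out, then verify the effective config.
# Assumptions: Debian/Ubuntu with /etc/ssh/sshd_config, run as root via sudo;
# set_sshd_option and check_hardened are hypothetical helper names.

# set_sshd_option FILE KEY VALUE: rewrite every "KEY ..." line (commented out
# or not) to "KEY VALUE", or append the directive if the file lacks it.
set_sshd_option() {
    f="$1"; key="$2"; val="$3"
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|$)" "$f"; then
        sed -E "s/^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?$/$key $val/" "$f" > "$f.tmp"
        cat "$f.tmp" > "$f" && rm -f "$f.tmp"   # keeps the original file's mode
    else
        printf '%s %s\n' "$key" "$val" >> "$f"
    fi
}

# check_hardened SSHD_T_OUTPUT: succeed only if the effective settings printed
# by `sshd -T` (which also resolves /etc/ssh/sshd_config.d/*.conf includes,
# where cloud images often re-enable passwords) have both logins disabled.
check_hardened() {
    printf '%s\n' "$1" | grep -qix 'permitrootlogin no' &&
        printf '%s\n' "$1" | grep -qix 'passwordauthentication no'
}

if [ "${1:-}" = "--apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as: sudo $0 --apply" >&2; exit 1; }
    cfg=/etc/ssh/sshd_config
    cp "$cfg" "$cfg.bak"                     # rollback copy
    set_sshd_option "$cfg" PermitRootLogin no
    set_sshd_option "$cfg" PasswordAuthentication no
    # Validate syntax before reloading: a broken config leaves sshd unable to
    # restart, and the session you are typing in is the only way back in.
    if ! sshd -t; then
        cp "$cfg.bak" "$cfg"; echo "invalid config, backup restored" >&2; exit 1
    fi
    if check_hardened "$(sshd -T)"; then
        systemctl reload sshd
        echo "sshd reloaded; test key login from a NEW terminal before closing this one"
    else
        echo "effective config still allows root or password login;" >&2
        echo "look for overrides in /etc/ssh/sshd_config.d/*.conf" >&2
        exit 1
    fi
fi
```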

3. Block incoming traffic on non-public ports

# allow ssh before enabling the firewall so the current session is not cut off
sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https
sudo ufw enable

# confirm the firewall is active and the rules are in place
sudo ufw status

4. Enable automatic security updates

# the unattended-upgrades package is responsible for automatically
# downloading and installing security updates for the system
# --priority=low makes dpkg-reconfigure ask all configuration questions,
# including low-priority ones, instead of only the important ones
sudo dpkg-reconfigure --priority=low unattended-upgrades
choose Yes when prompted

# display the current value of APT::Periodic::Unattended-Upgrade,
# which controls whether the periodic unattended-upgrade run is enabled
apt-config dump APT::Periodic::Unattended-Upgrade

Thank you.
