What are the general things/setup that you do after getting a VPS/Dedicated server?


Comments

  • @thedp said:

    @isunbejo said:
    Change ssh port and set up IP allow SSH tcp wrapper on /etc/hosts.allow then /etc/hosts.deny for ssh deny all

    I do this too.

    On top of that, iptables ACCEPT/DROP :joy:

    I do not need a stateful connection-tracking firewall (performance reasons).

    If you use iptables, just add a custom iptables rule in the RAW table and mark everything as non-tracking.
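
Added here as an illustration (not code from the thread or any poster): a POSIX shell script that emits the iptables-restore ruleset behind @thedp's stateless approach, raw-table NOTRACK plus an SSH source allowlist, and the hosts.allow/hosts.deny pair from @isunbejo's post. Port, address ranges and the output directory are constructed arguments.

```shell
# Emit an iptables-restore ruleset: conntrack disabled in the raw table,
# SSH accepted only from the given source ranges, everything else dropped.
# $1 = SSH port, remaining args = allowed CIDRs (constructed sample values in the demo).
gen_stateless_ssh_rules() {
    port="$1"; shift
    # raw table: NOTRACK every packet, so the kernel keeps no connection state at all
    printf '%s\n' '*raw' ':PREROUTING ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]' \
        '-A PREROUTING -j NOTRACK' '-A OUTPUT -j NOTRACK' 'COMMIT'
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' '-A INPUT -i lo -j ACCEPT'
    # With no state, "-m conntrack --ctstate ESTABLISHED" cannot work, so replies to
    # our own outbound connections must be admitted as plain non-SYN segments.
    # Caveat: this also admits bare ACK probes; that is the cost of skipping conntrack.
    printf '%s\n' '-A INPUT -p tcp ! --syn -j ACCEPT'
    for cidr in "$@"; do
        printf '%s\n' "-A INPUT -p tcp -s $cidr --dport $port --syn -j ACCEPT"
    done
    # Explicit drop for the SSH port; the INPUT DROP policy covers every other port
    printf '%s\n' "-A INPUT -p tcp --dport $port -j DROP" 'COMMIT'
}

# TCP-wrappers layer for an sshd built with libwrap: allow the listed entries
# (hosts_access(5) net/mask or host form), deny everyone else.
# $1 = directory to write into (a scratch dir here; /etc on a real host).
gen_tcpwrappers() {
    dir="$1"; shift
    allow=""
    for entry in "$@"; do allow="$allow${allow:+, }$entry"; done
    printf 'sshd: %s\n' "$allow" > "$dir/hosts.allow"
    printf 'sshd: ALL\n' > "$dir/hosts.deny"
}

# Demo with documentation-range addresses (constructed); feed to iptables-restore on a real box
gen_stateless_ssh_rules 22 203.0.113.0/24 198.51.100.5/32
```

Load the generated text with `iptables-restore --test` first; a typo in a ruleset whose INPUT policy is DROP locks you out just as effectively as a bad allowlist.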

  • Install zerotier, add new vps to my zerotier network, close all firewall ports except from zerotier.

    The all seeing eye sees everything...

  • Daniel (OG)
    edited December 2019

    I do something similar to @ouvoun's script, except via Ansible. Just have to manually configure SSH keys and install Python3 and then Ansible handles the rest. The Debian installer already asks to create a new user, so I guess that part of your script wouldn't be necessary if you install from ISO.

    Maybe I should post my Ansible playbooks somewhere.

  • @skorous said:

    @teamacc said: I like to think NOT getting hit with brute-force attempts lightens the load on the server, by not having to deal with that pesky aspect.

    Heh heh heh ... that I won't argue with but that's not really a security gain unless you're arguing it makes auditing the logs easier. I prefer iptables rate-limiting for that.

    My 2 cents: If you secure your server correctly, you won't have to be afraid of those brute-force attempts. By changing the port you're merely obscuring that there is an SSH daemon running on your box. So it really is security by obscurity.

    I don't change the default SSH port because I work behind firewalls that won't let me make an SSH connection to a non-privileged port. I also think this is generally not a good idea.

    I disable SSH root login after deploying a new VM or dedi, adding a user with sudo rights and only allowing access with keys. I set up Fail2Ban and iptables rate-limiting. Just to be sure, I limit access to port 22 from a number of subnets that are well known for brute-forcing SSH (Online.net, China Telecom). That last part is security by obscurity as well, of course...

    On some boxes I don't want this hassle and I just limit access to SSH from my home IP address, my work IP address, the CGNAT subnets of my mobile provider and my other boxes.

    No server I managed has ever been compromised, nor am I experiencing high load from those SSH bruteforcers.

    Thanked by (2): uptime, skorous

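
The Fail2Ban behaviour @skorous relies on, reduced to its counting rule so the effect of maxretry and findtime can be seen on sample input. This is an added illustration in POSIX shell and awk, not Fail2Ban's code or anything posted in the thread; the log lines are constructed and assume ISO timestamps (rsyslog's RSYSLOG_FileFormat or `journalctl -o short-iso`).

```shell
# Print each source IP the first time it reaches $1 (maxretry) failed logins
# inside a window of $2 (findtime) seconds. Log lines are read from stdin.
ssh_bruteforcers() {
    awk -v maxretry="$1" -v findtime="$2" '
    /sshd\[[0-9]+\]: Failed password for/ {
        # "2019-12-10T12:00:01" -> seconds since midnight (sample stays inside one day)
        split(substr($1, 12, 8), t, ":")
        now = t[1] * 3600 + t[2] * 60 + t[3]
        # the source address follows the word "from", for both valid and invalid users
        ip = ""
        for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
        if (ip == "") next
        n = count[ip]++
        seen[ip, n] = now
        # count this source''s failures that fall inside the window ending now
        hits = 0
        for (j = 0; j <= n; j++) if (now - seen[ip, j] <= findtime) hits++
        if (hits >= maxretry && !(ip in banned)) { banned[ip] = 1; print ip }
    }'
}

# Constructed sample: one source hammering root, one legitimate user with a single typo.
SAMPLE_LOG='2019-12-10T12:00:01 vps sshd[1201]: Failed password for root from 198.51.100.7 port 51000 ssh2
2019-12-10T12:00:02 vps sshd[1202]: Failed password for invalid user admin from 198.51.100.7 port 51001 ssh2
2019-12-10T12:00:05 vps sshd[1203]: Failed password for alice from 203.0.113.9 port 40022 ssh2
2019-12-10T12:00:09 vps sshd[1204]: Failed password for root from 198.51.100.7 port 51002 ssh2
2019-12-10T12:00:10 vps sshd[1205]: Accepted publickey for alice from 203.0.113.9 port 40023 ssh2'

# Same thresholds as a jail with maxretry = 3 and findtime = 600 (bantime is a separate knob)
printf '%s\n' "$SAMPLE_LOG" | ssh_bruteforcers 3 600
```

Once PasswordAuthentication is off, these "Failed password" lines stop appearing and the count never trips, which is why the poster below who only disabled password login sees nothing to ban.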
  • evnix (OG)
    edited December 2019

    @terrorgen said: Install zerotier, add new vps to my zerotier network, close all firewall ports except from zerotier.

    I am curious, is this different from an OpenVPN jump box setup?

    My Personal Blog | Currently Building LoadMyCode

  • @evnix said:

    @terrorgen said: Install zerotier, add new vps to my zerotier network, close all firewall ports except from zerotier.

    I am curious, is this different from an OpenVPN jump box setup?

    They might be similar. But zerotier is way easier to configure than openvpn though.

    Thanked by (1): evnix

    The all seeing eye sees everything...

  • @FAT32 said: I am low key afraid of limiting access of SSH for certain IP only because I keep thinking what if suddenly all my whitelisted IP are no longer usable? Given that no VNC, KVM or IPMI is available, that will cause more trouble and it compromised availability.

    That's why IMO it is crucial to have a sudo user with a complex username/password combination that can be used in those cases.

    Thanked by (1): FAT32

    • If a program actually fits in memory and has enough disk space, it is guaranteed to crash.
    • If such a program has not crashed yet, it is waiting for a critical moment before it crashes.

  • I usually perform a set of actions required to score 80+ on lynis. While the score, per se, is mostly pointless, some of the suggestions aren't pointless to me. These involve:

    • automating the install of security updates on a pre-defined day of the week (usually Sunday), followed by a restart of the involved processes. I usually prefer to perform updates manually, so the cron job isn't required. Yet, if I'm hit by a bus, my idling boxes will take care of themselves
    • remove compilers if present and not needed
    • disable drivers that are not needed (firewire, usb-storage, et al.)
    • harden sysctl key pairs (the list is long)
    • install at least a tool to record and collect system activities
    • change banners to a German one to scare off skids
    • properly configure the hostname and hosts file

    And more:

    • check how much of a glory hole I've just bought
    • configure postfix to send me warnings
    • entirely disable the root account (I usually just keep a sudoer/%wheel user for administrative tasks)
    • deploy hardened ip{,6}tables and ipsets services

    I dare to harden OpenSSH too. Changing the port is convenient even if it doesn't harden anything: a flooded log is a potentially unhelpful log (even more so without fail2ban). I have no mandatory requirement to pick port 22 and leave it wide open. I pick another privileged port and on top of that I restrict it to a handful of static IPs (Wireguard VPNs + office); I have no reason to leave it open to the wide internet. If all my VPNs and my workplace get nuked from orbit (or, more likely, if there's some exceedingly unexpected OpenSSH configuration error) there's an emergency rate-limited and filtered dropbear instance listening on an IPv6-only privileged port. Range scans are invariably caught with the ip{,6}tables "recent" module; the most obnoxious and notorious offenders are dealt with using ipsets, using (highly conservative) blocklists too.

    Then, I power it off.

  • I normally do this as well:

    Deals and Reviews: LowEndBoxes Review | Avoid dodgy providers with The LEBRE Whitelist | Free hosting (with conditions): Evolution-Host, NanoKVM, FreeMach, ServedEZ | Get expert copyediting and copywriting help at The Write Flow

  • Neoon (OG, Senpai)

    @FAT32 said:
    I am low key afraid of limiting access of SSH for certain IP only because I keep thinking what if suddenly all my whitelisted IP are no longer usable? Given that no VNC, KVM or IPMI is available, that will cause more trouble and it compromised availability.

    Well, you limit it to multiple gateways, not just one.

    Thanked by (1): FAT32

  • I have no firewall, no SSH port change, no fail2ban. I just disabled password login. Why am I not hacked?
    Or, am I already hacked but I don't know?

  • That script is just missing a few steps to cover all I need:

    1. create a new user (add to wheel/sudo group)
    2. set ssh keys for that user
    3. change ssh port
    4. disable root login on ssh
    5. disable password auth on ssh
    6. close all unused ports on firewall
    7. set fail2ban to ban unauthorised login attempts
    8. install hetrixtools and set alerts to monitor the server

    I may add some additional jails on fail2ban depending on what services are running on the server.
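
Steps 3 to 5 of that list as an added POSIX shell example (not the script the poster refers to, nor any code from the thread): it rewrites an sshd_config in place, coping with Debian's commented-out defaults such as `#PermitRootLogin prohibit-password`, and is idempotent. The sample config is constructed; `make_sample_config` and the helper names are my own.

```shell
# Set "Key value" for one directive: replace every active or commented line for it
# (canonical key spelling assumed), or append it if the file has none.
set_directive() {
    cfg="$1"; key="$2"; value="$3"; tmp="$cfg.tmp"
    if grep -q "^[[:space:]]*#*[[:space:]]*${key}[[:space:]]" "$cfg"; then
        sed "s/^[[:space:]]*#*[[:space:]]*${key}[[:space:]].*/${key} ${value}/" "$cfg" > "$tmp" \
            && mv "$tmp" "$cfg"
    else
        printf '%s %s\n' "$key" "$value" >> "$cfg"
    fi
}

# First active (uncommented) value of a directive, empty if unset; used to verify the result
get_directive() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Steps 3-5: move the port, forbid root login, keys only. ChallengeResponseAuthentication
# is switched off too, because keyboard-interactive is another route to password prompts.
harden_sshd_config() {
    cfg="$1"; port="$2"
    set_directive "$cfg" Port "$port"
    set_directive "$cfg" PermitRootLogin no
    set_directive "$cfg" PasswordAuthentication no
    set_directive "$cfg" ChallengeResponseAuthentication no
    set_directive "$cfg" PubkeyAuthentication yes
}

# Constructed Debian-style defaults, mostly commented out, written to $1
make_sample_config() {
    cat > "$1" <<'EOF'
#Port 22
#PermitRootLogin prohibit-password
#PubkeyAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
EOF
}

# Demo on a scratch copy (never edit the live /etc/ssh/sshd_config without a second session open)
demo=$(mktemp) && make_sample_config "$demo" && harden_sshd_config "$demo" 2222 && cat "$demo"
```

On a real host, run `sshd -t -f <file>` on the edited copy before installing it and restarting sshd, and keep the existing session open until a fresh key-based login on the new port succeeds.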

  • Bench script

    Thanked by (2): mfs, yoursunny

    Action and Reaction in history

  • @poisson said:
    I normally do this as well:

    Probably tie a yellow wrist ribbon somewhere?

    Thanked by (2): poisson, Janevski

    The all seeing eye sees everything...

  • edited December 2019

    @yoursunny said:
    I have no firewall, no SSH port change, no fail2ban. I just disabled password login. Why am I not hacked?
    Or, am I already hacked but I don't know?

    You're fine mate, as long as you're only idling the ssh daemon on a public port, and no other.

    Most of my boxen are double duty and rsync over the default SSH port is too important to give up. I use a 3-try limit in fail2ban and a multi-day bantime in order to keep my logs legible.

  • @vimalware said:

    @yoursunny said:
    I have no firewall, no SSH port change, no fail2ban. I just disabled password login. Why am I not hacked?
    Or, am I already hacked but I don't know?

    You're fine mate, as long as you're only idling the ssh daemon on a public port, and no other.

    I also have nginx on 80 and 443.
    I moved Asterisk to 15060. Someone keeps trying different SIP passwords, wanting to make long distance calls. My passwords are randomly generated so they can't succeed, and I only have $1 long distance credit. I changed port because Asterisk log file fills the disk every 3 days and then the server crashes.

    Most of my boxen are double duty and rsync over the default SSH port is too important to give up. I use a 3-try limit in fail2ban and a multi-day bantime in order to keep my logs legible.

    I have virtual machines (VirtualBox in university servers, not VPS) on alternate ports. I use $HOME/.ssh/config to set the ports. rsync and everything else work fine.

  • @mfs said:

    I see what you did there ...

    ACHTUNG!
    ALLES TURISTEN UND NONTEKNISCHEN LOOKENSPEEPERS!
    DAS KOMPUTERMASCHINE IST NICHT FÜR DER GEFINGERPOKEN UND MITTENGRABEN! ODERWISE IST EASY TO SCHNAPPEN DER SPRINGENWERK, BLOWENFUSEN UND POPPENCORKEN MIT SPITZENSPARKEN.
    IST NICHT FÜR GEWERKEN BEI DUMMKOPFEN. DER RUBBERNECKEN SIGHTSEEREN KEEPEN DAS COTTONPICKEN HÄNDER IN DAS POCKETS MUSS.
    ZO RELAXEN UND WATSCHEN DER BLINKENLICHTEN.

    Thanked by (1): vimalware

    HS4LIFE (+ (* 3 4) (* 5 6))

  • @evnix said:

    @terrorgen said: Install zerotier, add new vps to my zerotier network, close all firewall ports except from zerotier.

    I am curious, is this different from an OpenVPN jump box setup?

    Zerotier is a mesh VPN, so it's more like a private P2P network. Traffic doesn't have to go through a central server. It's also a hosted service, so you don't have to keep your own box working.

    Tinc and Wireguard are similar.

    I keep meaning to get a wireguard network setup, and see if I can get rid of the IPSec/OpenVPN monstrosity at work.

  • @uptime said:

    @mfs said:

    I see what you did there ...

    ACHTUNG!
    ALLES TURISTEN UND NONTEKNISCHEN LOOKENSPEEPERS!
    DAS KOMPUTERMASCHINE IST NICHT FÜR DER GEFINGERPOKEN UND MITTENGRABEN! ODERWISE IST EASY TO SCHNAPPEN DER SPRINGENWERK, BLOWENFUSEN UND POPPENCORKEN MIT SPITZENSPARKEN.
    IST NICHT FÜR GEWERKEN BEI DUMMKOPFEN. DER RUBBERNECKEN SIGHTSEEREN KEEPEN DAS COTTONPICKEN HÄNDER IN DAS POCKETS MUSS.
    ZO RELAXEN UND WATSCHEN DER BLINKENLICHTEN.

    Is this real German or fake German?

    The all seeing eye sees everything...

  • @terrorgen said:

    @uptime said:

    @mfs said:

    I see what you did there ...

    ACHTUNG!
    ALLES TURISTEN UND NONTEKNISCHEN LOOKENSPEEPERS!
    DAS KOMPUTERMASCHINE IST NICHT FÜR DER GEFINGERPOKEN UND MITTENGRABEN! ODERWISE IST EASY TO SCHNAPPEN DER SPRINGENWERK, BLOWENFUSEN UND POPPENCORKEN MIT SPITZENSPARKEN.
    IST NICHT FÜR GEWERKEN BEI DUMMKOPFEN. DER RUBBERNECKEN SIGHTSEEREN KEEPEN DAS COTTONPICKEN HÄNDER IN DAS POCKETS MUSS.
    ZO RELAXEN UND WATSCHEN DER BLINKENLICHTEN.

    Is this real German or fake German?

    laughing out loud :smiley:

    Certainly, that is not standard German!

    HS4LIFE (+ (* 3 4) (* 5 6))

  • I sit down and eat.
    The eating gives power.
    Power makes you strong!
    Strong is force!
    Force is acceleration times mass!
    Mass is energy divided by the speed of light, squared.
    If the acceleration is at the speed of light, then force equals energy!
    The more one eats, the more omnipotent and conglomerated one becomes.

    Thanked by (2): uptime, yoursunny

  • @terrorgen said:

    @uptime said:

    @mfs said:

    I see what you did there ...

    ACHTUNG!
    ALLES TURISTEN UND NONTEKNISCHEN LOOKENSPEEPERS!
    DAS KOMPUTERMASCHINE IST NICHT FÜR DER GEFINGERPOKEN UND MITTENGRABEN! ODERWISE IST EASY TO SCHNAPPEN DER SPRINGENWERK, BLOWENFUSEN UND POPPENCORKEN MIT SPITZENSPARKEN.
    IST NICHT FÜR GEWERKEN BEI DUMMKOPFEN. DER RUBBERNECKEN SIGHTSEEREN KEEPEN DAS COTTONPICKEN HÄNDER IN DAS POCKETS MUSS.
    ZO RELAXEN UND WATSCHEN DER BLINKENLICHTEN.

    Is this real German or fake German?

    It’s fake.

    I have this banner (which is the opposite) ?

    Thanked by (2): uptime, terrorgen

  • @debaser said:

    @terrorgen said:

    @uptime said:

    @mfs said:

    I see what you did there ...

    ACHTUNG!
    ALLES TURISTEN UND NONTEKNISCHEN LOOKENSPEEPERS!
    DAS KOMPUTERMASCHINE IST NICHT FÜR DER GEFINGERPOKEN UND MITTENGRABEN! ODERWISE IST EASY TO SCHNAPPEN DER SPRINGENWERK, BLOWENFUSEN UND POPPENCORKEN MIT SPITZENSPARKEN.
    IST NICHT FÜR GEWERKEN BEI DUMMKOPFEN. DER RUBBERNECKEN SIGHTSEEREN KEEPEN DAS COTTONPICKEN HÄNDER IN DAS POCKETS MUSS.
    ZO RELAXEN UND WATSCHEN DER BLINKENLICHTEN.

    Is this real German or fake German?

    It’s fake.

    I have this banner (which is the opposite) ?

    Thanks. I know it is off but not sure.

    The all seeing eye sees everything...

  • From the wiki about blinkenlights:

    The original IBM PC could have a diagnostics card plugged into it that used LEDs to show what part of the memory it was using.

    Probably still got one of those (a 3rd party one) stuffed in a drawer someplace. :-o

    Thanked by (1): uptime

    It wisnae me! A big boy done it and ran away.
    NVMe2G for life! until death (the end is nigh)

  • All I do is

    apt update && apt upgrade -y
    apt install fail2ban

    That's it?

  • cybertech (OG, Benchmark King)

    Disable the network, and request data center rack access every time I need to SSH into the VPS.

    Thanked by (2): uptime, WSS

    I bench YABS 24/7/365 unless it's a leap year.

  • @uptime said:

    @terrorgen said:

    @uptime said:

    @mfs said:

    I see what you did there ...

    ACHTUNG!
    ALLES TURISTEN UND NONTEKNISCHEN LOOKENSPEEPERS!
    DAS KOMPUTERMASCHINE IST NICHT FÜR DER GEFINGERPOKEN UND MITTENGRABEN! ODERWISE IST EASY TO SCHNAPPEN DER SPRINGENWERK, BLOWENFUSEN UND POPPENCORKEN MIT SPITZENSPARKEN.
    IST NICHT FÜR GEWERKEN BEI DUMMKOPFEN. DER RUBBERNECKEN SIGHTSEEREN KEEPEN DAS COTTONPICKEN HÄNDER IN DAS POCKETS MUSS.
    ZO RELAXEN UND WATSCHEN DER BLINKENLICHTEN.

    Is this real German or fake German?

    laughing out loud :smiley:

    Certainly, that is not standard German!

    Do you speak German?

    Thanked by (1): uptime

    The all seeing eye sees everything...

  • @terrorgen said:
    Do you speak German?

    Just a small moustache

    Thanked by (1): Amitz

    HS4LIFE (+ (* 3 4) (* 5 6))

  • havoc (OG, Content Writer)

    Right, so uptime speaks German. The rest are well versed in Hollywood's idea of an evil German villain.

    Thanked by (1): uptime