VPS Security Settings: SSH, Firewall & Passwordless Login Setup Before Hosting

 

Introduction to SSH

SSH (Secure Shell) is a protocol for securely connecting to remote computers or servers over a network. You use it through the ssh client program, which comes installed by default on Linux, macOS, and Windows.

Connecting to VPS using SSH

SSH can be used to connect to your VPS.

ssh root@62.72.59.218
# Here, root is the username. That is what Hostinger gave us;
# it might be different with your VPS provider.
# The part after `@` is the IP address of the VPS.

When you connect for the first time, ssh asks whether you want to continue connecting. If you answer yes, it stores the server's host-key fingerprint on your computer. On every later connection it checks that the server presents the same fingerprint and refuses to connect if it does not. If you suddenly cannot log in because of that check, your server might have been compromised.

It will then ask for the user's password; enter it.

Updating Package Repositories, and Upgrading Packages

One of the first things you should do after buying a VPS is to update the package repositories and upgrade all packages.

Updating Package Lists

apt update

Our VPS uses Ubuntu, so we are using the APT package manager; you will use APT on any Debian-based distribution. If your VPS runs another Linux distribution, search online for the equivalent command. For example, Red Hat-based distributions such as CentOS and Fedora use dnf, so you can simply replace apt with dnf.

apt update doesn't upgrade your packages; it only refreshes the package list on a Debian-based system (like Ubuntu) by fetching the latest metadata about available packages from the repositories configured on your system.

Upgrading Packages

apt upgrade

This will upgrade all the upgrade-able packages in your system.

Check whether a reboot is required, and if so, reboot.

cat /var/run/reboot-required

If /var/run/reboot-required file exists then it means that reboot is required.

You can go to your VPS dashboard, and reboot your VPS from there.

If you aren't using Hostinger, look for the equivalent option in your provider's dashboard. If you can't find one, you can also reboot over SSH with this command:

reboot

Creating Non-Root User

We are using the root user right now. Always being logged in as root is extremely risky, and it's generally recommended to work as a non-root user and use superuser permissions only when we know they are right and needed. We will now create a new user which can't run superuser commands by default, but can when needed. Skip this step if your VPS already gives you a non-root user.

adduser thapa

This will create a new user with the name thapa

This will ask for the new user's password. For security, make sure it is different from the root password.

We added a new user, but the new user can't run superuser commands even when needed. We will add the new user to the sudo group, which allows them to run superuser commands with sudo.

usermod -aG sudo thapa

You can run groups thapa (groups followed by the username) to check whether the new user has been added to the sudo group.

Let’s exit our SSH connection, and try logging in as new user.

ssh thapa@62.72.59.218

Now, if you try to run any superuser command such as apt install, apt update, or apt upgrade, you will get a permission error.

You have to prefix superuser commands with sudo.

As a test, we install neovim, a popular text editor that runs in the terminal.

Setting up SSH Keys for connecting to VPS

We have been using passwords for authentication so far, but we are now going to switch to SSH keys and turn off password login. The reason is that if we have a weak password, anyone can brute-force it and connect to our VPS.

Creating a SSH Key

ssh-keygen -t ed25519 -C "your_email@example.com"

# If you are using a legacy system that doesn't support the Ed25519 algorithm, use:
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

The same command works on macOS and Linux too. When it asks for the file name, remember that you have to give either an absolute path or a path relative to your current directory into the .ssh folder.

By default, the key is stored in the .ssh folder in the user's home directory on Windows, macOS, and Linux (C:\Users\Username\.ssh on Windows, ~/.ssh on macOS and Linux).

On Windows, Turn on SSH Agent Service

Get-Service -Name ssh-agent | Set-Service -StartupType Automatic
Start-Service ssh-agent

Open PowerShell as administrator and paste those two commands. This makes the ssh-agent service start automatically every time you restart your PC.

Alternatively, you can also turn it on through GUI

Search for Services in Windows Search, then look for "OpenSSH" in the list. Right-click it and choose Properties.

Change the startup type to Automatic if it isn't already, and also start the service from there.

Adding newly created SSH key in ssh-agent

ssh-add .\.ssh\id_ed25519
# Note that I am already in my C:\Users\Username folder.
# If you gave your SSH key a different name, use that instead.

This step might not be needed most of the times if you chose default name, but if you chose different name for your SSH Key, you will have to do this.

Adding our SSH Public Key in VPS

  1. First, copy the content of the public key file of your SSH key. You have to copy the content of the .pub file, not the file without an extension: that one is your private key and must never be shared.

    cat ~\.ssh\id_ed25519.pub   # PowerShell; ~ expands to your user profile folder
    

    You can also open the file from notepad, and copy

  2. Now, connect to your VPS as the non-root user. Hostinger also has an option to add SSH keys, but that only applies to root, and we want to use the non-root user.

  3. After connecting, create a .ssh folder inside home directory if it doesn’t exist.

    mkdir -p ~/.ssh   # -p: no error if the folder already exists
    cd ~/.ssh         # cd into the .ssh folder we just created
    
  4. Create a file named authorized_keys inside .ssh folder, and paste the content of your public key

    nano authorized_keys
    

    You can use Ctrl + O, to save the file in Nano, and Ctrl + X to exit.

  5. Now, exit the VPS and try to log in again. You will see that it logs you in automatically without asking for a password. If you set a passphrase on your SSH key, it will ask for that every time; if you don't like that, use the ssh-add command discussed previously.
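
The steps above work, but sshd is picky about file permissions: with its default StrictModes setting it ignores authorized_keys when the file or the .ssh folder is writable by anyone other than the owner, which is a common reason key login silently falls back to asking for a password. The script below is an added example, not part of the original tutorial. It does steps 3 and 4 in one go, sets the permissions sshd expects, refuses a pasted private key, and skips keys that are already present so it can be re-run safely. The key line and the home directory it uses are constructed for the demo; on the VPS you would call it with "$HOME" and the real .pub line.

```shell
#!/bin/sh
# Added example (not from the original tutorial): install a public key into
# ~/.ssh/authorized_keys the way sshd expects, instead of pasting by hand.
# Assumptions: POSIX sh with coreutils (mkdir, chmod, grep, cut); the sample
# key and the demo home directory below are constructed for this demo.

# install_authorized_key HOME_DIR "PUBKEY_LINE"
#  - refuses anything that does not look like an OpenSSH public key line
#  - creates .ssh (0700) and authorized_keys (0600); sshd's StrictModes
#    (on by default) ignores the file if it is group/world writable
#  - skips keys that are already present, so re-running is harmless
install_authorized_key() {
    home_dir="$1"
    pubkey="$2"

    # A public key line is "<type> <base64 blob> [comment]". Private keys
    # start with "-----BEGIN", which is the classic copy-paste mistake.
    case "$pubkey" in
        "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-nistp"*|"sk-ssh-ed25519@openssh.com "*) ;;
        *) echo "refusing: not an OpenSSH public key line" >&2; return 1 ;;
    esac
    blob=$(printf '%s\n' "$pubkey" | cut -d' ' -f2)
    printf '%s\n' "$blob" | grep -Eq '^[A-Za-z0-9+/]+=*$' || {
        echo "refusing: key blob is not base64" >&2; return 1
    }

    mkdir -p "$home_dir/.ssh"
    chmod 700 "$home_dir/.ssh"
    auth="$home_dir/.ssh/authorized_keys"
    touch "$auth"
    chmod 600 "$auth"

    # Compare type+blob only; the trailing comment may differ between copies.
    key_id=$(printf '%s\n' "$pubkey" | cut -d' ' -f1,2)
    if grep -Fq -- "$key_id" "$auth"; then
        echo "already present: $key_id"
        return 0
    fi
    printf '%s\n' "$pubkey" >> "$auth"
    echo "installed: $key_id"
}

# Constructed sample key: the blob is a placeholder, not real key material.
SAMPLE_KEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialOnlyForThisDemo0000000 thapa@laptop"

# Demo in a throwaway directory; on the VPS use "$HOME" and your real .pub line.
DEMO_HOME=$(mktemp -d)
install_authorized_key "$DEMO_HOME" "$SAMPLE_KEY"
install_authorized_key "$DEMO_HOME" "$SAMPLE_KEY"   # second run: already present
```

On the VPS, run it as the non-root user, for example install_authorized_key "$HOME" "ssh-ed25519 AAAA... you@laptop" with the line copied from your .pub file. Keep the current SSH session open and test key login from a second terminal before going on to disable passwords.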

Disable Password Login

We are going to disable password login so that attackers can't brute-force our server. Remember to set up an SSH key before disabling it, or you won't be able to connect to your VPS. Also, if you have to connect from a new computer, you first have to generate an SSH key on that computer and add its public key to the VPS from a device that already has key access.

  1. Edit the SSH config

    sudo nano /etc/ssh/sshd_config
    
  2. Scroll down the file and change PasswordAuthentication value to no from yes.

    Now, save it using Ctrl + O, and exit using Ctrl + X

  3. On the Hostinger VPS, there is a file named 50-cloud-init.conf inside /etc/ssh/sshd_config.d which has PasswordAuthentication set to yes, so we have to set it to no in that file as well.

    Remember that the folder is sshd_config.d (the server configuration), not ssh_config.d (the client configuration).

    Use Nano to update it too.

  4. After that, restart ssh service.

    sudo systemctl restart ssh
    # Service name might be sshd for CentOS
    
  5. Now, if you try to log in as root, you will see that it is refused, because we haven't set up SSH keys for the root user. You could add them through the Hostinger dashboard too, but we are going to disable root login entirely.

Disable Root User login

We want to disable root user entirely so that you are forced to use non root user.

  1. Edit sshd_config

    sudo nano /etc/ssh/sshd_config
    
  2. Search for PermitRootLogin, and set its value to no

    Alternatively, you can set its value to without-password (newer OpenSSH versions spell the same setting prohibit-password), which allows root to log in with SSH keys but not with a password. Since we have already turned off password authentication, that is not needed here.
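
The password and root-login steps above hand-edit two files, and the root-login step edits the first one again. The script below is an added example, not code from the tutorial, that automates both: it rewrites a directive in sshd_config and in every drop-in under sshd_config.d. That matters because sshd uses the first value it reads for a directive, and the Include line for the drop-ins sits near the top of the main file, which is exactly why 50-cloud-init.conf was overriding the setting. The demo at the bottom runs against a constructed copy of that layout rather than the live /etc/ssh; the file contents in it are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the original tutorial): set an sshd directive and make
# sure no drop-in file under sshd_config.d still overrides it.
# Assumptions: POSIX sh with GNU sed/grep/awk; CONF_DIR is a copy of the
# /etc/ssh layout for the demo (on the VPS run it as root against /etc/ssh).

# set_sshd_option CONF_DIR KEY VALUE
# Rewrites "Key value" (also a commented-out "#Key value") in sshd_config and in
# every *.conf under sshd_config.d. OpenSSH keeps the FIRST occurrence of a
# directive, and the drop-ins are Included near the top of the main file, so a
# drop-in like 50-cloud-init.conf wins unless it is fixed too.
set_sshd_option() {
    conf_dir="$1"; key="$2"; value="$3"
    for f in "$conf_dir/sshd_config" "$conf_dir"/sshd_config.d/*.conf; do
        [ -f "$f" ] || continue
        if grep -Eiq "^[[:space:]]*#?[[:space:]]*$key[[:space:]]" "$f"; then
            sed -Ei "s/^[[:space:]]*#?[[:space:]]*$key[[:space:]].*/$key $value/I" "$f"
        fi
    done
    # Make sure the directive exists even if no file mentioned it.
    grep -Eiq "^[[:space:]]*$key[[:space:]]" "$conf_dir/sshd_config" \
        || printf '%s %s\n' "$key" "$value" >> "$conf_dir/sshd_config"
}

# effective_sshd_option CONF_DIR KEY
# Prints the value that wins: first uncommented occurrence, drop-ins first.
# This mirrors the usual Ubuntu layout; "sshd -T" is the authoritative check.
effective_sshd_option() {
    conf_dir="$1"; key="$2"
    for f in "$conf_dir"/sshd_config.d/*.conf "$conf_dir/sshd_config"; do
        [ -f "$f" ] || continue
        v=$(grep -Ei "^[[:space:]]*$key[[:space:]]" "$f" | head -n1 | awk '{print $2}')
        if [ -n "$v" ]; then printf '%s\n' "$v"; return 0; fi
    done
    return 1
}

# Demo on a constructed copy of the config layout (not the live /etc/ssh).
DEMO=$(mktemp -d)
mkdir -p "$DEMO/sshd_config.d"
printf '%s\n' 'Include /etc/ssh/sshd_config.d/*.conf' \
               '#PasswordAuthentication yes' \
               '#PermitRootLogin prohibit-password' > "$DEMO/sshd_config"
printf '%s\n' 'PasswordAuthentication yes' > "$DEMO/sshd_config.d/50-cloud-init.conf"
echo "before: PasswordAuthentication=$(effective_sshd_option "$DEMO" PasswordAuthentication)"
set_sshd_option "$DEMO" PasswordAuthentication no
set_sshd_option "$DEMO" PermitRootLogin no
echo "after:  PasswordAuthentication=$(effective_sshd_option "$DEMO" PasswordAuthentication)"
echo "after:  PermitRootLogin=$(effective_sshd_option "$DEMO" PermitRootLogin)"
```

On the server, run the two set_sshd_option calls as root against /etc/ssh, then confirm the result with sudo sshd -T | grep -Ei '^(passwordauthentication|permitrootlogin)' before sudo systemctl restart ssh. sshd -T prints the configuration the daemon will actually use, so it catches any override the simple scan here would miss. Keep your existing session open and test a fresh login from a second terminal after the restart.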

Setting up Firewall

A firewall is a network security system that monitors and controls incoming and outgoing network traffic. It acts as a barrier between your server and potential threats from the internet.

Many VPS providers, like AWS, DigitalOcean, and Linode, offer firewall options that can be set up through their dashboard. But, we are going to use UFW, or Uncomplicated Firewall through CLI, as it’s easy to use.

Install UFW if it isn't already installed

Hostinger already comes with UFW by default, so we don’t have to do it.

sudo apt install ufw

Checking Status

sudo ufw status

It is currently inactive, so let’s enable it.

Deny all incoming connections by default

sudo ufw default deny incoming

Allow all outgoing connections by default

sudo ufw default allow outgoing

MOST IMPORTANT: Enable OpenSSH Connection

We know that OpenSSH uses port 22 by default. So, we have to enable this before exiting VPS. If we don’t follow this step, and enable the firewall, then we can no longer connect to our VPS using SSH connection.

sudo ufw allow OpenSSH

If you changed the port number for SSH, allow that port instead:

sudo ufw allow <port-number>

See list of added configuration

sudo ufw show added

Enable Firewall

Make sure to enable OpenSSH connection before enabling the firewall, otherwise you won’t be able to SSH into the VPS.

sudo ufw enable

Enabling HTTP, and HTTPS connections

We are going to deploy a website/web app in future, so we are going to enable HTTP, and HTTPS connections.

sudo ufw allow http
# Alternatively: sudo ufw allow 80/tcp
sudo ufw allow https
# Alternative: sudo ufw allow 443/tcp
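
Because the order of these commands is what keeps you from locking yourself out, here is an added example script (not from the tutorial) that applies the whole section in the safe order: defaults first, then the SSH rule, then enable, then HTTP and HTTPS. It assumes ufw is installed and that you run it with sudo on the VPS; the SSH port is passed as an argument (22 unless you changed Port in sshd_config), and the UFW_CMD variable is a hook I added so the script can be dry-run to just print the commands.

```shell
#!/bin/sh
# Added example (not from the original tutorial): apply the UFW rules from this
# section in a safe order, so the SSH rule always exists before the firewall is
# enabled. Assumptions: Ubuntu with ufw installed, run with sudo on the VPS.
# UFW_CMD is a dry-run hook: set UFW_CMD=: to only print the commands.

UFW_CMD=${UFW_CMD:-"sudo ufw"}

# apply_firewall SSH_PORT
# Prints and runs each rule. Order matters: the SSH allow rule goes in before
# "enable". "--force" skips ufw's interactive "may disrupt existing ssh
# connections" prompt, which is only acceptable because the rule is already there.
apply_firewall() {
    ssh_port="$1"
    run() { echo "+ $UFW_CMD $*"; $UFW_CMD "$@"; }

    run default deny incoming
    run default allow outgoing
    if [ "$ssh_port" = "22" ]; then
        run allow OpenSSH             # application profile for 22/tcp
    else
        run allow "$ssh_port/tcp"     # custom port; SSH is TCP only
    fi
    run --force enable                # SSH is allowed, so enabling is safe now
    run allow http                    # 80/tcp, for the website we will deploy
    run allow https                   # 443/tcp
    run status verbose                # show the resulting rules
}

# Usage on the VPS:     sh firewall.sh apply 22        (or your custom port)
# Dry run (print only): UFW_CMD=: sh firewall.sh apply 2222
if [ "${1:-}" = "apply" ]; then
    apply_firewall "${2:-22}"
fi
```

Check the port you pass with sudo sshd -T | grep -i '^port ' if you are not sure which one sshd is listening on, and keep your current session open while a second terminal confirms that a new SSH login still works after the firewall is enabled.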
