VPS Hardening Checklist:
Overview
0) Introduction & Intention
This write-up is intended to be a generic checklist for hardening a Linux VPS. For a better understanding of some of the tools, I'll add links to some more detailed walkthroughs. I'm using a Debian box hosted by Digital Ocean. While there are many other great hosts out there, this is simply my preferred platform, and the steps should provide some fairly solid guidelines for most distributions.
Caveat: This is a general outline for good security practices but if you're running from MI6, this will not be enough for you. Every environment is different, and perfect security doesn't exist. To really harden up your system, you'll need to tailor your settings to your environment, individual needs, threat model, etc.
1) Configure Root
Set a strong password using the passwd command:
root@haxbox ~ # passwd
You can go here for my guidelines on choosing a strong password
2) Update
Ensure your packages and OS are fully up to date:
root@haxbox ~ # apt-get update
root@haxbox ~ # apt-get dist-upgrade
root@haxbox ~ # apt-get upgrade
3) New User
It's never a good idea to run as root, so the next step is to create a non-root user and assign it sudo privileges for when root authority is needed.
First, get sudo installed if it isn't already:
root@haxbox ~ # apt-get install sudo
Create the user and assign it a strong password:
root@haxbox ~ # adduser haxor
root@haxbox ~ # passwd haxor
And allow it to sudo:
root@haxbox ~ # usermod -aG sudo haxor
4) SSH
This is where you start to dig into the fun stuff...
First you'll need to generate an SSH key-pair on your *local* box.
user@homebox ~ $ ssh-keygen -t rsa -b 4096 -C "optional comment goes here"
As always, input a strong password when prompted.
Before you continue, you'll need to verify the correct permissions are set on your .ssh folder and files:
user@homebox ~ $ chmod 700 ~/.ssh
user@homebox ~ $ chmod 600 ~/.ssh/authorized_keys
Now upload your *public* key to your box. I prefer to use ssh-copy-id, although there are multiple methods to accomplish this.
user@homebox ~ $ ssh-copy-id haxor@haxboxipaddress
At this point, I STRONGLY recommend that you ssh into your box with your new user account, to ensure that your account and key are working properly.
user@homebox ~ $ ssh haxor@haxboxipaddress
Lock down your ssh server configuration by adding/modifying the following lines:
haxor@haxbox ~ $ vi /etc/ssh/sshd_config
# Optional: use any non-default port
Port 76
AddressFamily inet
PermitRootLogin no
StrictModes yes
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM no
# Or restrict by group instead: AllowGroups sshusers
AllowUsers haxor
Protocol 2
Restart the ssh service:
haxor@haxbox ~ $ sudo service sshd restart
You can go here for a deeper explanation of how these settings work and some alternative configurations
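Before restarting sshd, it is worth checking that the edited file actually contains every setting above (a single typo such as "PasswordAuthentication on" silently falls back to the default). The following script is an added example and not part of the original checklist: it audits an sshd_config for the directives listed above and exits non-zero on any miss. Assumptions: the config path is passed as the first argument, the required values are hard-coded from the list above, plain "last match wins" is approximated by taking the last occurrence of a directive, and Match blocks are not evaluated. The sample configs written by write_sample_config are constructed for the demo and are not a real server's files.

```shell
#!/bin/sh
# Added example (not from the original checklist): audit an sshd_config
# against the checklist's settings. Exit 0 = all present, 1 = findings.
# Assumptions: config path is $1; Match blocks are ignored; for repeated
# directives the last occurrence is taken as the effective value.

# Directive=value pairs the checklist requires.
REQUIRED='PermitRootLogin=no PubkeyAuthentication=yes PasswordAuthentication=no
PermitEmptyPasswords=no ChallengeResponseAuthentication=no StrictModes=yes
AddressFamily=inet'

# Effective value of one directive: last non-comment line whose first word
# matches the key (sshd keywords are case-insensitive). Empty if unset.
sshd_effective() {
    awk -v k="$2" '$1 !~ /^#/ && tolower($1) == tolower(k) { v = $2 }
                   END { print v }' "$1"
}

check_sshd_config() {
    cfg="$1"
    rc=0
    for pair in $REQUIRED; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(sshd_effective "$cfg" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL: $key is '${got:-unset}', expected '$want'"
            rc=1
        else
            echo "ok:   $key $got"
        fi
    done
    # Logins must be restricted by AllowUsers or AllowGroups (either is fine).
    if ! awk '$1 !~ /^#/ && (tolower($1) == "allowusers" || tolower($1) == "allowgroups") { f = 1 }
              END { exit !f }' "$cfg"; then
        echo "FAIL: neither AllowUsers nor AllowGroups is set"
        rc=1
    fi
    return $rc
}

# Constructed sample configs for a stand-alone demo (not real server files).
write_sample_config() {
    case "$2" in
        hardened) cat > "$1" <<'EOF'
Port 76
AddressFamily inet
PermitRootLogin no
StrictModes yes
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM no
AllowUsers haxor
EOF
        ;;
        default) cat > "$1" <<'EOF'
#PermitRootLogin prohibit-password
PasswordAuthentication yes
UsePAM yes
EOF
        ;;
    esac
}

# Usage on the server:  check_sshd_config /etc/ssh/sshd_config
# Demo on a constructed "default" config (expected to report failures):
#   t=$(mktemp); write_sample_config "$t" default; check_sshd_config "$t"; rm -f "$t"
```

On the server itself, `sudo sshd -T` prints the effective configuration with defaults and Match blocks resolved, so piping that into a temporary file and running check_sshd_config on it gives a more reliable answer than reading the raw file.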
5) Fail2Ban
Install Fail2Ban and create the local configuration files:
sudo apt-get install fail2ban
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
cp /etc/fail2ban/jail.d/defaults-debian.conf /etc/fail2ban/jail.d/defaults-debian.local
Edit the following settings in /etc/fail2ban/jail.local:
[DEFAULT]
bantime = 600
findtime = 600
maxretry = 5
....
[sshd]
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
Make sure the following text is in /etc/fail2ban/jail.d/defaults-debian.local:
[sshd]
enabled = true
Restart the fail2ban service:
haxor@haxbox ~ $ sudo service fail2ban restart
You can go here for a deeper explanation of how these settings work and some alternative configurations
6) IP Tables
Ensure iptables is installed, then flush the existing rules and start from accept-all policies before adding the rules below:
sudo apt-get install iptables
sudo iptables -F
sudo iptables -X
sudo iptables -P INPUT ACCEPT
sudo iptables -P FORWARD ACCEPT
sudo iptables -P OUTPUT ACCEPT
Next, allow SSH traffic to the SSH port:
sudo iptables -A INPUT -p tcp --dport ssh -m state --state NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
Allow any new outbound connections established from the VPS, and allow any inbound packets that are related to existing outbound connections:
sudo iptables -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
Now fix those default policies to drop any traffic that isn't specifically allowed:
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT DROP
Save those rules and make them persistent. Select 'Yes' to save the current rules, when prompted:
sudo apt install iptables-persistent
You can go here for a deeper explanation of how these settings work and some alternative configurations
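Two details in the rules above are easy to get wrong: `--dport ssh` resolves to 22 from /etc/services, so if you changed Port in sshd_config the SSH rule must use that number instead, and a typed-out rule list is hard to review. The script below is an added example, not part of the original checklist: it renders the same policy as an iptables-restore rules file (the format iptables-persistent saves to /etc/iptables/rules.v4), parameterized on the SSH port. It goes beyond the page in one respect, which is labelled in the code: it also accepts loopback traffic, which the OUTPUT DROP policy would otherwise block for local services. The SSH port argument and the output path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the original checklist): emit the checklist's
# iptables policy in iptables-restore format, so it can be reviewed as text
# and loaded atomically. Assumption: the SSH port is the first argument
# (defaults to 22). The loopback rules are an addition beyond the page.
build_iptables_rules() {
    ssh_port="${1:-22}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback (added beyond the checklist; local services such as a resolver need it)
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# inbound SSH on the configured port, and its replies
-A INPUT -p tcp --dport ${ssh_port} -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --sport ${ssh_port} -m state --state ESTABLISHED -j ACCEPT
# connections initiated by the VPS and the packets related to them
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Usage (as root, after reading the output and confirming the port matches
# the Port line in sshd_config; paths are assumptions):
#   build_iptables_rules 76 > /etc/iptables/rules.v4
#   iptables-restore < /etc/iptables/rules.v4
```

Load the file from a session you can still reach if the port is wrong, and confirm with `sudo iptables -L -n` that the policies read DROP and the SSH rule carries the expected port. Note that, exactly like the commands on the page, this ruleset only accepts TCP, so with the OUTPUT policy at DROP the box cannot send UDP (for example DNS lookups) until you add rules for it.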
7) Services
Coming soon... Disable any unnecessary services.
8) Closing Thoughts
I'd like to reiterate that this is simply intended to be a checklist for some generic hardening. Do you think I missed something? Did a step not work? Could this simply be the most bestest article you've ever seen on the interwebz? Feel free to stop by the channel and let us know what you think. You can send your flames or flattery for this article to PrettyKittie via IRC or email.
Recommended Reading