Most active commenters

    How to secure your new VPS: a step-by-step guide

    (www.kkyri.com)
    37 points todsacerdoti | 18 comments | 22 Oct 24 00:52 UTC | HN request time: 1.271s | source | bottom
    1. yjftsjthsd-h ◴[22 Oct 24 01:46 UTC] No.41910374[source]
    You should always verify that SSH password auth is actually off; run

      ssh -v myserver : 2>&1 | grep continue
    and ensure that it only gives "publickey"!

    (A surprising number of VPSs will re-enable passwords in a .d config file. And really, even if you've checked for that, the extra 10 seconds to make sure is worth it.)

    replies(1): >>41910475 #
    2. _def ◴[22 Oct 24 02:00 UTC] No.41910445[source]
    opinions on the suggested fail2ban and ufw?
    replies(3): >>41910483 #>>41910485 #>>41910516 #
    3. remram ◴[22 Oct 24 02:06 UTC] No.41910475[source]
    Good advice. Another option:

      ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no myserver
    4. remram ◴[22 Oct 24 02:07 UTC] No.41910483[source]
    ufw yes, fail2ban doesn't necessarily do much for you if you have disabled password authentication.
    5. berbec ◴[22 Oct 24 02:07 UTC] No.41910485[source]
    fail2ban is a critical piece of security software, as is some firewall. for those new to linux, you might as well use the one that is super-easy to install.
    replies(1): >>41910494 #
    6. tptacek ◴[22 Oct 24 02:08 UTC] No.41910490[source]
    This guide walks you through disabling password authentication for SSH, then walks you through setting up fail2ban.
    7. tptacek ◴[22 Oct 24 02:09 UTC] No.41910494{3}[source]
    The opposite is true about fail2ban: it's cargo-cult security, and people shouldn't be running it. It never made any sense, but it especially makes no sense if you're going to (sensibly) disable password authentication.
    8. gjsman-1000 ◴[22 Oct 24 02:10 UTC] No.41910497[source]
    Always remember though (and, before anyone says this is obvious, I once shocked an HN reader who hadn’t thought this through):

    All of your VPS security is meaningless compared to your VPS provider’s security, the security imposed on the employees of the VPS provider, the security of your VPS account password, and their susceptibility to faked subpoenas and faked emergency data requests.

    replies(1): >>41910536 #
    9. fny ◴[22 Oct 24 02:11 UTC] No.41910502[source]
    It’s insane to me that in 2024 it still takes this much back and forth to set up a server.

    I even recently tried automating this but quickly realized I was falling into an XKCD trap because the process is so damn painful.

    replies(1): >>41910581 #
    10. kelnos ◴[22 Oct 24 02:12 UTC] No.41910509[source]
    I would have appreciated the rationale behind setting 'UsePAM' to 'no'. I assume it's because, with password auth disabled, it's not necessary, and better to disable something that you don't need that would otherwise add to the attack surface?
    11. akerl_ ◴[22 Oct 24 02:14 UTC] No.41910516[source]
    Honestly, for somebody running a personal server, ufw/iptables/etc tend to not be relevant for any direct security. Basically nobody is doing anything for outbound rules other than ACCEPT, and for inbound... people can only connect to services you're running on your public interface. So for most people, they'd just be setting up ufw/iptables/etc to allow traffic to the set of services they're running (ssh, a web server, etc) anyways.

    That said, I do think there's some value in understanding what your server is running and what it's exposing to the network, and setting up firewall rules is one of many ways to build familiarity with that.

    fail2ban is just junk, and shouldn't be running on any modern system.

    12. ◴[22 Oct 24 02:15 UTC] No.41910526[source]
    13. Lord_Zero ◴[22 Oct 24 02:16 UTC] No.41910534[source]
    I recommend installing Tailscale, and using a firewall outside of the VPS like how Linode or EC2 does it. Don't even allow port 22 at all... Tailscale let's you access all your stuff without needing to expose ssh ports.
    14. akerl_ ◴[22 Oct 24 02:16 UTC] No.41910536[source]
    Far more VPSs are compromised through local VM attacks than provider attacks.

    This is a bit like saying "When you're temping your chicken, always remember that your grocery store could be putting arsenic in it at the store". Yea, that's true. But the average consumer gets sick far more often from mistakes in the kitchen than mistakes in the grocery store.

    replies(1): >>41910545 #
    15. gjsman-1000 ◴[22 Oct 24 02:17 UTC] No.41910545{3}[source]
    The person in question on HN was planning to self-host email. Sure, if you don’t want Google or Microsoft in particular reading it, I get it. But if you think nobody can read it now, that’s a major (potentially life threatening) mistake. Gmail might actually be safer in many circumstances.
    replies(1): >>41910790 #
    16. __mattya ◴[22 Oct 24 02:23 UTC] No.41910581[source]
    Most cloud providers will accept a cloud init cloud config file. Sometimes they call it a “script” but they still accept the Yaml file if it has the `#cloud-config`.

    There are modules for setting up ssh, adding users, installing packages, etc.

    https://cloudinit.readthedocs.io/en/latest/index.html

    17. aspenmayer ◴[22 Oct 24 02:59 UTC] No.41910790{4}[source]
    If you don’t want Google or Microsoft reading your email, Proton would be better still than Gmail, wouldn’t it?