
47 points todsacerdoti | 7 comments
1. _def No.41910445
Opinions on the suggested fail2ban and ufw?
replies(3): >>41910483 #>>41910485 #>>41910516 #
2. remram No.41910483
ufw yes, fail2ban doesn't necessarily do much for you if you have disabled password authentication.
3. berbec No.41910485
fail2ban is a critical piece of security software, as is some firewall. For those new to Linux, you might as well use the one that is super-easy to install.
replies(1): >>41910494 #
4. tptacek No.41910494
The opposite is true about fail2ban: it's cargo-cult security, and people shouldn't be running it. It never made any sense, but it especially makes no sense if you're going to (sensibly) disable password authentication.
replies(1): >>41911141 #
5. akerl_ No.41910516
Honestly, for somebody running a personal server, ufw/iptables/etc tend to not be relevant for any direct security. Basically nobody is doing anything for outbound rules other than ACCEPT, and for inbound... people can only connect to services you're running on your public interface. So for most people, they'd just be setting up ufw/iptables/etc to allow traffic to the set of services they're running (ssh, a web server, etc) anyways.

That said, I do think there's some value in understanding what your server is running and what it's exposing to the network, and setting up firewall rules is one of many ways to build familiarity with that.

fail2ban is just junk, and shouldn't be running on any modern system.

6. trog No.41911141{3}
I agree for ssh - but I use it on a couple servers that have WordPress for the sole purpose of blocking IPs that engage in brute force attempts.

It has a real and dramatic impact on a few things - I got CPU warnings from one server a couple weeks back because I'd inadvertently broken logging and fail2ban stopped working and someone was doing a persistent brute force at high volume for 8 hours.

After I fixed fail2ban it dropped off immediately. I know some WordPress plugins will do this but I've not had much success with them compared to fail2ban so it's still my default for this purpose.

Are there better system-level approaches than fail2ban in this case? Or is your comment mostly directed towards those using it for ssh blocking?

replies(1): >>41911241 #
7. tptacek No.41911241{4}
Just SSH.
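
Added example, not part of the thread and not fail2ban's own code: a sketch of the log-driven detection that comment 6 relies on for WordPress login brute force, together with a staleness check for the failure mode described there, where logging broke and blocking silently stopped. The log format (combined access log), thresholds, sample lines, and function names are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access-log lines (combined log format, documentation IPs).
SAMPLE = [
    f'203.0.113.7 - - [21/Oct/2024:10:00:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 1523'
    for s in range(0, 12, 2)
] + [
    '198.51.100.4 - - [21/Oct/2024:10:00:05 +0000] "GET /wp-login.php HTTP/1.1" 200 1523',
    '198.51.100.4 - - [21/Oct/2024:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    "truncated or malformed line",
]

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')

def parse(line):
    """Return (ip, timestamp, method, path) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path = m.groups()
    try:
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    return ip, when, method, path.split("?", 1)[0]

def offenders(lines, max_hits=5, window=timedelta(seconds=60)):
    """Map each IP to the time it reached max_hits login POSTs within window."""
    recent, flagged = defaultdict(deque), {}
    for rec in filter(None, map(parse, lines)):
        ip, when, method, path = rec
        if method != "POST" or path != "/wp-login.php":
            continue
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:   # drop attempts older than the window
            q.popleft()
        if len(q) >= max_hits:
            flagged.setdefault(ip, when)
    return flagged

def log_is_stale(lines, now, max_age=timedelta(minutes=10)):
    """True when no parseable entry is recent: the detector has gone blind."""
    stamps = [rec[1] for rec in map(parse, lines) if rec]
    return not stamps or now - max(stamps) > max_age
```

Alerting on `log_is_stale` separately from the offender list is what catches the broken-logging case: an empty offender list looks identical whether nobody is attacking or the log has stopped being written.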