How to Secure and Harden Your VPS

AKcryptoGUY
7 min read · Oct 14, 2018


Part 5: Be Your Own VPS

by AKcryptoGUY

Introduction

If you followed along with the previous guides in this series, then you have a fully functional Hyper-V server and a management PC to control it. The next step is to create a hardened virtual machine template that you can use to quickly deploy additional VMs without having to configure each of them individually. Using the methods described in these Guides, you will be able to use one physical computer to host several virtual Windows or Linux computers which could each run wallets or masternodes without the need for you to purchase virtual hosting or VPS from a third party.

Before You Begin

  • Download and install Hyper-V Server 2016 as described in the first part of this series
  • Complete the initial server configuration described in the second part of this series
  • Set up a Windows 10 computer and remotely configure the Hyper-V Server like in the third part of this series
  • Download Ubuntu Server 16.04 LTS and save the ISO in the “Install ISOs” folder on the Hyper-V server

Instructions

Once you have completed all of the steps listed in the “Before You Begin” section, you are ready to harden and secure your first virtual machine. Let’s begin.

1. Log into your management computer and open Hyper-V Manager

2. Create a new VM using the following settings

  • Generation 2
  • 2048 MB RAM
  • Add a virtual switch
  • Install an operating system from your Ubuntu Server ISO
  • Enter VM Settings and disable Secure Boot (or choose Microsoft UEFI template)
  • Add additional virtual processors
  • Enable Production checkpoints
  • Enable Guest services

3. Install Ubuntu Server on the VM, then shut it down

4. Create a Checkpoint after installation

5. Start the VM and log into terminal

6. Obtain your internal IP address for use with SSH on your LAN

7. Use Putty to SSH into the VM

8. Update the server

sudo apt-get update -y && sudo apt-get upgrade -y

9. Adjust timeout for “sudo” password prompts (for convenience, not security)

sudo visudo

10. Secure SSH access and require RSA key-pair authentication

mkdir ~/.ssh && touch ~/.ssh/authorized_keys
sudo chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys
sudo nano ~/.ssh/authorized_keys
  • Generate a 4096 bit public and private RSA key using PuttyGen
  • Paste the public key into ~/.ssh/authorized_keys and save
  • Save private key on management computer
  • Secure SSH by editing configuration
sudo nano /etc/ssh/sshd_config
  • Enter a custom SSH port
  • Disable root login by changing line to “PermitRootLogin no”
  • Uncomment line to read “PasswordAuthentication no”
  • Save file

11. Create a login banner

sudo nano /etc/pam.d/sshd
  • Comment out “session optional pam_motd.so motd=/run/motd.dynamic”
  • Comment out “session optional pam_motd.so motd noupdate” and save
sudo nano /etc/ssh/sshd_config
  • Uncomment line “Banner /etc/issue.net” and save changes
  • Create a suitable login banner that forbids unauthorized access and save
sudo nano /etc/issue.net
  • Restart SSHD
sudo systemctl restart sshd

12. Reconnect to SSH to confirm all settings are correct

  • Update Putty configuration to include custom port and Private RSA key
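The sshd_config edits from steps 10 to 12 are easy to get subtly wrong (a leftover active line, a directive still commented out), so here is an added example, not part of the original guide, that applies them to a copy of the file and audits the result. It assumes the hardened values listed in the steps, a custom port passed as an argument, and that the copy is moved into /etc/ssh/sshd_config by hand afterwards.

```shell
# Added example (not from the original guide). $1 = a COPY of sshd_config,
# $2 = the custom SSH port chosen in step 10. Directives here are the ones
# the steps set; PubkeyAuthentication is included so key login stays on.
HARDENED_SSH="PermitRootLogin=no PasswordAuthentication=no PubkeyAuthentication=yes Banner=/etc/issue.net"

harden_sshd_config() {
  cfg="$1"; port="$2"
  for kv in "Port=$port" $HARDENED_SSH; do
    key="${kv%%=*}"; val="${kv#*=}"
    # sshd honours the FIRST occurrence of a keyword, so remove every existing
    # line for it (active or commented), then append the hardened value.
    sed "/^[#[:space:]]*$key[[:space:]]/d" "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    printf '%s %s\n' "$key" "$val" >> "$cfg"
  done
}

# Report every directive whose first active value differs from the hardened
# one; returns 1 if anything is off, 0 when the file matches steps 10-12.
audit_sshd_config() {
  cfg="$1"; port="$2"; bad=0
  for kv in "Port=$port" $HARDENED_SSH; do
    key="${kv%%=*}"; want="${kv#*=}"
    have=$(awk -v k="$key" 'tolower($1)==tolower(k){print $2; exit}' "$cfg")
    if [ "$have" != "$want" ]; then
      echo "NOT HARDENED: $key is '${have:-unset}', want '$want'"
      bad=$((bad+1))
    fi
  done
  [ "$bad" -eq 0 ]
}
```

Before moving the copy into place, `sudo sshd -t -f <copy>` checks that it parses; keep the current PuTTY session open until a second session has confirmed the new port and key login work (step 12).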

13. Install and configure the firewall

sudo apt-get install ufw
sudo ufw default allow outgoing
sudo ufw default deny incoming
sudo ufw allow 40122 (use the custom SSH port you selected)
sudo ufw status
sudo ufw enable

14. Install Fail2ban

sudo apt-get install fail2ban

15. Set time zone and NTP

  • Install dbus
sudo apt-get install dbus
  • Locate your timezone in the list of timezones
timedatectl list-timezones
  • Set your timezone
sudo timedatectl set-timezone DESIRED_TIMEZONE
  • Install NTP
sudo apt-get install ntp

16. Secure shared memory

sudo nano /etc/fstab
  • Add the following line at the end of the file
tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0

17. Modify /etc/host.conf to prevent IP spoofing

sudo nano /etc/host.conf

Change the last 2 lines in the file to look like this:

order bind,hosts
nospoof on

18. Modify /etc/sysctl.conf to harden the networking layer

sudo nano /etc/sysctl.conf
  • Add the following lines to the file:
# IP Spoofing protection
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0

# Ignore send redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Block SYN attacks
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5

# Log Martians
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0

# Ignore Directed pings
net.ipv4.icmp_echo_ignore_all = 1
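Editing /etc/sysctl.conf only changes what is loaded at boot (or by `sudo sysctl -p`), so it is worth confirming the kernel is actually running these values. The following is an added example, not from the original guide: it reads each `key = value` line from the file you just edited and compares it with the live value under /proc/sys (the directory root is a parameter so it can be pointed at a test tree). IPv6 keys are reported as absent when IPv6 is disabled on the VM, which is expected rather than a failure of the hardening.

```shell
# Added example (not from the original guide). Compare every "key = value"
# line in a sysctl conf file ($1) with the live kernel value found under
# $2 (default /proc/sys). Prints each mismatch; returns 1 if any were found.
audit_sysctl() {
  conf="$1"; root="${2:-/proc/sys}"; bad=0
  while IFS= read -r line; do
    # Skip blank lines and the "# ..." comments used in step 18.
    case "$line" in ''|\#*) continue ;; esac
    key=$(printf '%s' "$line" | sed 's/[[:space:]]*=.*//')
    want=$(printf '%s' "$line" | sed 's/.*=[[:space:]]*//')
    # net.ipv4.conf.all.rp_filter -> /proc/sys/net/ipv4/conf/all/rp_filter
    node="$root/$(printf '%s' "$key" | tr . /)"
    if [ ! -r "$node" ]; then
      echo "ABSENT $key (no $node; IPv6 or a module not loaded?)"
      bad=$((bad+1)); continue
    fi
    have=$(cat "$node")
    if [ "$have" != "$want" ]; then
      echo "DRIFT $key = $have (want $want)"
      bad=$((bad+1))
    fi
  done < "$conf"
  [ "$bad" -eq 0 ]
}
```

Run it as `sudo sysctl -p && audit_sysctl /etc/sysctl.conf` after step 18; a DRIFT line means another file under /etc/sysctl.d/ or a service is overriding your setting.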

19. Edit /etc/ufw/before.rules to enable DDoS protection

sudo nano /etc/ufw/before.rules
  • Add the following lines after *filter line
:ufw-http - [0:0]
:ufw-http-logdrop - [0:0]
  • Add the following lines to the end of the file, before the word COMMIT
### Start HTTP ###

# Enter rule
-A ufw-before-input -p tcp --dport 80 -j ufw-http
-A ufw-before-input -p tcp --dport 443 -j ufw-http

# Limit connections per Class C
-A ufw-http -p tcp --syn -m connlimit --connlimit-above 50 --connlimit-mask 24 -j ufw-http-logdrop

# Limit connections per IP
-A ufw-http -m state --state NEW -m recent --name conn_per_ip --set
-A ufw-http -m state --state NEW -m recent --name conn_per_ip --update --seconds 10 --hitcount 20 -j ufw-http-logdrop

# Limit packets per IP
-A ufw-http -m recent --name pack_per_ip --set
-A ufw-http -m recent --name pack_per_ip --update --seconds 1 --hitcount 20 -j ufw-http-logdrop

# Finally accept
-A ufw-http -j ACCEPT

# Log
-A ufw-http-logdrop -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW HTTP DROP] "
-A ufw-http-logdrop -j DROP

### End HTTP ###

# Prevent ping flood
-A INPUT -p icmp -m limit --limit 6/s --limit-burst 1 -j ACCEPT
-A INPUT -p icmp -j DROP
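The two most common ways this edit breaks ufw are a rule that jumps to a chain that was never declared after *filter, and stray blank lines before COMMIT (see Tips and Troubleshooting). The following is an added example, not from the original guide, that checks a before.rules file for both before you run `sudo ufw enable`; it assumes the standard iptables-restore layout of the file (a *filter table, `:chain - [0:0]` declarations, -A rules, COMMIT).

```shell
# Added example (not from the original guide). Sanity-check a ufw before.rules
# file ($1) after the step 19 edits. Every custom chain a rule jumps to must be
# declared with ":name - [0:0]" under *filter, COMMIT must be present, and the
# line right before COMMIT must not be blank. Prints each problem; returns 1 if any.
check_before_rules() {
  f="$1"; bad=0
  # Chains declared in the *filter table (":ufw-http - [0:0]" -> "ufw-http").
  declared=$(awk '/^\*filter/{t=1} t && /^:/{sub(/^:/,""); print $1}' "$f")
  # Every "-j TARGET" in an -A rule, excluding iptables built-in targets.
  for chain in $(awk '/^-A /{for(i=1;i<=NF;i++) if($i=="-j") print $(i+1)}' "$f" | sort -u); do
    case "$chain" in ACCEPT|DROP|REJECT|LOG|RETURN) continue ;; esac
    if ! printf '%s\n' "$declared" | grep -qxF -- "$chain"; then
      echo "UNDECLARED chain: $chain (add ':$chain - [0:0]' after *filter)"
      bad=$((bad+1))
    fi
  done
  if ! grep -qx 'COMMIT' "$f"; then
    echo "MISSING COMMIT line"; bad=$((bad+1))
  fi
  # The Tips section reports that a blank line before COMMIT stops the
  # firewall from starting or enabling, so flag it here.
  blank=$(awk 'NR>1 && /^COMMIT$/ && last ~ /^[[:space:]]*$/ {print "blank line before COMMIT at line " NR} {last=$0}' "$f")
  if [ -n "$blank" ]; then
    echo "$blank"; bad=$((bad+1))
  fi
  [ "$bad" -eq 0 ]
}
```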

20. Shut down the server

sudo shutdown now

21. Create a new checkpoint of the template as it is

22. Export the VM as is to be able to easily duplicate it in the future

Tips and Troubleshooting

  • If you have a problem when starting or enabling the firewall, check that you don’t have any blank spaces or lines before the COMMIT line at the end of your /etc/ufw/before.rules
  • If you see “Load Failed” on the Security tab of the settings for your VM, it may be because your Hyper-V server does not have a TPM. In that case, disable Secure Boot by entering the following command into PowerShell on the server: Set-VMFirmware "yourvmname" -EnableSecureBoot off
  • Tip: Assign a static IP address or reserve an IP address on your router to enable consistent SSH access
  • Tip: To prevent external intrusion, only forward your SSH port if you require access to the server from outside your LAN
  • Tip: If you are confident that you have configured the template the way you want it, delete both checkpoints and let the VHD merge changes before you export your template; this makes it easier to import and duplicate multiple copies of the same VM

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

Watch this video on YouTube: https://youtu.be/MQsQ_NE4w2U
