How to Secure and Harden Your VPS
Part 5: Be Your Own VPS
by AKcryptoGUY
Introduction
If you followed along with the previous guides in this series, then you have a fully functional Hyper-V server and a management PC to control it. The next step is to create a hardened virtual machine template that you can use to quickly deploy additional VMs without having to configure each of them individually. Using the methods described in these Guides, you will be able to use one physical computer to host several virtual Windows or Linux computers which could each run wallets or masternodes without the need for you to purchase virtual hosting or VPS from a third party.
Before You Begin
- Download and install Hyper-V Server 2016 as described in the first part of this series
- Complete the initial server configuration described in the second part of this series
- Set up a Windows 10 computer and remotely configure the Hyper-V Server like in the third part of this series
- Download Ubuntu Server 16.04 LTS and save the ISO in the “Install ISOs” folder on the Hyper-V server
Instructions
Once you have completed all of the steps listed in the “Before You Begin” section, you are ready to harden and secure your first virtual machine. Let’s begin.
1. Log into your management computer and open Hyper-V Manager
2. Create a new VM using the following settings
- Generation 2
- 2048 MB RAM
- Add a virtual switch
- Install an operating system from your Ubuntu Server ISO
- Enter VM Settings, open Security and either disable Secure Boot or change the Secure Boot template to “Microsoft UEFI Certificate Authority”; the default “Microsoft Windows” template does not trust Ubuntu’s bootloader, so the VM will not boot from the ISO
- Add additional virtual processors
- Enable Production checkpoints
- Enable Guest services
3. Install Ubuntu Server on the VM, then shut it down
4. Create a Checkpoint after installation
5. Start the VM and log into terminal
6. Obtain your internal IP address for use with SSH on your LAN
7. Use Putty to SSH into the VM
8. Update the server
sudo apt-get update -y && sudo apt-get upgrade -y
9. Adjust the timeout for “sudo” password prompts (for convenience, not security; this is the timestamp_timeout value, in minutes, on a Defaults line)
sudo visudo
10. Secure SSH access and require key-pair authentication
Run these as the user you log in with, not through sudo, so the files stay owned by that user (sshd silently ignores an authorized_keys file with the wrong owner or loose permissions):
mkdir -p ~/.ssh && touch ~/.ssh/authorized_keys
chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys
nano ~/.ssh/authorized_keys
- Generate a 4096 bit RSA key pair with PuTTYgen (PuTTYgen 0.68 and later can also generate Ed25519 keys, which are shorter and equally well supported by the OpenSSH shipped with 16.04)
- Copy the single line shown in PuTTYgen’s “Public key for pasting into OpenSSH authorized_keys file” box (not the contents of the saved .ppk, which is PuTTY’s own format), paste it into ~/.ssh/authorized_keys and save
- Save the private key (.ppk) on the management computer, protected with a passphrase; it never goes on the server
- Secure SSH by editing configuration
sudo nano /etc/ssh/sshd_config
- Enter a custom SSH port, e.g. “Port 40122” (the same value you open in the firewall in step 13); this mainly cuts log noise from scanners and is not a security control on its own
- Disable root login by changing the line to “PermitRootLogin no”
- Uncomment the “#PasswordAuthentication yes” line and change it to “PasswordAuthentication no”, so only the key you just installed can log in
- Save file
11. Create a login banner
sudo nano /etc/pam.d/sshd
- Comment out “session optional pam_motd.so motd=/run/motd.dynamic”
- Comment out “session optional pam_motd.so motd noupdate” and save
sudo nano /etc/ssh/sshd_config
- Uncomment line “Banner /etc/issue.net” and save changes
- Create a suitable login banner that forbids unauthorized access and save
sudo nano /etc/issue.net
- Restart SSHD
sudo systemctl restart sshd
12. Reconnect to SSH to confirm all settings are correct, keeping the current session open until the key-based login on the custom port succeeds (if it fails, fix sshd_config from the old session instead of locking yourself out)
- Update Putty configuration to include custom port and Private RSA key
13. Install and configure the firewall (run the commands in this order: the allow rule for your SSH port must exist before you enable ufw, or your next connection is blocked)
sudo apt-get install ufw
sudo ufw default allow outgoing
sudo ufw default deny incoming
sudo ufw allow 40122/tcp (use the custom SSH port you selected in step 10)
sudo ufw enable
sudo ufw status verbose
14. Install Fail2ban
sudo apt-get install fail2ban
- The sshd jail is enabled out of the box on Ubuntu and reads /var/log/auth.log, but its ban action uses “port = ssh”, i.e. port 22, so with the custom port from step 10 the ban would not cover the port you actually expose. Add an [sshd] section with “port = <your port>” to /etc/fail2ban/jail.local (do not edit jail.conf, which is replaced on upgrade), restart fail2ban, and confirm with “fail2ban-client status sshd”
15. Set time zone and NTP
- Install dbus
sudo apt-get install dbus
- Locate your timezone in the list of timezones
timedatectl list-timezones
- Set your timezone
sudo timedatectl set-timezone DESIRED_TIMEZONE
- Install NTP (optional: Ubuntu 16.04 already keeps time with systemd-timesyncd; the ntp package replaces it with a full NTP daemon, which you only need if this VM should serve time to other hosts)
sudo apt-get install ntp
16. Secure shared memory
sudo nano /etc/fstab
- Add the following line at the end of the file (nodev is added to the usual noexec,nosuid pair; on Ubuntu 16.04 /run/shm is a symlink to /dev/shm, so after a reboot confirm with “mount | grep shm” that the mount carries all three options)
tmpfs /run/shm tmpfs defaults,noexec,nosuid,nodev 0 0
17. Modify /etc/host.conf to enable resolver spoof checking
sudo nano /etc/host.conf
Change the last 2 lines in the file to look like this:
order bind,hosts
nospoof on
- Note that “nospoof” only tells the resolver library to reject a hostname answer whose reverse lookup does not match; it does nothing about spoofed IP packets, which is what the rp_filter settings in the next step address
18. Modify /etc/sysctl.conf to harden the networking layer
sudo nano /etc/sysctl.conf
- Add the following lines to the file, then load them into the running kernel with “sudo sysctl -p” (otherwise they only take effect after a reboot):
# IP Spoofing protection
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# Ignore send redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Block SYN attacks
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5
# Log Martians
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# Ignore directed pings (optional: this also stops you pinging the VM from your own LAN when troubleshooting)
net.ipv4.icmp_echo_ignore_all = 1
19. Edit /etc/ufw/before.rules to rate-limit HTTP connections and pings
- These rules only act on ports 80 and 443, which the policy from step 13 does not open, so they do nothing until you “ufw allow” those ports on a VM that serves web traffic; the thresholds below (20 new connections per 10 s and 20 packets per second from one address) are aggressive for a real site, so tune them to your traffic
- The two ICMP lines at the end append to the INPUT chain, which ufw reaches only after its own ufw-before-input chain has already accepted echo-request in the stock before.rules; together with icmp_echo_ignore_all = 1 from step 18 they are belt and braces, not the control that stops a ping flood
sudo nano /etc/ufw/before.rules
- Add the following lines after the *filter line, next to the existing chain declarations
:ufw-http - [0:0]
:ufw-http-logdrop - [0:0]
- Add the following lines to the end of the file, before the word COMMIT
### Start HTTP ###
# Enter rule
-A ufw-before-input -p tcp --dport 80 -j ufw-http
-A ufw-before-input -p tcp --dport 443 -j ufw-http
# Limit connections per Class C
-A ufw-http -p tcp --syn -m connlimit --connlimit-above 50 --connlimit-mask 24 -j ufw-http-logdrop
# Limit connections per IP
-A ufw-http -m state --state NEW -m recent --name conn_per_ip --set
-A ufw-http -m state --state NEW -m recent --name conn_per_ip --update --seconds 10 --hitcount 20 -j ufw-http-logdrop
# Limit packets per IP
-A ufw-http -m recent --name pack_per_ip --set
-A ufw-http -m recent --name pack_per_ip --update --seconds 1 --hitcount 20 -j ufw-http-logdrop
# Finally accept
-A ufw-http -j ACCEPT
# Log
-A ufw-http-logdrop -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW HTTP DROP] "
-A ufw-http-logdrop -j DROP
### End HTTP ###
# Prevent ping flood
-A INPUT -p icmp -m limit --limit 6/s --limit-burst 1 -j ACCEPT
-A INPUT -p icmp -j DROP
20. Shut down the server
sudo shutdown now
21. Create a new checkpoint of the template as it is
22. Export the VM as is to be able to easily duplicate it in the future
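The SSH, firewall, fail2ban and sysctl steps above (10, 13, 14 and 18) are the ones where a slip either locks you out or quietly leaves a gap, so here they are as one idempotent script. This is an added example written for this guide, not code from the original post or the video; it assumes Ubuntu 16.04 with openssh-server, ufw and fail2ban installed, and the port 40122, the PUBKEY placeholder and the harden-template.sh file name are illustrative. The PAM banner lines (step 11), timezone, shared memory, host.conf and the before.rules HTTP chains (steps 15 to 19) stay manual as described above. Every function takes the file it edits as an argument, so you can dry-run it against a copy of sshd_config before pointing it at /etc/ssh.

```shell
#!/bin/sh
# harden-template.sh: one idempotent pass over the SSH, firewall, fail2ban and
# sysctl steps of this guide (steps 10, 13, 14 and 18). Added example for this
# guide, not from the original post. Assumes Ubuntu 16.04 with openssh-server,
# ufw and fail2ban installed; SSH_PORT and PUBKEY are placeholders to edit.
set -eu

SSH_PORT="${SSH_PORT:-40122}"   # custom port from step 10 (example value)
PUBKEY="${PUBKEY:-}"            # one-line public key exported from PuTTYgen

# Rewrite every "KEY ..." line (commented or active) in an sshd_config-style
# file as "KEY VALUE", or append it if KEY is absent. Safe to run repeatedly.
set_sshd_option() {
  local file="$1" key="$2" value="$3"
  if grep -Eq "^[#[:space:]]*${key}[[:space:]]" "$file"; then
    sed -i -E "s|^[#[:space:]]*${key}[[:space:]].*|${key} ${value}|" "$file"
  else
    printf '%s %s\n' "$key" "$value" >> "$file"
  fi
}

# First active value of KEY in FILE, which is what sshd uses (empty if unset).
sshd_option() { awk -v k="$2" '$1 == k { print $2; exit }' "$1"; }

# Step 10 (plus the step 11 banner): custom port, no root, key-only logins.
harden_sshd_config() {
  local file="$1" port="$2"
  set_sshd_option "$file" Port "$port"
  set_sshd_option "$file" PermitRootLogin no
  set_sshd_option "$file" PubkeyAuthentication yes
  set_sshd_option "$file" PasswordAuthentication no
  set_sshd_option "$file" ChallengeResponseAuthentication no
  set_sshd_option "$file" Banner /etc/issue.net
}

# Install PUBKEY in HOME/.ssh/authorized_keys with step-10 permissions, once.
# Refuses an empty key: with PasswordAuthentication off that is a lockout.
ensure_authorized_key() {
  local home="$1" pubkey="$2"
  [ -n "$pubkey" ] || { echo "no public key given, refusing to continue" >&2; return 1; }
  mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
  touch "$home/.ssh/authorized_keys" && chmod 600 "$home/.ssh/authorized_keys"
  grep -qxF "$pubkey" "$home/.ssh/authorized_keys" ||
    printf '%s\n' "$pubkey" >> "$home/.ssh/authorized_keys"
}

# Step 14: the stock sshd jail bans "port = ssh" (22), so after step 10 it
# would read the log but block the wrong port. Point it at the custom port.
write_fail2ban_jail() {
  cat > "$1" <<EOF
[DEFAULT]
bantime  = 3600
findtime = 600
maxretry = 5

[sshd]
enabled = true
port    = $2
EOF
}

# Step 18: /etc/sysctl.conf is read at boot or by "sysctl -p". Compare each
# "key = value" line in FILE with the live kernel; print mismatches, return 1
# if any. READER (default "sysctl -n") is the command that reads live values.
sysctl_mismatches() {
  local file="$1" reader="${2:-sysctl -n}" bad=0 key want live
  while IFS='=' read -r key want; do
    key=$(printf '%s' "$key" | tr -d '[:space:]')
    want=$(printf '%s' "$want" | tr -d '[:space:]')
    case "$key" in ''|\#*) continue ;; esac
    live=$($reader "$key" 2>/dev/null || echo '?')
    [ "$live" = "$want" ] || { echo "$key: file=$want live=$live"; bad=1; }
  done < "$file"
  return "$bad"
}

# Apply to the live VM. Runs only as: sudo sh harden-template.sh --apply
apply_all() {
  [ "$(id -u)" -eq 0 ] || { echo "run with sudo" >&2; return 1; }
  user="${SUDO_USER:-root}"
  home=$(getent passwd "$user" | cut -d: -f6)
  ensure_authorized_key "$home" "$PUBKEY"   # aborts the run if PUBKEY is empty
  chown -R "$user:$user" "$home/.ssh"
  harden_sshd_config /etc/ssh/sshd_config "$SSH_PORT"
  sshd -t                     # validate the config before restarting, or lose the session
  ufw default deny incoming
  ufw default allow outgoing
  ufw allow "${SSH_PORT}/tcp" # step 13: open the new port BEFORE enabling ufw
  ufw --force enable
  write_fail2ban_jail /etc/fail2ban/jail.local "$SSH_PORT"
  sysctl -p >/dev/null && sysctl_mismatches /etc/sysctl.conf || true
  systemctl restart sshd fail2ban
  echo "now reconnect on port $SSH_PORT with your key before closing this session"
}

if [ "${1:-}" = "--apply" ]; then apply_all; fi
```

Edit SSH_PORT and PUBKEY at the top, then run it once from your existing PuTTY session with “sudo sh harden-template.sh --apply”: it refuses to disable password logins without a key, validates sshd_config with “sshd -t” before restarting, opens the new port before enabling ufw, and prints any sysctl value the kernel did not accept. Reconnect on the new port with the key before you close the old session.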
Tips and Troubleshooting
- If you have a problem when starting or enabling the firewall, check that you don’t have any blank spaces or lines before the COMMIT line at the end of your /etc/ufw/before.rules
- If you see “Load Failed” on the Security tab of the settings for your VM, it may be because your Hyper-V server does not have a TPM. In that case, disable Secure Boot by entering the following command into PowerShell on the server: Set-VMFirmware “yourvmname” -EnableSecureBoot Off
- Tip: Assign a static IP address or reserve an IP address on your router to enable consistent SSH access
- Tip: To prevent external intrusion, only forward your SSH port if you require access to the server from outside your LAN
- Tip: If you are confident that you have configured the template the way you want it, delete both checkpoints and let the VHD merge changes before you export your template; this makes it easier to import and duplicate multiple copies of the same VM
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
Watch this video on YouTube: https://youtu.be/MQsQ_NE4w2U
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
Stay in Touch with us:
Twitter → https://twitter.com/AKcryptoGUY
Medium → https://medium.com/@AKcryptoGUY
Facebook → https://www.facebook.com/AKcryptoGUY
Instagram → https://www.instagram.com/akcryptoguy
YouTube → https://www.youtube.com/channel/UCIFu9OZWOtfxokGdFY6aTog
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
Links
- Download Ubuntu Server 16.04 LTS: http://releases.ubuntu.com/16.04.5/
- Download Putty and PuttyGen: https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
Affiliate Links:
Windscribe VPN: Your online privacy is under attack:
https://windscribe.com/?affid=myxd75vi
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
If I helped you save, please consider helping me earn.
BTC: 3LbUJVW9WmXPgFStTXSLTBwjpnbVTtt8Ja
TRON: TLsday62mhM67Sv5G5Z5Ju66TezJuVFbiw
DGB: DUJ8W8QpmVex87posFPoDYGg5FrYCoMLGq
DOGE: DH9Sj3DQNVBaxb6kZBXc6X2MPQjbv7H6oy
ETH: 0xF2c21D9aCa782560169e23Cc83Ed195F9A3eA761
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
Credits:
- How to harden a new Linux VPS: https://www.heliumlabs.org/docs/how-to-harden-a-new-linux-vps
- Use Public Key Authentication with SSH: https://www.linode.com/docs/security/authentication/use-public-key-authentication-with-ssh/