Using, operating, and maintaining a VPS is a discipline of its own, and securing one starts with the details. For novice users, the following settings are recommended after purchasing a VPS to maximize its security.
1. Change the root password and restrict root login
1.1 Change the root password
Use an SSH client (such as PuTTY or Xshell) and enter the IP, port (22), account (root), and password supplied by the VPS service provider to connect to the VPS. If the IP is blocked, you can ask the service provider to change it to an available IP (usually the IP can be changed once for free; the specific rules depend on the service provider).
After logging in to the VPS as root, run the command passwd and enter the password you want to set (the input is not displayed) to change the initial root password.
1.2 Change the VPS login username
Create a regular login user and restrict root account login, then connect to the VPS with the regular account and elevate privileges when needed (operate with caution). The reason is that the root account is an easy target for scanning and cracking, so changing the VPS login username makes cracking harder. The specific steps are as follows:
1.2.1 As root, create a regular user: sudo adduser <username> (replace <username> with the username you want to set);
1.2.2 Add the new user (the <username> filled in above) to the sudo group to obtain administrator privileges: sudo usermod -aG sudo <username>
1.2.3 Test whether the new username can log in successfully.
Method 1: Enter the command su - <username> to switch to the new user's environment, and enter the password (the root password just modified) when prompted; after the new user logs in successfully, enter the sudo command to enter the new user's administrator environment.
Method 2: After the setup in step 1.2.2, exit the root account's SSH connection and log in again with the new username and root password.
1.3 Disable Root login
After connecting to the VPS with the new username, run sudo nano /etc/ssh/sshd_config to open the SSH configuration file for editing;
Find the "PermitRootLogin" item and change it to PermitRootLogin no, then save the file and exit (ctrl+x to save and exit);
Restart the SSH service: sudo systemctl restart ssh. After the restart, the root username can no longer be used to log in to the VPS.
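An added check for step 1.3, not part of the original article: sshd uses the first value it reads for each keyword, so a PermitRootLogin no placed below an existing PermitRootLogin yes has no effect. The helper names effective_root_login and root_login_disabled are hypothetical, and the sample configuration is constructed; the parser does not follow Include lines, so on a live host sudo sshd -T prints the effective configuration.

```shell
#!/bin/sh
# Added example (not from the article). Reports the PermitRootLogin value in
# force in the global section of an sshd_config-style file.
# sshd rules modelled: keywords are case-insensitive, "Key=value" is accepted,
# the FIRST value read for a keyword wins, and lines after "Match" are conditional.
# Not modelled (assumption): Include lines are not followed.
effective_root_login() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)             # drop leading indentation
            sub(/[ \t]*=[ \t]*/, " ", line)      # normalise "Key=value"
            n = split(line, f, /[ \t]+/)
            key = tolower(f[1])
            if (key == "match") exit             # global section ends here
            if (key == "permitrootlogin" && n >= 2) { print f[2]; found = 1; exit }
        }
        END { if (!found) print "default" }      # keyword absent: built-in default applies
    ' "$@"
}

# Succeeds only when root login is explicitly disabled.
root_login_disabled() {
    [ "$(effective_root_login "$@")" = "no" ]
}

# Constructed sample: the line from step 1.3 was appended below an existing "yes".
sample=$(mktemp)
printf '%s\n' '#PermitRootLogin prohibit-password' 'PermitRootLogin yes' \
    'PasswordAuthentication yes' 'PermitRootLogin no' > "$sample"
echo "effective PermitRootLogin: $(effective_root_login "$sample")"
rm -f "$sample"
```

Run root_login_disabled /etc/ssh/sshd_config before restarting the SSH service; a non-zero exit status means root login is still allowed by the file's global section.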
1.4 Prevent SSH brute force cracking
1.4.1 Create a shell script
First, enter the following command to open the script file that blocks SSH brute-force attempts:
vi /usr/local/bin/secure_ssh.sh
Then, write the following content in the script file:
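#!/bin/bash
# Count failed SSH logins per source IP and write "IP=count" pairs to black.txt.
# /var/log/secure is the CentOS/RHEL log; Debian/Ubuntu write to /var/log/auth.log.
# Entries in /etc/hosts.deny only take effect if sshd is built with TCP wrappers (libwrap).
awk '/Failed/{print $(NF-3)}' /var/log/secure | sort | uniq -c | awk '{print $2"="$1}' > /usr/local/bin/black.txt
while IFS='=' read -r IP NUM
do
    # Deny an IP after more than 7 failures, unless it is already listed.
    if [ "$NUM" -gt 7 ]; then
        # -x -F: match the whole line literally, so 1.2.3.4 does not match 11.2.3.45
        if ! grep -qxF "sshd:$IP:deny" /etc/hosts.deny; then
            echo "sshd:$IP:deny" >> /etc/hosts.deny
        fi
    fi
done < /usr/local/bin/black.txt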
1.4.2 Create a cron job
First, run crontab -e to open the cron editor, and add the following line to the file (it runs the anti-SSH brute force script every 3 minutes):
*/3 * * * * sh /usr/local/bin/secure_ssh.sh
2. Perform system updates and additions/deletions
2.1 Update the system, necessary dependencies, and remove unnecessary installation packages
For Ubuntu/Debian, enter:
apt update -y && apt full-upgrade -y && apt autoremove -y && apt autoclean -y
For CentOS/RHEL, enter:
yum update -y && yum upgrade -y && yum autoremove -y && yum clean all
2.2 One-click garbage cleaning
For Ubuntu/Debian, enter:
sudo apt autoremove --purge -y
sudo apt clean -y
sudo apt autoclean -y
sudo apt remove --purge $(dpkg -l | awk '/^rc/ {print $2}') -y
sudo journalctl --rotate
sudo journalctl --vacuum-time=1s
sudo journalctl --vacuum-size=50M
sudo apt remove --purge $(dpkg -l | awk '/^ii +linux-(image|headers)-[^ ]+/{print $2}' | grep -v "$(uname -r | sed 's/-.*//')" | xargs) -y
For CentOS, enter:
sudo yum autoremove
sudo yum clean all
sudo journalctl --rotate
sudo journalctl --vacuum-time=1s
sudo journalctl --vacuum-size=50M
sudo yum remove $(rpm -qa kernel | grep -v $(uname -r))
3. Disable Virtio-Balloon to prevent VPS service providers from overselling and affecting performance
Virtio-Balloon can be understood as a plugin that dynamically allocates the virtual memory of the VPS host. When the VPS service provider oversells, however, the performance of other users' VPS instances is affected. We therefore need to check whether this plugin exists and, if so, it is recommended to disable it.
3.1 Query command:
lsmod | grep virtio_balloon
It is enabled on my Racknerd VPS, as shown in the figure:
[Figure: Racknerd Virtio Balloon]
3.2 Disable methods:
Method 1: Uninstall Virtio-Balloon
On Racknerd, Virtio-Balloon is not built into the system and can be unloaded temporarily with the command rmmod virtio_balloon; to make the change permanent, you need to modify the relevant system rules:
vi /etc/modprobe.d/blacklist.conf
Write the following content and save and exit:
blacklist virtio_balloon
Update the initramfs so the change is applied at boot:
update-initramfs -u
Method 1 is based on this article: Disable Virtio-Balloon.
Method 2: Disable Virtio-Balloon by modifying Grub configuration
For a VPS with virtio_balloon built in, such as Cloudcone, lsmod | grep virtio_balloon finds nothing, but after entering rmmod virtio_balloon, virtio_balloon is reported as built-in. In this case virtio_balloon is not loaded as a module but compiled directly into the kernel, so you need to modify the Grub configuration.
- Open the Grub configuration file: sudo nano /etc/default/grub
- Add the line GRUB_CMDLINE_LINUX="virtio_balloon=0"; or, in the original GRUB_CMDLINE_LINUX, insert virtio_balloon=0 at the beginning of the value on the right side of the equals sign, followed by a half-width (ASCII) space.
- Save and exit with Ctrl+X, enter sudo update-grub to update the configuration, and enter sudo reboot to restart the system.
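An added helper for section 3, not part of the original article: it tells you whether Method 1 or Method 2 applies on a given VPS and lets you confirm afterwards that the change is in place. The function names are hypothetical; the file arguments default to the live system paths (/proc/modules, modules.builtin, /etc/modprobe.d, /proc/cmdline) and can be pointed at copies.

```shell
#!/bin/sh
# Added example (not from the article). File arguments default to the live
# system paths so the functions can also be run against constructed copies.

# Prints "module" (Method 1 applies), "builtin" (Method 2 applies) or "absent".
balloon_state() {
    proc_modules=${1:-/proc/modules}                        # what lsmod reads
    builtin_list=${2:-/lib/modules/$(uname -r)/modules.builtin}
    if [ -r "$proc_modules" ] && grep -q '^virtio_balloon ' "$proc_modules"; then
        echo module
    elif [ -r "$builtin_list" ] && grep -q '/virtio_balloon\.ko$' "$builtin_list"; then
        echo builtin
    else
        echo absent
    fi
}

# Method 1 persistence: is there an active "blacklist virtio_balloon" line?
# modprobe treats "-" and "_" in module names as the same character.
balloon_blacklisted() {
    cat "${1:-/etc/modprobe.d}"/*.conf 2>/dev/null |
        grep -Eq '^[[:space:]]*blacklist[[:space:]]+virtio[_-]balloon[[:space:]]*$'
}

# Method 2 check after reboot: did virtio_balloon=0 reach the kernel command line?
balloon_param_on_cmdline() {
    tr ' ' '\n' < "${1:-/proc/cmdline}" | grep -qx 'virtio_balloon=0'
}

echo "virtio_balloon on this host: $(balloon_state)"
```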
With the above settings in place, the security of the VPS is noticeably improved.
Note: This article was originally published on January 17, 2024, and is archived here.