• All steps to a clean OVH VPS install
• Script to make a VPS more secure(This Gist)
• Scripts to install Potherca projects on OVH VPS
In 2019 I moved various web-apps I have created to a VPS (hosted by OVH).
I strongly believe in automating things and making virtual setups easy to throw away/start again.
This project contains script(s) and files that make a fresh VPS more secure.
The script is meant to be run once directly after first login (as root) in a clean VPS.
- Log in to the VPS
- Clone this repository
- Run the main script
git clone https://gist.github.com/fbfc656f62a91e67820019bc0aa64256.git secure-server
bash ./secure-server/secure-server.sh 'potherca' 'My $3cr3t P@$$w0rd'
To install this project, clone the repository:
git clone https://gist.github.com/fbfc656f62a91e67820019bc0aa64256.git secure-server
To use this project, run the main script.
The script requires one parameter, the name of the user to create.
Example:
bash ./secure-server/secure-server.sh 'potherca' 'My $3cr3t P@$$w0rd'
To make the server more secure, the script does the following:
- Create a regular user (with restricted rights)
- Add the new user to the (newly created) group specifically for ssh-users
- Add the new user to the (already existing) group specifically for sudo users
- Setup SSH Daemon configuration (as advised by various reputable online sources)
- Regenerate Diffie-Hellman Moduli (used by SSH server for key exchange) and remove small (potentially unsafe) moduli
- Setup 2FA (Two Factor Authentication) using Google Authenticator PAM module
- Setup fail2ban to help mitigate DDOS attacks
- Remove the password associated with the "root" user
For fun it also adds a SSH banner.
The following advice was specifically not followed:
-
Re-generate the RSA and ED25519 keys
Not needed as the script is run on a freshly installed VPS. This means the keys have just been generated. Re-generating does not have much benefit. -
Remove
/etc/ssh/ssh_host_*keys
Instead, theHostKeysetting is used to explicitly set which keys to use -
Change the password associated with the "root" user
The password is removed entirely, rather than changed. -
Change the port for SSH
The argument for changing the SSH port is to lessen the amount of hits to the standard port 22. However, from personal experience, I don't see any less port scans on the chnaged port. Also, changing the port means one has to remember which port SSH was changed to.
The following sources (in no particular order) were used to create this project:
- https://docs.ovh.com/gb/en/vps/tips-for-securing-a-vps/
- https://infosec.mozilla.org/guidelines/openssh
- https://linux-audit.com/audit-and-harden-your-ssh-configuration/
- https://stribika.github.io/2015/01/04/secure-secure-shell.html
- https://www.ssh-audit.com/hardening_guides.html
My thanks also goes out to @mjrider for sanity checks.
This project has been created by Potherca and is licensed under a GPL-3.0+ License. (GNU General Public License v3.0 or later).
Copyright (C) 2019 Potherca
This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see http://www.gnu.org/licenses/.