How to Secure a VPS
- Published 7 Aug 2024
- In this video I show you how to secure a VPS using methods like disabling root ssh login, changing default port for SSH, updating and removing unnecessary software, and creating firewall rules.
₿💰💵💲Help Support the Channel by Donating Crypto💲💵💰₿
Get a Vultr VPS today
www.vultr.com/?ref=8791233
thumbnails are getting weirder...
And i love it!
hent AI
👀
@@rogueanuerz Hell yeah!
I feel oddly attracted to that thumbnail
the longer I look at that thumbnail, the less faith in humanity I have
We need Doom Guy to remove this evil from Earth.
i think you need some steve winwood in your life. ride the tiger my frens
@@thechadbuddha baste
Yes officer, this thumbnail right here
If there's ever a time for glowies to take action, this would be it.
@@deoxal7947 I just searched what "glowies" are and it's the funniest shit XD
@@crashedbruh Just 4chan bleeding over. I think it started with Terry Davis though.
@@deoxal7947 I have never opened the actual 4chan site, like all I know about it is from the r/4chan sub and youtube compilations like deep dives and green text compilations and shit, it's intriguing stuff (with huge amounts of racial and homophobic slurs being thrown around but ig, I HOPE, it's not all like that)
I had totally forgotten about Terry Davis, just searched it up and saw something like "god's lonely programmer" and I instantly remembered TempleOS and that it's one of the coolest and one of the sadder rabbit holes on the internet; that thing needs to be STUDIED rather than just be an online mystery
@@crashedbruh I've visited it a couple times and the web design is pretty bad. I see people linking to other threads and comments, but I couldn't seem to do it. Not everyone there is racist but it's the majority of /pol/. A big part of it is saying radical things anonymously because previously normal views will get people fired.
Daddy outlaw teaching script kiddies how to protect themselves from each other
how to protected
"how tu haz hasx vps plz, help im new"
"o mentos utlew mad vidxco, im exprt protecc naw, hahahahahahahahahaha"
"o no im pwnd, wat appn"
It made me think of securing my vps which I almost didn't use, so it's a good thing.
@@silentpenguin3001
I had no script for this.
I am a novice at doing anything on my own
that thumbnail, Bill wants you to come inside
I don’t know if I should do that, he might give me a virus
(this can be interpreted 3 different ways)
@@camwha5904 lmfao
I must thank God for not having recommended this channel to my dear ol' dad a while ago
...I just did a few days ago
SSH into it and disable SSH. Perfect security.
I was thinking the other day about getting a server, but had no idea how to go through all the steps of securing it, and expected to be scrounging for information for a while. But Kenny does it again, releasing the exact video I need!
Krusty Krab Doge
The first thing I do when I set up login for a VPS is ensure SSH keys are set and that AllowPasswordLogin in /etc/ssh/sshd_config is set to no.
Good m'n.
Hey man, just wanted to let you know that your content is awesome. I am so glad I found it. Thanks!
If you decide to stick with password authentication in SSH, it is always good to specify which users specifically can SSH in. This way you don't need to worry about disabling system-generated users.
I think automatic security updates are also pretty important - love the channel, thanks for all the content
S-Tier thumbnail, one of my favorites you made so far
Very nice video, even if it explains only the very basics of securing a VPS. It's incredible that there is no one telling you these things like on the provider website or somewhere else easily accessible...
Another good topic would be how to securely setup TLS on Nginx with Letsencrypt (with perfect forward secrecy) :D
Useful advices, thanks for that.
Tksss, I was looking for this yesterday
Awesome content as always.
Love the security content!
I think you should have put more emphasis on ssh keys over passwords and also shown how to disable password based authentication.
AWS for example doesn't even give you a password, when you create an ec2 instance but just a private key for that server
Mental outlaw saying some weird linux commands
Me as a windows user: yes.
Will come in handy later.
These videos are great
Great video, I especially liked the iptables part since that is something I don't fully control yet, but I would have wished that you had mentioned SSH keys and disabling password logins, since then an attacker would need to bruteforce (or steal) the key itself and then the password protecting the key
Didn't he at the end?
"Whenever you use a close source OS, somewhere in the world a penguin cries." LoL
Dude in the thumbnail standing behind bowling pins is kinda strange...
those are legs
@@KitOkunari Nonsense! They're pointing in the wrong direction to be legs, silly goose...
Right on time!
I also have a different ssh port, but I'd not bind it to a port that is accessible in user space. It would be better to use a port below 1024, so that in case someone got into the system through the www-data user, it can't rebind the port to listen to it as well. But that's just my two cents :)
I basically do the same things you do. But on my VPS for some reason the amount of bruteforcing attacks on my SSH service was absolutely ridiculous, even while running on a non-standard port. Running fail2ban only worked for a very short time before someone decided that using a botnet was more fun. No idea what makes my VPS so interesting to those guys, but whatever.
On top of all the security I already had I decided to configure port knocking. At least no more automated attacks make it through the firewall so poor sshd can get some rest, geez!
I understand everything here.
I think.....
watch luke smith's video on website hosting , might make things easier to understand
Disable ssh password login.
Very important.
On my raspberry pi which I used to ssh into, in addition to what you showed in the video, I disabled password authentication and only used ssh keys, whitelisted the host keys that could connect via ssh, used ufw (for easier iptables configuration), used fail2ban to permanently ban any IP that failed authentication, and logged every connection attempt. You never know with those bioluminescent 3-letter agencies...
Nice. Did you get any bites? I guess you would have mentioned if you did.
@@der0keks You mean if someone tried to connect? In that case, once I was weirded out because immediately after setting it up a connection attempt from an unrecognized IP was logged. It was only later that I figured out that it had been me using canyouseeme dot org to check if I had forwarded the ports correctly from my router 🤣 nothing else besides that
You should not really change the ssh port in the config. Ports under 1024 are privileged ports and give at least in some scenarios an extra layer of security.
Would be better to forward the connections to port 5555 (or some other) to listening port 22 and prevent direct connections to port 22.
Alpine Linux has a very nice wiki. One thing I learned from there is to make a remote user with basically no rights other than being able to change user, then a second user that has root access. You login on the first user, switch, do your stuff, exit, then upon exiting the first user as well, it removes all your commands history. Other than this, what I personally like doing is disable password authentication in sshd. And the passwords I generate for the admin user are humongous.
Literally just did this today. I like to disable httpd which seems to be installed by default for some VPS. I then setup fail2ban for sshd and openvpn. If mysql is running disable the root account (different than system root). Scan the system with nmap to see what might still be open. Then sit back and watch all the Chinese and Indonesian IPs get logged in your fail2ban list.
The thumbnail is a little bit inappropriate but the video is really interesting
Am I stupid or something for strongly disliking VPS and strongly preferring owning the hardware, renting rack space for it, and subscribing directly to a broadband ISP to provide internet access to it?
The more control you have the better, although depending on the application you need to run you might not have enough bandwidth to do that where you're located.
I actually was waiting for fail2ban to get mentioned!
If you use LastPass or something you can just generate a 30-character password and you are fine... much more convenient than running around with key files, and you can pretty safely use root login as well
iptables isn't persistent! On restart, your rules will not be applied. If you are new to security and you are watching this video, it's probably better to use ufw. Instead of adding the drop-all-others rule to the end of the chain, you can instead change the policy using iptables -P. Hope this helps people.
This content is too smart my brain hurts
IIRC Vultr doesn't enable root login if you add SSH keys to your VPS
I'd be cautious with adding/changing iptables rules on a host using docker. There's been a lot of instances of docker overwriting explicit rules on restart. The solution seems to be adding your custom rules to the DOCKER-USER chain.
blog.donnex.net/docker-and-iptables-filtering/
Changing the SSH port isn't really security through obscurity. Everyone knows that I changed the port (at least after trying 22), so the method is known. I'd consider it similar to changing the PIN to something other than the default on a device: it can easily be gotten, but it's not security through obscurity.
Moving the SSH to another port is pointless. The real thing to do is allow access only through VPN.
@@ighea The real thing to do is port knocking and stuff
Or, if you're like me, don't even use a VPS and use something like Kubernetes or Google Cloud Run..
This just adds one extra step, the attacker would have to scan ports first, which is not a big deal and won't take up much time, it just eliminates most of automated attacks, they just knock to 22.
Hey Mental Outlaw, full Gentoo guide? Tried compiling packages via portage but after install I always have issues installing packages because of ebuild problems and always need -autounmask on. I also have extremely slow portage compile times even when I applied all tweaks like makeopts, distcc and ccache, even when installing binaries. I don't really know what FLAGS are and what USE flags are. In general portage is so slow that I wanna go back to Arch, but it uses systemd and is a little bloated in terms of utils.
nice vid. no kernel hardening?
"nice vid"
0:34
something doesn't add up bro
What does kernel hardening affect here?? (Sorry if it's a very basic question 😅)
You could also use vultr firewall
Which linux distro do you use?
Why not just use UFW?
Also, would you do a video on monitoring a VPS? Such as log analytics setup and which software you can use to gain quicker insights into threats and such?
Thank you for the tutorial.
After adding the final rule, apt update does not connect.
I'm not gonna enter into too much detail, but here is what I do, and people who have played any kind of old game will notice a pattern: at my company I have a corporate contract with my ISP so that my connection has a static IP address, so on top of everything in this video I add a filter on iptables to only accept SSH connections from my company office IP address.
Also very important for remote MySQL users: set up SSL connections, that's something I often notice being forgotten in some setups
cool
I do most of these things, however I keep port 22 and instead just restrict it on my VPS firewall to my organization's IP only.
These videos are usually funny, security videos in general. I mean, why did you choose this exact sshd port? Asking for a friend.
I have a project idea for when I finish learning Rust and some web stuff. Take the Servo backend (it's now under the Linux foundation), make it more private and remove bloat (like hololense support), give it features like Gopher and Gemini support, Tor windows etc. As well as a GTK4 based interface. Include stuff like right click to play in MPV or related, ad and tracker block. I think this would be a fantastic browser.
cool
Absolutely based
I use ufw for firewall and also use fail2jail to prevent a ssh brute force attack
I saw the thumbnail and I clicked fast... the close tab button, and came back 24 hours later
I'm gonna correct you on the Windows spiel in the beginning of the video. Windows Server 2016, afaik, is still the standard as I type this. Windows Server is an entirely different beast than maintaining a Linux or UNIX server. Although, I wouldn't use it for a VPS anyways, that part I can agree with. Windows Server should only really be used to run a DC, imo.
Does this also work on centos?
After running iptables I no longer have internet access on my server :(
I do login through public key and disabled pwd
regarding the default drop at the end of INPUT, you should instead use the default rule (sudo iptables -P INPUT DROP) instead of the last rule.
I looked for this comment but didn't find it at first so I said the same thing. Now I feel a little less amazing ...
The way you said iptables at 8:30 made me think for a sec you said something different
I also add custom fail2ban rule so that any pubkey authentication attempts to root are picked up after 3 tries. I know it's pretty extreme but some people still try to break in by attempting it multiple times.
Good advice, I also use fail2ban with one failed try = permaban, no mercy for invaders :D
can we get a vid on StormOS? its an arch-based distro aiming to be the next manjaro
Rather odd initial graphic. Is it a VPS thing?
Also try out nftables :)
You should rather use ufw than iptables as a firewall, much simpler and easier, and you're not able to easily break the whole networking
Hey, I just compared the prices of vultr and strato (80$ vs 9$ for pretty much the same machine)
I was wondering why vultr is so much more expensive, any idea why?
Brand
1. Disable password for ssh, use gpg keys only. Add them to your local ssh config.
2. Instead of changing ports for ssh, use ufw(or whatever you're comfortable with) and limit ssh port.
1. he said at the end.
2. iptables -A TCP -p tcp -m tcp --dport 22 -m limit --limit 2/min -j ACCEPT is what you are looking for. There can be a lot more added to it, but that's the simplified version for you.
Why does everyone have such a hard time writing iptables? They were one of the first things I've learned. They are as simple as writing music. The switch to nftables was way more interesting.
@@callisoncaffrey I did write iptables before ufw. Ufw is more convenient for me, I don't mind a little bloat.
@@adityasadawarte2532 To be honest, I've never seen this UFW everybody is talking about. I just can't imagine there is something more convenient than the tables. Okay, nftables when it comes to replacing ipsets and ip6- and arptables. Still don't know how the ingress hook works there, and what's even worse, I don't even know what I should read, because there doesn't seem to be ... actually now I get why people prefer this UFW thing.
I'm not even going to say anything about the thumbnail design, apart from it would be cool if the text was readable.
Strange that you're not flat out suggesting ssh/gpg keys. I tend to use keys any time I can.
So... can you trust a Linux install when it's running in a cloud?
By trust I mean not having to trust them
Hmm. Hadn't heard of Vultr before.
For 5/month, Vultr gives 1 CPU core, 1 GB RAM, 25 GB SSD, 1 TB bandwidth.
For 5.10/month (with 24 month deal, otherwise 6/month), OVHcloud gives 1 CPU core, 2 GB RAM (double), 40 GB SSD (nearly double), 250 Mbit connection without any limit (unmetered).
I found vpsbenchmarks comparison of the two providers and both Vultr and OVHcloud get an "F" at CPU performance. OVHcloud scores 3.0/20, and Vultr worse at 2.5/20. So both are weak. But good enough for my needs.
And OVHcloud scores 12.1/20 at Web performance, whereas Vultr only scores 4.0/20.
And OVHcloud also scores a bit better in Performance Stability (less fluctuation in response times) and Disk IO Performance (twice as fast disk reads).
The only thing Vultr won at was network performance, which turns out to be because they give 745 mbit down and 183 mbit up, while OVHcloud gives 244 mbit down and 195 mbit up. So if you run something where the server's speed at receiving data matters, Vultr is better, but beware of the 1000 GB monthly transfer limit. With some quick math at kylesconverter's "Gigabytes Per Month to Megabits Per Second" calculator, I see that 1000 gigabytes per month is equal to a 24/7 speed of 3.1 mbit/second. If it's just for a tiny website or email server it's fine, but I really don't like having a limit like this. It also means that a DDOS could eat up the entire allowance.
I'll choose OVHcloud. All the other performance benefits settle it. The unmetered bandwidth is icing on the cake.
How about apparmor?
Fail2ban is a really great addition to prevent ssh bruteforcing
I couldn't read that thumbnail. Link please?
6:10 missed the opportunity to change it to the very dank 42069
*how to hide and protect data leak DNS & ISP?*
Even better use a hypervisor like Proxmox and make an unprivileged VM via LXD for minimal (if any) performance loss.
Just set the input policy to drop with iptables -P INPUT DROP. Now everything that isn't specifically allowed gets dropped. No need for -j DROP at the end. Also I prefer iptables -S over -L, but that's just me.
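Putting the firewall advice from this thread into one file, as an added example that is not code from the video or from any commenter: the chain policy is set to DROP (the iptables -P INPUT DROP point made several times above) instead of a trailing DROP rule, new SSH connections are rate limited per source, and the output is in iptables-restore format so iptables-persistent can reload it at boot. It also carries the conntrack ESTABLISHED,RELATED rule, whose absence is the usual cause of the "apt update no longer connects" problem reported above. SSH_PORT, the rate-limit numbers and the /etc/iptables/rules.v4 path are assumptions; apply and save need root.

```shell
#!/bin/sh
# Added example (not from the video or any commenter). Emits a complete
# INPUT policy in iptables-restore format: the chain policy is DROP, so no
# trailing "-j DROP" rule is needed, and writing the output to
# /etc/iptables/rules.v4 (Debian/Ubuntu iptables-persistent) makes it
# survive a reboot. SSH_PORT and the rate-limit numbers are assumptions.
SSH_PORT="${SSH_PORT:-22}"

gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback must stay open or local services and resolvers break
-A INPUT -i lo -j ACCEPT
# replies to connections this host opened: without this line "apt update",
# DNS answers and every other outbound connection silently stop working
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ping stays useful for diagnosing the box; remove if you disagree
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# new SSH connections: more than 5 from one source in 60 s get dropped
-A INPUT -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -m recent --set --name SSH
-A INPUT -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 5 --name SSH -j DROP
-A INPUT -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# check_rules: sanity checks the ruleset before it is loaded; returns 1 on
# a problem so it can gate "apply" and "save" below.
check_rules() {
    rules=$(gen_rules)
    # the policy line, not a last rule, is what drops everything else
    echo "$rules" | grep -q '^:INPUT DROP' || return 1
    # a catch-all DROP rule would shadow any ACCEPT rule appended after it
    if echo "$rules" | grep -q '^-A INPUT -j DROP$'; then return 1; fi
    # the line that keeps outbound connections working
    echo "$rules" | grep -q 'ESTABLISHED,RELATED -j ACCEPT' || return 1
    # the table must be terminated or iptables-restore rejects the file
    [ "$(echo "$rules" | tail -n 1)" = "COMMIT" ] || return 1
}

# usage: sh vps-fw.sh show | apply | save   (apply and save need root)
case "${1:-}" in
    show)  gen_rules ;;
    apply) check_rules && gen_rules | iptables-restore ;;
    save)  check_rules && gen_rules > /etc/iptables/rules.v4 ;;
esac
```

Run "show" first and read the output; "apply" loads it live, and if you lock yourself out of SSH a reboot without "save" brings the old state back, which is the one time non-persistence is your friend.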
*IppSec has joined the chat*
i am way ahead of you ! i am soo poor i can never have a vps. checkmate hackers !
You can also disable logging in with password and use ssh key file instead
Didn't he say that at the end?
"...It doesn't matter if it's a static HTML page, if it's gonna be some kind of online service, or if it's just going to be an Iranian TLS proxy for Signal users." I love the fact that the last part of that sentence isn't a joke.
Oh look at that, I use Vultr too
Ah yes the uber hardened openbsd fish logo
Use sshkeygen instead of a password; Luke smith did this.
You should honestly disable root login, enable key authentication, and disable password authentication. Also, for those looking into OpenBSD - pf's config syntax is somewhat human understandable.
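The sshd side of the same advice (disable root login, key-only authentication, an explicit AllowUsers list so system-generated accounts cannot be tried), as an added example rather than code from the video or any commenter: a drop-in config plus a small audit that reads an sshd_config the way sshd does and reports the weak settings. ADMIN_USER, the drop-in path and the two constructed sample configs are assumptions.

```shell
#!/bin/sh
# Added example, not from the video or any commenter: a hardening drop-in
# for OpenSSH plus a small audit that flags the weak settings this thread
# keeps returning to. ADMIN_USER and the drop-in path are assumptions.
# OpenSSH reads /etc/ssh/sshd_config.d/*.conf through the Include line that
# Debian/Ubuntu put at the top of sshd_config; the first value seen for a
# keyword wins, so a drop-in there overrides the defaults further down.
ADMIN_USER="${ADMIN_USER:-deploy}"

hardening_conf() {
    cat <<EOF
# /etc/ssh/sshd_config.d/10-hardening.conf (assumed location)
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
# only this account may log in; system-generated users are implicitly denied
AllowUsers ${ADMIN_USER}
MaxAuthTries 3
LoginGraceTime 20
EOF
}

# audit_sshd FILE: print one line per weak setting, return 1 if any.
# Like sshd, only the first uncommented occurrence of a keyword counts; a
# keyword that never appears is judged against OpenSSH's built-in default.
audit_sshd() {
    file="$1"; bad=0
    for pair in "PermitRootLogin=no=prohibit-password" \
                "PasswordAuthentication=no=yes" \
                "PubkeyAuthentication=yes=yes"; do
        key=${pair%%=*}; rest=${pair#*=}; want=${rest%%=*}; default=${rest#*=}
        got=$(awk -v k="$key" 'tolower($1)==tolower(k){print tolower($2); exit}' "$file")
        [ -n "$got" ] || got="$default (default)"
        if [ "${got%% *}" != "$want" ]; then
            echo "weak: $key is '$got', want '$want'"
            bad=1
        fi
    done
    if ! awk 'tolower($1)=="allowusers"||tolower($1)=="allowgroups"{f=1} END{exit !f}' "$file"; then
        echo "weak: no AllowUsers/AllowGroups line, so every local account may attempt a login"
        bad=1
    fi
    return $bad
}

# demo on two constructed configs (not files taken from any real server)
demo() {
    tmp=$(mktemp -d)
    printf 'Port 22\nPermitRootLogin yes\n#PasswordAuthentication no\n' > "$tmp/weak.conf"
    hardening_conf > "$tmp/hardened.conf"
    for f in weak hardened; do
        if audit_sshd "$tmp/$f.conf"; then echo "$f.conf: ok"; else echo "$f.conf: fix the lines above"; fi
    done
    rm -rf "$tmp"
}
case "${1:-}" in demo) demo ;; esac
```

Before restarting sshd with the drop-in in place, keep your current session open and confirm a fresh key-based login works from a second terminal; the audit checks settings, not whether your key is actually installed.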
That thumbnail 😂
Can you upload to lbry and/or peertube?
he does
Damn, your clickbait skill is increasing day by day
You can use fail2ban to secure against bots.
The simpler way to list netfilter rules
# iptables -S
# iptables -t nat -S
or just want to list certain chain's rules.
# iptables -S INPUT
# iptables -t nat -S POSTROUTING
Thank you.
but of course, there is nothing you can do to secure your data from your cloud provider, unless you are only using the server as a means of moving and storing data that was locally encrypted and will be locally unencrypted
I don't think I've ever actually had root ssh enabled after any installation of any OS 😳
I'll consider BSD when it stops mooching off linux ports. Calling it more secure is quite uninformed, only thing you gain is security by obscurity.
I think hackers/people running scripts have already accounted for people changing the port to 69/ 420 or some other meme number.
1337?
Port scanning is easy, but moving it from 22 is good against some bots.
@@Sharp931 Oh yeah absolutely I think changing the default ports are still a good idea.
Or just keep the root login enabled, and disable password auth...
Keys ftw. Also, UFW ftw, f**k iptables.
UFW is a frontend for iptables. So if you can't write your own, it does it for you. What you said doesn't make any sense, it just showed that you have no idea what you are talking about. Next time if you want to look cool, say you prefer nftables over iptables. Or if you want to be even cooler than that, pretend like you know what PF is.
do you have a discord server?
Thou shalt do a video on Docker