I neglected to mention the most probable vulnerability: someone gets the username and password to the VPS account or they find a way to socially engineer the customer support into giving them access.
Nice tutorial. Thanks AJ!
+AJ ONeal you say not to use wordpress on your website, so what alternative would you suggest that is noob friendly?
Very clear, to the point and extremely helpful
To be extra-paranoid you can add multifactor authentication and maybe port knocking
Could I point out that when you change your ssh port you need to configure fail2ban to block on that new port.
Yes, and I would suggest NOT changing the default sshd port from tcp/22. Once you've enabled fail2ban, your primary problem (automated SSH scanning) goes away. Reassigning the sshd port is trying to fix something that isn't broken. Additionally, it's very common for people to pipe nmap scans into their sshd scanners, so they already know what port you've changed it to. Regardless, doesn't matter because you've enabled fail2ban and the problem is solved. If you really want to try hiding the fact that you're running an SSH server, use port-knocking to obfuscate the server. But changing the port a service is listening on will not protect you from anything.
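Added example, not part of the original comments or the tutorial's own code: a small check for the mismatch raised above, where sshd has been moved to a new port but the fail2ban [sshd] jail still bans on the old one. The sample configs are constructed, the function names are hypothetical, and the parser assumes plain "Port" lines (no Include or ListenAddress handling).

```python
import configparser

# Constructed sample files for illustration only.
SSHD_CONFIG = """\
#Port 22
Port 2222
PermitRootLogin no
"""
JAIL_LOCAL_STALE = """\
[sshd]
enabled = true
port = ssh
"""
JAIL_LOCAL_FIXED = """\
[sshd]
enabled = true
port = 2222
"""

def sshd_ports(text):
    """Ports from uncommented Port directives; sshd defaults to 22."""
    ports = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].replace("=", " ").split()
        if len(fields) >= 2 and fields[0].lower() == "port":
            ports.add(int(fields[1]))
    return ports or {22}

def jail_ports(text, jail="sshd"):
    """Ports the jail bans on; fail2ban's stock sshd jail uses 'ssh' (22)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    raw = cp.get(jail, "port", fallback="ssh")
    ports = set()
    for item in (p.strip() for p in raw.split(",")):
        if item == "ssh":
            ports.add(22)
        elif item.isdigit():
            ports.add(int(item))
    return ports

def unprotected_ports(sshd_text, jail_text):
    """sshd ports that a ban from this jail would not cover."""
    return sorted(sshd_ports(sshd_text) - jail_ports(jail_text))

if __name__ == "__main__":
    print("stale jail:", unprotected_ports(SSHD_CONFIG, JAIL_LOCAL_STALE))
    print("fixed jail:", unprotected_ports(SSHD_CONFIG, JAIL_LOCAL_FIXED))
```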
This was awesome! Anything to add in 2018?
How do I get rid of a user?
After you set this up in the way you have done, can I install WordPress?
PS I'm a newbie
Great tutorial, thank you.
I have just one question concerning fail2ban: is a default config (jail) enough?
nice stuff AJ
Thank you for the nice tutorial. I have a DigitalOcean account and I followed all the steps, but I don't have a Mac. I am using Windows 8.1, so I am using PuTTY, but there are some differences from your window. May I know what you are using? I failed to log in after I changed my port. (Server refused public-key signature despite accepting key!). Anyway, I will rebuild it again. I am new to VPS. I don't know how to secure a VPS. I am using Webuzo cPanel on it because it is easy to use. So please tell us the software you are showing.
I was running this on OS X which had XCode Tools, brew, iTerm, and fish already installed. XCode Tools and brew are necessary.
iTerm and fish are what gave me the pretty terminal and shell, but they are not necessary.
sudo ufw enable
sudo: ufw: command not found
Install ufw first :-) sudo apt-get install ufw
Nice one, helped me a lot :)
Super Good !