title: "Several Security Configurations for Ubuntu VPS Servers [Linux]"
date: "2013-08-29"
categories:
- "system management"
tags:
- "centos"
- "linux"
- "ubuntu"
A month ago, I migrated my blog to a DigitalOcean VPS. Originally, I was considering using CentOS, but since Ubuntu Server offered a $20 credit compared to CentOS's $10 credit, I decided to use Ubuntu 12.04 as the VPS system. After logging in via SSH, I noticed that DigitalOcean had already strengthened the system, so some security configurations could be omitted. However, basic security configurations still need to be done. Below are the steps I took to configure the security of my Ubuntu VPS system, for your reference.
I installed LAMP+VSFTP as the WordPress service program and also enabled PPTP service for VPN bypassing.
- Change the root password. I believe I don't need to explain the reason for this step after logging into the system via SSH.
passwd
- Create a new user to replace the root role. In most cases, there is no need to use the root user. When necessary, use sudo instead.
Assuming the username is lidaren
Add the user with /home/lidaren as the home directory, bash as the shell, lidaren as the primary group, and sudo, adm, and root as additional groups. Usually, sudo alone is sufficient as the additional group.
useradd -d /home/lidaren -m -s /bin/bash -U -G sudo,adm,root lidaren # -U creates the lidaren group; -g lidaren fails when that group does not exist yet
passwd lidaren # Set the user password
- Modify the SSH configuration by editing the /etc/ssh/sshd_config file and disabling root access.
Change the port to any number except 22
port 60022
Disable root user from logging in via SSH
PermitRootLogin no
Disable users from logging in with empty passwords
PermitEmptyPasswords no
Limit the number of login retries after failure
MaxAuthTries 3
Restrict the users allowed to log in
AllowUsers lidaren
After making the changes, reload or restart sshd. On Ubuntu the init script is named ssh (sshd is the CentOS name).
/etc/init.d/ssh reload
or
/etc/init.d/ssh restart
Log out and log in using the newly created user.
- Finally, before leaving, remember to execute the following commands:
rm /root/.bash_history
rm /root/.mysql_history
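
The sshd_config changes in the SSH step only take effect if sshd actually uses the new lines: it keeps the first value it reads for single-valued keywords such as PermitRootLogin, and every Port line adds a listener, so settings appended below the stock lines can be silently ignored. The shell check below is an added example, not part of the original post. The function names and the two sample files are constructed for illustration, and it reads only the global section before any Match block.

```shell
#!/bin/sh
# Added example: audit the global part of an sshd_config for the settings above.

# values FILE KEYWORD: print every value set for KEYWORD, in file order.
# Keywords are case-insensitive; comment lines and Match blocks are skipped.
values() {
    awk -v key="$2" '
        $1 ~ /^#/                   { next }
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { print $2 }
    ' "$1"
}

# audit_sshd_config FILE: report each deviation, return 0 only if there is none.
audit_sshd_config() {
    cfg=$1; fail=0
    # Every Port line opens a listener; with no Port line sshd uses 22.
    ports=$(values "$cfg" Port)
    for p in ${ports:-22}; do
        [ "$p" != 22 ] || { echo "FAIL: sshd listens on port 22"; fail=1; }
    done
    # For single-valued keywords sshd keeps the first value it reads.
    root=$(values "$cfg" PermitRootLogin | head -n 1)
    [ "$root" = no ] || { echo "FAIL: PermitRootLogin is '${root:-unset}'"; fail=1; }
    empty=$(values "$cfg" PermitEmptyPasswords | head -n 1)
    [ "${empty:-no}" = no ] || { echo "FAIL: PermitEmptyPasswords is '$empty'"; fail=1; }
    tries=$(values "$cfg" MaxAuthTries | head -n 1)   # default is 6
    [ "${tries:-6}" -le 3 ] || { echo "FAIL: MaxAuthTries is ${tries:-6}"; fail=1; }
    [ -n "$(values "$cfg" AllowUsers)" ] || { echo "FAIL: AllowUsers is not set"; fail=1; }
    return "$fail"
}

# Constructed samples: "appended" keeps stock lines above the new settings.
write_samples() {
    printf '%s\n' 'Port 60022' 'PermitRootLogin no' 'PermitEmptyPasswords no' \
        'MaxAuthTries 3' 'AllowUsers lidaren' > "$1/edited"
    { printf '%s\n' '# stock lines left in place' 'Port 22' 'PermitRootLogin yes'
      cat "$1/edited"; } > "$1/appended"
}

dir=$(mktemp -d)
write_samples "$dir"
audit_sshd_config "$dir/edited" && echo "edited: OK"
audit_sshd_config "$dir/appended" || echo "appended: not hardened"
rm -rf "$dir"
```

On the server, `sshd -t` checks the file for syntax errors before the reload. Keep the current session open until a login as the new user on the new port has succeeded.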