A VPS (Virtual Private Server) is a powerful tool used for a wide range of tasks: web hosting, development, personal cloud storage, penetration testing (pentesting), security analysis, or running a VPN server. However, to ensure security and reliability, a VPS requires proper configuration and hardening. In this article, we will examine in detail all the key steps to create a secure VPS server that is suitable for both general tasks and specific needs such as pentesting.
Choosing a Provider and Operating System
The first important step is to choose a reliable VPS provider. When selecting a provider, pay attention to the following factors:
- Company reputation and customer reviews
- Server location and network
- Available operating system options
- Performance and scalability of tariff plans
- Level of technical support and documentation
For the operating system, it is recommended to choose one of the popular Linux distributions, such as Ubuntu, Debian, or CentOS. They have broad community support, frequent security updates, and are well-suited for server tasks.
If your goal is pentesting and security analysis, it is worth considering specialized distributions created specifically for these tasks, such as Kali Linux, ParrotOS, or BlackArch. These distributions provide a rich set of pre-installed tools for penetration testing, vulnerability analysis, reverse engineering, and other cybersecurity tasks.
However, even if you choose a universal distribution like Ubuntu or Debian, you can always additionally install and configure the necessary tools for pentesting. The main thing is to ensure reliable protection of the VPS itself so that it does not become a victim of attacks or a source of threats to other systems.
Setting up a VPS includes selecting a suitable provider, installing the operating system, configuring services, and securing the server. These steps are equally important for both general use and pentesting tasks.
Initial Server Setup
After creating the VPS, connect to it via SSH using the credentials provided by the provider. Then perform the following steps for initial setup:
- Update all installed packages to the latest versions:
sudo apt update && sudo apt upgrade -y
- Create a new user with sudo rights and set up SSH key authentication:
adduser johndoe
usermod -aG sudo johndoe
mkdir /home/johndoe/.ssh
chmod 700 /home/johndoe/.ssh
nano /home/johndoe/.ssh/authorized_keys # Paste your public SSH key
chmod 600 /home/johndoe/.ssh/authorized_keys
chown -R johndoe:johndoe /home/johndoe/.ssh
- Disable login for the root user and password login by editing the file /etc/ssh/sshd_config:
PermitRootLogin no
PasswordAuthentication no
- Restart the SSH service:
sudo systemctl restart sshd
Now you have the foundation for secure server access.
Strengthening SSH Security
SSH is the primary method of remote access to a VPS, so it’s important to strengthen its security. Here are some recommendations:
- Install fail2ban to protect against brute-force attacks:
sudo apt install fail2ban -y
The Fail2Ban logs are usually stored in the file /var/log/fail2ban.log. If you want to change the number of login attempts, blocking time, and other parameters, create a copy of the file jail.conf named jail.local in the /etc/fail2ban directory and work in this file. Files with .local have priority over .conf, so Fail2Ban will use your settings.
- Use only SSH key authentication (already set up in the previous step).
- Change the default SSH port (for example, to 2222) in the file /etc/ssh/sshd_config:
Port 2222
- Restrict SSH access to specific users by adding to /etc/ssh/sshd_config:
AllowUsers johndoe
- Enable 2FA (two-factor authentication) using Google Authenticator or other solutions.
After making changes, restart SSH:
sudo systemctl restart sshd
Setting Up Two-Factor Authentication (2FA)
Two-factor authentication significantly enhances security by requiring an additional one-time code when logging in via SSH. To set up 2FA using Google Authenticator, perform the following steps:
- Install the Google Authenticator PAM module on the server:
sudo apt install libpam-google-authenticator -y
- Run google-authenticator as the user and follow the instructions for setup:
su - johndoe
google-authenticator
Save the shown backup codes in a secure place.
- Edit the file /etc/pam.d/sshd and add to the end:
auth required pam_google_authenticator.so
- Edit the file /etc/ssh/sshd_config and add/modify:
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
- Restart the SSH service:
sudo systemctl restart sshd
Now when logging in via SSH, a one-time code from the Google Authenticator app will be requested in addition to the SSH key.
Configuring the Firewall
A firewall is an important component of server protection that allows restricting network access. It is recommended to use UFW (Uncomplicated Firewall) to configure firewall rules.
Install UFW
sudo apt install ufw -y
Set up rules to allow necessary services
For example:
sudo ufw allow 2222/tcp # SSH on port 2222
sudo ufw allow 80/tcp # HTTP
sudo ufw allow 443/tcp # HTTPS
Enable UFW
sudo ufw enable
IMPORTANT: do not enable UFW before allowing SSH connection. The default SSH port is 22; if you changed the port for SSH, specify your port.
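The lockout risk in the note above can be checked before running ufw enable. This added example (not from the original article) reads the rule list printed by ufw show added and reports whether inbound TCP to the SSH port is allowed. The function name ufw_allows_tcp_port and the sample rules are constructed; rules that use application profiles, port ranges or port lists are deliberately treated as not matching.

```sh
#!/bin/sh
# Added example: pre-flight check for "ufw enable".
# Reads "ufw show added" output on stdin; $1 is the port sshd listens on.
# On the server:
#   sudo ufw show added | ufw_allows_tcp_port 2222 && sudo ufw enable
ufw_allows_tcp_port() {
    awk -v want="$1" '
        $1 != "ufw" || ($2 != "allow" && $2 != "limit") { next }
        {
            port = ""; proto = ""
            if (NF == 3) {                  # simple form: ufw allow 2222/tcp
                n = split($3, part, "/")
                port = part[1]
                if (n > 1) proto = part[2]
            } else {                        # full form: ... port 2222 proto tcp
                for (i = 3; i < NF; i++) {
                    if ($i == "port")  port  = $(i + 1)
                    if ($i == "proto") proto = $(i + 1)
                }
            }
            # A rule without a protocol covers both TCP and UDP.
            if (port == want && (proto == "" || proto == "tcp")) ok = 1
        }
        END { exit !ok }'
}

# Constructed sample: web ports were added, SSH is still allowed only on 22,
# while sshd has already been moved to 2222.
SAMPLE_RULES='ufw allow 22/tcp
ufw allow 80/tcp
ufw allow 443/tcp'

if printf '%s\n' "$SAMPLE_RULES" | ufw_allows_tcp_port 2222; then
    echo "port 2222 is allowed: safe to enable ufw"
else
    echo "port 2222 is NOT allowed: add the rule before enabling ufw"
fi
```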
Server Monitoring
Regular server monitoring allows timely detection of potential problems and security threats. Some recommendations:
- Install monitoring tools such as Prometheus and Grafana for collecting and visualizing server metrics.
- Set up centralized log collection and analysis using solutions like the ELK stack (Elasticsearch, Logstash, Kibana).
- Use intrusion detection tools such as OSSEC or Suricata to identify suspicious activity.
- Regularly review logs for anomalies and signs of compromise.
Transferring Files to VPS
For secure file and resource transfer between the local machine and VPS, use the SCP utility. For example, to transfer the directory project to the user johndoe on the server:
scp -P 2222 -i ~/.ssh/vps_key -r ~/project johndoe@vps_ip:~/
This allows transferring data over an encrypted SSH connection without revealing it to third parties.
Conclusion
By following the detailed recommendations from this article, you will be able to create a secure VPS server suitable for both general tasks and pentesting. The key points:
- Carefully choose the provider and operating system
- Perform initial server setup and create a new sudo user
- Strengthen SSH security using fail2ban, a non-standard port, and user restrictions
- Set up two-factor authentication for SSH login
- Configure the firewall to restrict network access
- Install monitoring tools and regularly check logs
- Use SCP for secure file transfer
Don’t forget to install security updates in a timely manner and follow the news about vulnerabilities. With proper configuration, regular monitoring, and vigilance, your VPS will become a reliable and secure platform for your projects and experiments.