How to Set Up a Secure VPS Server for Pentesting and General Use

VPS (Virtual Private Server) is a powerful tool that finds application in a wide range of tasks: from web hosting, development, and organization of personal cloud storage to penetration testing (pentesting), security analysis, or a VPN server. However, to ensure security and reliability, a VPS requires proper configuration and hardening. In this article, we will examine in detail all the key steps to create a secure VPS server that is suitable for both general tasks and specific needs such as pentesting.

Choosing a Provider and Operating System

The first important step is to choose a reliable VPS provider. When selecting a provider, pay attention to the following factors:

  • Company reputation and customer reviews
  • Server location and network
  • Available operating system options
  • Performance and scalability of tariff plans
  • Level of technical support and documentation

For the operating system, it is recommended to choose one of the popular Linux distributions, such as Ubuntu, Debian, or CentOS. They have broad community support, frequent security updates, and are well-suited for server tasks.

If your goal is pentesting and security analysis, it is worth considering specialized distributions created specifically for these tasks, such as Kali Linux, ParrotOS, or BlackArch. These distributions provide a rich set of pre-installed tools for penetration testing, vulnerability analysis, reverse engineering, and other cybersecurity tasks.

However, even if you choose a universal distribution like Ubuntu or Debian, you can always additionally install and configure the necessary tools for pentesting. The main thing is to ensure reliable protection of the VPS itself so that it does not become a victim of attacks or a source of threats to other systems.

Setting up a VPS includes selecting a suitable provider, installing the operating system, configuring services, and securing the server. These steps are equally important for both general use and pentesting tasks.

Initial Server Setup

After creating the VPS, connect to it via SSH using the credentials provided by the provider. Then perform the following steps for initial setup:

    1. Update all installed packages to the latest versions:
      sudo apt update && sudo apt upgrade -y
    2. Create a new user with sudo rights and set up SSH key authentication:
      adduser johndoe
      usermod -aG sudo johndoe
      mkdir /home/johndoe/.ssh
      chmod 700 /home/johndoe/.ssh
      nano /home/johndoe/.ssh/authorized_keys # Paste your public SSH key
      chmod 600 /home/johndoe/.ssh/authorized_keys  
      chown -R johndoe:johndoe /home/johndoe/.ssh
    3. Disable login for the root user and password login by editing the file /etc/ssh/sshd_config:
      PermitRootLogin no
      PasswordAuthentication no
    4. Restart the SSH service:
      sudo systemctl restart sshd

Now you have the foundation for secure server access.

Strengthening SSH Security

SSH is the primary method of remote access to a VPS, so it’s important to strengthen its security. Here are some recommendations:

  • Install fail2ban to protect against brute-force attacks:
    sudo apt install fail2ban -y

    The Fail2Ban logs are usually stored in the file /var/log/fail2ban.log. If you want to change the number of login attempts, blocking time, and other parameters, create a copy of the file jail.conf named jail.local in the /etc/fail2ban directory and work in this file. Files with .local have priority over .conf, so Fail2Ban will use your settings.

  • Use only SSH key authentication (already set up in the previous step).
  • Change the default SSH port (for example, to 2222) in the file /etc/ssh/sshd_config:
    Port 2222
  • Restrict SSH access to specific users by adding to /etc/ssh/sshd_config:
    AllowUsers johndoe
  • Enable 2FA (two-factor authentication) using Google Authenticator or other solutions.

After making changes, restart SSH:

sudo systemctl restart sshd

Setting Up Two-Factor Authentication (2FA)

Two-factor authentication significantly enhances security by requiring an additional one-time code when logging in via SSH. To set up 2FA using Google Authenticator, perform the following steps:

    1. Install the Google Authenticator PAM module on the server:
      sudo apt install libpam-google-authenticator -y
    2. Run google-authenticator as the user and follow the instructions for setup:
      su - johndoe
      google-authenticator

      Save the shown backup codes in a secure place.

    3. Edit the file /etc/pam.d/sshd and add to the end:
      auth required pam_google_authenticator.so
    4. Edit the file /etc/ssh/sshd_config and add/modify:
      ChallengeResponseAuthentication yes
      AuthenticationMethods publickey,keyboard-interactive
    5. Restart the SSH service:
      sudo systemctl restart sshd

Now when logging in via SSH, a one-time code from the Google Authenticator app will be requested in addition to the SSH key.

Configuring the Firewall

A firewall is an important component of server protection that allows restricting network access. It is recommended to use UFW (Uncomplicated Firewall) to configure firewall rules.

Install UFW

sudo apt install ufw -y

Set up rules to allow necessary services

For example:

sudo ufw allow 2222/tcp # SSH on port 2222
sudo ufw allow 80/tcp # HTTP
sudo ufw allow 443/tcp # HTTPS

Enable UFW

sudo ufw enable

IMPORTANT: do not enable UFW before allowing SSH connection. The default SSH port is 22; if you changed the port for SSH, specify your port.

Server Monitoring

Regular server monitoring allows timely detection of potential problems and security threats. Some recommendations:

  • Install monitoring tools such as Prometheus and Grafana for collecting and visualizing server metrics.
  • Set up centralized log collection and analysis using solutions like the ELK stack (Elasticsearch, Logstash, Kibana).
  • Use intrusion detection tools such as OSSEC or Suricata to identify suspicious activity.
  • Regularly review logs for anomalies and signs of compromise.

Transferring Files to VPS

For secure file and resource transfer between the local machine and VPS, use the SCP utility. For example, to transfer the directory project to the user johndoe on the server:

scp -P 2222 -i ~/.ssh/vps_key -r ~/project johndoe@vps_ip:~/

This allows transferring data over an encrypted SSH connection without revealing it to third parties.

Conclusion

By following the detailed recommendations from this article, you will be able to create a secure VPS server suitable for both general tasks and pentesting. The key points:

  • Carefully choose the provider and operating system
  • Perform initial server setup and create a new sudo user
  • Strengthen SSH security using fail2ban, a non-standard port, and user restrictions
  • Set up two-factor authentication for SSH login
  • Configure the firewall to restrict network access
  • Install monitoring tools and regularly check logs
  • Use SCP for secure file transfer

Don’t forget to install security updates in a timely manner and follow the news about vulnerabilities. With proper configuration, regular monitoring, and vigilance, your VPS will become a reliable and secure platform for your projects and experiments.

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.