How to get a really strong server security

I am running an Ubuntu VPS with the following security optimizations. I was wondering how secure this is in general, as it gets about 150 attacks per day*. So how large is the risk of getting hacked?

  • All ports closed, excluding SSH & minecraft
  • Ports are secured with firewall
  • Package updates every week
  • fail2ban with jail for ssh & minecraft
  • Password login disabled, login only with key

I have not changed the default ssh port and am still using "root" as the default user.

  • According to fail2ban I am getting ~150 bans per day for ssh port.

Anything else to get more security?

First: disable root login. Use a normal user with sudo configured if root is needed.

If failed logins to ssh are worrying you, then you can allow ssh connections only from one IP address (your private IP address). Another option is to use something like tailscale ssh and close the "normal" ssh port. Closing the ssh port is best done in an external firewall if your provider has one, so if your IP changes or tailscale stops working you can unlock yourself.

To be honest I have servers with a wide open ssh port and fail2ban, login only with an ed25519 key for a normal user / users.
This blog post is really helpful.

Login only with key is good… but restrict that to a user account only. No root logins.
You could hide SSH behind a VPN for additional protection. There was a nasty bug in OpenSSH mid-2024.
Minecraft is an attack vector; you'll need to ensure you have that secured or isolated. NEVER run your game server as root. If you use mods, you have an even greater attack surface for Minecraft.

As for security: there's no general-purpose blanket… It boils down to securing each application you 'expose', and trusting the application doesn't have a flaw… well, flaws happen, so plan for 'what if'.

The best defense is being aware. Check this out as an example : https://www.cve.org/CVERecord/SearchResults?query=minecraft

Power it off for optimal security. Exit cloud.

Use tailscale for SSH and close 22

Log in to a sudo user instead of root and you are a bit more secure.

If you look at those login attempts, all of them are likely trying password authentication only, and so they don't factor into any kind of hacking issue.
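The point above (that the noise is password guessing, which key-only login already defeats) is easy to confirm from the auth log. The following is an added example, not code from this thread: it counts failed password attempts per source address from OpenSSH log lines, which is the same signal fail2ban's sshd jail (or a rate limit such as ufw limit 22) acts on, and lists which authentication methods actually succeeded. The log lines are constructed samples using documentation address ranges, not real captured data.

```shell
#!/bin/sh
# Added example, not from the thread: count failed SSH password attempts per
# source address from OpenSSH auth-log lines, which is the signal fail2ban's
# sshd jail (and a "ufw limit 22" rate limit) acts on. The log lines are
# constructed samples using documentation address ranges, not real data.

SAMPLE_LOG='Jan 10 03:12:01 vps sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jan 10 03:12:04 vps sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Jan 10 03:12:07 vps sshd[1205]: Failed password for root from 203.0.113.5 port 51244 ssh2
Jan 10 03:13:11 vps sshd[1210]: Failed password for invalid user ubuntu from 198.51.100.7 port 40001 ssh2
Jan 10 03:14:00 vps sshd[1215]: Accepted publickey for deploy from 192.0.2.9 port 50022 ssh2: ED25519 SHA256:constructedfingerprint
Jan 10 03:14:30 vps sshd[1218]: Failed password for root from 203.0.113.5 port 51250 ssh2'

# failed_by_ip LOG: "count ip" per source with failed password attempts, most first.
failed_by_ip() {
    printf '%s\n' "$1" |
        awk '/sshd\[[0-9]+\]: Failed password for/ {
                 for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
             }
             END { for (ip in n) print n[ip], ip }' |
        sort -rn
}

# offenders LOG THRESHOLD: sources with at least THRESHOLD failures, one per line
# (what fail2ban "maxretry" would ban; a real jail also bounds this by findtime).
offenders() {
    failed_by_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# accepted_methods LOG: authentication methods that actually succeeded, deduplicated.
# With PasswordAuthentication off, only "publickey" should ever appear here.
accepted_methods() {
    printf '%s\n' "$1" |
        awk '/sshd\[[0-9]+\]: Accepted / {
                 for (i = 1; i <= NF; i++) if ($i == "Accepted") { print $(i + 1); break }
             }' |
        sort -u
}

echo "failed attempts per source:"
failed_by_ip "$SAMPLE_LOG"
echo "would be banned at maxretry=3:"
offenders "$SAMPLE_LOG" 3
echo "successful auth methods seen:"
accepted_methods "$SAMPLE_LOG"
```

On a live Ubuntu host the same functions can be fed real lines with something like `failed_by_ip "$(journalctl -u ssh --no-pager)"`; if `accepted_methods` ever prints anything other than `publickey`, password authentication is still reachable somewhere and the sshd configuration needs another look.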

If you’re getting worried by the log spam, you may want to try changing the ssh port. This gives you no additional security but you won’t get spammed with failed login attempts as frequently as with port 22.

Security through obscurity is never the answer but… you’ll see a lot less automated bot logins if you don’t have ssh on port 22

Highly recommend openscap for hardening - this is what enterprise businesses use for Linux hardening.

That's not 150 attacks per day; it's a very common thing that some wannabe hackers are scanning the networks to find some easily breakable services with security scanning tools.

What you do is pretty much enough, but do not use root, create a dedicated user and turn off root login. And use ufw limit 22 instead of fail2ban.

Shut off ssh, use tailscale to access the service remotely.

You could even disable Minecraft and use the tailscale ACLs to only allow specific people access to the Minecraft server.

150 bans is a lot. You should set up your firewall to block packets by geolocation. If you block certain countries you can probably reduce that by 80%.

I had hacking attempts on the webserver and after I IP-blocked Russia and Belarus they went down to ~70%. You can block entire countries with ipset and download country IP ranges (e.g., China CN, Russia RU). http://www.ipdeny.com/ipblocks/data/countries/ru.zone

You can use tailscale to prevent ssh from remote as well. And as some responses say, limiting to an IP and not using root is good. Being behind a firewall or VPN as well is good practice. You can use unwanted or iptables

Set up Crowdsec, add the appropriate lists and it'll block a lot of the automated scan addresses.

Not really security, but changing the SSH port can also cut down on the number of attempts (just don’t use port 2222, it’s just as bad).

Use google authenticator for MFA. None of the automatic bots know how to handle this.

Changing the default ssh port will reduce the exposure to bots that scan that port (22) over various networks, in the attempt to find servers with unsecured ssh access. It’s the least important thing that you mentioned, but changing it doesn’t hurt.

What I would do first is just have a user with sudo (needs to be part of the wheel group) and disable root login via ssh entirely, whether it’s with ssh keys or, worse, password auth.

You should be able to log in with a regular user and only with keys; password auth disabled for anyone, please.

These small things are a good start.

What kind of attacker are you trying to defend against?

There is a really big spectrum between skids and Unit 9900, you know, and knowing what you can expect is paramount if you want to talk about really secure systems.

This is what you do.
apt update
Install sudo
adduser username
usermod -aG sudo username
Then nano into /etc/ssh/sshd_config
Uncomment and change
PasswordAuthentication no
PermitRootLogin no
PermitEmptyPasswords no

Do not close this window. Open another window and run ssh-keygen -t rsa -b 4096
You can add a password or not. Then run ssh-copy-id -i ~/.ssh/id_rsa username@ipaddress

In the first window run sudo systemctl reload sshd.service or sudo systemctl restart ssh, or reboot

Once that's done, from the second terminal window try logging into your server with your user using ssh -i ~/.ssh/id_rsa username@ipaddress. If successful, close the first window. After that install tailscale and use ACL rules to invite friends to your server.
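The "uncomment and change" step is where this procedure most often goes wrong: sshd takes the first uncommented occurrence of a keyword, so a line left commented out, or a stray earlier "PermitRootLogin yes", silently wins over the edit you made lower down. The following is an added example, not code from this thread: it audits an sshd_config for the three settings the procedure edits, reimplementing that first-occurrence rule for top-level lines only (it stops at the first Match block and does not follow Include). Both config files it checks are constructed samples, and the function names (`effective_value`, `audit_sshd_config`, `finding_count`) are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for the three
# settings the procedure above edits. sshd honours the FIRST uncommented
# occurrence of a keyword, so a stray "PermitRootLogin yes" above your edit, or
# a line you forgot to uncomment, silently wins. This reimplements that rule
# for top-level lines only (it stops at the first Match block and does not
# follow Include); the two config files below are constructed samples.

# effective_value FILE KEYWORD(lowercase): first uncommented value before any
# Match block, lowercased, or "default" when the keyword is never set.
effective_value() {
    awk -v key="$2" '
        tolower($1) == "match" { exit }
        tolower($1) == key     { print tolower($2); found = 1; exit }
        END { if (!found) print "default" }' "$1"
}

# audit_sshd_config FILE: one line per weak setting, nothing when all three are tight.
# OpenSSH defaults: PasswordAuthentication yes (weak if unset), PermitEmptyPasswords no.
audit_sshd_config() {
    v=$(effective_value "$1" permitrootlogin)
    [ "$v" = "no" ] || echo "PermitRootLogin is '$v' (want no)"
    v=$(effective_value "$1" passwordauthentication)
    [ "$v" = "no" ] || echo "PasswordAuthentication is '$v' (want no; unset means yes)"
    v=$(effective_value "$1" permitemptypasswords)
    case "$v" in no|default) ;; *) echo "PermitEmptyPasswords is '$v' (want no)" ;; esac
}

# finding_count FILE: number of weak settings, as a plain integer.
finding_count() {
    audit_sshd_config "$1" | wc -l | tr -d ' '
}

WEAK_CFG=$(mktemp)
HARDENED_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARDENED_CFG"' EXIT

# Constructed sample: the "uncomment and change" step was only half done.
cat > "$WEAK_CFG" <<'EOF'
PermitRootLogin yes
#PermitRootLogin no
#PasswordAuthentication no
PermitEmptyPasswords no
Match User backup
    PasswordAuthentication yes
EOF

# Constructed sample: what the config should look like after the procedure.
cat > "$HARDENED_CFG" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
EOF

echo "weak config: $(finding_count "$WEAK_CFG") finding(s)"
audit_sshd_config "$WEAK_CFG"
echo "hardened config: $(finding_count "$HARDENED_CFG") finding(s)"
```

On the real host the authoritative check is `sudo sshd -T | grep -iE 'permitrootlogin|passwordauthentication|permitemptypasswords'`, because `sshd -T` resolves Include directives (Ubuntu's sshd_config includes /etc/ssh/sshd_config.d/*.conf, and a drop-in there can re-enable password authentication) and Match blocks; run it before the reload in the step above, and test the key login from the second window before closing the first.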

It will show up if bots are trying bruteforce attempts. Use ssh with keys.

Not as tight as solarian.