
Security Hardening

This tutorial covers basic security hardening for your GoMami VPS to reduce the risk of intrusion.

SSH Security

1. Use SSH Key Login

First ensure you've configured SSH keys and can log in with them successfully.

2. Disable Password Login

After confirming key login works, disable password login:

# Edit SSH config
nano /etc/ssh/sshd_config

Change these settings:

PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin prohibit-password

# Restart SSH service
systemctl restart sshd

Caution: Make sure key login works before disabling password login, or you may be locked out. If locked out, use the VNC console to recover.

3. Change SSH Port

Moving SSH off the default port 22 cuts down the noise from automated brute-force scanning; it is not a substitute for the key-only login configured above:

# Edit config
nano /etc/ssh/sshd_config

Port 2222

# Allow new port in firewall
ufw allow 2222/tcp

# Restart SSH
systemctl restart sshd

Info: After changing the port, specify it when connecting: ssh -p 2222 root@your_server_ip

4. Limit Login Attempts

Install fail2ban to auto-ban brute-force IPs:

# Install
apt install -y fail2ban

# Create custom config
cat > /etc/fail2ban/jail.local << 'EOF'
[sshd]
enabled = true
# must match the Port set in sshd_config (step 3); use 22 if you kept the default
port = 2222
maxretry = 5
bantime = 3600
findtime = 600
EOF

# Start
systemctl start fail2ban
systemctl enable fail2ban

# Check ban status
fail2ban-client status sshd
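Steps 2 to 4 each edit a file by hand and restart a service, and two things commonly go wrong in practice: a typo in sshd_config is only noticed after the restart kills the listener, and a cloud image drop-in under /etc/ssh/sshd_config.d/ silently keeps PasswordAuthentication enabled even though the main file says no (sshd keeps the first value it reads for each keyword, and the Include at the top of sshd_config pulls those drop-ins in first). The script below is an added example, not part of the GoMami tutorial: it writes the step 2 and 3 directives to a drop-in that sorts first, validates with sshd -t before restarting, audits the effective settings from sshd -T, and renders the step 4 jail from the same port so fail2ban cannot watch the wrong one. The drop-in path, the jail path and every function name in it are this example's own assumptions; the demo at the bottom works on constructed files and touches nothing on the host.

```shell
#!/bin/sh
# Added example, not part of the GoMami tutorial. Applies steps 2 and 3
# through an sshd drop-in, checks the result, and renders the step 4
# fail2ban jail from the same port so the two cannot drift apart.
# Assumed paths (overridable): SSHD_DROPIN and JAIL_LOCAL.
set -u

SSHD_DROPIN=${SSHD_DROPIN:-/etc/ssh/sshd_config.d/00-hardening.conf}
JAIL_LOCAL=${JAIL_LOCAL:-/etc/fail2ban/jail.local}

# sshd keeps the FIRST value it reads for each keyword, and sshd_config on
# Ubuntu 22.04+/Debian 12 starts with "Include /etc/ssh/sshd_config.d/*.conf".
# A drop-in that sorts first therefore wins over sshd_config itself and over
# image-supplied drop-ins such as 50-cloud-init.conf.
render_sshd_dropin() {  # render_sshd_dropin PORT
    printf '%s\n' "Port $1" \
        "PasswordAuthentication no" \
        "PubkeyAuthentication yes" \
        "PermitRootLogin prohibit-password"
}

# First active value of KEY in FILE (case-insensitive), or DEFAULT.
# Works on a config file and on "sshd -T" output alike.
config_value() {  # config_value FILE KEY DEFAULT
    awk -v k="$2" -v d="$3" '
        !found && tolower($1) == tolower(k) { print $2; found = 1 }
        END { if (!found) print d }' "$1"
}

# Compare FILE against the hardening targets. Prints each deviation and
# returns 1 if there is any. "sshd -T" reports prohibit-password as
# without-password, so both spellings are accepted.
audit_sshd() {  # audit_sshd FILE
    rc=0
    for want in "passwordauthentication no" "pubkeyauthentication yes" \
                "permitrootlogin prohibit-password|without-password"; do
        key=${want%% *}; ok=${want#* }
        got=$(config_value "$1" "$key" unset)
        case "|$ok|" in
            *"|$got|"*) ;;
            *) echo "FAIL $key=$got (want $ok)"; rc=1 ;;
        esac
    done
    return $rc
}

# fail2ban jail for sshd, bound to the port sshd actually listens on.
render_jail_local() {  # render_jail_local PORT
    printf '[sshd]\nenabled = true\nport = %s\nmaxretry = 5\nbantime = 3600\nfindtime = 600\n' "$1"
}

# Live path: run as root on the VPS only after key login is confirmed.
# Order matters: open the firewall port, validate, then restart.
apply_live() {  # apply_live PORT
    port=$1
    mkdir -p "$(dirname "$SSHD_DROPIN")"
    render_sshd_dropin "$port" > "$SSHD_DROPIN"
    sshd -t || { echo "sshd config invalid; not restarting"; rm -f "$SSHD_DROPIN"; return 1; }
    if command -v ufw >/dev/null 2>&1; then ufw allow "$port/tcp"; fi
    # Ubuntu 22.10+ socket-activates sshd, so the port is owned by ssh.socket
    # (regenerated from sshd_config on daemon-reload), not by the service.
    if systemctl -q is-enabled ssh.socket 2>/dev/null; then
        systemctl daemon-reload && systemctl restart ssh.socket
    else
        systemctl restart sshd
    fi
    sshd -T > /run/sshd-effective.txt
    audit_sshd /run/sshd-effective.txt || return 1
    render_jail_local "$(config_value /run/sshd-effective.txt port 22)" > "$JAIL_LOCAL"
    systemctl restart fail2ban
}

# Demo on constructed files (no root, nothing on the host is touched).
demo=$(mktemp -d)
printf '#Port 22\nPasswordAuthentication yes\n' > "$demo/50-cloud-init.conf"   # constructed image default
render_sshd_dropin 2222 > "$demo/00-hardening.conf"
echo "image default:";     audit_sshd "$demo/50-cloud-init.conf" || true
echo "hardening drop-in:"; audit_sshd "$demo/00-hardening.conf" && echo OK
render_jail_local "$(config_value "$demo/00-hardening.conf" port 22)"
rm -rf "$demo"
```

On the VPS itself, call apply_live 2222 as root from a session you already authenticated with a key, and keep that session open until a second key login on the new port succeeds; the audit it runs afterwards reads sshd -T, which is the only authoritative view once drop-ins are involved.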

Firewall Configuration

UFW (Ubuntu / Debian)

# Install (usually pre-installed)
apt install -y ufw

# Default policies
ufw default deny incoming
ufw default allow outgoing

# Allow necessary ports
ufw allow 2222/tcp # SSH (if port was changed)
ufw allow 80/tcp # HTTP
ufw allow 443/tcp # HTTPS

# Enable firewall (the SSH port must already be allowed above, or you will be locked out)
ufw enable

# View rules
ufw status verbose

firewalld (CentOS / AlmaLinux)

# Start firewall
systemctl start firewalld
systemctl enable firewalld

# Allow ports
firewall-cmd --permanent --add-port=2222/tcp
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https

# Reload rules
firewall-cmd --reload

# View rules
firewall-cmd --list-all

System Updates

Regular system updates are one of the most important security measures:

# Ubuntu / Debian
apt update && apt upgrade -y

# CentOS / AlmaLinux
dnf update -y

Enable Automatic Security Updates

# Ubuntu / Debian
apt install -y unattended-upgrades
dpkg-reconfigure -plow unattended-upgrades

Create a Non-Root User

We recommend creating a regular user for daily operations, using sudo only when needed:

# Create user
adduser deploy

# Add to sudo group
usermod -aG sudo deploy

# Configure SSH keys for new user
mkdir -p /home/deploy/.ssh
cp ~/.ssh/authorized_keys /home/deploy/.ssh/
chown -R deploy:deploy /home/deploy/.ssh
chmod 700 /home/deploy/.ssh
chmod 600 /home/deploy/.ssh/authorized_keys
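The chown and chmod lines above are not cosmetic: sshd runs with StrictModes on by default and silently ignores authorized_keys when the home directory, .ssh or the key file is group- or world-writable or owned by someone else, which is the usual reason a key that works for root fails for the new user. The script below is an added example, not part of the GoMami tutorial: it performs the same installation as a function and then verifies exactly what sshd checks. The function names, the constructed key and the temporary home directory used in the demo are this example's own assumptions; the demo needs no root and changes nothing under /home.

```shell
#!/bin/sh
# Added example, not part of the GoMami tutorial: installs authorized_keys
# for a new user with the ownership and modes sshd enforces under
# StrictModes (the default), then verifies them. The user name, key path
# and home directory are parameters; the demo at the bottom runs on a
# constructed home directory and needs no root.
set -u

# Copy SRC_KEYS to HOME/.ssh/authorized_keys for OWNER with tight modes.
# chown requires root and is skipped otherwise (the demo case).
install_authorized_keys() {  # install_authorized_keys SRC_KEYS HOME OWNER
    src=$1; home=$2; owner=$3
    mkdir -p "$home/.ssh"
    cp "$src" "$home/.ssh/authorized_keys"
    chmod go-w "$home"                      # home must not be group/world writable
    chmod 700 "$home/.ssh"
    chmod 600 "$home/.ssh/authorized_keys"
    [ "$(id -u)" -eq 0 ] && chown -R "$owner:$owner" "$home/.ssh"
    return 0
}

# Mirror sshd's StrictModes checks: HOME, HOME/.ssh and authorized_keys must
# exist, be owned by OWNER and carry no group/other write bit.
# Prints each problem; returns 1 if any. Uses GNU stat (Linux).
check_ssh_perms() {  # check_ssh_perms HOME OWNER
    home=$1; owner=$2; rc=0
    want_uid=$(id -u "$owner")
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then echo "FAIL $p missing"; rc=1; continue; fi
        mode=$(stat -c '%a' "$p"); uid=$(stat -c '%u' "$p")
        g=$(( mode / 10 % 10 )); o=$(( mode % 10 ))     # group and other octal digits
        if [ $(( (g | o) & 2 )) -ne 0 ]; then
            echo "FAIL $p mode $mode is group/world writable"; rc=1
        fi
        if [ "$uid" != "$want_uid" ]; then
            echo "FAIL $p owned by uid $uid, expected $owner ($want_uid)"; rc=1
        fi
    done
    return $rc
}

# Demo with a constructed key and home directory (nothing on the host is touched).
demo=$(mktemp -d)
me=$(id -un)
echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialNotReal deploy@example" > "$demo/id.pub"   # constructed
install_authorized_keys "$demo/id.pub" "$demo/deploy" "$me"
check_ssh_perms "$demo/deploy" "$me" && echo "perms OK"
chmod 770 "$demo/deploy/.ssh"          # reproduce the classic mistake
check_ssh_perms "$demo/deploy" "$me" || echo "as expected: sshd would ignore this key"
rm -rf "$demo"
```

On the VPS, install_authorized_keys ~/.ssh/authorized_keys /home/deploy deploy followed by check_ssh_perms /home/deploy deploy as root replaces the five manual commands above, and the check is worth re-running whenever a key login unexpectedly falls back to a password prompt.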

Security Checklist

Item                                    Status
SSH key login configured                [ ]
Password login disabled                 [ ]
SSH port changed                        [ ]
fail2ban installed and running          [ ]
Firewall enabled                        [ ]
System updated to latest                [ ]
Automatic security updates enabled      [ ]
Non-root user created                   [ ]
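The checklist is more useful when the server itself fills it in. The script below is an added example, not part of the GoMami tutorial: it evaluates each item with the tools this page installs (sshd -T, fail2ban-client, ufw or firewall-cmd, apt-get or dnf, id) and prints PASS, FAIL or SKIP per line, skipping rather than guessing when a check needs root or the relevant tool is absent. The user name deploy, the file /etc/apt/apt.conf.d/20auto-upgrades as the place where dpkg-reconfigure records the unattended-upgrades switch, and all function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the GoMami tutorial: runs the checklist above
# as a script and prints PASS, FAIL or SKIP per item. Items are SKIPped when
# the tool they need is absent or the check needs root, never guessed.
# Assumptions: the non-root user is named deploy (DEPLOY_USER) and
# unattended-upgrades records its switch in APT_AUTO.
set -u
DEPLOY_USER=${DEPLOY_USER:-deploy}
APT_AUTO=${APT_AUTO:-/etc/apt/apt.conf.d/20auto-upgrades}
FAILS=0

quiet() { "$@" >/dev/null 2>&1; }                     # run a command, keep only its exit status
yn() { if "$@"; then echo PASS; else echo FAIL; fi; } # map a test's exit status to a verdict
item() {  # item NAME VERDICT
    printf '%-36s %s\n' "$1" "$2"
    [ "$2" = FAIL ] && FAILS=$((FAILS + 1))
    return 0
}

# True if the apt.conf fragment turns APT::Periodic::Unattended-Upgrade on
# (any non-zero value), which is what dpkg-reconfigure writes.
apt_periodic_enabled() {  # apt_periodic_enabled FILE
    [ -r "$1" ] && grep -Eq '^[[:space:]]*APT::Periodic::Unattended-Upgrade[[:space:]]+"[1-9][0-9]*"[[:space:]]*;' "$1"
}

# Effective sshd setting via "sshd -T" (reads host keys, so root only).
# Fails when it cannot be determined, so the caller can SKIP.
sshd_effective() {  # sshd_effective KEY
    [ "$(id -u)" -eq 0 ] && command -v sshd >/dev/null 2>&1 || return 1
    out=$(sshd -T 2>/dev/null) || return 1
    printf '%s\n' "$out" | awk -v k="$1" '$1 == k { print $2; exit }'
}

run_checklist() {
    FAILS=0
    if pk=$(sshd_effective pubkeyauthentication); then
        item "SSH key login configured" "$(yn [ "$pk" = yes ])"
        item "Password login disabled" "$(yn [ "$(sshd_effective passwordauthentication)" = no ])"
        item "SSH port changed" "$(yn [ "$(sshd_effective port)" != 22 ])"
    else
        item "SSH key login configured" SKIP; item "Password login disabled" SKIP; item "SSH port changed" SKIP
    fi
    if command -v fail2ban-client >/dev/null 2>&1; then
        item "fail2ban installed and running" "$(yn quiet fail2ban-client status sshd)"
    else item "fail2ban installed and running" FAIL; fi
    if [ "$(id -u)" -ne 0 ]; then item "Firewall enabled" SKIP
    elif command -v ufw >/dev/null 2>&1; then
        item "Firewall enabled" "$(yn sh -c 'ufw status 2>/dev/null | grep -q "^Status: active"')"
    elif command -v firewall-cmd >/dev/null 2>&1; then
        item "Firewall enabled" "$(yn quiet firewall-cmd --state)"
    else item "Firewall enabled" FAIL; fi
    if command -v apt-get >/dev/null 2>&1; then
        # simulate an upgrade; any "Inst" line means a pending update
        item "System updated to latest" "$(yn [ "$(apt-get -s upgrade 2>/dev/null | grep -c '^Inst')" -eq 0 ])"
        item "Automatic security updates enabled" "$(yn apt_periodic_enabled "$APT_AUTO")"
    elif command -v dnf >/dev/null 2>&1; then
        # dnf check-update exits 100 when updates are available, 0 when none
        item "System updated to latest" "$(yn quiet dnf -q check-update)"
        item "Automatic security updates enabled" SKIP   # dnf-automatic is not covered by this tutorial
    else item "System updated to latest" SKIP; item "Automatic security updates enabled" SKIP; fi
    item "Non-root user created" "$(yn quiet id "$DEPLOY_USER")"
    [ "$FAILS" -eq 0 ]
}

run_checklist || echo "Some items need attention (FAIL above)."
```

Run it as root on the VPS so the sshd and firewall lines are evaluated instead of skipped; a SKIP on a Debian or Ubuntu host therefore means the tool the tutorial installs is missing, which is itself a finding.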

Next Steps