Scheduled Maintenance: We are aware of an issue with Google, AOL, and Yahoo services as email providers which are blocking new registrations. We are trying to fix the issue and we have several internal and external support tickets in process to resolve the issue. Please see: viewtopic.php?t=158230

 

 

 

How can I protect a VPS?

Linux Kernel, Network, and Services configuration.
Post Reply
Message
Author
GabrieleMax
Posts: 126
Joined: 2016-09-07 20:24
Location: Senigallia (AN) - Italy
Has thanked: 4 times
Been thanked: 1 time
Contact:

How can I protect a VPS?

#1 Post by GabrieleMax »

I'm using Debian just for local area network but now I'd like to buy a VPS here: https://www.hostwinds.com/vps/unmanaged-linux

I need to put a website and mail server there just to learn how to work them, I understood this server will have all ports opened so I'd like to know how I could filter or block traffic, ports, etc. or it's better to say I'd like to know what is the best way to do it!

Now in my LAN I got a firewall on my modem/router, it is very basic so I don't need to do something just enable/disable!

Regards.
GabrieleMax

reinob
Posts: 1189
Joined: 2014-06-30 11:42
Has thanked: 97 times
Been thanked: 47 times

Re: How can I protect a VPS?

#2 Post by reinob »

GabrieleMax wrote:I'm using Debian just for local area network but now I'd like to buy a VPS here: https://www.hostwinds.com/vps/unmanaged-linux

I need to put a website and mail server there just to learn how to work them, I understood this server will have all ports opened so I'd like to know how I could filter or block traffic, ports, etc. or it's better to say I'd like to know what is the best way to do it!

Now in my LAN I got a firewall on my modem/router, it is very basic so I don't need to do something just enable/disable!

Regards.
GabrieleMax
Sounds like a new spambot will soon appear :)

Seriously. Before you even buy your VPS try doing everything you want to learn (web server, mail server) on a computer within your LAN (and thus protected by your modem/router). As you grow confident you can forward the relevant ports from your modem/router.

There's a LOT you need to read, learn and understand before you even start. A standard debian VPS running only openssh may be secure enough that you don't have to bother much (but passwords will be brute-forced if allowed).

A web server (using debian defaults) will also be more or less fine (if you install some kind of "content management system" then you're lost).

I -- honestly and very seriously -- would stay AWAY from installing a mail server. Security and secure defaults have gone a long way but it is still very easy to touch something and have an open relay (and hostwinds seems to host a huge number of them, telling from my logs).

Good luck!

GabrieleMax
Posts: 126
Joined: 2016-09-07 20:24
Location: Senigallia (AN) - Italy
Has thanked: 4 times
Been thanked: 1 time
Contact:

Re: How can I protect a VPS?

#3 Post by GabrieleMax »

reinob wrote:Sounds like a new spambot will soon appear :)
I understood what you mean! :)
reinob wrote:Seriously. Before you even buy your VPS try doing everything you want to learn (web server, mail server) on a computer within your LAN (and thus protected by your modem/router). As you grow confident you can forward the relevant ports from your modem/router.
Ok, it's a rellay good idea!
reinob wrote: There's a LOT you need to read, learn and understand before you even start. A standard debian VPS running only openssh may be secure enough that you don't have to bother much (but passwords will be brute-forced if allowed).
I'd like to start "just" with a OpenVPN+SSL 256 to start to manage in a secure way my VPS and to have a dns masquerade to have a local ip when I could be abroad or when I use a hotspot.
reinob wrote: A web server (using debian defaults) will also be more or less fine (if you install some kind of "content management system" then you're lost).
This should be the step number two, I should move my testing website in this VPS.
reinob wrote: I -- honestly and very seriously -- would stay AWAY from installing a mail server. Security and secure defaults have gone a long way but it is still very easy to touch something and have an open relay (and hostwinds seems to host a huge number of them, telling from my logs).
At home I got two Debian Buster server, I use one of it for Samba, L.A.M.P, and OpenVPN, and another one like a backup server, in the first case I have just the port 1194 opened, maybe I could try everything in one of them like what you said above!
reinob wrote: Good luck!
Thanks! :D

User avatar
llivv
Posts: 5340
Joined: 2007-02-14 18:10
Location: cold storage

Re: How can I protect a VPS?

#4 Post by llivv »

GabrieleMax wrote:I need to put a website
learn web server install and configuration
GabrieleMax wrote:and mail server
learn mail server install and configuration
GabrieleMax wrote:there just to learn how to work them, I understood this server will have all ports opened so I'd like to know how I could filter or block traffic, ports, etc. or it's better to say I'd like to know what is the best way to do it!
learn iptables configuration for mail sever, web site host and VPS
GabrieleMax wrote:Now in my LAN I got a firewall on my modem/router, it is very basic so I don't need to do something just enable/disable!
use your localhost as an example.com
reinob wrote:Sounds like a new spambot will soon appear :)
Seriously. Before you even buy your VPS try doing everything you want to learn (web server, mail server) on a computer within your LAN (and thus protected by your modem/router). As you grow confident you can forward the relevant ports from your modem/router.

There's a LOT you need to read, learn and understand before you even start. A standard debian VPS running only openssh may be secure enough that you don't have to bother much (but passwords will be brute-forced if allowed).

A web server (using debian defaults) will also be more or less fine (if you install some kind of "content management system" then you're lost).
+ agree + agree + agree again
reinob wrote:I -- honestly and very seriously -- would stay AWAY from installing a mail server. Security and secure defaults have gone a long way but it is still very easy to touch something and have an open relay (and hostwinds seems to host a huge number of them, telling from my logs).
I didn't see this last sentence the first time I read reinobs post and it's probably one of the biggest issues to understand well.

I'd study howto lamp server or opencloud,
Behind your firewall (as reinob suggested above).
It should give you an idea of the kinds of maintenance you will need to know thoroughly. Because you'll be using that server knowhow everyday once you open Hello World to the internet or the VPS will be another statistic in reinob logs. :wink:
In memory of Ian Ashley Murdock (1973 - 2015) founder of the Debian project.

reinob
Posts: 1189
Joined: 2014-06-30 11:42
Has thanked: 97 times
Been thanked: 47 times

Re: How can I protect a VPS?

#5 Post by reinob »

@GabrieleMax,

Good to see that you seem to know what you're doing (and what you're not doing :)

If I can give some some advice, perhaps you want to experiment and use Wireguard instead of OpenVPN.
It's REALLY easy to set-up, works like a charm, and it's like.. well, the future of VPN :)

I use it (but also OpenVPN as it allows TCP, which I need when connected to some hotspots that only allow web browsing) also in combination with my own DNS server (unbound), which provides also ad-blocking (so no need to tweak Android, just enable VPN and the ads are gone :)

I also do have my own mail server, contrary to established (and my own) advice :)
(but I do tend to think I know damn well what I'm doing.. probably an indication that this is not the case, but..)

Anyway, whatever you do or decide, don't hesitate to ask if/when help is needed.
Cheers.

User avatar
llivv
Posts: 5340
Joined: 2007-02-14 18:10
Location: cold storage

Re: How can I protect a VPS?

#6 Post by llivv »

GabrieleMax wrote: At home I got two Debian Buster server, I use one of it for Samba, L.A.M.P, and OpenVPN, and another one like a backup server, in the first case I have just the port 1194 opened, maybe I could try everything in one of them like what you said above!
wow - I'm embarrassed - I couldn't imagine trying to open something like that myself. I didn't notice your quoted post before I posted mine below it or I certainly would have posted something else, if posting to your thread at all. My apologies.
I used to write and verify html and hosted in a localhost install on apache, cherokee, lighttp servers. Years back I've dabbled a bit with Solaris, BSD name server config and exim mail config. I've thought about renting a shell account too.
But I've seen my share of penetrations and have my hands full living with them.
In memory of Ian Ashley Murdock (1973 - 2015) founder of the Debian project.

pcalvert
Posts: 1939
Joined: 2006-04-21 11:19
Location: Sol Sector
Has thanked: 1 time
Been thanked: 2 times

Re: How can I protect a VPS?

#7 Post by pcalvert »

Some VPS companies have a separate firewall that you control using the control panel. You can use it to block all traffic except traffic coming from your IP address. Hopefully you have a static IP address at home or wherever you are doing this work.

Phil
Freespoke is a new search engine that respects user privacy and does not engage in censorship.

Post Reply