zfsjlll

While you're young, go a little crazy.

Website Security Protection

System: Debian11 bullseye

Problem

Recently, I built a dating website using Typecho. The website was not yet open to the public, but I suddenly received internal comments from an IP leak. It was time to take security measures for the website.

Approach

To remotely access our VPS host via SSH, we need four things: the IP address, the port number, the username, and the password. An attacker needs the same four elements to break into the VPS, so we will protect the website from these four angles.

Steps

1. IP Address

Attackers may use malicious scripts to scan whole IP ranges, so an IP address can be considered public information. However, the VPS provider I use, DigitalOcean, offers a Reserved IP feature that lets us bind a public IP to our VPS. From then on we use this IP for external access, which to some extent helps secure the website.

A DigitalOcean Reserved IP address is a publicly-accessible static IP address that you can assign to a Droplet and then reassign to another Droplet later, as needed. You can implement a failover mechanism with reserved IPs to build a high availability infrastructure.

To enable the Reserved IP option for the VPS, go to Networking > Public Network > RESERVED IP:

Select the VPS you want to bind from the dropdown menu:

Click Assign Reserved IP:

2. Port Number

The default SSH port is 22, which every attacker knows to try first. Therefore we change the SSH port to a less predictable one.

A communication port number is a 16-bit unsigned integer, ranging from 0 to 65535.
In TCP, port 0 is reserved and cannot be used.
1–1023 are reserved by the system and can only be used by the root user.
1024–4999 are freely allocated by client programs.
5000–65535 are freely allocated by server programs.
In UDP, the source port number is optional; if it is set to 0, it means there is no source port number.¹

Because the root user matters so much, we explain it in detail under step 3, Username. Since we will log in as a non-root user from now on, the port number can be any number between 1024 and 65535.

Log in to the VPS, modify /etc/ssh/sshd_config, and change Port 22 to the port number you have chosen.

In this article, we use Debian 11 and the nano text editor as the example:

nano /etc/ssh/sshd_config

Find Port 22, change it to your chosen port number, save the file, and restart the SSH service. From then on you must specify that port when logging in over SSH.

systemctl restart ssh

3. Username

The root user has the highest system privileges. Once an attacker gains root access, the server is entirely at their mercy: it becomes a "zombie" used for mining, DDoS attacks and other illegal activity, a tool in the attacker's hands. So we disable remote login for the root user and create a regular user for day-to-day server maintenance, installing sudo so that root privileges can be gained temporarily for higher-level operations.

In Linux and Unix systems, sudo is a command used to elevate the current user's privileges. In most cases, ordinary users have limited permissions and cannot perform certain operations that require administrator privileges. The sudo command can temporarily elevate the current user's privileges to perform operations that require administrator privileges.

Create a regular user:

adduser _your_vps_name

Install sudo:

apt update && apt install sudo

Note: by default you are prompted for a password every time you use the sudo command. We can simplify this by editing the configuration file, but you need to know what you are doing.

Modify sudo user privileges:

visudo

Find the User privilege specification section and add the following line under the root entry, replacing vpsadmin with the user you created:

vpsadmin ALL=(ALL) NOPASSWD: ALL

4. Password

In theory, given enough time, any password can be cracked, and attackers can also use tools such as password tables to crack your account password. Therefore we abandon password login in favour of key-based authentication: we generate a public/private key pair with SSH, upload the public key to the VPS, and log in remotely with the private key. Just make sure the private key never leaks; keep it locally, not on the server.

To generate an SSH key pair and upload the public key to the server, follow these steps:

Open a terminal or command line interface and enter the following command to generate the key pair:

ssh-keygen -t rsa -b 4096 -C "<[email protected]>"

In the above command, -t rsa indicates that an RSA type key pair will be generated, -b 4096 indicates a key length of 4096 bits, and the content after the -C parameter is the comment, which can be modified as needed.

After executing the above command, the system will prompt you to enter the path and file name to save the keys. The default path is ~/.ssh/ and the file names are id_rsa and id_rsa.pub. You can save the keys with the default settings or modify them as needed. When saving the public key file, the file name must be id_rsa.pub, otherwise the server will not recognize it.

After generating the key pair, use the following command to upload the public key to the server:

ssh-copy-id username@hostname

In the above command, username is your username on the server, and hostname is the hostname or IP address of the server. When executing this command, the system will prompt you to enter the server password. After entering the password, the public key will be automatically added to the ~/.ssh/authorized_keys file on the server.

If you are unable to use the ssh-copy-id command, you can manually copy the public key to the authorized_keys file on the server. Use the following command in the local terminal to open the public key file:

cat ~/.ssh/id_rsa.pub

Copy the entire contents of the public key file, open the ~/.ssh/authorized_keys file on the server, and paste the public key into the file. Save the file, and you can use the private key to connect to the server.
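The article changes the port by hand but never shows the sshd_config settings that actually disable root login (step 3) and password login (step 4). The following script is an added example, not from the original post: it applies the server-side settings of steps 2 to 4 to a copy of sshd_config in one idempotent pass. It assumes Debian 11 with GNU sed, that the function names harden_sshd_config, set_sshd_option and get_sshd_option are my own, and that no directives sit inside Match blocks.

```shell
#!/bin/sh
# Added example (not the original post's code): apply steps 2-4 of the article
# to an sshd_config file. Assumes GNU sed (Debian 11) and no Match blocks.
set -eu

# set_sshd_option FILE KEY VALUE: rewrite an existing "Key value" line, even a
# commented-out one such as "#Port 22", or append it if absent, so running the
# script twice leaves no duplicate directives (sshd honours the first one).
set_sshd_option() {
    file=$1; key=$2; value=$3
    re='^[#[:space:]]*'$key'[[:space:]]+[^[:space:]]+[[:space:]]*$'
    if grep -Eq "$re" "$file"; then
        sed -i -E "s|$re|$key $value|" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# harden_sshd_config FILE PORT
harden_sshd_config() {
    file=$1; port=$2
    # Step 2: only accept the unprivileged range the article recommends.
    case $port in ''|*[!0-9]*) echo "port must be numeric" >&2; return 1 ;; esac
    if [ "$port" -lt 1024 ] || [ "$port" -gt 65535 ]; then
        echo "port must be between 1024 and 65535" >&2; return 1
    fi
    set_sshd_option "$file" Port "$port"
    # Step 3: root may no longer log in remotely; use the sudo user instead.
    set_sshd_option "$file" PermitRootLogin no
    # Step 4: keys only. Apply this only after ssh-copy-id has succeeded and a
    # second session has confirmed key login works, or you lock yourself out.
    set_sshd_option "$file" PubkeyAuthentication yes
    set_sshd_option "$file" PasswordAuthentication no
}

# get_sshd_option FILE KEY: print the first effective (uncommented) value.
get_sshd_option() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Demo on a constructed copy of Debian's default file, never the live one.
demo=$(mktemp -d)/sshd_config
printf '#Port 22\n#PermitRootLogin prohibit-password\nPasswordAuthentication yes\n' > "$demo"
harden_sshd_config "$demo" 20222
cat "$demo"
# On the real host, validate before restarting so a typo cannot lock you out:
#   sshd -t -f /etc/ssh/sshd_config && systemctl restart ssh
```

If you use a firewall such as ufw, allow the new port before restarting sshd, and keep the existing session open until a fresh login on the new port succeeds.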

Summary

With the above four steps, we can achieve basic website protection.

Article updated on 2024/3/27


References

  1. 网络笔记之端口及常见端口号 (Network notes: ports and common port numbers)
  2. 安全防护 (Security protection)