# Security Hardening

Secure your TinyBox VPS against threats and vulnerabilities.
## SSH Hardening

### Disable Password Authentication

```bash
# Edit SSH configuration
nano /etc/ssh/sshd_config
```

Add or modify these lines in `sshd_config`:

```text
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin prohibit-password
MaxAuthTries 3
```

```bash
# Restart SSH service
systemctl restart ssh
```
> **⚠️ Important:** Only disable password authentication AFTER setting up SSH keys. Always test SSH key login before making this change!
### Additional SSH Security

More hardening options for `/etc/ssh/sshd_config`:

```text
ClientAliveInterval 300
ClientAliveCountMax 2
X11Forwarding no
AllowUsers root
Protocol 2
```

`AllowUsers` is an allow-list: any account not named on that line (including the non-root user created later in this guide) is refused SSH login, so extend it whenever you add a user. `Protocol 2` only mattered for OpenSSH releases that still spoke SSH protocol 1; current releases no longer implement protocol 1 and ignore the keyword.

```bash
# Restart SSH after changes
systemctl restart ssh
```
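An added example, not part of the TinyBox guide: a small shell audit that checks an `sshd_config` (with its `Include` drop-ins spliced in the way sshd reads them) against the values set above. File paths are passed as arguments and are assumptions for illustration; `sshd -T` on the host remains the authoritative view of the effective configuration.

```bash
#!/bin/sh
# Added example (not from the TinyBox guide): audit an sshd_config tree for
# the values this page sets. Two sshd parsing rules matter: the FIRST
# occurrence of a keyword wins, and "Include" splices other files in at that
# point, so a drop-in like /etc/ssh/sshd_config.d/50-cloud-init.conf (Ubuntu
# cloud images ship it with "PasswordAuthentication yes") silently overrides
# a line appended to the end of sshd_config. Paths here are assumptions;
# on the live host "sshd -T" prints the effective config and is the final word.
# Print FILE with Include directives expanded in place (glob order, recursive);
# comments and blank lines dropped; relative Include paths are not resolved.
expand_sshd_config() {
  local file="$1" key rest lkey f
  [ -r "$file" ] || return 0
  while read -r key rest || [ -n "$key" ]; do
    lkey=$(printf '%s' "$key" | tr 'A-Z' 'a-z')
    case "$lkey" in
      ''|'#'*) continue ;;
      include) for f in $rest; do expand_sshd_config "$f"; done ;;
      *) printf '%s %s\n' "$key" "$rest" ;;
    esac
  done < "$file"
}

# Effective global value of lower-case keyword $1 from expanded config on
# stdin: first match wins; stop at the first Match block (conditional values).
effective_value() {
  awk -v k="$1" 'tolower($1) == "match" { exit }
                 tolower($1) == k { print $2; exit }'
}
# Compare FILE's effective config with this page's hardening values.
# Prints one FAIL line per deviation and returns 1 if any were found.
audit_sshd_config() {
  local file="$1" expanded rc=0 key want lkey got
  expanded=$(expand_sshd_config "$file")
  while read -r key want; do
    lkey=$(printf '%s' "$key" | tr 'A-Z' 'a-z')
    got=$(printf '%s\n' "$expanded" | effective_value "$lkey")
    if [ "${got:-unset}" != "$want" ]; then
      printf 'FAIL %s: expected %s, effective %s\n' "$key" "$want" "${got:-unset}"
      rc=1
    fi
  done <<'EOF'
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin prohibit-password
MaxAuthTries 3
X11Forwarding no
EOF
  return $rc
}
```

Run `audit_sshd_config /etc/ssh/sshd_config` before restarting the service; `sshd -t` additionally validates the file syntax so a typo cannot leave you without a working daemon.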
## Firewall Setup (UFW)

Allow your SSH port before running `ufw enable`; with the default deny policy in place, enabling the firewall first would cut off your own session.

```bash
# Install and configure UFW
apt install ufw -y

# Set default policies
ufw default deny incoming
ufw default allow outgoing

# Allow your SSH port (replace XXXX with 10000 + VPS ID)
ufw allow XXXX/tcp

# Allow web traffic
ufw allow 80/tcp
ufw allow 443/tcp

# Enable firewall
ufw enable

# Check status
ufw status verbose
```
### ✓ Common Firewall Rules

```bash
# Database (if needed externally; replace trusted_ip with the client's address)
ufw allow from trusted_ip to any port 3306

# Email server
ufw allow 25,587,993,995/tcp

# FTP (not recommended, use SFTP instead)
ufw allow 21/tcp
```
## Automatic Security Updates

```bash
# Install unattended upgrades
apt install unattended-upgrades -y

# Configure automatic updates
dpkg-reconfigure -plow unattended-upgrades

# Edit configuration
nano /etc/apt/apt.conf.d/50unattended-upgrades
```

Enable security updates only by keeping just the security origin in the `Allowed-Origins` block:

```text
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
};
```
## Fail2ban for Intrusion Prevention

```bash
# Install fail2ban
apt install fail2ban -y

# Create local configuration
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

# Edit configuration
nano /etc/fail2ban/jail.local
```

Basic SSH protection configuration in `jail.local` (the port range covers the TinyBox SSH ports, 10000 + VPS ID):

```ini
[sshd]
enabled = true
port = ssh,10000:10999
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600
```

On hosts without rsyslog (for example minimal Debian 12 images) `/var/log/auth.log` does not exist and fail2ban will refuse to start this jail; replace the `logpath` line with `backend = systemd` so the sshd filter reads the journal instead.

```bash
# Start and enable fail2ban
systemctl enable fail2ban
systemctl start fail2ban
```
### ✓ Fail2ban Commands

```bash
# Check status
fail2ban-client status

# Check SSH jail status
fail2ban-client status sshd

# Unban an IP
fail2ban-client set sshd unbanip IP_ADDRESS
```
## User Account Security

```bash
# Create a non-root user
adduser newusername

# Add to sudo group
usermod -aG sudo newusername

# Set up SSH keys for new user (copies root's authorized_keys)
mkdir /home/newusername/.ssh
cp ~/.ssh/authorized_keys /home/newusername/.ssh/
chown -R newusername:newusername /home/newusername/.ssh
chmod 700 /home/newusername/.ssh
chmod 600 /home/newusername/.ssh/authorized_keys

# Test login as new user before disabling root
```
> **⚠️ Best Practice:** Always create a non-root user for daily tasks. Only use root for system administration when necessary.
## Security Monitoring

### Security Check Script

```bash
#!/bin/bash
# Save as /usr/local/bin/security-check.sh and run as root
# (ufw, fail2ban-client and auth.log all need root access)
echo "🛡️ TinyBox VPS Security Check"
echo "============================="

# Check for failed login attempts
echo "🔍 Recent failed login attempts:"
if [ -r /var/log/auth.log ]; then
    grep "Failed password" /var/log/auth.log | tail -5
else
    # No rsyslog on this host: read sshd's messages from the journal instead
    journalctl -u ssh --no-pager -q | grep "Failed password" | tail -5
fi

# Check UFW status
echo -e "\n🔥 Firewall Status:"
ufw status

# Check fail2ban status
echo -e "\n🚫 Fail2ban Status:"
fail2ban-client status 2>/dev/null || echo "Fail2ban not installed"

# Check for updates
echo -e "\n📦 Security Updates Available:"
apt list --upgradable 2>/dev/null | grep -i security | wc -l

# Check listening services
echo -e "\n👂 Listening Services:"
ss -tlpn
```

Make it executable:

```bash
chmod +x /usr/local/bin/security-check.sh
```
## ✓ Security Checklist

- ✓ SSH keys configured
- ✓ Password authentication disabled
- ✓ UFW firewall enabled
- ✓ Fail2ban installed and running
- ✓ Automatic security updates enabled
- ✓ Non-root user created
- ✓ Strong passwords used
- ✓ Unnecessary services disabled
- ✓ Regular security updates applied
- ✓ Log monitoring in place