
Secure a VPS for Claude Code

Introduction

I think everyone on Tech Twitter by now knows who Pieter Levels is. If you do not, you need to spend more time getting into Tech Twitter first, then come back here and grab all the jokes. Google him or something.

So this guy, Pieter Levels, is championing an idea. The idea is dead simple. Deploy stuff on a cheap VPS and scale from there as you need to. Don’t over-engineer anything you build, at least from the get-go. Which seems like pretty obvious advice until you get into it and see that on average it’s typical to use an EKS cluster to release version 0.1 of a todo app.

So a lot of people have now gone into the “raw dogging” tech stack, which is simply a cheap VPS with Claude Code installed. Which works like magic until you start spilling tea.

This is the point of this guide. Think of it as VPS security for dummies. Any other security expert advice can build on top of this framework with minor tweaks here and there. Whenever you buy a new VPS, just come here and tick all the boxes one by one, so you can sleep well at night knowing that no one will succeed by just brute-forcing their way into your server.

This guide does not tell you how to avoid sharing passwords through GET requests and other related mishaps that can come from the code itself.

Step 1 - Set a very long and stupid password.

Make it at least 24 characters. Some providers allow you to set it when you buy the VPS, while others set it for you and email you the credentials. However it happened, here is a very simple way to reset it and make it very long and stupid like I’m recommending.

First you need to ssh into the server using:

ssh root@<server_ip_address> 

Some providers might use administrator instead of root. It’s usually something like that though, so whatever it is, find it and replace “root” with what you have.

When you’re in, you need to run this:

passwd

Then you type the new password and confirm it. Alternatively you could disable password login entirely and use ssh keys* but if you have multiple servers then you have to think of a way to back up and manage all of your keys. If that’s too much hassle just use password based auth jeje. ;)

* With SSH keys, a file is saved on your machine that lets your VPS basically perform that login handshake with only you. Anybody without that file cannot log in to your VPS at all.

Step 2 - Get the latest updates

There will always be security patches and updates to make to software, just like some other people will always find new ways to break into stuff. My guess here is that you have a Linux-based server; if you’re still reading this then that’s probably true. The package manager is apt. You can get the latest updates by running the following.

apt update && apt upgrade -y

The update part refreshes the list of the latest available versions of all packages and services that your VPS uses, and the upgrade part goes ahead and installs those things. The -y flag just says yes to any question that might come up during the upgrade.

Step 3 - Create a new user

Most attacks would try to log in to your VPS as root, admin or something similar, so let’s fix that. The goal here is to disable root login so those attacks are completely useless. You need to use a very nonsense name and not something that’s related to you in any way. Some attackers might be people that know you if they’ve done a little social engineering, so don’t use anything related to you. For instance, I use Ojuelegba as my username. Lol, I don’t, or do I, who knows?

To add a user you use the adduser command like so:

adduser <user_name>

It will ask you for a password after this step, and again the password should be long and stupid. Ideally above 24 characters. Remember the most secure thing online is stuff that is not online. Keep a paper under the bed of your cat with the passwords so that whoever hacks you must be a hacker and a burglar at the same time. Whoever can do those very well is free to steal from me. I won’t even be mad.

So next we need to add this new user to the sudo group so the user can get root permissions and still do root stuff even though you wouldn’t be signing in as root (remember this is the goal). To do this run the following:

usermod -aG sudo <user_name>

Now you can test by switching the user with su <user_name> or even logging out and back in with the new credentials. To get into root mode you can do

sudo -s

You’re going to need the password of the <user_name> you just created of course if that’s what you signed in as. You can use the same method to provision permissions for your dev and whoever else needs access to your VPS.

Step 4 - Disable Root Login

This is pretty straightforward: we only need to edit a field in a config file. That’s /etc/ssh/sshd_config, and you can use vi to open it like so:

vi /etc/ssh/sshd_config

At the bottom of the file you should see PermitRootLogin yes; set this to no. Use i to enable insert mode, and when you’re done press Esc, then type :x with the colon included. This saves your work in the file and closes it.

You’re almost done; we have two more steps to go.

Edit: Future me here. I got questions regarding this step. Well, it turns out if you log out and try to log back in with root it’ll still work. That’s because we didn’t restart the ssh service, so you can quickly do that using the following:

sudo systemctl restart ssh
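
One reason the edit in this step can silently fail, shown as an added example that is not part of the original guide: sshd keeps the first value it reads for a keyword, so a PermitRootLogin no placed below an existing PermitRootLogin yes is ignored. The function names and sample files are made up for the illustration, and only a single file is parsed (Include lines are not followed).

```shell
#!/bin/sh
# Added example. Prints the PermitRootLogin value sshd would take from ONE
# sshd_config-style file. sshd keeps the first value it reads for a keyword,
# so an earlier "yes" beats a "no" added further down.
effective_root_login() {
    awk '
        /^[ \t]*#/ { next }                  # commented-out lines do not count
        { gsub(/=/, " ") }                   # "Keyword=value" is also accepted
        tolower($1) == "match" { exit }      # below here settings are conditional
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }    # unset: the OpenSSH default applies
    ' "$1"
}

# Succeeds only when the file explicitly disables root login.
root_login_disabled() {
    [ "$(effective_root_login "$1")" = "no" ]
}

# Constructed sample files (not taken from a real server).
demo_dir=$(mktemp -d)
printf '%s\n' '#PermitRootLogin prohibit-password' 'PermitRootLogin no' \
    > "$demo_dir/good.conf"
printf '%s\n' 'PermitRootLogin yes' 'UsePAM yes' 'PermitRootLogin no' \
    > "$demo_dir/shadowed.conf"
printf '%s\n' '#PermitRootLogin no' 'UsePAM yes' \
    > "$demo_dir/commented.conf"

for f in good shadowed commented; do
    printf '%-10s -> %s\n' "$f" "$(effective_root_login "$demo_dir/$f.conf")"
done
rm -rf "$demo_dir"
```

On the server itself, sudo sshd -t checks the file for syntax errors before you restart, and sudo sshd -T | grep -i permitrootlogin prints the value sshd actually uses.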

Step 5 - Install and activate Fail2Ban

This helps you lock out people trying to gain unauthorised access for some time (could be 2 years or 2 seconds - up to you). It puts their IP in some kind of jail, and further attempts are just ignored.

Install it with

sudo apt install fail2ban -y

After that’s done you’d need a config file to get it running, but no worries: the installation comes with a sample config file that we can tweak and use. Just copy the sample to the main file like so

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Then open the file up with

sudo vi /etc/fail2ban/jail.local

It’s a pretty long file and it has a lot of comments that can let you know exactly what setting you’re looking at but we’re not doing too much here. What you’re looking for is two things - bantime and findtime.

The bantime is pretty self-explanatory: this sets how long that IP is banned. The findtime, on the other hand, is the retry window. So basically if somebody tries your password a certain number of times consecutively within a certain time window then it bans the IP. This time window is the findtime. The certain number of times is the maxretry value; you can also set that if you want.

So set these values to what seems like a reasonable punishment to you. Note that the findtime needs to be a large enough window like 10h or so. If it’s really small like 3s then I can just wait 3s after every try and I would never be banned. Also be careful not to test this out carelessly cuz you might be banned from your own server for say like 2 years.

So now that we’re done with the config, let’s start the fail2ban engine with

sudo systemctl start fail2ban
sudo systemctl enable fail2ban

Fail2ban is now active on your VPS.
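
The findtime argument from this step, worked through on constructed data as an added example (a simplified model of the rule, not fail2ban's own code and not from the original guide): with a 3-second findtime the slowly repeating address is never banned, while a 10-hour findtime bans it on its fifth failure. The record format, the function names and the two documentation-range addresses are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: a simplified model of the findtime/maxretry rule, not fail2ban code.
# An IP is banned once it has `maxretry` failures inside one `findtime` window.

# Constructed failed-login records: "<seconds> <ip>", sorted by time.
sample_failures() {
    cat <<'EOF'
0 203.0.113.7
4 203.0.113.7
8 203.0.113.7
12 203.0.113.7
16 203.0.113.7
20 203.0.113.7
100 198.51.100.9
100 198.51.100.9
101 198.51.100.9
101 198.51.100.9
102 198.51.100.9
EOF
}

# $1 = findtime in seconds, $2 = maxretry; records are read from stdin.
# Prints "<ip> banned_at <seconds>" for every IP that would be banned.
would_ban() {
    awk -v findtime="$1" -v maxretry="$2" '
        {
            ip = $2
            if (ip in banned) next               # already banned, ignore the rest
            n[ip]++; t[ip, n[ip]] = $1           # remember this failure
            # forget failures that have fallen out of the window
            while (t[ip, first[ip] + 1] < $1 - findtime) first[ip]++
            if (n[ip] - first[ip] >= maxretry) {
                banned[ip] = $1
                print ip, "banned_at", $1
            }
        }
    ' | sort
}

echo "findtime=3s, maxretry=5:";  sample_failures | would_ban 3 5
echo "findtime=10h, maxretry=5:"; sample_failures | would_ban 36000 5
```

On the server, sudo fail2ban-client status sshd lists the addresses the sshd jail has currently banned.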

Step 6 - Setup a firewall

Your VPS is exposed to the internet (well, and to itself too) through ports. Now you don’t want to have too many of these holes open because somebody or some bot will potentially exploit one of them soon enough. It might be a bit complicated to track this, but the easy way to do it is to set up a firewall. There are a number of them but I’m basing this on UFW.

You probably have it installed already if you’re on an Ubuntu distro, but it doesn’t hurt to run the install with

sudo apt install ufw

If you have it installed it’ll say so, if not it’ll install it.

Now you want the bare minimum number of ports exposed to the internet. My current list of bare minimum ports has just

So first, to set up our rules, we want to deny all incoming connections and allow all outgoing connections with

sudo ufw default deny incoming
sudo ufw default allow outgoing

Then allow the ssh and http/https ports with

sudo ufw allow 22
sudo ufw allow 80
sudo ufw allow 443

For ssh, http and https respectively.

Finally we need to enable the firewall that we’ve set up. But first we check the rules we’ve put in place just to confirm

sudo ufw status

It should show the ports 22, 80 and 443 as allowed. Then we’re good to go to enable the firewall with

sudo ufw enable
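
An added check for this step, not part of the original guide: it reads ufw status output and prints any allowed port outside the list you meant to open. While the firewall is still inactive, ufw status prints only Status: inactive (sudo ufw show added lists the rules at that point), so the function reports that case with exit status 2. The function names and the sample output, including the stray 3306 rule, are constructed.

```shell
#!/bin/sh
# Added example: audit `ufw status` output against the ports this guide opens.

# Constructed sample of `ufw status` output with one left-over rule (3306).
sample_ufw_status() {
    cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
80                         ALLOW       Anywhere
443                        ALLOW       Anywhere
3306/tcp                   ALLOW       Anywhere
22 (v6)                    ALLOW       Anywhere (v6)
3306/tcp (v6)              ALLOW       Anywhere (v6)
EOF
}

# $1 = space-separated expected ports; `ufw status` text is read from stdin.
# Prints each allowed port that is not expected. Exit status 2 = ufw inactive.
unexpected_ufw_ports() {
    awk -v expected="$1" '
        BEGIN { split(expected, e, " "); for (i in e) ok[e[i]] = 1 }
        /^Status: inactive/ { inactive = 1; exit }
        {
            action = ""
            for (i = 2; i <= NF; i++)
                if ($i == "ALLOW" || $i == "LIMIT") action = $i
            if (action == "") next               # header, separator, DENY rows
            port = $1; sub(/\/.*/, "", port)     # "3306/tcp" -> "3306"
            if (!(port in ok) && !(port in seen)) { seen[port] = 1; print port }
        }
        END { if (inactive) exit 2 }
    '
}

echo "Allowed ports that are not in the 22/80/443 list:"
sample_ufw_status | unexpected_ufw_ports "22 80 443"
```

On the server, run it as sudo ufw status | unexpected_ufw_ports "22 80 443" after the firewall is enabled.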

Congratulations

You have just completed the bare minimum of server security. If you made it this far thank you very much for reading.