Do you plan to host a WordPress blog on your VPS? Or, you’re about to import an existing one that was being hosted in shared server such as HostGator or BlueHost into DigitalOcean droplet? You landed on a right page.
- Create a new linux user
- Grant sudo privilege to new user
- Secure ssh connection by changing default port
- Configure ssh connection with root login restricted
- Configure ssh connection so that only specified user can log in
- Install and activate fail2ban to block brute force attack
I’ll relate the exact steps I followed to prepare my droplet. So, I’m sure it’ll be helpful to you too!
Prepare VPS to host WordPress
I assume you’ve already created a new droplet in DigitalOcean with Ubuntu 14.04 as operating system. Now, we’ll create a new user, configure it to grant sudo privilege. We’ll also walk through to secure ssh connection. And, finally we’ll see how Fail2Ban can be used to automate the protection against Brut-force attack.
So, let’s begin!
Log in to your VPS
Start the PuTTY application and log in to your VPS. If you don’t know how to, please visit following link and scroll down in Login section:
Create a new Linux user
For every new droplet there’s a default user root and the password is emailed to you. The Root user in Linux is super-user and thus it’s a powerful user capable to do anything – equally capable to destroy everything, regardless if it was unknowingly.
Thus, it is wiser to create another user to work with. In this session we’ll learn to create new user in Ubuntu 14.04 and grant sudo privilege.
#1. Login to your DigitalOcean droplet with credentials that was mailed to you. Because this is the first time, you’ll most likely see a warning message – “Are you sure you want to continue connecting (yes/no)?“. You should confirm this with yes.
The next important thing in this process is to change the root password. Change it to something difficult to guess but easier for you to remember. Change the password and proceed when Linux asks.
#2. Once you see the command prompt in the PuTTY console, issue the command below:
A few questions will be asked for this user. Supply the data or simply press Enter to proceed without entering anything.
Now, you have a new user workingUser with regular account privileges. Because we need to do some administrative tasks, let’s configure ‘sudo’ privilege to this user. It saves you from logging out and in frequently.
#3. In your console, enter following command
This will open up the nano text editor where you’ll find:
# User privilege specification root ALL=(ALL:ALL) ALL
In nano editor, Ctrl+W (where?) will help you to search. Just below the line add sudo privilege for workingUser so that it looks like following:
# User privilege specification root ALL=(ALL:ALL) ALL workingUser=(ALL:ALL)ALL
Notice that Linux is case sensitive. The uppercase and lowercase are different.
After you add the line, save and exit nano editor. Ctrl+X then Y and ENTER will exit you from editor confirming to save the changes.
Now you have a new user capable of running regular as well as administrative commands. To issue administrative commands you’ll just add sudo at the front.
Recommended Security Configuration
Change SSH port – By default your droplet listens for ssh connection in port 22. It is a well known port and thus changing it to something different makes your server more secure. You can choose any number between 1025 and 65536. The numbers below 1025 are reserved and 65636 is the upper limit for the ports.
Restrict Root Login – Because we can now access our server through normal user account and escalate privileges when necessary, we can step further ahead to secure by restricting root login.
Permit only a certain user – This closes all the doors and windows to access your server except for the specified user – A secure ssh environment.
To perform these tasks let’s follow the course below:
#1. Open ssh configuration file using following command
#2. Find the line with Port 22 and change it to something different such as:
#3. Find the line PermitRootLogin yes and change it to:
#4. To allow only our new user restricting all other user accounts, add following line:
#5. Now Save and close the file (Ctrl+X then Y and ENTER)
#6. Restart SSH to apply the changes you made recently
service ssh restart
That’s all about securing your SSH. Now you can log in using your new user with following command:
ssh -p 5304 [email protected]
Remember to specify the new port number, username and password in your PuTTY to login in next session.
Install and activate Fail2Ban to block brute force attack:
You can go one step further to install and activate fail2ban. It provides a way to automatically protect virtual servers from malicious behavior. The program works by scanning through log files and reacting to offending actions such as repeated failed login attempts. Follow the procedure below:
#1. Install Fail2Ban:
sudo apt-get install fail2ban
#2. Create a working copy of Fail2Ban configuration file:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
#3. Set up ban time, max retry and destination email in local configuration file
sudo nano /etc/fail2ban/jail.local
Max retry specifies for how many times it should allow the failed login attempt. Ban time tells for how long it should ban the next login attempt after the max retry is reached. Destemail is specified so that it can send you email when somebody is banned according to the rules you specified here.
#4. Most of the default settings are pretty fine for us. So, you can now restart fail2Ban and apply the settings:
sudo service fail2ban restart
If you are inerested to learn more about Fail2Safe and detailed configuration information, you are encouraged to read how to protect ssh with fail2ban
That’s awesome! A powerful and secure server to host your blog!
Now after these server settings, we can move forward to install and configure the software required to run a WordPress blog – that’s the topic for my next post. Stay tuned!