C2 Whisper - VPS Security


Tags: Career, Research, Red Team, Cybersecurity, Notes
Published: August 28, 2025
Author: 0xtb
Hey everyone! Today we'll be covering how I secure my VPS instances once they're up and running. I do this to drastically reduce the chances that unauthorized actors can access my infrastructure. Whether you're running web services, development environments, or security testing infrastructure, these practices form a solid foundation for any Linux server.
This guide provides a practical checklist for beginners looking to harden their machines. These are the minimum security measures I implement for any of my self-hosted projects, and as I continue learning, I'll be updating this guide with additional techniques.

Step 1: Strong Complex Root Password

First things first: once we have access to the machine, change the root password to something complex. For peace of mind, my passwords are at least 16 characters long, sometimes up to 26 depending on the use case. Since I use a password manager, there's no reason not to use maximum complexity. Once the later steps disable root SSH logins and password authentication, this password is only used at the provider's console, in rescue mode, or via su, but those are exactly the paths that remain, so it still matters.
passwd

Step 2: Creating a Non-Root User

Now that the root account is secured, create the account we'll use for day-to-day work. Always follow the principle of least privilege: log in as this user and escalate with sudo only when a task needs it.
useradd -m -s /bin/bash USERNAME
passwd USERNAME
Give this account a strong password as well. Even after SSH password logins are disabled in Step 6, sudo will still prompt for it.

Step 3: Setting Up Sudo Access

I'm a big fan of Debian 12 (Bookworm), primarily because of its stability (Ubuntu kept crashing on me during my OSCP report writing - talk about bad timing!). One thing to note is that a minimal Debian 12 install doesn't ship sudo, so we need to add it manually (some provider images include it already; running the install again is harmless).
apt update && apt install sudo
/usr/sbin/usermod -aG sudo USERNAME
The full path to usermod is there because Debian's su no longer resets PATH: if you became root with a plain su instead of su -, /usr/sbin may not be on your PATH and a bare usermod won't be found.

Step 4: Testing User Access

Before proceeding, test the new user account to ensure sudo is working properly. I learned this lesson the hard way when sudo didn't install correctly once - not catastrophic, but definitely inconvenient.
su - USERNAME
sudo whoami
sudo will prompt for USERNAME's password (not root's). You should see "root" returned if sudo is working correctly. Do this before disabling root SSH logins in Step 6, so you can still fix things as root if it fails.

Step 5: Configuring SSH Key Authentication

This step is absolutely non-negotiable: password authentication alone is not enough for a server that is reachable from the internet.
On your local machine, generate an SSH key pair:
ssh-keygen -t rsa -b 4096 -C "your-email@domain.com"
(The ed25519 key type is the modern default and gives shorter, faster keys; 4096-bit RSA is still fine and is what the file names in the rest of this guide assume.)
I personally always add a passphrase for additional security, though some prefer to skip it for convenience. The passphrase encrypts the private key on disk, so a stolen key file is useless without it, and with ssh-agent you only type it once per session. Once generated, copy the public key to your VPS:
# Standard single key
ssh-copy-id user@your-vps-ip
# If you have multiple keys (recommended: one key per server)
ssh-copy-id -i ~/.ssh/id_rsa_vpsname.pub user@your-vps-ip
Test the connection:
ssh -i ~/.ssh/id_rsa_vpsname user@your-vps-ip
Do this as the non-root user from Step 2: the key lands in that account's ~/.ssh/authorized_keys, and that account is the one you'll keep using after root logins are disabled.

Step 6: Disabling Password Authentication

Now that key-based authentication works, we can disable password authentication entirely. Be precise about what this buys you: the server now verifies only that you hold the private key ("something you have"). The passphrase from Step 5 is checked locally when the key is unlocked, never by the server, so this is not two-factor authentication from the server's point of view. What it does do is remove the entire class of online password guessing.
Edit the SSH configuration:
sudo nano /etc/ssh/sshd_config
Modify or add these lines:
PermitRootLogin no
PasswordAuthentication no
UsePAM no
AuthenticationMethods publickey
Two caveats. First, UsePAM no is a heavier change than it looks: on Debian it also switches off PAM account and session handling (account expiry, resource limits, motd and so on). Leaving UsePAM yes and adding KbdInteractiveAuthentication no (ChallengeResponseAuthentication no on older OpenSSH) blocks password logins just as well. Second, Debian 12's sshd_config starts with an Include of /etc/ssh/sshd_config.d/*.conf, and cloud images often drop a file there that sets PasswordAuthentication yes; sshd keeps the first value it sees for a keyword, so the drop-in wins over your edit further down. Check the effective configuration, not just the file you edited.
Save the file and restart SSH:
sudo systemctl restart ssh
Important: Test your key-based login from another terminal before closing your current session!
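To make "check the effective configuration" repeatable, here is an added example of my own (not from the original post) that audits the output of sshd -T, which prints the merged, lowercased result of sshd_config and every drop-in under sshd_config.d as one "keyword value" per line. It checks KbdInteractiveAuthentication rather than forcing UsePAM off, for the reason given above. The expected values are the ones this step sets; the sshd -T samples used to exercise it are constructed, not captured from a real host.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: audit the *effective* sshd
# configuration. `sshd -T` prints the merged result of /etc/ssh/sshd_config
# plus every file under /etc/ssh/sshd_config.d/, one lowercased
# "keyword value" per line, so a stray cloud-init drop-in that re-enables
# passwords shows up here even though sshd_config itself looks right.
set -eu

# keyword=required-value pairs, keywords lowercased as sshd -T prints them.
# UsePAM is deliberately not forced to "no": with PasswordAuthentication and
# KbdInteractiveAuthentication both off, PAM cannot be used to log in with a
# password, and leaving it on keeps account/session handling working.
EXPECTED='permitrootlogin=no passwordauthentication=no kbdinteractiveauthentication=no authenticationmethods=publickey'

# audit_sshd_config: reads `sshd -T` output on stdin, prints one FAIL line per
# mismatch, returns 0 when every expected setting matches and 1 otherwise.
audit_sshd_config() {
    local dump rc=0 pair key want got
    dump=$(cat)
    for pair in $EXPECTED; do
        key=${pair%%=*}
        want=${pair#*=}
        # first field is the keyword; take only the first value token
        got=$(printf '%s\n' "$dump" | awk -v k="$key" '$1 == k { print $2; exit }')
        if [ "$got" != "$want" ]; then
            printf 'FAIL %s: want "%s", got "%s"\n' "$key" "$want" "${got:-<unset>}"
            rc=1
        fi
    done
    return "$rc"
}

# Live mode, only meaningful on the server: validate the syntax first (a
# broken config would otherwise only surface when sshd fails to restart),
# then audit the merged result.
if [ "${1:-}" = "--live" ]; then
    sudo sshd -t && sudo sshd -T | audit_sshd_config
fi
```

Run it on the server as `./audit_sshd.sh --live` after editing and again after the restart. A FAIL line for passwordauthentication while /etc/ssh/sshd_config looks correct almost always means a drop-in under sshd_config.d is overriding you; fix or remove that file rather than fighting it in the main config.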

Step 7: Installing and Configuring Fail2Ban

Fail2Ban is an intrusion detection and prevention system that monitors logs for suspicious activity (like brute-force attacks) and automatically blocks offending IP addresses.
sudo apt install fail2ban
Create local override files (never edit the shipped .conf files: they are replaced on package upgrades, and settings in a .local file take precedence over them):
sudo cp /etc/fail2ban/fail2ban.conf /etc/fail2ban/fail2ban.local
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Copying the whole file works, but a jail.local that contains only the sections you actually change is easier to review and doesn't go stale when the packaged defaults move.
Start and enable Fail2Ban:
sudo systemctl start fail2ban
sudo systemctl enable fail2ban
Check the status:
sudo fail2ban-client status
If you encounter issues (as I did), you may need to edit the jail.local file. The usual cause on Debian 12 is that rsyslog is no longer installed by default, so /var/log/auth.log does not exist and Fail2Ban's default backend finds no log file for the sshd jail; pointing the jail at the systemd journal fixes it:
sudo nano /etc/fail2ban/jail.local
Under the [sshd] section, add:
mode = normal
backend = systemd
Restart Fail2Ban afterwards and confirm that the status output lists the sshd jail and that its counters move when you deliberately fail a login from another address.
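As an added example (mine, not from the post and not Fail2Ban's own code), here is a minimal sshd jail drop-in plus a small awk reimplementation of the counting Fail2Ban does, run over constructed sshd log lines. The aim is to see what "maxretry within findtime" means before relying on it, and to notice the ignoreip line: whitelist your own address so a typo in your SSH command can't ban you. The jail values and the 203.0.113.10 address are placeholders to adjust.

```bash
#!/usr/bin/env bash
# Added example, not from the original post or from Fail2Ban: a jail drop-in
# with only our overrides, and a toy version of the sshd filter's counting.
set -eu

# write_sshd_jail DEST: writes a drop-in such as /etc/fail2ban/jail.d/sshd.local.
# jail.conf stays untouched and keeps receiving package updates. Values are
# assumptions for a small VPS; ignoreip must contain *your* address or VPN range.
write_sshd_jail() {
    cat > "$1" <<'EOF'
[sshd]
enabled  = true
backend  = systemd
mode     = normal
port     = ssh
maxretry = 5
findtime = 10m
bantime  = 1h
# Never ban yourself: replace with your own static IP / tunnel range.
ignoreip = 127.0.0.1/8 ::1 203.0.113.10
EOF
}

# count_failed_logins MAXRETRY: reads sshd log lines on stdin and prints
# "IP count" for every source with at least MAXRETRY failed attempts, highest
# first. This mirrors the gist of the sshd filter's "Failed password for ...
# from <HOST>" match; the real filter covers many more patterns and a window.
count_failed_logins() {
    local maxretry="$1"
    awk -v max="$maxretry" '
        /sshd\[[0-9]+\]: Failed (password|publickey) for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= max) print ip, n[ip] }
    ' | sort -k2,2nr
}

# Constructed sample in the format `journalctl -u ssh` shows; not real traffic.
SAMPLE_LOG='Aug 28 10:00:01 vps sshd[1201]: Failed password for root from 198.51.100.7 port 51234 ssh2
Aug 28 10:00:02 vps sshd[1202]: Failed password for root from 198.51.100.7 port 51235 ssh2
Aug 28 10:00:03 vps sshd[1203]: Failed password for invalid user admin from 198.51.100.7 port 51236 ssh2
Aug 28 10:00:04 vps sshd[1204]: Failed password for invalid user oracle from 198.51.100.7 port 51237 ssh2
Aug 28 10:00:05 vps sshd[1205]: Failed password for root from 198.51.100.7 port 51238 ssh2
Aug 28 10:00:06 vps sshd[1206]: Failed publickey for alice from 192.0.2.44 port 40000 ssh2
Aug 28 10:00:07 vps sshd[1207]: Accepted publickey for alice from 192.0.2.44 port 40001 ssh2'

# Usage: which sources would cross maxretry=5 on this sample? Only 198.51.100.7;
# alice's single failed key (a stale key in her agent, say) stays well under.
printf '%s\n' "$SAMPLE_LOG" | count_failed_logins 5
```

Note that one failed publickey attempt still counts: an ssh-agent offering several keys before the right one produces a "Failed publickey" line per rejected key, which is the most common way people ban themselves. That is what the ignoreip entry is for.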

Step 8: Configuring UFW Firewall

UFW (Uncomplicated Firewall) provides an easy interface to iptables for basic firewall management.
sudo apt install ufw
Basic configuration examples:
# Allow SSH (do this first!)
sudo ufw allow 22/tcp
# Allow HTTPS
sudo ufw allow 443/tcp
# Enable the firewall
sudo ufw enable
# Check status
sudo ufw status verbose
Warning: Always allow SSH before enabling UFW, or you'll lock yourself out! UFW's default policy is deny incoming / allow outgoing, so the moment it is enabled, every port you haven't explicitly allowed (including SSH) is dropped.
The specific ports you allow depend entirely on your use case. For maximum security, only open ports that are absolutely necessary, and remember that a service bound to 127.0.0.1 doesn't need a rule at all.

Step 9: Zero Trust Networking (Advanced)

For enhanced security, consider implementing zero trust networking using solutions like NetBird. This creates secure tunnels between your devices and allows you to:
  • Remove direct SSH access from the internet
  • Access services via private network tunnels
  • Implement granular access controls
I chose NetBird over alternatives like Tailscale because:
  • Full self-hosted support
  • GUI for Access Control Lists (ACL)
  • Company-backed self-hosted option (vs. third-party HeadScale)
  • Set-and-forget reliability
After setting up NetBird, replace the public SSH rule with one that only accepts SSH on the tunnel interface (add the tunnel rule first, then delete the public one, and test from a tunnel-connected machine before closing your session). Deleting the public rule alone is not enough: with UFW's default deny policy, SSH over the tunnel would be dropped too unless it is explicitly allowed on that interface. Keep your provider's console or rescue mode in mind as the fallback for the day the tunnel itself is down.
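Here is an added example (my own, not from the post) tying Steps 8 and 9 together as a script. It emits the UFW commands for the public stage and for the tunnel stage in the order they must run, so the SSH allow always precedes enable, and the tunnel-interface allow is added before the public SSH rule is removed. It also uses ufw limit instead of allow for public SSH, which denies a source that opens more than six connections in thirty seconds. Assumptions: NetBird's Linux interface is named wt0 (its default; override with TUNNEL_IF), SSH listens on 22, and the host also serves HTTPS.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: generate (and optionally apply)
# the UFW ruleset for the two stages of this guide.
#   public : initial state, SSH reachable from the internet but rate-limited
#   tunnel : NetBird end state, SSH accepted only on the tunnel interface
set -eu

TUNNEL_IF="${TUNNEL_IF:-wt0}"   # assumption: NetBird's default Linux interface

# ufw_rules MODE: prints one ufw argument list per line, in the order they
# must run. In "public", policies and the SSH rule come before "enable" so
# the firewall never comes up without a way back in; "--force" skips the
# interactive prompt. In "tunnel", the tunnel allow precedes the delete so
# there is no window with no SSH path at all.
ufw_rules() {
    case "$1" in
        public)
            printf '%s\n' \
                'default deny incoming' \
                'default allow outgoing' \
                'limit 22/tcp' \
                'allow 443/tcp' \
                '--force enable'
            ;;
        tunnel)
            printf '%s\n' \
                "allow in on $TUNNEL_IF to any port 22 proto tcp" \
                'delete limit 22/tcp'
            ;;
        *)
            echo "usage: ufw_rules public|tunnel" >&2
            return 2
            ;;
    esac
}

# apply_rules MODE: runs each line through ufw. Only ever run this on the
# server itself, from a session you can afford to lose.
apply_rules() {
    ufw_rules "$1" | while IFS= read -r args; do
        # shellcheck disable=SC2086  # word-splitting $args into ufw arguments is intended
        sudo ufw $args
    done
    sudo ufw status verbose
}

# Dry run: show what the "public" stage would execute without touching anything.
ufw_rules public | sed 's/^/ufw /'
```

Run `apply_rules public` right after installing UFW, and `apply_rules tunnel` only once you have confirmed an SSH login over NetBird from a second terminal. The rule must match the one you added (limit, not allow) for the delete to take effect; `ufw status numbered` shows exactly what is there if in doubt.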

Additional Security Considerations

While this guide covers the fundamentals, consider these additional hardening measures:
System Updates
# Enable automatic security updates
sudo apt install unattended-upgrades
sudo dpkg-reconfigure unattended-upgrades
Log Monitoring
Monitor system logs regularly for suspicious activity:
sudo journalctl -f
sudo tail -f /var/log/auth.log
On Debian 12 the second command only works if you have installed rsyslog; otherwise sshd's messages live in the journal, which the first command already shows (filter it by the ssh unit to cut the noise).
Regular Backups
Implement automated backups of critical data and configurations, and test restoring from them; an untested backup is a guess.

Conclusion

These steps provide a solid foundation for VPS security. The key principles are:
  • Eliminate unnecessary access vectors
  • Implement strong authentication
  • Monitor and respond to threats
  • Follow the principle of least privilege
Remember, security is an ongoing process, not a one-time setup. Regularly review your configurations, apply updates, and monitor your systems for any unusual activity.
Stay tuned for my upcoming articles on advanced Fail2Ban configuration and zero trust networking implementation!