How to Protect Your Server from Hackers

Although I am an experienced developer, but it so happened that two weeks after registering the server it was hacked.

It is not a hard deal to make your server secure, but when a lot of routines comes, It is possible to forget to do this. In my case, ssh server was hacked in two weeks after I bought it. One morning my mail had a couple of the abuses from third-side people said "something" on my server tried to hack their servers. So, I should solve the problem quickly.

How to find the vulnerability

In my case it was simple. I executed the next command
cat /var/log/auth.log |  grep Accepted
and it returns me a list of successful authorization to my server. From the all returned lines I found one IP that is not my own. So, In my case, the SSH was a source of vulnerability.

Keep in mind about the command
It helps to analyze the latest successful connection.

How to protect server

Briefly about what I needed to do immediately after buying the server.
  • Install ufw - plain firewall;
  • close all server's ports besides SSH(22), HTTP(s) ports;
  • Install and config fail2ban utility. It helps to analyze the /var/log/auth.log and ban some IPs if they make some wrong activity;
  • change sshd config to accept the authorization only by private key.

What to do?

If you were hacked, your server is infected, and you need to know how to research and clean it. The best way - recreating the VPS. That was my case. I had the server at hetzner. From their dashboard, it is possible to recreate (drop and create new) VPS with the same IP in one click. So, I did. After that on my local PC, was generated SSH keys with an ssh-keygen utility (is a part of standard OpenSSH package). The command bellow same for Linux and MacOS.
It creates the pairs of keys in the ~/.ssh directory. After that running
 ssh-copy-id you_user@your_server_id
will upload your "just created" public key to the server. Next step, log in to the server and edit the config file for sshd:
nano /etc/ssh/sshd_config
In the config make changes for PasswordAuthentication variable
PasswordAuthentication no
This instruction close the possibility to connect with the password (only connection with private key accepted)

Installing and tuning ufw and fail2ban

I used ubuntu on server, so installation is
apt install ufw fail2ban
next step open only ssh, https port on server so:
ufw allow ssh
ufw allow 80
ufw allow 443
and enable the ufw:
ufw enable
Next step is configuring the fail2ban utility
# make a copy of default config (this copy will overload default params according to manual)
cp  /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
nano /etc/fail2ban/jail.local
in there find "banaction = " and set ufw as a value. After that reload fail2ban
fail2ban-client reload
According to this simple config, any three wrong attempts from particular IP get to access to ssh port will ban this IP for 10 minutes. Personally, I changed the ban time for 7 days. How to check the status:
fail2ban-client status sshd
will return in my case

Status for the jail: sshd
|- Filter
|  |- Currently failed:	1
|  |- Total failed:	6
|  `- File list:	/var/log/auth.log
`- Actions
   |- Currently banned:	1
   |- Total banned:	2
   `- Banned IP list:
You can see, that one IP already blocked by the firewall. Same things possible to see with ufw report:
ufw status
Status: active

To                         Action      From
--                         ------      ----
Anywhere                   REJECT           
80/tcp                     ALLOW       Anywhere                  
22                         ALLOW       Anywhere                  
443                        ALLOW       Anywhere           
The fail2ban can be configured to send reports to your email if some IP has been banned.