Congratulations on acquiring your new cloud Virtual Private Server (VPS)! As you prepare to deploy your application on the server, it is crucial to prioritize its security by taking the necessary steps. Start by safeguarding it against potential vulnerabilities originating from the cloud provider, and then focus on protecting it from external threats originating from the wider network.
This blog post raises awareness of the “hacky” methods that a cloud provider may use to enter your VPS even if you have changed the password!
Generally, there are two types of VPS you can order:
- Container-based VPS, also known as shared kernel VPS, relies on containerization technology for hosting. In this type of VPS, the cloud provider maintains complete control over the kernel, which limits your ability to secure it against unauthorized access and leaves the provider free to modify it at its own discretion.
- A dedicated virtual machine (VM) VPS acts as an entirely independent virtual environment, offering you complete authority and control. You have the freedom to customize and manage the operating system, kernel, and networking elements according to your specific needs. This level of control empowers you to configure the VPS to align precisely with your requirements and preferences.
As stated in the introduction, this blog will shed light on lesser-known yet crucial steps that are often overlooked after deploying your cloud VPS.
Step 1: Changing your VPS password
The VPS setup password you provide to cloud providers is stored in their database. It is vital to promptly update the root/user password of your VPS as a precautionary measure. This is crucial because, in the unlikely event of unauthorized access by a cloud provider employee, your VPS could be compromised. Furthermore, while the risk is minimal, there is a small potential for the cloud database containing all the VPS passwords to be compromised. By taking immediate action to update your VPS password, you proactively address these security concerns and enhance the protection of your VPS.
```sh
$ sudo passwd root
```
This command allows you to change the password for the specified user, in this case, the root user.
Step 2: Changing default SSH Keys
The default SSH keys are the cryptographic key pair generated during the installation of an SSH server or the VPS in our case. This key pair consists of a private key and its corresponding public key.
When the cloud provider installs or clones our VPS from a template image, it typically generates a new default set of SSH keys for the VPS, often handled by the cloud initialization process. However, without conducting a thorough investigation, it is difficult to confirm whether fresh keys were indeed generated for your instance.
To ensure maximum security, it is advisable to regenerate all SSH keys as a precautionary measure. This is particularly important if there is a possibility that the cloud provider uses the same key for every VPS. Such a scenario raises significant concerns since anyone with access to the identical key set (i.e., VPS instances originating from the same template image) could potentially gain full access to your VPS, posing a considerable security risk.
It’s important to note that default SSH keys are meant to be unique to each server or client installation. These keys should be kept secure and not shared with others. Additionally, it is considered a security best practice to periodically rotate or regenerate SSH keys to ensure the highest level of security.
```sh
$ sudo rm /etc/ssh/ssh_host_* && sudo ssh-keygen -A
```
The provided commands serve the purpose of regenerating SSH host keys on a Unix-like system. Here’s an explanation of each command:
1. `sudo rm /etc/ssh/ssh_host_*`: This command uses `sudo` to run with administrative privileges. It removes the existing SSH host keys stored in the `/etc/ssh/` directory. The `ssh_host_*` wildcard expression matches files with names starting with `ssh_host_` followed by any characters, representing the various types of host keys.
2. `sudo ssh-keygen -A`: This command also runs with administrative privileges using `sudo`. It regenerates all missing SSH host keys by invoking `ssh-keygen` with the `-A` option. The `-A` flag instructs `ssh-keygen` to generate keys for all available algorithms and key types (rsa1, rsa, dsa, ecdsa and ed25519).
In summary, the combination of these commands removes the existing SSH host keys and generates new ones for all supported algorithms and key types, ensuring a fresh set of host keys is in place. This procedure is useful for enhancing the security of SSH connections and mitigating potential risks associated with compromised or outdated host keys.
Finally, you need to restart the SSH service on the VPS:
```sh
$ sudo systemctl restart sshd.service  # the service is sometimes called ssh or openssh-server
```
When attempting to connect to the VPS from the same client, you may encounter a warning message indicating that the fingerprint of the SSH host key does not match the previous one. In our case, this message confirms that the keys have been successfully updated.
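The shared-template concern from Step 2 can be checked on instances you own. The following added example (not part of the original post) groups `ssh-keyscan`-style lines by key and reports any host key that appears on more than one host. The function names, the sample addresses and the key blobs are constructed for illustration.

```shell
#!/bin/sh
# Added example: report SSH host keys that are shared by more than one host.
# Input: lines in ssh-keyscan / known_hosts form, "<host> <keytype> <base64-key>",
# read from the files given as arguments or from stdin.
# Output: one line per reused key, "<keytype> <host1>,<host2>,...".
find_shared_host_keys() {
    awk '
        /^#/ || NF < 3 { next }              # skip comments and malformed lines
        {
            id = $2 " " $3                   # key type plus public key blob
            if (seen[id, $1]++) next         # same host listed twice: count once
            if (count[id]++) { hosts[id] = hosts[id] "," $1 } else { hosts[id] = $1 }
        }
        END {
            for (id in count)
                if (count[id] > 1) {
                    split(id, part, " ")
                    print part[1], hosts[id]
                }
        }
    ' "$@" | sort
}

# Constructed sample scan (documentation addresses, placeholder key blobs):
# two instances cloned from one template still carry the same ed25519 host key.
sample_scan() {
    cat <<'EOF'
# constructed data, not real keys
192.0.2.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedTemplateKey0000000000000000000
192.0.2.10 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABConstructedRsaKeyForHostA
192.0.2.11 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedTemplateKey0000000000000000000
192.0.2.11 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABConstructedRsaKeyForHostB
198.51.100.7 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedUniqueKey000000000000000000000
EOF
}

sample_scan | find_shared_host_keys
```

Feeding it `ssh-keyscan` output for your own instances, collected before and after the regeneration, shows whether a template key was shared and whether it is gone.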
Our security recommendations extend beyond the ones mentioned here, and it is essential to remain vigilant about other potential risks. It is crucial to adhere to best practices and prioritize safety at all times.
Thank you for reading this. Hopefully you have learned about a new issue before it is too late.