DewaVPS

Securing Instances

Securing your cloud instances is critical for protecting sensitive data and ensuring system integrity. Whether you're deploying on Ubuntu or Windows, following a comprehensive set of hardening practices can drastically reduce your exposure to potential attacks. This guide outlines the essential steps for locking down your virtual machines (VMs).

Ubuntu Server Hardening

1. SSH Key Authentication

Disable password-based SSH logins to prevent brute-force attacks.

Steps:

  • Generate a key pair:
ssh-keygen -t rsa -b 4096 -C "your@email.com"
  • Copy the public key to your VM:
ssh-copy-id username@vm-ip-address
  • Disable password login and root login in /etc/ssh/sshd_config:
PasswordAuthentication no
PermitRootLogin no
  • Restart SSH:
sudo systemctl restart ssh
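
An added example (not part of the original guide): a POSIX shell check that the two settings from the steps above are the ones sshd will actually use. sshd keeps the first value it reads for each keyword, so where sshd_config starts with an Include of /etc/ssh/sshd_config.d/*.conf, as Ubuntu's default file does, a drop-in can override the edit. The helper names first_value and audit_ssh and the sample file names are assumptions made for this illustration, and the sample files are constructed.

```shell
#!/bin/sh
# Added example: which value will sshd actually use for a keyword?
# sshd keeps the FIRST value it reads, so pass the files in the order sshd
# reads them (drop-ins first when Include is at the top of sshd_config).

# first_value KEYWORD FILE...  -> prints the first global value, lower-cased
first_value() {
    key=$1; shift
    awk -v key="$key" '
        FNR == 1      { in_match = 0 }   # simplification: Match scope ends with its file
        /^[ \t]*#/    { next }           # comment line
        { sub(/[ \t]*=[ \t]*/, " ") }    # tolerate the "Keyword=value" form
        NF == 0       { next }
        tolower($1) == "match" { in_match = 1; next }
        in_match      { next }           # conditional blocks are not the global setting
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$@"
}

# audit_ssh FILE...  -> exit status 0 only if both settings from the steps are in force
audit_ssh() {
    rc=0
    for kw in PasswordAuthentication PermitRootLogin; do
        val=$(first_value "$kw" "$@")
        if [ "$val" = "no" ]; then
            echo "OK    $kw no"
        else
            echo "FAIL  $kw ${val:-unset (built-in default applies)}"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample files: a drop-in read before the main file re-enables passwords.
demo=$(mktemp -d)
printf 'PasswordAuthentication yes\n' > "$demo/50-dropin.conf"
printf '#PermitRootLogin prohibit-password\nPasswordAuthentication no\nPermitRootLogin no\n' \
    > "$demo/sshd_config"
audit_ssh "$demo/50-dropin.conf" "$demo/sshd_config" || echo "hardening is not in effect"
rm -rf "$demo"
```

On a live host, pass the real files in the same order (the drop-ins under /etc/ssh/sshd_config.d/ first, then /etc/ssh/sshd_config), or compare the result with the output of sudo sshd -T, which prints the configuration sshd computes.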

2. Configure UFW Firewall

Control network traffic with strict default policies.

sudo apt install ufw
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow OpenSSH
sudo ufw enable

3. Regular Updates & Security Patches

Apply the latest security fixes automatically.

sudo apt update && sudo apt upgrade -y
sudo apt install unattended-upgrades
sudo dpkg-reconfigure unattended-upgrades

4. Fail2Ban Protection

Automatically ban IPs making repeated failed login attempts.

sudo apt install fail2ban
sudo systemctl enable fail2ban --now

5. Principle of Least Privilege

Avoid using root for daily tasks.

adduser youruser
usermod -aG sudo youruser

6. Service Auditing

Disable unnecessary services to reduce the attack surface.

sudo ss -tulnp
sudo systemctl disable --now unwanted-service

7. Log Monitoring

Set up log analysis tools like Logwatch.

sudo apt install logwatch

Windows Server Hardening

1. Secure the Administrator Account

Change the default password and use complex credentials (replace the example value below with your own).

net user Administrator "StrongPassw0rd!"

2. Windows Firewall Configuration

Ensure only necessary traffic is allowed.

  • Open Windows Defender Firewall settings
  • Create inbound rules only for required ports (e.g., 3389 for RDP)

3. System Updates

Enable automatic updates for security patches.

  • Navigate to Settings > Update & Security > Windows Update
  • Enable scheduled installs

4. Harden Remote Desktop

If RDP is required:

  • Enable Network Level Authentication
  • Configure account lockout policy via secpol.msc
  • Limit RDP access to trusted IPs
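The following PowerShell command enables Remote Desktop connections by setting fDenyTSConnections to 0; run it only if RDP is required:
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" -name fDenyTSConnections -Value 0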

5. Antivirus Setup

Use Windows Defender or a trusted 3rd-party solution.

  • Enable regular scans
  • Turn on real-time protection

6. Account Lockout Policies

  • Open secpol.msc
  • Set lockout threshold, duration, and reset timers under Account Lockout Policy

7. Audit Logging

Monitor activities with Event Viewer and enable alerts for suspicious behavior.


Extended Hardening Practices (All OS)

Database Security

  • Use encrypted connections (SSL/TLS)
  • Remove default/test users
  • Apply least-privilege principles
  • Enable logging and monitoring

Web Server Hardening

  • Use HTTPS with valid SSL/TLS certificates
  • Disable directory listing and server headers
  • Apply rate-limiting rules and security headers (CSP, HSTS)

SIEM Integration

  • Deploy centralized log collectors (Filebeat, Wazuh)
  • Use alert rules for failed logins, privilege escalations, config changes

Backups & Disaster Recovery

  • Schedule regular, encrypted backups
  • Store offsite (e.g., S3, GCS, external drive)
  • Periodically test restores

VPN Access Control

  • Deploy a VPN such as WireGuard or OpenVPN
  • Restrict SSH/RDP access via VPN-only routes
  • Disable direct public IP access to sensitive services
