If you haven't already, Sign up for BitLaunch here to quickly create an anonymous VPS.

An anonymous VPS can do a lot for your privacy, whether you're blogging about something controversial, providing a service that's typically frowned upon, or are just a private person. However, the privacy of your server is directly linked to its security – if an unauthorized party gains access, they may be able to extract any personally identifying information you've left behind.

At BitLaunch, we put a lot of work into making our servers secure, but there are also some steps you can take to ensure your anonymous VPS remains just that. In most cases, these changes take only a few minutes but could save you from major headaches down the line.

Keep Your Anonymous VPS Updated

It almost goes without saying, but keeping your server updated is vital for maintaining its safety over time. The security landscape is ever-evolving and new threats and vulnerabilities emerge. Whether it's a critical vulnerability or a minor software one, keeping up with the latest security patches will give you the best possible chance at survival. In many cases, vulnerabilities are patched before they even become public, so frequent updates ensure your system is safe before they're announced, instead of after attackers already know about them.

The exact method to update and deploy security patches will depend on your distribution. Ubuntu users, for example, should get in the habit of running sudo apt update and sudo apt upgrade whenever they SSH into their VPS, followed by sudo reboot to apply any kernel updates. Generally, you should make sure updates don't have any serious reported issues before applying them.

If you don't log in to your system regularly, automatic security updates can be a good idea. In Ubuntu 20.04, you can enable automatic updates via unattended upgrades:

sudo apt-get install unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades

You can then runt through the interactive installer to configure your options. For CentOS, you should be using yum-cron.

However, it's worth noting that whatever your distribution, automatic updates can have disadvantages. As the system does not automatically restart, users may assume they're safe when in reality kernel updates have not been applied. They can also lead to downtime of services, which can cause problems if you rely on them 24/7. Finally, some packages can have bugs and you won't be able to vet them before they're installed. As a result, it's often best to limit automatic updates to security ones.

Don't Log In as Root

The default user given to BitLaunch customers is root, giving you the privileges required to configure your server to your heart's content. However, it's good security practice to create a limited account that has to ask for permission via sudo to do any administrative tasks. You should then use that account each time you use your anonymous VPS.

In Ubuntu, type:

adduser limited_user

Enter a secure, unique password, then type add user limited_user sudo to add it to the administrator group.

In CentOS, you can perform the same functions with the commands:

useradd limited_user && passwd limited_user
usermod -aG wheel example_user

Type exit on either distribution to log out after creating the user, then replace root with the new user in your SSH client.

Keep your SSH Access Secure with an SSH Key

You'll have noticed that BitLaunch's anonymous VPS service uses a password for SSH connection by default for convenience's sake. However, we recommend the creation of an SSH key instead as they aren't sent to the server and their 4096 bit length makes brute force attacks all but impossible.

You can follow our previous guide to create an SSH key using the open-source PuTTy and this one to find out how to create a key and add it to your BitLaunch account.

After creating a limited account and testing your SSH key, it's a good idea to make some changes to the SSH daemon for further protection. Now that you have SSH key authentication set up, you can disable SSH password logins and root login by editing the /etc/ssh/sshd_config file with your favorite text editor:

cd /etc/ssh
nano sshd_config

Add the following line under # Authentication to turn off root login via SSH:

PermitRootLogin no

You can instead use sudo to run commands or su - root followed by the password from your limited user.

Under # To disable tunneled clear text passwords, change to no here!, modify the line to the following:

PasswordAuthentication yes

If you only use IPv4 or IPv6 to connect your SSH into your server, rather than both, you can also disable the one you don't use. Look for the #Port 22 comment and modify the line under it from AddressFamily any to:

AddressFamily inet for IPv4 only

OR

AddressFamily inet6 for IPv6 only.

You'll want to restart your SSH service with sudo systemctl restart sshd or sudo service sshd restart if you're on CentOS 6/Ubuntu 14.04.

To harden your SSH further, configure Fail2Ban using our previous guide to ban IP addresses from logging into your anonymous VPS after too many failed attempts.

Configure Your Firewall

Though attackers these days have the ability to get around a firewall, they present another barrier to access, preventing network mapping and acting in combination with the other techniques we mentioned to prevent intrusions.

A properly configured firewall will only allow the traffic necessary for your anonymous VPS' operation, denying everything else. In most Linux distributions, this can be achieved via the use of Iptables. FirewallID is used for iptables configuration on CentOS/Fedora, while UFW is used for Debian and Ubuntu for easier management.

Scrutinize Your Network Services

Your Linux distribution is likely running various network-facing services that you don't need. These can be removed to give an attacker fewer avenues for attack without affecting your operation.

You can type sudo ss -atpu to get a list of running network services:

List of network services in the command line via atpu

You should make sure you don't remove your SSH service (sshd), and also avoid the removal of system services like dnsmasq and systemd-resolved. They rarely listen outside of localhost anyway. You should remove services that you're no longer using, though.

In our case, some of our Plex Media Server services further down are listening for any incoming IP address on any port (*:*). We're no longer using the VPS as a media server, so we can remove the listening service with:

sudo apt purge plexmediaserver

We can then check our services with sudo ss -atpu again to verify the removal:

The services output in command line via atpu

Conclusion

Performing the basic steps above will significantly improve the security of your anonymous VPS, but you may want to harden it further depending on your use case with intrusion detection software, by modifying the permissions of certain files, and more.

We also recommend that you enable two-factor authentication for your BitLaunch account and regularly check the account history for suspicious logins. More generally, developing a security-first mindset for everything you do on your server will ensure you don't trade safety for convenience. So update any passwords regularly and keep an eye on the latest security news.

Need a VPS provider that cares about protecting you? Sign up for BitLaunch here.