Added: vps secure setup

Author: imShakil

projects/secure-vps/Fail2ban-to-discord-alerts.md

@@ -0,0 +1,104 @@
+# Fail2Ban Alerts to Discord
+
+A simple guide to setup fail2ban action for sending an alert message to discord channel.
+
+1. Create a Discord Webhook
+   - Go to your Discord Server → Select a channel.
+   - Click Edit Channel → Integrations → Webhooks → New Webhook.
+   - Name it (ex: Fail2Ban Alerts) and copy the Webhook URL.
+   - Example: `https://discord.com/api/webhooks/1234567890/abcdefghijklmnopqrstuvwxyz`
+
+2. Create the Discord Notification Script
+   - install `jq`:
+
+     ```bash
+     sudo apt install jq
+     ```
+
+   - Create the file `/usr/local/bin/fail2ban-discord.sh`:
+
+      ```bash
+      #!/bin/bash
+      
+      JAIL="$1"
+      IP="$2"
+      MATCHES="$3"
+      
+      WEBHOOK_URL="YOUR-WEBHOOK-URL"
+      
+      HOSTNAME=$(hostname)
+      TIMESTAMP=$(date "+%Y-%m-%d %H:%M:%S")
+      
+      MESSAGE="** Fail2Ban Alert**
+      **Server:** ${HOSTNAME}
+      **Time:** ${TIMESTAMP}
+      **Jail:** \`${JAIL}\`
+      **Banned IP:** \`${IP}\`
+      **Reason:** ${MATCHES}"
+      
+      # Send to Discord
+      curl -s -H "Content-Type: application/json" \
+           -X POST \
+           -d "$(jq -nc --arg content "$MESSAGE" '{content: $content}')" \
+           "$WEBHOOK_URL"
+      ```
+
+   - Make it executable:
+
+      ```bash
+      sudo chmod +x /usr/local/bin/fail2ban-discord.sh
+      ```
+
+3. Create a Custom Fail2Ban Action
+
+   - Create `/etc/fail2ban/action.d/discord-ban.conf`:
+
+     ```ini
+      [Definition]
+      actionstart =
+      actionstop =
+      actioncheck =
+      actionban = /usr/local/bin/fail2ban-discord.sh "<name>" "<ip>" "<matches>"
+      actionunban =
+     ```
+
+4. Apply It in Jail Config
+   - Edit /etc/fail2ban/jail.local or create if not existing:
+
+      ```ini
+      [sshd]
+      enabled = true
+      port = ssh
+      logpath = /var/log/auth.log
+      maxretry = 3
+      findtime = 600
+      bantime = 3600
+      action = discord-ban
+      ```
+
+5. Restart fail2ban
+
+      ```bash
+      sudo systemctl restart fail2ban
+      ```
+
+6. Test
+
+     To test, you can intentionally trigger a failed login from a different IP or use:
+
+      ```bash
+      sudo fail2ban-client set sshd banip 192.168.0.1
+      ```
+
+All are done!. You should receive an alert in your Discord channel like below.
+
+```text
+Fail2Ban Alert
+Server: srv627828
+Time: 2025-05-29 00:06:40
+Jail: sshd
+Banned IP: 191.7.190.74
+Reason: May 28 23:53:53 srv627828 sshd[52304]: Invalid user katarina from 191.7.190.74 port 44770
+May 28 23:53:53 srv627828 sshd[52304]: Failed password for invalid user katarina from 191.7.190.74 port 44770 ssh2
+May 29 00:06:39 srv627828 sshd[52915]: Failed password for postfix from 191.7.190.74 port 30736 ssh2
+```

projects/secure-vps/README.md

@@ -1,91 +1,32 @@
-# Fail2Ban Alerts to Discord
-A simple guide to setup fail2ban action for sending an alert message to discord channel.
+# Secure VPS From Bruteforce SSH Attack
 
-1. Create a Discord Webhook
-   - Go to your Discord Server → Select a channel.
-   - Click Edit Channel → Integrations → Webhooks → New Webhook.
-   - Name it (ex: Fail2Ban Alerts) and copy the Webhook URL.
-   - Example: `https://discord.com/api/webhooks/1234567890/abcdefghijklmnopqrstuvwxyz`
+## Secure SSH connection
 
-2. Create the Discord Notification Script
-   - install `jq`:
-     ```bash
-     sudo apt install jq
-     ```
-   - Create the file `/usr/local/bin/fail2ban-discord.sh`:
-      ```bash
-      #!/bin/bash
-      
-      JAIL="$1"
-      IP="$2"
-      MATCHES="$3"
-      
-      WEBHOOK_URL="YOUR-WEBHOOK-URL"
-      
-      HOSTNAME=$(hostname)
-      TIMESTAMP=$(date "+%Y-%m-%d %H:%M:%S")
-      
-      MESSAGE="** Fail2Ban Alert**
-      **Server:** ${HOSTNAME}
-      **Time:** ${TIMESTAMP}
-      **Jail:** \`${JAIL}\`
-      **Banned IP:** \`${IP}\`
-      **Reason:** ${MATCHES}"
-      
-      # Send to Discord
-      curl -s -H "Content-Type: application/json" \
-           -X POST \
-           -d "$(jq -nc --arg content "$MESSAGE" '{content: $content}')" \
-           "$WEBHOOK_URL"
-      ```
-    - Make it executable:
-      ```bash
-      sudo chmod +x /usr/local/bin/fail2ban-discord.sh
-      ```
-3. Create a Custom Fail2Ban Action
-   - Create `/etc/fail2ban/action.d/discord-ban.conf`:
-     ```ini
-      [Definition]
-      actionstart =
-      actionstop =
-      actioncheck =
-      actionban = /usr/local/bin/fail2ban-discord.sh "<name>" "<ip>" "<matches>"
-      actionunban =
-     ```
-    
-4. Apply It in Jail Config
-   - Edit /etc/fail2ban/jail.local or create if not existing:
-      ```ini
-      [sshd]
-      enabled = true
-      port = ssh
-      logpath = /var/log/auth.log
-      maxretry = 3
-      findtime = 600
-      bantime = 3600
-      action = discord-ban
-      ```
-5. Restart fail2ban
-     ```bash
-     sudo systemctl restart fail2ban
-     ```
+1. Disbaled password based authentication and Make sure PublicKey based Authentication is enabled:
 
-6. Test
+    ```ini
+    PasswordAuthentication no
+    PubkeyAuthentication yes
+    ```
 
-     To test, you can intentionally trigger a failed login from a different IP or use:
-     ```bash
-     sudo fail2ban-client set sshd banip 192.168.0.1
-     ```
+2. Better to keep root login disabled:
 
-All are done!. You should receive an alert in your Discord channel like below.
+    ```ini
+    PermitRootLogin no
+    ```
 
-```text
-Fail2Ban Alert
-Server: srv627828
-Time: 2025-05-29 00:06:40
-Jail: sshd
-Banned IP: 191.7.190.74
-Reason: May 28 23:53:53 srv627828 sshd[52304]: Invalid user katarina from 191.7.190.74 port 44770
-May 28 23:53:53 srv627828 sshd[52304]: Failed password for invalid user katarina from 191.7.190.74 port 44770 ssh2
-May 29 00:06:39 srv627828 sshd[52915]: Failed password for postfix from 191.7.190.74 port 30736 ssh2
-```
+    Alternatively, you can allow ssh-key based authentication for root user:
+
+    ```ini
+    PermitRootLogin prohibit-password
+    ```
+
+3. If it's still asking password when key doesn't match then forecuflly disabled by setting:
+
+    ```ini
+    AuthenticationMethods publickey
+    ```
+
+4. Finally, If possible change the default port `22` to something else. It's hard to guess someone which port ssh using in this case. Checkout [sshd_config](./setup-sshd-config.md)
+
+5. (Optional): Use third party tool `fail2ban` to monitor and ban IP from suspect attack. See [How to Setup Fail2ban and connect with Discord](./Fail2ban-to-discord-alerts.md) to block IP and sending alert as action.

projects/secure-vps/setup-sshd-config.md

@@ -0,0 +1,130 @@
+# Secure SSH Connection
+
+```ini
+#AllowUsers fpt gitlab
+
+# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
+
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options override the
+# default value.
+
+Include /etc/ssh/sshd_config.d/*.conf
+
+Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+PubkeyAuthentication yes
+
+# Expect .ssh/authorized_keys2 to be disregarded by default in future.
+AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication no
+#PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+PrintMotd no
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+# override default of no subsystems
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#X11Forwarding no
+#AllowTcpForwarding no
+#PermitTTY no
+#ForceCommand cvs server
+PermitRootLogin no
+# yes prohibit-password
+AuthenticationMethods publickey
+```