If your server (VPS or dedicated) has been hacked, there is a simple parameter change you an make that will vastly improve its security. It takes a couple steps to login, but it will protect you against brute force attacks, keyloggers, and other attacks. And you have a couple of options.
Passwords Suck
It’s 2024 and we’re still using passwords. We were using them in 1960 and here we are. Still.
And people are still picking bad passwords. If your password is 4VZ3rqii9A7@aFUHDQLJggDNsQNbsJ8vJ8bq.aGwB2ed-t26fudkc2B6s.PzC4ut7tTzFMX3yz*ZJ9yc*ve-2ZKfA4-oUuMEBEiw, that’s a lot better than monkey123. But even then, people have a habit of reusing passwords. You know how it goes: sure, you’ve got a password manager, but you’re on a different box and you need to reset your password on a forum or site so you use something familiar. Then a month later, that forum is compromised, the hacker steals the logs, sees you’re using a datacenter IP, realizes you’re coming from a VPN setup on your VPS, and logs in to your system as you with that password. Pawned.
Or you sign up for a host and have to set your password in their panel. Then there’s a leak and now the attacker has your root password…
So many problems. But we can fix this.
Option 1: Two Factor Authentication with Google Authenticator
Yes, it’s not just for your bank anymore! We did an article on using Google Authenticator with your VPS and it works great. Works for panel console connections, too, to close the “someone hacked my provider’s panel” exposure.
This setup eliminates password vulnerability. Even if someone knows your password, they need to have access to your Google Authenticator (which itself is normally protected by your phone’s security, such as a pin, passcode, thumb print, FaceID, etc.)
Option 2: Two Factor Authentication with SSH Keys
Before things such as authenticators were available (or at least before they were free and unencumbered of RSA patents), there were SSH keys. These are easy to setup. At a high level:
- Generate an SSH key pair
- Place the public key in your server account’s authorized_keys file
- Disable password-only logins
We’ve done a three-part tutorial on this. Before you say “OMG, three tutorials,” the commands are simple but we fleshed it out with explanations and verbose examples to guide you.
In Part One, we cover generating keys. In Part Two, we show you how to login using these keys. And then we conclude in Part Three with a step-by-step showing you how to turn off password logins.
Related Posts:
I also enjoy using LEBs! I have an empire of little guys for VPNs, larger guys for apps, and big guys for databases and storage. When I'm not in front a screen I'm into German Shepherd dogs, quality knives, target shooting, theology, tabletop roleplaying games, and forest hiking.
I enjoy writing technical articles here on LowEndBox to help people get more out of their systems. You can find me on LowEndTalk @raindog308
An interesting alternative to Google Authenticator is Duo.
In the past I used Duo to secure RDP logins but I think it also works in Linux SSH login.
It normally works online with push to mobile but also has an offline OTP backup.
The free version allows up to 10 users.
https://duo.com/editions-and-pricing/duo-free
Come on, just use a god-damn password manager like Bitwarden: https://bitwarden.com/
*I forgot to mention that not only Bitwarden supports password generation, but also 2FA (TOTP) and recently, passkey support. It solves all the problem that this post mentioned at one go. I can self-host Bitwarden myself, just did so with fly.io, It’s just really simple with their new unified Docker setup that just need one image! And you have Sqlite, Mysql, Postgres, or the OG SQL Server as database transport. Right now, I did it with their free plan, so it is basically self-hosted Bitwarden free forever (unless they went under which I doubt at this point)
A new blog post is coming the way if anyone is interested. (Oh wait I didn’t got my blog setup yet)