LowEndBox - Cheap VPS, Hosting and Dedicated Server Deals

My Server Was Getting Constantly Hacked Until I Changed This One Parameter

Hacker at WorkIf your server (VPS or dedicated) has been hacked, there is a simple parameter change you an make that will vastly improve its security.  It takes a couple steps to login, but it will protect you against brute force attacks, keyloggers, and other attacks.  And you have a couple of options.

Passwords Suck

It’s 2024 and we’re still using passwords.  We were using them in 1960 and here we are.  Still.

And people are still picking bad passwords.  If your password is 4VZ3rqii9A7@aFUHDQLJggDNsQNbsJ8vJ8bq.aGwB2ed-t26fudkc2B6s.PzC4ut7tTzFMX3yz*ZJ9yc*ve-2ZKfA4-oUuMEBEiw, that’s a lot better than monkey123.  But even then, people have a habit of reusing passwords.  You know how it goes: sure, you’ve got a password manager, but you’re on a different box and you need to reset your password on a forum or site so you use something familiar.  Then a month later, that forum is compromised, the hacker steals the logs, sees you’re using a datacenter IP, realizes you’re coming from a VPN setup on your VPS, and logs in to your system as you with that password.  Pawned.

Or you sign up for a host and have to set your password in their panel.  Then there’s a leak and now the attacker has your root password…

So many problems.  But we can fix this.

Option 1: Two Factor Authentication with Google Authenticator

Yes, it’s not just for your bank anymore!  We did an article on using Google Authenticator with your VPS and it works great.  Works for panel console connections, too, to close the “someone hacked my provider’s panel” exposure.

This setup eliminates password vulnerability.  Even if someone knows your password, they need to have access to your Google Authenticator (which itself is normally protected by your phone’s security, such as a pin, passcode, thumb print, FaceID, etc.)

Option 2: Two Factor Authentication with SSH Keys

Before things such as authenticators were available (or at least before they were free and unencumbered of RSA patents), there were SSH keys.  These are easy to setup.  At a high level:

  1. Generate an SSH key pair
  2. Place the public key in your server account’s authorized_keys file
  3. Disable password-only logins

We’ve done a three-part tutorial on this.  Before you say “OMG, three tutorials,” the commands are simple but we fleshed it out with explanations and verbose examples to guide you.

In Part One, we cover generating keys.  In Part Two, we show you how to login using these keys.  And then we conclude in Part Three with a step-by-step showing you how to turn off password logins.







  1. Peter:

    An interesting alternative to Google Authenticator is Duo.
    In the past I used Duo to secure RDP logins but I think it also works in Linux SSH login.
    It normally works online with push to mobile but also has an offline OTP backup.

    The free version allows up to 10 users.

    February 9, 2024 @ 3:27 pm | Reply
  2. Stefan:

    Come on, just use a god-damn password manager like Bitwarden: https://bitwarden.com/

    February 10, 2024 @ 2:56 pm | Reply
    • Stefan:

      *I forgot to mention that not only Bitwarden supports password generation, but also 2FA (TOTP) and recently, passkey support. It solves all the problem that this post mentioned at one go. I can self-host Bitwarden myself, just did so with fly.io, It’s just really simple with their new unified Docker setup that just need one image! And you have Sqlite, Mysql, Postgres, or the OG SQL Server as database transport. Right now, I did it with their free plan, so it is basically self-hosted Bitwarden free forever (unless they went under which I doubt at this point)

      A new blog post is coming the way if anyone is interested. (Oh wait I didn’t got my blog setup yet)

      February 10, 2024 @ 11:25 pm | Reply

Leave a Reply

Some notes on commenting on LowEndBox:

  • Do not use LowEndBox for support issues. Go to your hosting provider and issue a ticket there. Coming here saying "my VPS is down, what do I do?!" will only have your comments removed.
  • Akismet is used for spam detection. Some comments may be held temporarily for manual approval.
  • Use <pre>...</pre> to quote the output from your terminal/console, or consider using a pastebin service.

Your email address will not be published. Required fields are marked *