I usually keep a close eye on my server's security, but I made a mistake this time. In the past, when setting up my cloud servers, the firewall settings were strict and only allowed traffic on port 443, which I would often remove. But I switched cloud providers and didn't realize that their default settings were much more lenient—essentially allowing all incoming traffic by default unless specified otherwise.
On this new VM, the firewall (ufw) blocks all incoming traffic except SSH. I've configured SSHD for public key authentication only, and thankfully, the logs show that only my key and IP have been successful, despite seeing tens of thousands of failed attempts.
Now I'm wondering if I should be worried about security. Given how much work it would take to delete the server, is it necessary? Also, I'm concerned about whether any non-SSH services might bypass ufw, since I know Docker can do this. Are there any other potential vulnerabilities in a default Ubuntu server installation? I acknowledge that I could check iptables and logs, but if someone compromised the server, they might erase any evidence. The server doesn't hold anything critical and is fairly isolated, but I'm still worried about malware spreading through web pages accessed.
5 Answers
No major concerns here! Using keypair logon on an updated system is pretty secure against regular hacking attempts. Unless there's a nasty zero-day exploit (which isn't common in OpenSSH), you should be good.
SSH with private key authentication is quite secure, even more so than many VPNs that use just a username and password. Just change your SSH port from 22 to something less common, like 4639, to cut down on random connection attempts. Adding Fail2Ban would also help tighten security further.
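As an added example (not part of this thread, and not the code of anyone answering here), the script below checks the two things these answers rest on: that sshd is really key-only as sshd itself resolves it, and who actually logged in. It reads the output of `sshd -T`, which prints the effective configuration after `Include` and `Match` processing, so a `PasswordAuthentication yes` dropped into /etc/ssh/sshd_config.d/ by a cloud image (on Ubuntu that directory is included before the main file and wins) does not go unnoticed, and it summarizes standard sshd "Accepted"/"Failed" log lines by user, IP and key fingerprint. The `sshd -T` output and log lines embedded below are constructed samples; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread. The sample inputs are constructed.
# On a real Ubuntu host, feed the functions live data instead:
#   sudo sshd -T | audit_sshd
#   sudo journalctl -u ssh --no-pager | summarize_auth_log   (or: sudo cat /var/log/auth.log | summarize_auth_log)

# audit_sshd: read `sshd -T` output (effective settings, Include/Match resolved)
# on stdin. Prints one WEAK line per risky setting; returns 1 if any, else 0.
audit_sshd() {
    weak=0
    while read -r key val; do
        case "$key" in
            passwordauthentication|kbdinteractiveauthentication|challengeresponseauthentication|permitemptypasswords|permitrootlogin)
                if [ "$val" = "yes" ]; then echo "WEAK: $key $val"; weak=1; fi ;;
            pubkeyauthentication)
                if [ "$val" = "no" ]; then echo "WEAK: $key $val"; weak=1; fi ;;
            port)
                echo "INFO: sshd listens on port $val" ;;
        esac
    done
    return $weak
}

# summarize_auth_log: read sshd log lines on stdin; print accepted logins
# (method, user, source IP, key fingerprint) and failed attempts per source IP.
summarize_auth_log() {
    awk '
        /sshd\[[0-9]+\]: Accepted / {
            # "Accepted publickey for alice from 203.0.113.5 port 51022 ssh2: ED25519 SHA256:..."
            for (i = 1; i <= NF; i++) if ($i == "Accepted") {
                method = $(i+1); user = $(i+3); ip = $(i+5)
                fp = (NF >= i+10) ? $(i+10) : "-"   # no fingerprint for password logins
            }
            acc[method " " user " " ip " " fp]++
        }
        /sshd\[[0-9]+\]: Failed / {
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i+1)
            fail[ip]++
        }
        END {
            for (k in acc)  printf "ACCEPTED %s x%d\n", k, acc[k]
            for (k in fail) printf "FAILED %s x%d\n", k, fail[k]
        }'
}

# Constructed sample: what `sshd -T` prints when a cloud-init drop-in re-enabled passwords.
SAMPLE_SSHD_T_WEAK="port 22
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication no
permitrootlogin prohibit-password
permitemptypasswords no"

# Constructed sample: a key-only configuration on a non-default port.
SAMPLE_SSHD_T_OK="port 4639
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no
permitrootlogin prohibit-password
permitemptypasswords no"

# Constructed sample log lines in the format sshd writes to the journal / auth.log.
SAMPLE_AUTH_LOG="Mar  3 10:01:12 vm sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 40112 ssh2
Mar  3 10:01:15 vm sshd[1203]: Failed password for root from 198.51.100.7 port 40118 ssh2
Mar  3 10:02:01 vm sshd[1210]: Failed publickey for root from 192.0.2.44 port 51000 ssh2: RSA SHA256:AAAA
Mar  3 10:05:40 vm sshd[1222]: Accepted publickey for alice from 203.0.113.5 port 51022 ssh2: ED25519 SHA256:BBBB
Mar  3 11:15:02 vm sshd[1301]: Accepted publickey for alice from 203.0.113.5 port 51100 ssh2: ED25519 SHA256:BBBB"

# Demo on the constructed samples.
printf '%s\n' "$SAMPLE_SSHD_T_WEAK" | audit_sshd || echo "=> fix the drop-in under /etc/ssh/sshd_config.d/, then: sudo systemctl restart ssh"
printf '%s\n' "$SAMPLE_AUTH_LOG" | summarize_auth_log
```

Compare the ACCEPTED fingerprints against `ssh-keygen -lf ~/.ssh/id_ed25519.pub` on your own machine: a key-only sshd with a single known fingerprint and a single known source IP is exactly the state the question describes. Failed counts from other IPs are the background noise Fail2Ban or a non-default port would reduce, not evidence of compromise.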
You probably don't need to delete the server. Just make sure to automate your deployment process to avoid manual errors in the future. That'll save you time and effort going forward!
Since no successful connections got through, you shouldn't be overly worried. But keep in mind that there might still be potential vulnerabilities with default settings on your server. It’s wise to check iptables. But if someone really wanted in, they could erase traces after a breach.
To your question about concern, I wouldn't worry too much. As long as you confirmed it’s set for key-based authentication and there's no compromise there, you're probably fine. But it is concerning that your cloud VPS host defaults to allowing all traffic! That needs to be looked at.