Hello everyone!
With cyber-morons trying to attack people’s Virtual Private Servers, securing your own becomes more and more vital nowadays. In this little tutorial, I will show you how you can secure your CyberPanel VPS from anyone trying to gain SSH access to it.
First and foremost, regardless of the distro you have on your VPS, CyberPanel uses RedHat’s FirewallD. It is more expansive than UFW, but it is also much easier to lock yourself out of your system if it’s not configured correctly.
A few words on FirewallD first.
FirewallD works with a variety of pre-defined zones (you can also add your own, but it is not necessary). The one we shall need is the Public zone. When you make a change, FirewallD applies it to its current configuration, also known as the runtime configuration. What that means is that the next time you reboot your VPS, those settings will disappear. Thus, when issuing commands to FirewallD, it is important to tell it to apply them to its Permanent configuration as well.
So, let’s get started!
SSH into your VPS as you normally would, via your non-root user. Once you’re in, go right ahead and become root by typing:
sudo su -
Your first step is to select a new port. Jot it down: a system has exactly 65535 ports, so it’s easy to forget. Since this forum is public, I will not give you a recommended range. Just jot down a number between 20,000 and 65,000. We shall call this Port_Number.
Now, time to apply that Port_Number to your SSH configuration first.
nano /etc/ssh/sshd_config
Near the top of the file, you will find:
#Port 22
Remove the # symbol and replace the 22 with your desired Port_Number.
Once done, hit CTRL+O and Enter to save. Then, press CTRL+X to exit.
Don’t restart the SSH service just yet. We’ll need to talk to Mr. Firewall first.
What we will need to do is open up the Port_Number you selected (never make it public for any reason) and then shut down Port 22.
To add the new port:
firewall-cmd --zone=public --permanent --add-port=Port_Number/tcp
Remember to replace Port_Number with your actual number.
Once you execute it, the new port will be open.
To remove the SSH default port 22:
firewall-cmd --zone=public --permanent --remove-port=22/tcp
This will close the default port.
Now you can execute:
systemctl restart sshd
systemctl restart firewalld
Once that is done, you can safely exit by typing exit and hitting Enter twice: once to leave root mode and once to disconnect.
From then on, you connect to your VPS by declaring your new port; otherwise, the client will keep trying port 22, which is now disabled. The command to enter your VPS via the new port is:
ssh -p Port_Number username@IP_Address
Replace Port_Number with your selected port, username with the non-root user you have on your VPS, and IP_Address with the IP address of your VPS.
You should be all set and even more secure than before.
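A check that can be run just before the restart step above, so that a mistyped Port line or a missing firewall entry is caught while the current session is still open. This is an added example, not part of the original tutorial; the function names (sshd_ports, port_open, preflight) and the sample values such as port 41022 are made up for illustration.

```bash
#!/usr/bin/env bash
# Added example: lock-out check to run before "systemctl restart sshd".
# On the VPS, as root:
#   preflight /etc/ssh/sshd_config "$(firewall-cmd --permanent --zone=public --list-ports)"

# Print each Port value set in the given sshd_config file. The keyword is
# case-insensitive, commented lines are skipped, and the default is 22.
sshd_ports() {
    awk 'tolower($1) == "port" { print (NF > 1 ? $2 : "missing"); found = 1 }
         END { if (!found) print 22 }' "$1"
}

# Succeed if PORT/tcp is covered by a "firewall-cmd --list-ports" style list,
# which holds single ports and ranges such as 40110-40210/tcp.
port_open() {
    local port=$1 entry range lo hi
    shift
    for entry in $*; do
        [ "${entry##*/}" = tcp ] || continue
        range=${entry%/*}
        lo=${range%-*}
        hi=${range#*-}
        [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ] && return 0
    done
    return 1
}

# Return 0 only if every Port value in the sshd config is a valid port number
# that the firewall list already allows.
preflight() {
    local config=$1 fw_ports=$2 p
    for p in $(sshd_ports "$config"); do
        case $p in
            ''|*[!0-9]*) echo "invalid Port value: $p"; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "port $p is out of range"; return 1
        fi
        port_open "$p" "$fw_ports" || { echo "port $p is not open"; return 1; }
    done
    echo "ok: firewall allows every sshd port"
}

# Constructed sample input (not taken from a real server).
demo_cfg=$(mktemp)
printf '#Port 22\nPort 41022\n' > "$demo_cfg"
preflight "$demo_cfg" "80/tcp 443/tcp 40110-40210/tcp 41022/tcp"
rm -f "$demo_cfg"
```

The call shown in the comment reads the permanent configuration, which is what the --permanent commands above write to and what FirewallD loads when it is restarted. Running sshd -t as well checks the edited file for syntax errors.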