VPS security, Nginx configuration, UFW, users, and SSH login

Prerequisites

This guide needs nginx and docker. If they are not already installed, run the following command:

sudo apt update && sudo apt install nginx docker.io -y

Or check if they are installed:

docker --version && nginx -v

Initial user configuration

Never work as the root user. Let's create a new user and give them administrator rights.

  • Adding a user:

    adduser user  # Replace 'user' with your name

    The output will look like this: Adding user ‘user’ ... Enter new UNIX password: (enter your password; characters will not be displayed).

  • Granting privileges and checking:

    usermod -aG sudo user
    groups user

    Expected output: user : user sudo.

Configuring SSH key authentication

Key-based login is the most reliable way to protect against password brute-force attacks.

  1. If you already have an SSH key on your computer, simply send it to the server:

    ssh-copy-id user@server_ip
  2. If you don't have a key, create one:

    ssh-keygen -t ed25519 -C "user@vps"
    # Then send it to the server using the ssh-copy-id command above

Disabling password login and root access

Now, let's disable any other login methods except for your key.

  1. Open the config file: sudo nano /etc/ssh/sshd_config

  2. Find and change (or add) the following lines:

    • PermitRootLogin no - prohibits direct SSH login as root;
    • PasswordAuthentication no - disables logging in to the server with a regular password;
    • ChallengeResponseAuthentication no - disables challenge-response authentication;
    • UsePAM no - disables the use of PAM (Pluggable Authentication Modules) for SSH.
  3. Restart the service: sudo systemctl restart ssh

Now, when you try to log in as root, you will see: root@ip: Permission denied (publickey).

Configuring the Firewall (UFW)

The firewall blocks all ports except those that we allow.

Port | Protocol | Purpose | Why is this important?
22   | TCP      | SSH     | Required! Without it, you will lose connection to the server.
80   | TCP      | HTTP    | Standard port for Nginx.
443  | TCP      | HTTPS   | Secure port for SSL traffic.

For greater security, change the SSH port to a non-default one, and allow that new port in UFW before you restart sshd, or you will lose access to the server!

Configuring UFW:

sudo ufw allow 22/tcp   # allow SSH first, so enabling the firewall cannot lock you out
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable
sudo ufw status

The output of the status command should look like this (80/tcp and 443/tcp appear as further rows):

Status: active
To Action From
-- ------ ----
22/tcp ALLOW Anywhere
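The following script is an added example, not code from the original article: it applies the sshd_config changes and the UFW rules from the two sections above in an order that cannot lock you out. It assumes Ubuntu with OpenSSH 8.2 or newer, where /etc/ssh/sshd_config includes /etc/ssh/sshd_config.d/*.conf, so the settings go into a drop-in file (the name 99-hardening.conf and all function names are my own choices) instead of being edited with nano.

```shell
#!/usr/bin/env bash
# Added example, not part of the original article. Assumes Ubuntu with
# OpenSSH >= 8.2, whose /etc/ssh/sshd_config starts with
# "Include /etc/ssh/sshd_config.d/*.conf": sshd keeps the first value it
# reads for a keyword, so a drop-in file overrides the main config.
set -eu

# Write the article's sshd directives to a drop-in file.
# $1 = destination path, $2 = SSH port (default 22).
write_sshd_dropin() {
  local dest="$1" port="${2:-22}"
  cat > "$dest" <<EOF
Port $port
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
EOF
}

# Print the value sshd would use for a keyword in one file: first match
# wins, the keyword is case-insensitive, commented lines are ignored.
# (Only the "Keyword value" form is handled, not "Keyword=value".)
effective_sshd_value() {
  local k; k=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  awk -v k="$k" 'tolower($1) == k { print $2; exit }' "$1"
}

# Apply the changes for real (run as root). The order is what prevents a
# lock-out: validate the config, open the SSH port in UFW, and only then
# enable the firewall and restart sshd.
apply_hardening() {
  local port="${1:-22}"
  write_sshd_dropin /etc/ssh/sshd_config.d/99-hardening.conf "$port"
  sshd -t                     # syntax check; set -e aborts on a bad config
  ufw allow "${port}/tcp"
  ufw allow 80/tcp
  ufw allow 443/tcp
  ufw --force enable          # --force answers the interactive prompt
  systemctl restart ssh
  ufw status
}

# Nothing is changed unless explicitly requested, e.g.:
#   sudo APPLY=1 ./harden.sh 2222
if [ "${APPLY:-0}" = 1 ]; then
  apply_hardening "${1:-22}"
fi
```

Run it once without APPLY=1 to confirm it parses, then with APPLY=1 and the port you chose; effective_sshd_value lets you verify any file the same way sshd reads it.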

React2Shell vulnerability in Next.js

React2Shell is a critical vulnerability that allows attackers to execute their code on your server via React forms. 69% of all cloud instances on Next.js are at risk.

How to check for a compromise?

Check the running processes and the files on disk. Suspicious signs:

  • Files in the system: ssh.sh, sex.sh, kai.tar.gz, httd.
  • The xmrig process (a cryptocurrency miner that loads the CPU to 100%).
    • You can check this with the top or htop command.

Ways to protect yourself

  1. Update Next.js: Urgently update to secure versions: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7.

  2. Node.js 24: Use the new Node permissions model to restrict file access.

  3. Secure Docker:

    • Run containers with the --read-only flag.
    • Remove root execution from the Dockerfile; use USER node.
    • Restrict the container's access to internal resources only (whitelist).
  4. If you have been hacked: remove infected subdirectories/containers, clear caches, and be sure to change all secret keys and passwords.
