So I have a VPS, and I have no idea how to administer it. I understand one of the first things to do is secure it, and the first concrete step in that direction I've found so far is in moshen's comment:
Also, you should secure your SSH access as soon as possible. I recommend changing the default port, using key-based authentication and disabling password authentication and root logins (basically create a standard user account for you to log in with)
So far, all I know how to do is use my VPS provider's web interface to open a console with root access. So how do I follow moshen's advice?
Best Answer
That's the single biggest argument for managed hosting I've ever seen. Hacked servers are responsible for a large portion of the nonsense that makes the internet a bad place. Hosting phishing pages, spreading malware. If you're going to do this, I hope you do it properly.
To give you some sort of idea of the long term undertaking, I'd read through this: What Can Be Done To Secure Ubuntu Server? There are other questions like it on the site (dozens) with good answers but this one has some nice vast answers.
For SSH, I've been over all of these in long-form on my blog but the key points are:
fail2ban
.Just moving the port will deflect 99.99% of drive-by hacking attempts.
fail2ban
will stop any brute attempts from being viable. Forcing key-based auth means the number of guesses a brute would take is now in the range of billions of billions. Disabling root login and having a harder-to-guess username means they don't even have a username with which to start bruting: they have to brute for the username before they even get to the password element.This results in a fairly secure SSH server. There would have to be a pretty horrific exploit in it for people to get through it... But don't put all your focus on making the door as impenetrable as possible and then ignoring the open window.