Switching to unmanaged VPS: what all is involved

354 Views | 6 Replies | Last: 1 day ago by satexas
91AggieLawyer
So I have a couple of servers in house, so to speak. They work fine but I'm thinking of going online for several reasons. I have some experience in Linux/BSD server admin but literally none in the security aspects of it. I can update the servers with no problem but I'm not sure I understand networking well enough to close off all vulnerable access ports. I won't have terribly sensitive data on these servers (no SSNs, etc.) but there will be privileged docs I need to keep secure. No one will know what's there unless they get in and even then, they probably won't know what they're looking at as I keep things as cryptic as possible until the final few drafts and production docs. Obviously, anything that gets filed is open source anyway. I do client transactions via a separate, secure online portal.

What do I need to know to keep a VPS from becoming a hangout for nefarious individuals?
File5
Following!
danieljustin06
Look at using Tailscale. It's a VPN that allows you to act as if you're on your own network and not have to open any ports. You can then set up Nextcloud and connect that to Tailscale to be able to access it anywhere.
DAM
Using an AWS EC2 might be the way. It's closed off by default and you need to explicitly confirm the ports you want to open. Most other IaaS providers do the same.
aggiez03
Look into Fail2Ban which will ban an IP address if it enters wrong credentials X # of times, then you can set it up for SSH and other web ports.

Also, make sure you set up SSH access using SSH keys key/value pair and not using a password.

I haven't set this up on a VPS, but WireGuard is a superior solution to most VPNs and uses public and private key pairs for login security.

Have WireGuard on a work VPN router and can connect from home easily without a password, but no one else can.

I would suggest Digital Ocean or Linode. Have VPS on both of them.

You can get started for $5-6 per month for a basic server.
TxAggieBand85
danieljustin06 said:

Look at using Tailscale. It's a VPN that allows you to act as if you're on your own network and not have to open any ports. You can then set up Nextcloud and connect that to Tailscale to be able to access it anywhere.


2nd Tailscale here.

Likely free, secure and nothing exposed via open ports.
satexas
If you're trying to host a non-public server (no website, etc) that's just going to be file/document management/access for you and your company or private people ….

VPN in front of it for sure, then with natural firewall. Most online data center solutions like Vultr will offer this.

None of this has anything to do with what OS or Apps you're running on the server… that's secondary.
Reading this forum sometimes is like people that can't speak English well trying to differentiate between a "booty call" and a "butt dial".
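
An added example (not from any poster in this thread) for the original question of which ports a VPS actually exposes: it parses `ss -H -tln` output and lists TCP listeners bound to all interfaces or to a public address, skipping loopback and the 100.64.0.0/10 range that Tailscale assigns addresses from. The sample output, the function names and the `expected_ports` allowlist are constructed for illustration.

```python
import ipaddress

# Constructed sample of `ss -H -tln` output (not taken from a real host).
SAMPLE_SS = """\
LISTEN 0 128           0.0.0.0:22         0.0.0.0:*
LISTEN 0 4096        127.0.0.1:5432       0.0.0.0:*
LISTEN 0 4096    127.0.0.53%lo:53         0.0.0.0:*
LISTEN 0 511              [::]:80            [::]:*
LISTEN 0 4096  100.101.102.103:443        0.0.0.0:*
LISTEN 0 128                 *:8080             *:*
LISTEN 0 128             [::1]:631           [::]:*
"""

CGNAT = ipaddress.ip_network("100.64.0.0/10")  # range Tailscale assigns from


def scope(host):
    """Classify a bind address by who can reach it at the socket level."""
    host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface
    if host == "*":
        return "all-interfaces"
    ip = ipaddress.ip_address(host)
    if ip.is_unspecified:  # 0.0.0.0 or ::
        return "all-interfaces"
    if ip.is_loopback:
        return "loopback"
    if ip in CGNAT:
        return "vpn-overlay"
    return "private" if ip.is_private else "public"


def exposed_listeners(ss_output, expected_ports=()):
    """Return (address, port, scope) for listeners reachable from outside
    the host whose port is not in the expected_ports allowlist."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        # Split on the last colon so bracketed IPv6 addresses stay intact.
        host, _, port = fields[3].rpartition(":")
        kind = scope(host)
        if kind in ("all-interfaces", "public") and int(port) not in expected_ports:
            findings.append((host, int(port), kind))
    return sorted(findings, key=lambda f: f[1])


if __name__ == "__main__":
    for host, port, kind in exposed_listeners(SAMPLE_SS, expected_ports={22}):
        print(f"review: {host}:{port} bound to {kind}")
```

On a real host, pass the captured output of `ss -H -tln` instead of the sample. The result shows what the host binds, not what is reachable: a provider firewall or security group may still block a port listed here.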