VPS Hardening

Last updated 23 days ago

This guide collects the practices and tools a VPS operator can use to secure a Linux server, particularly one that is exposed to the internet or otherwise sits in a high-risk position, as a relay does.

It focuses on practical, executable steps: system hardening, SSH security, firewall configuration, intrusion prevention, and monitoring. All instructions were tested on Debian-based systems (Ubuntu in particular), with emphasis on clarity and maintainability.

For more advanced hardening in an automated script, take a look at ANyONe-secure-vm-hardening, a script created by a dedicated member of the Anyone Community. As with any script that runs as root, read it through before executing it on your relay.

Let's begin!

System Hardening and Updates

Full system update

Keeping the system fully updated closes known vulnerabilities and ensures every installed package runs with the latest security patches.

sudo apt update && sudo apt dist-upgrade -y

Reboot afterwards if a kernel update was installed. To apply security updates without manual intervention, install and enable the unattended-upgrades package, which pulls in patches from the security pocket on a daily timer.

Disable Unnecessary Services

Reducing your system's attack surface starts with turning off services that aren't needed. Unused services may expose ports or run vulnerable software unnecessarily.

Audit running services and disable those not in use:

sudo systemctl list-units --type=service --state=running

Then stop and disable any service you do not need (--now stops the unit immediately as well as disabling it at boot; mask it instead if another unit keeps pulling it back in):

sudo systemctl disable --now <service-name>

Services you can usually disable or mask on a server operating as a relay:

packagekit.service
    Back end for graphical package managers; not needed on a headless, CLI-managed VPS.

snapd.service
    Snap runs additional background daemons and mounts. It is often unwanted bloat on servers. (Remember to sudo apt purge snapd afterwards.)

snap.canonical-livepatch.canonical-livepatchd.service
    Livepatching is not typically used on minimal or ephemeral servers. (It is usually removed along with snapd.)

multipathd.service
    Multipath I/O is for SAN and other multi-path storage setups. Not needed on a cloud VPS or a simple disk configuration.

Services you should usually keep:

dbus.service
    The system message bus; required by systemd-logind, polkit and many utilities. Harmless and usually needed by other services.

getty@tty1.service
    Provides login on the local console. Optional in a headless environment, but the provider's out-of-band console normally attaches to it, which makes it your recovery path if SSH stops working; keep it.

networkd-dispatcher.service
    Runs hook scripts on systemd-networkd state changes (for example when DHCP brings an interface up); installed by default on Netplan-managed systems and harmless to keep.

polkit.service
    Authorization framework that lets unprivileged processes request privileged actions over D-Bus (sudo does not use it). Needed for desktop tools and for some systemctl and network operations by non-root users; may be safe to disable on a hardened CLI-only system.

ssh.service
    Keep for remote access.

systemd-networkd.service
    Manages network interfaces; critical for connectivity on minimal systems.

systemd-resolved.service
    Handles DNS; required unless you have switched to a custom resolver.

systemd-timesyncd.service
    Keeps the system clock accurate. Important for anon: the relay depends on correct time.

systemd-journald.service
    System logging; required!

systemd-logind.service
    Handles user logins and sessions; leave it.

systemd-udevd.service
    Manages device nodes; needed.

user@1000.service
    Your own user session (the number is your UID); leave it alone.
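
The lists above say what each service is for; the question that decides whether it belongs on an exposed relay is whether it listens on the network. The script below is an added example for this guide, not code from the Anyone docs or the anon software: it reads the output of ss -tulnp and reports every socket bound to a wildcard address (0.0.0.0, [::] or *) whose owning process is not on an allowlist, while ignoring loopback-only sockets such as the stub resolver. The ss output embedded in it is constructed; the rpcbind and avahi-daemon entries are there to have something to flag, and the process names on the allowlist (sshd, anon) are assumptions for the example.

```bash
#!/usr/bin/env bash
# Added example (not part of the Anyone docs or the anon software): list
# network-exposed listeners from `ss -tulnp` output so "disable unnecessary
# services" can be checked against what is actually reachable.
# Live use on the relay:  exposed_listeners "$(sudo ss -tulnp)" "sshd anon"
set -euo pipefail

# Constructed `ss -tulnp` output (not captured from a real host); the column
# layout follows iproute2. Note the "%lo" scope suffix on one resolver socket.
SAMPLE_SS=$(cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.54:53       0.0.0.0:*         users:(("systemd-resolve",pid=612,fd=15))
udp   UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*         users:(("systemd-resolve",pid=612,fd=13))
tcp   LISTEN 0      4096   0.0.0.0:52231       0.0.0.0:*         users:(("sshd",pid=901,fd=3))
tcp   LISTEN 0      4096   0.0.0.0:9001        0.0.0.0:*         users:(("anon",pid=1200,fd=8))
tcp   LISTEN 0      4096   0.0.0.0:111         0.0.0.0:*         users:(("rpcbind",pid=700,fd=4))
tcp   LISTEN 0      4096   [::]:52231          [::]:*            users:(("sshd",pid=901,fd=4))
udp   UNCONN 0      0      0.0.0.0:5353        0.0.0.0:*         users:(("avahi-daemon",pid=655,fd=12))
EOF
)

# exposed_listeners SS_OUTPUT "proc1 proc2 ..."
#   Prints "proto port process" for every wildcard-bound socket whose process
#   is not allowlisted. Loopback-bound sockets are skipped.
#   Returns 1 when at least one unexpected listener exists, 0 otherwise.
exposed_listeners() {
  local ss_out="$1" allowed="$2" out
  out=$(printf '%s\n' "$ss_out" | awk -v allowed=" $allowed " '
    $1 == "Netid" { next }                  # header line
    {
      addr = $5
      port = addr; sub(/.*:/, "", port)      # text after the last colon
      host = addr; sub(/:[^:]*$/, "", host)  # everything before it
      if (host != "0.0.0.0" && host != "[::]" && host != "*") next
      # process name sits inside users:(("name",pid=...,fd=...))
      proc = "?"
      if (match($0, /\(\("[^"]+"/)) proc = substr($0, RSTART + 3, RLENGTH - 4)
      if (index(allowed, " " proc " ")) next
      print $1, port, proc
    }' | sort -u)
  if [ -n "$out" ]; then
    printf '%s\n' "$out"
    return 1
  fi
  return 0
}
```

Anything the script prints is a candidate for the disable list above, or for a firewall rule if the service must stay; an empty result means every reachable port belongs to a process you chose to expose.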


SSH Security

SSH is the lifeline of remote management, so securing it is critical. Work through the steps in this section from one SSH session and keep that session open until you have confirmed that a second login works; a typo in sshd_config is the easiest way to lock yourself out of a VPS.

Change Default SSH Port

Changing the SSH port from the default 22 to a custom value (e.g., 52231) reduces the noise from automated scans and brute-force attempts. This is obscurity, not a security control: it keeps low-effort bots out of your logs, while the real protection comes from key-only authentication and Fail2Ban further down. Before restarting sshd, make sure the new port is permitted by your firewall and by any provider-level security group, or you will be locked out when the old port stops answering.

Edit sshd_config:

sudo nano /etc/ssh/sshd_config 

Look for #Port 22 and change it to any unused port; for the sake of this example we randomly selected 52231:

Port 52231

Then restart the SSH service.

sudo systemctl restart sshd.service

On Ubuntu 22.10 and later sshd is socket-activated, so the new port must also take effect on ssh.socket (reload the systemd configuration and restart the socket unit); otherwise sshd keeps listening on 22 regardless of sshd_config. Confirm which port is actually bound before closing your session.

Enable Login Banners

Login banners warn users that the system is monitored and restricted. They serve a legal or policy purpose by stating clearly that unauthorized access is prohibited; sshd shows the banner before authentication, so every connecting client sees it. The suggestion below comes from AskUbuntu.com: https://askubuntu.com/questions/420375/how-to-add-legal-banner-in-etc-issue-and-etc-issue-net-in-ubuntu

Edit /etc/issue.net with a warning message.

sudo nano /etc/issue.net

Replace the contents and save it with something like:

ALERT! You are entering a secured area! Your IP, Login Time, and Username have been noted and have been sent to the server administrator!
This service is restricted to authorized users only. All activities on this system are logged.
Unauthorized access will be fully investigated and reported to the appropriate law enforcement agencies.

Edit /etc/ssh/sshd_config and look for the banner option.

sudo nano /etc/ssh/sshd_config
# no default banner path
#Banner none

Set it to the updated issue.net file.

Banner /etc/issue.net

Restart the SSH service.

sudo systemctl restart sshd.service

Disable Root Login (Recommended)

Disabling direct root login via SSH takes the one account every scanner tries first out of play; see https://www.ssh.com/blog/ssh-key-scan-attack-honeypot for what typical SSH scanning looks like. Users authenticate with a non-root account and escalate privileges with sudo instead. Before changing this, confirm that your non-root user can log in and run sudo, or you lose root access to the server.

If you've followed the guide so far you already know how to edit /etc/ssh/sshd_config. Ubuntu's default is PermitRootLogin prohibit-password, which still lets root log in with a key; set it to:

PermitRootLogin no

and restart the SSH service as before.

Set Up SSH Key Authentication (Recommended)

SSH key authentication replaces passwords with cryptographic key pairs, which removes password guessing as an attack entirely. It is a foundational best practice for secure remote access.

Generate a key pair (on your local machine, not on the server):

ssh-keygen -t ed25519

Generating public/private ed25519 key pair.
Enter file in which to save the key (/root/.ssh/id_ed25519): [Press ENTER]
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase): [Press ENTER]
Enter same passphrase again: [Press ENTER]
Your identification has been saved in /root/.ssh/id_ed25519
Your public key has been saved in /root/.ssh/id_ed25519.pub

The transcript above presses ENTER for an empty passphrase. On a workstation that can be lost or compromised, set a passphrase and let ssh-agent cache it, so that the private key file alone is not enough to reach your relay.

Copy the public key to the server. This step still authenticates with your password, so run it before password authentication is disabled. The host key fingerprint is shown on first contact; compare it with the fingerprint displayed on the server's console before answering yes.

ssh-copy-id -p 52231 user@server_ip

INFO: Source of key(s) to be installed: "/root/.ssh/id_ed25519.pub"
The authenticity of host 'server_ip (server_ip)' can't be established.
ECDSA key fingerprint is SHA256:<redacted>.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
INFO: attempting to log in with the new key(s), to filter out any that are already installed
The authenticity of host 'server_ip (server_ip)' can't be established.
ECDSA key fingerprint is SHA256:<redacted>.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
ALERT! You are entering a secured area! Your IP, Login Time, and Username have been noted and have been sent to the server administrator!
This service is restricted to authorized users only. All activities on this system are logged.
Unauthorized access will be fully investigated and reported to the appropriate law enforcement agencies.
user@server_ip's password:

Number of key(s) added: 1

Now try logging into the machine, with: "ssh -p '52231' 'user@server_ip'"
and check to make sure that only the key(s) you wanted were added.

Try to log in to the server from your local machine with the new key:

ssh -p '52231' 'user@server_ip'

Once the key login works, disable password authentication on the server in sshd_config:

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes

Set:

PasswordAuthentication no

and restart the SSH service. Caveat: Ubuntu's sshd_config begins with Include /etc/ssh/sshd_config.d/*.conf, and sshd uses the first value it encounters for each directive, so a drop-in such as the 50-cloud-init.conf that many cloud images write (it sets PasswordAuthentication yes) silently overrides your edit. Check the drop-in directory and the effective configuration reported by sshd -T rather than trusting the main file.

You can find detailed descriptions of the commands used for this tutorial at:

https://www.ssh.com/academy/ssh/keygen
https://www.ssh.com/academy/ssh/copy-id
https://www.ssh.com/academy/ssh/sshd_config
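
The four SSH changes in this section (custom port, banner, no root login, no password authentication) are only in force if the effective configuration says so. The script below is an added example for this guide, not code from the Anyone docs or the OpenSSH project: it checks the output of sshd -T, which prints the configuration sshd actually uses after all Include files are merged, against the values set above, and names every directive that deviates. The two sshd -T excerpts inside it are constructed, one for the intended end state and one for the case where a drop-in in sshd_config.d has re-enabled passwords and the root-login and banner edits were never applied.

```bash
#!/usr/bin/env bash
# Added example (not from the Anyone docs or OpenSSH): audit the *effective*
# sshd configuration as reported by `sudo sshd -T`. sshd keeps the first value
# it meets per directive and Ubuntu's sshd_config includes sshd_config.d/*.conf
# first, so a drop-in can quietly win over an edit to the main file.
# Live use on the relay:  audit_sshd_effective "$(sudo sshd -T)" 52231
set -euo pipefail

# audit_sshd_effective EFFECTIVE_TEXT PORT
#   EFFECTIVE_TEXT: `sshd -T` output, one "key value" line each, lowercase keys
#   Prints one "FAIL key: effective=X expected=Y" line per deviation.
#   Returns 0 when every directive matches, 1 otherwise.
#   (kbdinteractiveauthentication is the OpenSSH 8.7+ name; older servers
#   report challengeresponseauthentication instead.)
audit_sshd_effective() {
  local cfg="$1" port="$2" rc=0 key want got
  while read -r key want; do
    # first match wins in sshd, so take the first line for the key as well
    got=$(printf '%s\n' "$cfg" | awk -v k="$key" '$1 == k { print $2; exit }')
    if [ "$got" != "$want" ]; then
      printf 'FAIL %s: effective=%s expected=%s\n' "$key" "${got:-<unset>}" "$want"
      rc=1
    fi
  done <<EOF
port $port
permitrootlogin no
passwordauthentication no
kbdinteractiveauthentication no
pubkeyauthentication yes
banner /etc/issue.net
EOF
  return "$rc"
}

# Constructed `sshd -T` excerpts (not captured from a real host), trimmed to
# the directives that matter here.
HARDENED_EFFECTIVE='port 52231
addressfamily any
permitrootlogin no
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no
banner /etc/issue.net'

# Main file says "PasswordAuthentication no", but a drop-in says yes, and the
# PermitRootLogin and Banner edits were never made.
DROPIN_EFFECTIVE='port 52231
addressfamily any
permitrootlogin prohibit-password
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication no
banner none'
```

Run sshd -t (config test) before every restart, run this audit afterwards, and only then close the session you started from. If passwordauthentication is reported as yes although the main file says no, look in /etc/ssh/sshd_config.d/ for the drop-in that sets it.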


Firewall & Network Protection

UFW Firewall

UFW (Uncomplicated Firewall) is a front end for iptables that makes it easy to control which services are exposed to the internet. A default-deny inbound policy with only the essential ports opened limits exposure and contains anything that starts listening unexpectedly. When running the installation script, UFW is offered as an option that opens access for SSH and the ORPort. Read more about UFW in the official Ubuntu documentation: https://help.ubuntu.com/community/UFW

sudo apt install ufw -y

Default Policy

sudo ufw default deny incoming
sudo ufw default allow outgoing

Allow Essential Ports

Add the SSH rule before enabling the firewall; enabling UFW on a remote host without it cuts off your session. Inbound port 53 is only needed if this host runs a DNS server for other machines; the relay's own outbound DNS lookups are already covered by the allow-outgoing policy, so most operators should omit that line. The anon port is an example; use the ORPort (and DirPort, if you set one) from your own relay configuration, and remember that UFW applies the same rules to IPv6 when IPV6=yes in /etc/default/ufw.

sudo ufw allow 52231/tcp    # Custom SSH
sudo ufw allow 53/udp       # DNS (only if this host serves DNS to others)
sudo ufw allow 9001/tcp     # Example: anon ORPort

Enable the service.

sudo ufw enable

To check the status of UFW, and to confirm that no rules other than the ones above are active:

sudo ufw status verbose

Intrusion Detection and Abuse Prevention

Automated protection against brute-force and scanning behaviour.

Fail2Ban

Fail2Ban watches log sources for failed logins and other suspicious patterns and bans the offending source IP by inserting firewall rules for a configurable time. It is highly effective against brute-force attacks on SSH and other services. It acts per source address, so a distributed campaign that never repeats an IP within findtime passes beneath it; key-only SSH is the control that actually stops guessing, and Fail2Ban keeps the noise and resource usage down.

Find the official documentation and repository for Fail2ban at: https://github.com/fail2ban/fail2ban

Install Fail2Ban.

sudo apt install fail2ban -y

Configure Fail2ban

Do not edit jail.conf: the package replaces it on upgrade. Put your overrides in jail.local, which Fail2Ban reads after jail.conf. Copying the whole file, as below, works but leaves you a long file to maintain; a jail.local containing only the sections you change is the recommended form.

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local

In the [DEFAULT] section, adjust the following parameters as needed:

[DEFAULT]
bantime  = 10m
findtime = 10m
maxretry = 5

bantime - Duration an IP stays banned (e.g., 10 minutes).

findtime - Time window within which failures are counted (e.g., 10 minutes).

maxretry - Number of failures within findtime that triggers a ban (e.g., 5 attempts).

Also add the address you manage the relay from to ignoreip in [DEFAULT], so that a mistyped password on your side cannot ban you out of your own server.

Enable SSH Protection

Ensure the [sshd] jail is enabled (on Debian and Ubuntu the package already enables it through /etc/fail2ban/jail.d/defaults-debian.conf).

[sshd]
enabled = true
port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s

If you've changed the SSH port (e.g., to 52231), update the port value accordingly.

port = 52231

On systems without rsyslog, /var/log/auth.log does not exist and the jail must read the journal instead; set backend = systemd in the [sshd] section in that case, or the service fails to start.

Start and Enable Fail2Ban

sudo systemctl enable fail2ban
sudo systemctl start fail2ban

Monitor Fail2Ban Status

Check the status of Fail2Ban and its jails.

sudo fail2ban-client status
sudo fail2ban-client status sshd

To unban an IP, use the set function:

sudo fail2ban-client set sshd unbanip <IP_ADDRESS>
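
The three [DEFAULT] values are easier to tune once you can see what they do to real-looking traffic. The script below is an added example for this guide, not code from the Anyone docs or from fail2ban: it re-implements the sshd jail's decision rule, "maxretry failures inside any findtime window from one address", over a constructed journal excerpt in journalctl -o short-unix layout (epoch seconds first), and reports which addresses would be banned for a given pair of values. The log lines, hostnames and addresses (RFC 5737 documentation ranges) are constructed.

```bash
#!/usr/bin/env bash
# Added example (not part of the Anyone docs or of fail2ban): reproduce the
# sshd jail's "maxretry within findtime" ban decision over sample log lines so
# the [DEFAULT] knobs can be chosen with their effect in view.
set -euo pipefail

# Constructed `journalctl -u ssh -o short-unix` excerpt (not a real capture).
#   203.0.113.5  : 5 failures in 12 seconds       (classic brute force)
#   198.51.100.7 : 5 failures, one every 30 min   (low-and-slow guessing)
#   192.0.2.9    : 3 failures in 20 seconds
SAMPLE_LOG=$(cat <<'EOF'
1714564800.000000 relay sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
1714564803.000000 relay sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
1714564806.000000 relay sshd[2103]: Failed password for root from 203.0.113.5 port 51240 ssh2
1714564809.000000 relay sshd[2103]: Failed password for root from 203.0.113.5 port 51242 ssh2
1714564812.000000 relay sshd[2105]: Failed password for invalid user oracle from 203.0.113.5 port 51250 ssh2
1714564830.000000 relay sshd[2110]: Accepted publickey for operator from 198.51.100.200 port 40022 ssh2: ED25519 SHA256:constructed
1714565000.000000 relay sshd[2120]: Failed password for operator from 192.0.2.9 port 40100 ssh2
1714565010.000000 relay sshd[2120]: Failed password for operator from 192.0.2.9 port 40100 ssh2
1714565020.000000 relay sshd[2120]: Failed password for operator from 192.0.2.9 port 40100 ssh2
1714566000.000000 relay sshd[2130]: Failed password for invalid user test from 198.51.100.7 port 33001 ssh2
1714567800.000000 relay sshd[2140]: Failed password for invalid user test from 198.51.100.7 port 33002 ssh2
1714569600.000000 relay sshd[2150]: Failed password for invalid user test from 198.51.100.7 port 33003 ssh2
1714571400.000000 relay sshd[2160]: Failed password for invalid user test from 198.51.100.7 port 33004 ssh2
1714573200.000000 relay sshd[2170]: Failed password for invalid user test from 198.51.100.7 port 33005 ssh2
EOF
)

# ban_candidates LOGTEXT MAXRETRY FINDTIME_SECONDS
#   Prints, sorted, one address per line that accumulated MAXRETRY "Failed
#   password" events inside some window of FINDTIME seconds. Lines for one
#   address are assumed to arrive in chronological order, as in the journal.
ban_candidates() {
  local log="$1" maxretry="$2" findtime="$3"
  printf '%s\n' "$log" | awk -v maxretry="$maxretry" -v findtime="$findtime" '
    /sshd\[[0-9]+\]: Failed password for/ {
      # $1 is the epoch timestamp; the source address follows the word "from"
      for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
      n[ip]++
      t[ip, n[ip]] = $1 + 0
    }
    END {
      for (ip in n) {
        # slide a window of maxretry consecutive failures; ban if its span fits
        for (j = maxretry; j <= n[ip]; j++) {
          if (t[ip, j] - t[ip, j - maxretry + 1] <= findtime) { print ip; break }
        }
      }
    }' | sort
}
```

With the page's defaults (maxretry 5, findtime 10m) only the fast attacker is banned; the slow one needs a findtime of two hours to be caught, at the cost of banning anyone who fails five times in an afternoon. Fail2Ban's own fail2ban-regex utility performs the matching half of this against a real log file or the journal and is the right tool to confirm that the sshd filter sees your failures at all.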

Monitoring

Basic system monitoring helps you notice trouble (exhausted resources, a failed service, lost network connectivity, suspicious activity) before it turns into a full outage or a compromise.

Install Watchdog (optional)

sudo apt install watchdog -y
sudo systemctl enable --now watchdog

Configure /etc/watchdog.conf for the checks you want: free memory, load average, a ping target for network loss, a file that must keep changing, and so on. The daemon's response to a failed check is a reboot, so start with a small set of conservative tests and confirm each one behaves on your VPS before enabling the next; an over-eager test produces a reboot loop rather than monitoring. See the Ubuntu man pages for a detailed description of the configuration file: https://manpages.ubuntu.com/manpages/xenial/man8/watchdog.8.html
