The BrickLink Vault: Securing your VPS
As soon as a new server goes online, automated bot networks start scanning it for vulnerabilities. Since Bricksync only needs to communicate outwards, we can lock your server down like a vault. In 15 minutes, you can make your system invisible to attackers.
This tutorial assumes that only Bricksync is running on this server. Do you also run a website (e.g., a WordPress blog, shop) or an email server on this same machine?
Then please stop here! If you execute Step 4 (the firewall) exactly as shown, your website will instantly disappear from the internet because we radically close all ports.
For this tutorial, log in via PuTTY using your normal user (e.g., bricksync) that we created in the installation guide. Because we are changing deep system settings, we prepend every command with sudo, which gives you administrator rights for that single command.
1 The Autopilot for Updates
A secure system is an updated system. First, we install all pending updates, and then we set up "Unattended Upgrades". This allows the server to install critical security patches completely automatically at night.
Bring the system up to date:
sudo apt update && sudo apt upgrade -y
(Note: If a purple screen appears asking about services, just press "Enter" to confirm the default selection.)
Enable automatic security updates:
sudo apt install unattended-upgrades -y
sudo dpkg-reconfigure --priority=low unattended-upgrades
A pink/blue screen will appear. Use the arrow keys to select "Yes" and press Enter.
2 The Digital Bouncer (Fail2Ban)
Bots try different passwords every second ("Brute-Force Attack"). The program Fail2Ban stops this: If someone enters the wrong password too many times, their IP address is completely blocked for 24 hours.
sudo apt install fail2ban -y
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
That's it! Fail2Ban is immediately active and protects your server in the background.
3 Securing SSH (Port & Root)
Almost all attacks target the default port (22) and the default user (root). We will change both. We are moving the access to port 54321 and forbidding direct logins as "root" from the internet.
sudo nano /etc/ssh/sshd_config
1. Find the line #Port 22 (often near the top).
2. Remove the hash symbol (#) and change the number to 54321. (The line should now read: Port 54321).
3. Press CTRL + W, type PermitRootLogin, and press Enter.
4. Change the line from PermitRootLogin yes to PermitRootLogin no.
5. Save with CTRL + O (Enter) and exit with CTRL + X.
4 Raising the Firewall (UFW)
Before we activate the changes from step 3, we MUST tell our server that the new port 54321 is allowed through the firewall. If we forget this, we will lock ourselves out!
Copy this entire block and press Enter:
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 54321/tcp
sudo ufw enable
(If a warning "Command may disrupt existing ssh connections" appears, type "y" and press Enter.)
Your server now blocks all incoming traffic from the outside, with the sole exception of your new, secret SSH port.
5 Activate Changes & Test
Now we enforce the new security policies by restarting the SSH service.
sudo systemctl restart ssh
Keep this PuTTY window open. Open PuTTY a second time to test if the new access works. If you made a typo, you can easily fix it in the first (still active) window.
The test in the new window:
- In PuTTY, enter your IP address under Host Name (or IP address) again.
- Change the Port field (usually right next to it) from 22 to 54321.
- Click "Open" and log in as bricksync.
Did it work? Perfect! You're in. You can now safely close the old PuTTY window. Your server is now an invisible vault to the outside world, automatically installing security updates and locking out attackers.
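The lockout risk from Steps 3 to 5 can be checked before running sudo systemctl restart ssh. The script below is an added example, not part of the original tutorial: it reads a copy of sshd_config and saved output of sudo ufw status, assumes ufw is already enabled as in Step 4, and its function names and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the tutorial): lockout pre-flight for Steps 3 to 5.
# Function names and the sample data in demo() are constructed for illustration.

# Print every global value of KEY from an sshd_config-style file. Keywords are
# case-insensitive, lines starting with '#' are comments, and scanning stops at
# the first Match block. Include files and "Key=value" syntax are not handled.
config_values() {  # usage: config_values KEY FILE
  awk -v key="$1" '
    $1 ~ /^#/ { next }
    tolower($1) == "match" { exit }
    tolower($1) == tolower(key) { print $2 }' "$2"
}

# Succeed if saved "ufw status" output has an ALLOW or LIMIT rule for PORT/tcp.
ufw_allows_tcp() {  # usage: ufw_allows_tcp PORT STATUS_FILE
  awk -v p="$1" '
    ($2 == "ALLOW" || $2 == "LIMIT") && ($1 == (p "/tcp") || $1 == p) { ok = 1 }
    END { exit !ok }' "$2"
}

# Return 0 only if a configured SSH port is allowed by ufw and root login is off.
preflight() (  # usage: preflight SSHD_CONFIG UFW_STATUS_FILE (runs in a subshell)
  rc=0
  ports=$(config_values Port "$1"); ports=${ports:-22}  # sshd listens on 22 if unset
  reachable=""
  for p in $ports; do
    if ufw_allows_tcp "$p" "$2"; then reachable="$reachable $p"; fi
  done
  [ -n "$reachable" ] || { echo "FAIL: no configured SSH port is allowed by ufw"; rc=1; }
  root=$(config_values PermitRootLogin "$1" | head -n 1)
  [ "$root" = "no" ] || { echo "FAIL: PermitRootLogin is '${root:-unset}', expected 'no'"; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK: SSH reachable on port(s)$reachable, root login disabled"
  exit "$rc"
)

# Constructed sample: Step 3 is done, but "ufw allow 54321/tcp" was forgotten.
demo() {
  d=$(mktemp -d)
  printf '#Port 22\nPort 54321\nPermitRootLogin no\n' > "$d/sshd_config"
  printf 'Status: active\n\nTo Action From\n22/tcp ALLOW Anywhere\n' > "$d/ufw.txt"
  preflight "$d/sshd_config" "$d/ufw.txt"; rc=$?
  rm -rf "$d"; return "$rc"
}
demo || echo "Fix the findings above before: sudo systemctl restart ssh"
# On the server: sudo ufw status > ufw.txt && preflight /etc/ssh/sshd_config ufw.txt
```

Running sudo sshd -t first additionally catches syntax errors in the edited file before the service is restarted.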
FAQ & Emergency Exit
Locked yourself out or feeling unsure? Don't panic!
Help, I can't log in as "root" anymore!
bricksync. But I need root privileges, what now?
No problem. Log in as bricksync. When you want to run a command as an administrator, simply put sudo in front of it. If you want to permanently switch to root mode (e.g., because you have a lot of configuring to do), just type:
sudo su -
After entering your password, you are instantly the root user again.
How do I undo the root block?
1. Log in via PuTTY.
2. Open the configuration:
sudo nano /etc/ssh/sshd_config
3. Change the line PermitRootLogin no back to PermitRootLogin yes.
4. Save (CTRL+O, Enter) and Exit (CTRL+X).
5. Restart the service:
sudo systemctl restart ssh
How do I change the port back to 22?
1. Open the configuration:
sudo nano /etc/ssh/sshd_config
2. Change Port 54321 back to Port 22.
3. Save and Exit.
4. IMPORTANT: Allow Port 22 in the firewall:
sudo ufw allow 22/tcp
5. Reload the SSH service:
sudo systemctl restart ssh
I also have a website on the server. What about the firewall?
In addition to the commands from Step 4, run the following:
sudo ufw allow 80/tcp (for HTTP)
sudo ufw allow 443/tcp (for HTTPS / SSL)