sysadmin ∙ sysengineer ∙ cybsec
How bad of an idea could it be to have the way I've set up and secured my own Virtual Private Server (VPS) publicly exposed on the internet? It doesn't take much to understand it's a terrible idea, but I love terrible ideas, so I'm doing it nonetheless.
This whole System has been months in the making, and now that I've finally reached a point where I'm (somewhat) happy with what I have, I figured I could help someone by explaining what, how and why I did everything the way I did.
I initially found out about the free Oracle VPS in a video talking about how to set up your own free VPN. Back then, I had pretty much NO experience with anything technical, but most importantly, I was a minor, so I couldn't create an Oracle Cloud account. I left it be, and picked it up later, when I was already a University Student.
After setting up said OpenVPN, I got bored, and I wondered: What else can I do with this? I mean, I've got my own, free, 24/7 4x Core, 24 GB RAM ARM VPS, SURELY there's more I can do. Right?
Then I started wondering: "Well, I can create my own Cloud, and set up a Backup Server!" - No, I've only got 50 GB of Storage (around 22 GB now, after OS and Services); "Maybe I can host (something)" - Nope, don't know how to do that; "Well, then I can do (something)" - Nope, doesn't run on ARM CPUs. Well, obviously, for Oracle to be offering free stuff, there HAD to be a caveat, right? I guess this was it. As of now, compatibility with ARM CPUs is still quite limited in (some) software.
I then decided I would do what most people do: set up a simple Webserver; set up a Minecraft Server; and every once in a while, if I needed to run something that needed a little bit more power, I could use this VPS. However... the Minecraft Server didn't quite go as planned.
Firstly, I asked my friend group if everyone had a Minecraft Account, or if we needed to be in offline mode. Aaand we had to. Since it was a silly private server, I didn't even bother to set up an authentication method; none of us would try to steal from each other anyway. But the problem wasn't us. You see, I wasn't familiar with Minecraft Server Scraping (I quite literally had no idea this existed!), and, literally, 2 days after opening the server, we got the little stuff we had built griefed by some random edgy Griefing Team.
That really opened something in me: I knew it was vulnerable, I knew how to fix it, I just didn't care enough to secure it. However, what if the WHOLE VPS was also vulnerable? As far as I knew, it wasn't. But I decided I had to be SURE it wasn't.
First of all, I started by ditching OpenVPN and switching to a WireGuard tunnel. Was it more secure? Kinda, but it allowed me to have granular access to it, and also grant more people access if needed.
Then, for the Minecraft Server (yes, I will be including this here!) I immediately changed the port I was running the server on, since that's how the bots find the vulnerable servers, and added a secure Authentication Method. I also enabled the WhiteList feature for added security. I couldn't resist trolling a bit, just like the good old days: I found some of their socials and poked a bit at them, but they were not able to even connect to my server anymore. I guess I had won, huh?
Since I was still worried about the whole VPS being compromised, I also took some Security Measures regarding its Administration:
• There is now no way to remotely connect to the VPS unless you are inside the network
This ensured you had to be connected through a Secure Tunnel to its Network. So you had to compromise not only my log-in credentials, but also my VPN connection.
• The SSH access was HEAVILY controlled
After this, access was no longer possible through a password, but rather through a key-file. Now you had to compromise my VPN and somehow get access to my key-file.
• Banning Port Scans
First I thought about Suricata, but ended up settling on psad to block nmap scans. So far it's been working great!
This Web Site was certainly a (welcome) adventure! Since I was working with Monitoring Tools on the Internship I was doing when I set up this final iteration of the VPS, that's what I initially planned on running. However, I quickly noticed... there was nothing really to monitor. So I decided to set up a simple webserver.
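The first two measures in the list above can be checked mechanically. The following is an added example, not the author's own configuration or tooling: it audits the global section of an `sshd_config` for key-only login and for `ListenAddress` entries confined to the tunnel. It assumes a WireGuard subnet of 10.8.0.0/24 and that sshd is bound to the tunnel address (one way to get the "inside the network only" behaviour); `Include` files and `Match` blocks are not followed.

```python
import ipaddress
# Assumption: the WireGuard tunnel uses 10.8.0.0/24 (constructed value).
VPN_NET = ipaddress.ip_network("10.8.0.0/24")
# keyword: (sshd default when absent, value the hardening needs)
POLICY = {"passwordauthentication": ("yes", "no"),
          "kbdinteractiveauthentication": ("yes", "no"),
          "pubkeyauthentication": ("yes", "yes")}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
# Constructed samples; the second PasswordAuthentication line in WEAK is ignored.
WEAK = "PasswordAuthentication yes\nListenAddress 0.0.0.0\nPasswordAuthentication no\n"
HARDENED = "ListenAddress 10.8.0.1:22\nPasswordAuthentication no\nKbdInteractiveAuthentication no\n"

def parse_global(text):
    settings, listen = {}, []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)  # drop comments, split keyword
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break  # conditional Match blocks are not audited here
        key = ALIASES.get(key, key)
        if key == "listenaddress":
            listen.append(value)  # ListenAddress may be repeated
        else:
            settings.setdefault(key, value.lower())  # sshd keeps the first value
    return settings, listen

def listen_host(value):
    token = value.split()[0]  # drop an optional "rdomain ..." suffix
    if token.startswith("["):  # [address]:port
        return token[1:token.index("]")]
    return token.split(":")[0] if token.count(":") == 1 else token

def audit(text):
    settings, listen = parse_global(text)
    findings = [f"{key} is {settings.get(key, default)}, want {want}"
                for key, (default, want) in POLICY.items()
                if settings.get(key, default) != want]
    if not listen:
        findings.append("sshd listens on every address")
    for value in listen:
        try:
            inside = ipaddress.ip_address(listen_host(value)) in VPN_NET
        except ValueError:  # hostname or malformed address
            inside = False
        if not inside:
            findings.append(f"ListenAddress {value} is outside the VPN")
    return findings
```

`audit(HARDENED)` returns an empty list, while `audit(WEAK)` reports password login as still enabled even though a later line says `no`, because sshd uses the first value it reads for a keyword.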
After that, I decided to play a bit with port-forwarding on Oracle's "Firewall", and I ended up setting up a basic HTML page, just to ask some people if they could access it. After doing that, there was a constant feeling of "If only I had a domain" in my mind.
Then I started searching for free domains, which I quickly found out didn't exist (anymore). And then I found out about free SUBdomains, which were mostly fine except for a somewhat big caveat for more technical users. For me, the biggest one was that I couldn't add it to Cloudflare.
I ended up sticking with a poorly made website and a free subdomain that wasn't that bad. In all honesty, I was quite happy with it: I learnt a lot about web-dev and DNS Setup. But then, while scrolling on Twitter, I found is-a.dev, a free subdomain project for devs! Well, I'm not a dev. But I work in IT so, close enough!
So that was it, I created my GitHub account, learnt how to fork repos, and pushed my request to add aozora.is-a.dev. That was taken. aoozora.is-a.dev is it, then!