Rails 8, Kamal, and Securing Your VPS: The Ultimate Guide to Hardening SSHD

| Shey Sewani | Toronto

It’s an exciting time to be a Rails developer, with recent events like Rails World 2024 and the release of Rails 8 Beta and Kamal 2.

The new features in Rails 8 aim to simplify the deployment of Rails. With the tagline “No PaaS Required,” this release encourages developers to consider VPS over PaaS for their next Rails project.

In line with that philosophy, I’d like to share some of the sshd_config customizations I use to secure my VPS, including those for HTTPScout.io. I’ll also introduce Fail2Ban, a simple tool to further secure SSH access.


Tweaks for Usability:

  1. UseDNS no – Disables DNS lookups on connections. You don’t want DNS issues locking you out of your server.
  2. PrintMotd no – I prefer a clean login screen, which feels faster and less cluttered.
  3. Disable DSA for Host Keys – Skip /etc/ssh/ssh_host_dsa_key because DSA is no longer considered secure.

Tweaks for Security:

  • AllowUsers super deployer – Limit SSH access to just a couple of essential users, e.g., a sudo user and the deployer user.
  • Stick with Default Ports – Use the standard Port 22. One less setting to consider during an emergency.

sshd_config

Here’s the complete sshd_config that includes other commonly applied best practices for PermitRootLogin, PasswordAuthentication, and sftp.

# /etc/ssh/sshd_config

AcceptEnv LANG LC_*
GSSAPIAuthentication no
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_ecdsa_key
Port 22
PrintMotd no
Protocol 2
Subsystem sftp /usr/lib/openssh/sftp-server
SyslogFacility AUTH
LogLevel VERBOSE
X11Forwarding no
UseDNS no
PermitRootLogin no
ClientAliveInterval 120
LoginGraceTime 3
AllowUsers super deployer

Before restarting sshd, always open a second SSH session as a safety net, because you never know what might happen.


Install Fail2Ban

On Ubuntu, you can install it using:

sudo apt-get install fail2ban

Fail2Ban is a security tool that monitors login attempts and automatically bans malicious IP addresses after several failed login attempts. Its default configuration works well for SSH out of the box, adding an extra layer of security.


This sshd_config + Fail2Ban combo has worked well for me, and I hope it works well for you too.