Setting up a VPS in minutes

Upon subscribing to a VPS service, you should spend some time securing it before you start using it. This article goes through some basic steps to help you with that. I'm using Debian 11, but the process will be extremely similar on any other Linux distro, with the package manager usually being the only difference (other distros won't necessarily be using apt).

Creating a new user

After signing up for their services, your VPS provider will typically send you credentials for logging in as the root user. In practice, using root for anything but the initial setup is an unnecessary risk: every command runs with full privileges, so one mistake or one compromised session affects the whole system. That's why you should create a new user.

Log in as root

ssh root@<your server ip>

Change root password

passwd

Change the hostname

The default hostname is most often a randomly generated string. I like changing that to something more readable.

echo "yournewhostname" > /etc/hostname
hostname -F /etc/hostname

Update your system

Get the latest versions of installed packages and new security patches:

apt update
apt upgrade

Some VPS providers pre-install things like Apache Web Server or even the whole LAMP stack. You should remove that in this step (unless you need it).

Install sudo

In order to manage your server, your new user account will need sudo powers. For that, you first need to install sudo.

apt install sudo

Create a new user

I will be using manager as the new user name throughout this text, but you can use any name you want.

adduser manager

# Optional: adduser already creates /home/manager, so these lines only make sure
# the .ssh directory exists with the permissions and ownership sshd expects
mkdir -p /home/manager/.ssh
chmod 700 /home/manager/.ssh
chown -R manager:manager /home/manager/.ssh

Set a password for the new user (sudo will ask for it)

passwd manager

Set a default shell for the new user

I will use bash here, but you can use any other shell such as zsh or fish, provided you have installed it first.

usermod -s /bin/bash manager

Add new user to sudo group

This will grant administrative privileges to the new user, so that you can run commands using sudo.

usermod -aG sudo manager

Normally you would need to log out and back in before the new group membership takes effect and you can run commands as the new user. To avoid that, replace the current shell with a login shell for the new user:

exec su -l manager

Now you’re logged in as the new user.

Securing SSH

Enable SSH key authentication and disable password authentication

SSH keys are generally regarded as a more secure authentication method than passwords: a private key holds far more entropy than anything a person would type, and with public-key authentication the secret never leaves your machine. But using an SSH key only makes sense as long as you have a long and secure passphrase protecting your key.

First, create an SSH key on your local machine:

# -N sets the passphrase on the command line; omit it to be prompted instead,
# so the passphrase does not end up in your shell history
ssh-keygen -N "mysupersecretpassphrase" -t ed25519 -C "mydesktopcomputer"

When prompted, enter a path (on your local machine) under which you want the key to be saved. I’ll assume you named your new key id_ed25519.

Copy the contents of the id_ed25519.pub file from your local machine into the new user's authorized_keys file on the server:

nano /home/manager/.ssh/authorized_keys

Setting the permissions of the authorized_keys file is required because the SSH server (with its default StrictModes yes) ignores the file if it, or the directories above it, can be written by anyone other than the owner. Let's set the right permissions based on the principle of least privilege:

chmod 400 /home/manager/.ssh/authorized_keys
# sudo is needed here if any of these files were created while you were root
sudo chown -R manager:manager /home/manager

Enforce SSH key logins, disable password login and disable root login

Check whether the directory /etc/ssh already contains a host key with ed25519 in its name (Debian 11 generates one when openssh-server is installed). If not, create it with:

sudo ssh-keygen -f /etc/ssh/ssh_host_ed25519_key -N '' -t ed25519

Open the SSH configuration file /etc/ssh/sshd_config and uncomment the following line:

HostKey /etc/ssh/ssh_host_ed25519_key

Save the change and restart the SSH server:

sudo systemctl restart ssh

Open the SSH configuration file /etc/ssh/sshd_config again and change these lines (uncomment them, or add them if missing) so that they match the ones below:

PermitRootLogin no
PasswordAuthentication no
AllowUsers manager

Save the file and restart the SSH server:

sudo systemctl restart ssh

Keep your current session open in case something went wrong, and from a second terminal try to log in with your key:

ssh -i <user_home>/.ssh/id_ed25519 manager@<ip_address>

Change default port

First, make sure that you do not accidentally choose a port that is already used by another service. The following command lists all running services that listen on a port:

ss -tulpn | grep LISTEN

Uncomment the Port line in the SSH configuration file and set it to a port of your choice that is not in use. I set it to 12345.

Port 12345

Disable Protocol 1

The SSH protocol standard has two versions, 1 and 2. It is recommended to use protocol version 2 because, you've guessed it, it's more secure: version 1 has known weaknesses and should never be accepted. OpenSSH 7.6 and later (including the 8.4 shipped with Debian 11) no longer support version 1 at all, so on a current system this line has no effect beyond documenting the intent; on an older server it is what actually turns the legacy protocol off. Insert the following line in the configuration file:

Protocol 2

Log in with your new user account

Restart the SSH server again to apply all the changes:

sudo systemctl restart ssh

Log out of your server, and then try logging in again, this time on the new port:

ssh -i <user_home>/.ssh/id_ed25519 -p 12345 manager@<ip_address>
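The steps above all touch /etc/ssh/sshd_config and the key files, and a typo in any of them can leave you locked out after the restart. The following script is an added example (not part of the article) that re-reads the file and checks that it says what the steps intended: PermitRootLogin no, PasswordAuthentication no, AllowUsers naming your account, a non-default Port and an ed25519 HostKey, plus the permission rule sshd's StrictModes enforces on ~/.ssh and authorized_keys. The function names are this example's own. It reads only the global section of one file (an Include line is not followed), expects the "Directive value" form rather than "Directive=value", and uses GNU stat as found on Debian.

```sh
#!/bin/sh
# Added example: audit the sshd hardening from this article before restarting sshd.

# Print the effective global value of one directive. sshd keeps the FIRST value it
# reads for a directive, so we stop at the first match; anything under a Match block
# only applies conditionally, so we stop when the global section ends.
sshd_effective() {  # $1 = path to sshd_config, $2 = directive name (case-insensitive)
    awk -v key="$2" '
        /^[[:space:]]*#/            { next }   # comment line
        NF == 0                     { next }   # blank line
        tolower($1) == "match"      { exit }   # end of the global section
        tolower($1) == tolower(key) { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# Check the directives the article sets. Prints one line per failing check and
# returns 1 if anything is off, 0 when the file matches the intended policy.
audit_sshd_config() {  # $1 = path to sshd_config, $2 = the one account allowed to log in
    cfg=$1; user=$2; rc=0

    v=$(sshd_effective "$cfg" PermitRootLogin)
    [ "$v" = "no" ] || { echo "FAIL: PermitRootLogin is '${v:-unset}' (want no)"; rc=1; }

    v=$(sshd_effective "$cfg" PasswordAuthentication)
    [ "$v" = "no" ] || { echo "FAIL: PasswordAuthentication is '${v:-unset}' (want no)"; rc=1; }

    v=$(sshd_effective "$cfg" AllowUsers)
    case " $v " in
        *" $user "*) ;;
        *) echo "FAIL: AllowUsers is '${v:-unset}' (want it to name $user)"; rc=1 ;;
    esac

    v=$(sshd_effective "$cfg" Port)
    if [ -z "$v" ] || [ "$v" = 22 ]; then
        echo "FAIL: Port is '${v:-unset}' (still the default 22)"; rc=1
    fi

    # HostKey may appear several times; any active line naming an ed25519 key is enough.
    grep -Eiq '^[[:space:]]*HostKey[[:space:]]+.*ed25519' "$cfg" \
        || { echo "FAIL: no HostKey line for an ed25519 key"; rc=1; }

    return $rc
}

# Check the permission part of what StrictModes enforces: the home directory,
# ~/.ssh and authorized_keys must not be writable by group or others, otherwise
# sshd silently ignores the key file and falls back to whatever else is allowed.
audit_key_perms() {  # $1 = home directory of the login account
    home=$1; rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "FAIL: $p does not exist"; rc=1; continue
        fi
        mode=$(stat -c %a "$p")        # octal mode as printed by GNU stat, e.g. 700 or 400
        group=$(( mode / 10 % 10 ))    # the group digit
        other=$(( mode % 10 ))         # the "others" digit
        if [ $(( group & 2 )) -ne 0 ] || [ $(( other & 2 )) -ne 0 ]; then
            echo "FAIL: $p is mode $mode (writable by group or others)"; rc=1
        fi
    done
    return $rc
}

# On the server, as the manager user from the article:
#   sudo sh -c '. ./audit-sshd.sh; audit_sshd_config /etc/ssh/sshd_config manager' \
#       && audit_key_perms /home/manager && echo "sshd hardening looks consistent"
```

Run it before `sudo systemctl restart ssh`, together with `sudo sshd -t`, which checks the file's syntax. After the restart, `sudo sshd -T` prints the configuration sshd actually loaded (Include files and all), which is the authoritative answer if this script and the running daemon ever disagree.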

Setting up a basic firewall

Install the firewall

The first thing you should know is that you should use only one firewall. Sometimes your VPS provider will offer their own firewall service that is turned on by default. You will have to pick between using their firewall and enabling your own.

The default firewall on most Linux distros is iptables. Since it’s pretty complicated to manage, a lot of people (including me) use another program called ufw, which is a frontend to iptables that makes it simpler to use and add custom rules.

Install ufw by running:

sudo apt install ufw

Make sure that IPv6 is enabled by changing the ufw config file:

sudo nano /etc/default/ufw

Set IPv6 property to yes.

IPV6=yes

Enable ports/services

Opening new ports and services is very easy with ufw:

sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
# Allow the port you set in sshd_config, not the OpenSSH application profile:
# that profile only opens port 22, which sshd no longer listens on
sudo ufw allow 12345/tcp
sudo ufw disable
sudo ufw enable

These commands open the firewall for HTTP, HTTPS and your SSH port, then disable and re-enable ufw to apply the changes (sudo ufw reload does the same). Double-check the SSH rule before enabling: if the allowed port and the Port in sshd_config disagree, your next login will be blocked.

If you’re using any other services, such as a mail server, you will have to enable them too.

Finally, check your firewall's status by running:

sudo ufw status
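Two checks from the steps above are easy to get wrong by eye: that the port you chose is not already used by another service (the `ss -tulpn | grep LISTEN` step) and that ufw actually has a rule for the port sshd listens on before you run `sudo ufw enable`. The following is an added example, not from the article, that does both by parsing the output of `ss -tulpn` and `ufw status`. The function names are this example's own, and the two text samples in the usage comment are constructed to look like real output; on the server you would pass the commands' live output instead.

```sh
#!/bin/sh
# Added example: pre-flight checks for the "Change default port" and firewall steps.

# Print the names of processes bound to port $2, given the text of `ss -tulpn` in $1.
# Field 5 is "Local Address:Port"; the process name is the first entry in the
# users:((...)) column. Empty output means nothing is listening on that port.
port_listeners() {  # $1 = ss -tulpn output, $2 = port number
    printf '%s\n' "$1" | awk -v port="$2" '
        $5 ~ (":" port "$") && match($0, /users:\(\("[^"]+"/) {
            name = substr($0, RSTART + 9, RLENGTH - 10)   # strip users:((" and the closing quote
            if (!(name in seen)) { seen[name] = 1; print name }
        }
    '
}

# Return 0 if the `ufw status` text in $1 already has an ALLOW rule for TCP port $2.
# "ufw allow 80" shows up as "80", "ufw allow 80/tcp" as "80/tcp"; the OpenSSH
# application profile only ever means port 22, so it does not cover a moved port.
ufw_allows_port() {  # $1 = ufw status output, $2 = port number
    printf '%s\n' "$1" | awk -v port="$2" '
        $2 == "ALLOW" && ($1 == port || $1 == (port "/tcp") || ($1 == "OpenSSH" && port == 22)) { found = 1 }
        END { exit !found }
    '
}

# Refuse to enable ufw unless the SSH port is free of other services and allowed
# through the firewall. Prints the reason and returns 1 on any problem.
ufw_preflight() {  # $1 = port from sshd_config, $2 = ufw status output, $3 = ss -tulpn output
    port=$1; rc=0
    others=$(port_listeners "$3" "$port" | grep -v '^sshd$' || true)
    [ -z "$others" ] || { echo "FAIL: port $port is also used by: $others"; rc=1; }
    ufw_allows_port "$2" "$port" \
        || { echo "FAIL: no ufw ALLOW rule for $port/tcp; 'sudo ufw enable' would lock you out"; rc=1; }
    return $rc
}

# On the server, with the port you set in sshd_config:
#   ufw_preflight 12345 "$(sudo ufw status)" "$(ss -tulpn)" && sudo ufw enable
#
# Constructed sample of what the two commands print on a host where SSH was moved
# to 12345 but the firewall still only has the OpenSSH profile (port 22):
#   ss -tulpn:   tcp LISTEN 0 128 0.0.0.0:12345 0.0.0.0:* users:(("sshd",pid=612,fd=3))
#   ufw status:  OpenSSH    ALLOW    Anywhere
# ufw_preflight reports the missing rule and returns 1, which is the lock-out case.
```

The `port_listeners` check only looks at the first process named on each ss line, which is enough for the "is this port free" question; the ufw check is deliberately strict about the port number so that the OpenSSH profile is never mistaken for a rule covering the new port.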

Setting up automated security updates

To keep the server current with the latest security updates automatically, install the unattended-upgrades package and then edit the /etc/apt/apt.conf.d/10periodic configuration file.

sudo apt-get install unattended-upgrades
sudo nano /etc/apt/apt.conf.d/10periodic

Update this file to match the following lines (this will enable unattended-upgrades):

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";

Next, you will disable normal updates and only enable security updates. You can also keep the normal updates, but bear in mind that you are then risking broken dependencies or software that brings new features and new bugs along with them. Open the config file:

sudo nano /etc/apt/apt.conf.d/50unattended-upgrades

Replace the entire contents of the file with:

Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}";
    "${distro_id}:${distro_codename}-security";
    // Extended Security Maintenance; doesn't necessarily exist for
    // every release and this system may not have it installed, but if
    // available, the policy for updates is such that unattended-upgrades
    // should also install from here by default.
    "${distro_id}ESM:${distro_codename}";
//  "${distro_id}:${distro_codename}-updates";
//  "${distro_id}:${distro_codename}-proposed";
//  "${distro_id}:${distro_codename}-backports";
};

If you want Debian to automatically upgrade everything, uncomment all of the ${distro_id}:* lines.

Installing fail2ban

Fail2Ban is a program that helps to prevent malicious attempts at gaining control of your server. It scans system log files for suspicious activity, such as repeated failed logins, and temporarily bans the offending IP addresses from connecting to your server. Installing it and using it with the default settings is as easy as running:

sudo apt install fail2ban

Fail2Ban comes with a sane default configuration, so most users can install it and just leave it as is. One exception: the stock sshd jail bans on port ssh (22), so if you moved SSH to another port as above, set port = 12345 under [sshd] in /etc/fail2ban/jail.local and restart fail2ban, otherwise the bans never cover the port your server actually uses. That's what I do anyway.

Next steps

You are now done with setting up your VPS! There’s always more to do if you have the will and the time, but this should be enough for a basic setup. You can now install that full-stack app you wanted to show to everyone, or a Factorio server to play with friends or maybe self-host some web apps for yourself…

Ideas for further improvement

If you’re willing to put in extra time to secure access to your server, you could also do some of these things:

Useful tools

Sources