How to Set Up a VPS
1. Order a VPS
https://www.hetzner.com/cloud/
2. Login and update
SERVER_IP=10.11.12.13
ssh root@${SERVER_IP}
pwd
cat /etc/os-release
free -h
df -h .
hostname
nano /etc/hostname
# hostname newname
apt update
apt upgrade
3. Install fail2ban
Let's protect the server from brute-force login attempts: fail2ban watches the authentication log and temporarily bans addresses that keep failing to log in.
apt install fail2ban python3-systemd
# nano /etc/fail2ban/jail.local
cat <<EOF > /etc/fail2ban/jail.local
[DEFAULT]
backend = systemd
EOF
systemctl restart fail2ban
fail2ban-client status
fail2ban-client status sshd
backend = systemd makes fail2ban read the systemd journal instead of /var/log/auth.log, which recent Debian releases do not write unless rsyslog is installed. Apart from that the default configuration is usually fine, so for the time being we don't need to change anything else. Note that the sshd jail assumes port 22; if you move SSH to another port (step 8), its port setting has to follow, otherwise bans never touch the port attackers are actually using.
4. Install firewalld
apt install firewalld
firewall-cmd --list-all   # "services:" must include ssh, or the next command locks you out
firewall-cmd --permanent --zone=public --set-target=DROP
firewall-cmd --reload
firewall-cmd --list-all   # target: DROP, so anything not listed under services/ports is dropped
5. Generate an SSH key
Let's generate an SSH key pair. Here it is generated on the server and the private key is copied down to the laptop in the next step; the safer habit is to run ssh-keygen on the laptop and upload only the public key (that is what ssh-copy-id does), so the private key never crosses the network or sits on the server's disk. Following the order of this page:
ssh root@${SERVER_IP}
mkdir -p ~/.ssh
chmod 700 ~/.ssh
touch ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
man ssh-keygen
ssh-keygen -t ed25519 -f mykey   # ed25519: small, fast, and no key size to get wrong
ls -lh
cat mykey
cat mykey.pub
cat mykey.pub >> ~/.ssh/authorized_keys
cat ~/.ssh/authorized_keys
exit
6. Login with keys
We want to transfer the private key to our local machine (laptop). We can just copy/paste its content or we can use scp like this:
ssh root@${SERVER_IP} ls
scp root@${SERVER_IP}:mykey .
ls -l
cat mykey
ssh root@${SERVER_IP} rm -f mykey   # the private key should not stay on the server
Now let's try to log in using this private key:
ssh -i mykey root@${SERVER_IP}
exit
We should be able to log in without being asked for a password.
To make things easier, let's create a configuration file in ~/.ssh (on the local machine):
touch ~/.ssh/config
chmod 600 ~/.ssh/config
# nano ~/.ssh/config
cat >> ~/.ssh/config <<EOF
Host mycloud
HostName ${SERVER_IP}
Port 22
User root
IdentityFile ~/.ssh/mycloud.key
IdentitiesOnly yes
EOF
mv mykey ~/.ssh/mycloud.key
chmod 600 ~/.ssh/mycloud.key   # ssh ignores a private key that other users can read
ls -l ~/.ssh/mycloud.key
Now we should be able to log in just by giving ssh mycloud. We don't need to remember the IP of the server, the port, the identity file (private key), etc. It's so convenient!
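The safer variant of steps 5 and 6, as an added example that is not part of the original page: the key pair is generated on the laptop, only the public key goes to the server, and both the append to authorized_keys and the Host block in ~/.ssh/config are idempotent, so the steps can be re-run without duplicating entries (which cat mykey.pub >> authorized_keys does on every run). The function names and the sample public key are this example's own; mycloud, ~/.ssh/mycloud.key and SERVER_IP are the names used above.

```shell
#!/bin/bash
# Added example, not code from the original page: the key pair is generated on
# the laptop and only the public key is installed on the server. The function
# names and SAMPLE_PUBKEY are this example's own; mycloud, ~/.ssh/mycloud.key
# and SERVER_IP are the names used in the text.
set -eu

# Constructed sample public key for the offline checks; not a real key.
SAMPLE_PUBKEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA laptop"

# Generate an ed25519 key pair locally; the private key never leaves this
# machine. ssh-keygen prompts for a passphrase; prefer ssh-agent over an empty
# one. Idempotent: an existing key file is never overwritten.
gen_key() {
  local keyfile="$1"
  if [ -e "$keyfile" ]; then return 0; fi
  mkdir -p "$(dirname "$keyfile")"
  chmod 700 "$(dirname "$keyfile")"
  ssh-keygen -t ed25519 -a 64 -f "$keyfile" -C "laptop -> mycloud"
  chmod 600 "$keyfile"
}

# Append PUBKEY to AUTHFILE unless the same key (type and blob, comment
# ignored) is already there, and set the permissions sshd insists on:
# directory 700, file 600.
install_pubkey() {
  local pubkey="$1" authfile="$2" ktype blob dir
  ktype=$(printf '%s\n' "$pubkey" | awk '{ print $1 }')
  blob=$(printf '%s\n' "$pubkey" | awk '{ print $2 }')
  dir=$(dirname "$authfile")
  mkdir -p "$dir"; chmod 700 "$dir"
  touch "$authfile"; chmod 600 "$authfile"
  if ! awk -v t="$ktype" -v b="$blob" \
       '$1 == t && $2 == b { found = 1 } END { exit !found }' "$authfile"; then
    printf '%s\n' "$pubkey" >> "$authfile"
  fi
}

# Number of keys in an authorized_keys file (blank and comment lines ignored).
count_keys() {
  grep -c -v -E '^[[:space:]]*(#|$)' "$1" || true
}

# Add a Host block to an ssh client config once; later runs are no-ops.
add_ssh_host() {
  local cfg="$1" name="$2" host="$3" port="$4" keyfile="$5"
  touch "$cfg"; chmod 600 "$cfg"
  if grep -q -E "^Host[[:space:]]+${name}([[:space:]]|\$)" "$cfg"; then
    return 0
  fi
  printf '\nHost %s\n    HostName %s\n    Port %s\n    User root\n    IdentityFile %s\n    IdentitiesOnly yes\n' \
    "$name" "$host" "$port" "$keyfile" >> "$cfg"
}

# Usage on the laptop, with SERVER_IP set as in step 2 (not run by the checks):
#   gen_key ~/.ssh/mycloud.key
#   ssh-copy-id -i ~/.ssh/mycloud.key.pub root@${SERVER_IP}
#   add_ssh_host ~/.ssh/config mycloud "${SERVER_IP}" 22 ~/.ssh/mycloud.key
# ssh-copy-id does what install_pubkey does; install_pubkey is for the case
# where you manage authorized_keys yourself, e.g. from a provisioning script.
```

The duplicate check compares key type and blob only, because the comment after the blob is free text and a re-generated comment must not produce a second copy of the same key.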
7. Disable password
Now that we can login with an identity file (private key), we can disable the password login on the server, to make it more secure. Someone may guess a password, or may find it by a brute force attack (trying lots of passwords), but it is almost impossible to guess or find a private key.
Edit the file /etc/ssh/sshd_config on the server and make sure to change the setting PasswordAuthentication from yes to no and PermitRootLogin from yes to prohibit-password. Also make sure that KbdInteractiveAuthentication is no:
ssh mycloud
nano /etc/ssh/sshd_config
#PermitRootLogin yes
PermitRootLogin prohibit-password
#PasswordAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
On Debian and Ubuntu the first line of sshd_config is Include /etc/ssh/sshd_config.d/*.conf, and sshd keeps the first value it reads for a keyword, so a file in that directory (cloud images often ship one) overrides whatever you edit in the main file. Check the effective settings, then validate the syntax before restarting the sshd service, since a typo here locks you out:
sshd -T | grep -E -i '^(passwordauthentication|permitrootlogin|kbdinteractiveauthentication)'
sshd -t && systemctl restart sshd
Keep this session open and test from a second terminal. Make sure that you can still log in with the private key, and that you cannot log in with a password any more:
ssh mycloud
exit
ssh -o PubkeyAuthentication=no root@${SERVER_IP}
# expected: Permission denied (publickey).
8. Change the SSH port
This is another step for making the server a bit more secure: it keeps most of the automated scanners that hammer port 22 out of the logs. It is obscurity rather than authentication, so it complements the key-only login of the previous step instead of replacing it.
- Edit /etc/ssh/sshd_config on the server and change the port from 22 to something else (for example with 4 or 5 digits), like this:
ssh mycloud
nano /etc/ssh/sshd_config
#Port 22
Port 1234
- Open the new port in the firewall before restarting sshd (the public zone now drops anything that is not listed):
firewall-cmd --zone=public --add-port=1234/tcp
firewall-cmd --list-all
- Restart the SSH service and check that it really listens on the new port. Keep this session open until you have logged in over the new port from a second terminal:
sshd -t && systemctl restart sshd
ss -tlnp | grep sshd
- Change the port in ~/.ssh/config on the local machine and test that you can still log in to the server:
ssh mycloud
# Connection refused
nano ~/.ssh/config
ssh mycloud
- Make the firewall change permanent:
ssh mycloud
firewall-cmd --permanent --zone=public --add-port=1234/tcp
firewall-cmd --permanent --zone=public --remove-service=ssh
firewall-cmd --reload
firewall-cmd --list-all
- Tell fail2ban about the new port. Its bans apply only to the ports listed in the jail, which defaults to port 22, so without this an attacker hitting port 1234 is never actually blocked:
cat <<EOF >> /etc/fail2ban/jail.local

[sshd]
port = 1234
EOF
systemctl restart fail2ban
fail2ban-client status sshd
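Steps 7 and 8 together, as an added example rather than code from the original page: the settings go into an sshd drop-in file instead of edits to sshd_config, fail2ban and firewalld learn the new port, the configuration is validated before sshd restarts, and a transient systemd timer reverts the drop-in after ten minutes unless you cancel it after a successful login from a second terminal. Port 1234 comes from the text; the drop-in path, the unit name sshd-revert and the jail.local layout are assumptions of this example. Run it as root with the argument apply; without an argument it only defines the functions and the offline checks.

```shell
#!/bin/bash
# Added example, not code from the original page: steps 7 and 8 in one script.
# Assumptions: port 1234 (from the text); the drop-in path, the unit name
# "sshd-revert" and the jail.local layout below are this example's own choices.
set -eu

SSH_PORT="${SSH_PORT:-1234}"
DROPIN="${DROPIN:-/etc/ssh/sshd_config.d/90-hardening.conf}"
JAIL="${JAIL:-/etc/fail2ban/jail.local}"

# sshd keeps the FIRST value it reads for a keyword, and Debian/Ubuntu include
# /etc/ssh/sshd_config.d/*.conf at the top of sshd_config, so a drop-in wins
# over anything later in the main file without editing that file.
render_sshd_dropin() {
  printf '%s\n' \
    "Port $1" \
    "PermitRootLogin prohibit-password" \
    "PasswordAuthentication no" \
    "KbdInteractiveAuthentication no"
}

# fail2ban bans only the ports listed in the jail (default: 22), so the sshd
# jail has to learn the new port or its bans never touch it.
render_jail_local() {
  printf '%s\n' "[DEFAULT]" "backend = systemd" "" "[sshd]" "enabled = true" "port = $1"
}

# Effective value of KEY in an sshd-style FILE: first match wins, keyword
# match is case-insensitive, comments and blank lines are skipped. It does not
# follow Include, so "sshd -T" stays the authoritative check on a live host.
sshd_value() {
  awk -v k="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
    /^[[:space:]]*#/ || NF < 2 { next }
    tolower($1) == k { print $2; exit }' "$1"
}

# Value of KEY in [SECTION] of an ini-style FILE (last match wins, like fail2ban).
ini_value() {
  awk -v s="[$2]" -v k="$3" '
    /^[[:space:]]*\[/ { insec = ($1 == s); next }
    insec && $1 == k && $2 == "=" { v = $3 }
    END { print v }' "$1"
}

# Offline self-check of the files that would be written; needs no root.
check_rendered() {
  local port="$1" d j rc=0
  d=$(mktemp); j=$(mktemp)
  render_sshd_dropin "$port" > "$d"
  render_jail_local "$port" > "$j"
  [ "$(sshd_value "$d" Port)" = "$port" ] || rc=1
  [ "$(sshd_value "$d" passwordauthentication)" = "no" ] || rc=1
  [ "$(sshd_value "$d" PermitRootLogin)" = "prohibit-password" ] || rc=1
  [ "$(sshd_value "$d" KbdInteractiveAuthentication)" = "no" ] || rc=1
  [ "$(ini_value "$j" sshd port)" = "$port" ] || rc=1
  rm -f "$d" "$j"
  return "$rc"
}

# Apply on the server (as root). Port 22 stays open in the firewall until you
# have confirmed the new port works; the final cleanup commands are printed.
apply() {
  check_rendered "$SSH_PORT"
  render_sshd_dropin "$SSH_PORT" > "$DROPIN"
  render_jail_local "$SSH_PORT" > "$JAIL"
  sshd -t                                                   # never restart on a broken config
  firewall-cmd --permanent --zone=public --add-port="${SSH_PORT}/tcp"
  firewall-cmd --reload
  # Safety net: a transient timer removes the drop-in and restarts sshd in
  # ten minutes unless you stop it after a successful login on the new port.
  systemd-run --on-active=10min --unit=sshd-revert \
    /bin/sh -c "rm -f '$DROPIN' && systemctl restart sshd"
  systemctl restart sshd
  systemctl restart fail2ban
  ss -tlnp | grep sshd | grep -q ":${SSH_PORT} " ||
    { echo "sshd is not listening on ${SSH_PORT}" >&2; exit 1; }
  echo "From a second terminal:  ssh -p ${SSH_PORT} root@<server>"
  echo "If that works, cancel the revert:  systemctl stop sshd-revert.timer"
  echo "and close port 22:  firewall-cmd --permanent --zone=public --remove-service=ssh && firewall-cmd --reload"
}

if [ "${1:-}" = "apply" ]; then apply; fi
```

The revert runs as a systemd transient unit rather than a backgrounded sleep so that it survives the SSH session dying, which is exactly the situation it exists for. The small config parser is only there to check what the script itself writes; it does not follow Include, so sshd -T remains the authoritative view of the running daemon.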
9. Use a script to log in (optional)
The configuration file ~/.ssh/config is convenient, but if you want to log in to the server from anywhere, you need something more portable. In this case you can use a script like this:
#!/bin/bash
server=10.11.12.13
port=1234
keyfile=$(mktemp)                        # mktemp creates the file with mode 0600
trap 'rm -f "$keyfile"' EXIT             # remove the extracted key even if ssh is interrupted
sed -n -e '/^-----BEGIN/,/^-----END/p' "$0" > "$keyfile"
ssh -i "$keyfile" -p "$port" "root@$server"
exit 0                                   # stop here: the lines below are data, not commands
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS
1zaGEyLW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQRIRkXtvwyUiLDSLSqV0V0RClTakKDt
SkP/4besU++elsvtZaaY97GSdn0kTqF+0LiBCTOaEROgRHB7aKU8YjwjAAAAqJKniRSSp4
kUAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEhGRe2/DJSIsNIt
KpXRXREKVNqQoO1KQ//ht6xT756Wy+1lppj3sZJ2fSROoX7QuIEJM5oRE6BEcHtopTxiPC
MAAAAhAJXThzR7EhbYn9fykJaG5hUA4h+RCfIkpwo83yl+r/5qAAAADmRhc2hvQGRhc2hh
bWlyAQ==
-----END OPENSSH PRIVATE KEY-----
It includes the IP and the port along with the private key (identity file), so that you don't have to remember them. The flip side is that anyone who can read the script owns the key, so treat the file exactly like the private key itself: keep it off shared machines and out of backups and repositories. If this script is called mycloud.sh, make sure to give it the right permissions, like this:
chmod 700 mycloud.sh
You may also consider using something like these scripts: https://gitlab.com/dashohoxha/server-scripts
10. Cosmetic changes
Better prompt
cat <<'EOF' > ~/.bashrc_custom
# set a better prompt
PS1='${debian_chroot:+($debian_chroot)}\[\033[01;36m\]\u\[\033[01;33m\]@\[\033[01;35m\]\h \[\033[01;33m\]\w \[\033[01;31m\]\$ \[\033[00m\]'
EOF
cat ~/.bashrc_custom
echo 'source ~/.bashrc_custom' >> ~/.bashrc
tail ~/.bashrc
source ~/.bashrc
Install some tools
apt update
apt upgrade
apt install psmisc tmux tmate asciinema
Colorized ls
Let's enable colorized ls output. Edit ~/.bashrc and uncomment the ls aliases (Debian's root .bashrc ships them commented out):
ls /
nano ~/.bashrc
source ~/.bashrc
ls /
The relevant lines, once uncommented:
export LS_OPTIONS='--color=auto'
# eval "$(dircolors)"
alias ls='ls $LS_OPTIONS'
alias ll='ls $LS_OPTIONS -l'
alias l='ls $LS_OPTIONS -lA'
Fix vim settings
Enable the dark background setting of vim:
nano /etc/vim/vimrc
set background=dark